
GitHub bans vindictive security researcher - 2026-05-26

May 30, 2026 · 1 hr 2 min · Season 6, Ep. 21

Episode description

This episode covers a CISA contractor’s accidental exposure of AWS GovCloud credentials and internal system details on GitHub, the FBI’s efforts to patch vulnerable routers, and a critical NGINX vulnerability with public proof-of-concept code. The team also discusses Microsoft’s handling of a disputed Azure Backup security finding, the challenges of vulnerability disclosure and CVE assignment, and GitHub’s ban of security researcher Nightmare Eclipse following the publication of unpatched Windows vulnerability research.

Join us LIVE on Mondays, 4:30pm EST.
A weekly Podcast with BHIS and Friends. We discuss notable Infosec, and infosec-adjacent news stories gathered by our community news team.
https://www.youtube.com/@BlackHillsInformationSecurity

Chat with us on Discord! -
https://discord.gg/bhis
🔴live-chat


Chapters

  • (00:00) - PreShow Banter™ — Getting to Chili's
  • (05:45) - GitHub bans vindictive security researcher - 2026-05-26
  • (07:09) - Story # 1: CISA Admin Leaked AWS GovCloud Keys on Github
  • (10:45) - Story # 2 - PoC Code Published for Critical NGINX Vulnerability
  • (12:53) - Story # 3 - Anthropic’s restricted Claude Mythos model may be coming to Claude Code
  • (16:16) - Story # 4 - The FBI just remotely reset thousands of home and small office routers – and your TP-Link could be on the hitlist
  • (22:37) - Story # 5 - Drupal to Release Emergency Core Security Updates Amid Fears of Rapid Exploitation
  • (25:52) - Story # 6 - Microsoft rejects critical Azure vulnerability report, no CVE issued
  • (28:09) - Story # 7 - GitHub bans vindictive security researcher dropping Windows zero-days: “I will make sure your bones are shattered”
  • (30:41) - Story # 8a - A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale
  • (32:16) - Story # 8b - TeamPCP breached GitHub’s internal codebase via poisoned VS Code extension
  • (35:21) - Story # 10 - Ubiquiti patches three max severity UniFi OS vulnerabilities
  • (37:51) - Story # 11 - Pizza Hut's AI system caused 'cascading' problems and $100M in damages, franchisee alleges in new suit
  • (43:55) - Story # 12 - Data Leak at German Hospital
  • (45:00) - Story # 13 - Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
  • (47:50) - Story # 14 - Chicken News
  • (50:07) - Story # 15 - New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released
  • (51:04) - Story # 15b - Might someone pass along that Crowdstrike and Nessus are having a moment?

Links
Story # 1 - CISA Admin Leaked AWS GovCloud Keys on Github
Story # 2 - PoC Code Published for Critical NGINX Vulnerability
Story # 3 - Anthropic’s restricted Claude Mythos model may be coming to Claude Code
Story # 4 - The FBI just remotely reset thousands of home and small office routers – and your TP-Link could be on the hitlist
Story # 5 - Drupal to Release Emergency Core Security Updates Amid Fears of Rapid Exploitation
Story # 6 - Microsoft rejects critical Azure vulnerability report, no CVE issued
Story # 7 - GitHub bans vindictive security researcher dropping Windows zero-days: “I will make sure your bones are shattered”
Story # 8a - A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale
Story # 8b - TeamPCP breached GitHub’s internal codebase via poisoned VS Code extension
Story # 10 - Ubiquiti patches three max severity UniFi OS vulnerabilities
Story # 11 - Pizza Hut’s AI system caused ‘cascading’ problems and $100M in damages, franchisee alleges in new suit
Story # 12 - Data Leak at German Hospital
Story # 13 - Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
Story # 14 - Chicken News
Story # 15 - New Windows ‘MiniPlasma’ zero-day exploit gives SYSTEM access, PoC released
Story # 15b - Might someone pass along that Crowdstrike and Nessus are having a moment?


🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits 

https://poweredbybhis.com


Brought to you by:

Black Hills Information Security 

https://www.blackhillsinfosec.com


Antisyphon Training

https://www.antisyphontraining.com/


Active Countermeasures

https://www.activecountermeasures.com


Wild West Hackin Fest

https://wildwesthackinfest.com

Transcript

PreShow Banter™ — Getting to Chili's

Corey Ham

Is this thing on? Where's my chicken tendies? Where's my triple dipper combo or whatever? I don't know what Chili's is, but people are into that thing. If you like Chili's, paste in the chat your favorite order from Chili's. I don't I there's not Chili's where I live, so I don't know what that is.

Alethe Denis

If anybody says it's their chips and salsa, I've got beef with them on that one.

Corey Ham

Why are they really, really bad at chips and salsa? That's fair.

Bronwen Aker

I can't even remember how many years it's been since I was to a Chili's.

Corey Ham

I've just discovered oh, no. But it says it's permanently closed. Yeah. They don't exist in my region. I would have to drive. Oh, no. It's also permanently closed. How far would I have to drive to get to a Chili's? Let's see.

Bronwen Aker

I know that the chain lives on in the video game

Corey Ham

What? Where is this going?

Bronwen Aker

The video game

Corey Ham

just It's definitely still a real thing. It's just not in the Pacific Northwest.

Alethe Denis

It's really Okay. Restaurant. Unfortunately, in California, they're everywhere.

Corey Ham

Okay. So I would have to drive or ride my bike because that's how I get places. Let's find out how far it would take me. It would be a three day bike ride, 767 miles, but it would probably be insanely beautiful because it would go through Eastern Oregon and then Northern California. It would be incredible.

Bronwen Aker

That sounds nice.

Corey Ham

I'm gonna do that. I'll see you guys in a month.

Alethe Denis

All for all for chili queso. Duotech today is a

Bronwen Aker

matter of quality, not quantity. Sorry. You know, if you ever do get down this way, Corey, let me know, we will make

Corey Ham

sure break up

Bronwen Aker

the smoker and have just yeah. I'll make homemade baked beans from scratch.

Corey Ham

We'll Oh my goodness.

Bronwen Aker

Do the whole schmear.

Corey Ham

Okay. That sounds way better than Chili's. The the trip plans have changed. Yeah. I'm definitely not going to Chili's anymore. But I think you live farther away than my nearest Chili's, unfortunately. Let's see.

Bronwen Aker

Stab. Yeah.

Corey Ham

That would add another 300 miles. It would be 1,059 miles.

Bronwen Aker

Well yeah. I mean That's lot. For me to drive from from my house to Sacramento is easily eight hours by car. Yikes. So

Corey Ham

And I only travel by bike, so that definitely extends the timeline quite significantly.

Alethe Denis

I I will say significantly in the middle. Yeah.

Corey Ham

Over the weekend, I rode my bike to the Pacific Ocean, and I talked to a guy there that was, he was riding from Canada to Mexico. And I was like, that's a that's a lot of riding. That was the whole conversation. I think he was kinda lonely. It's kinda like, riding from Canada to Mexico would take. He said he he budgeted a month. I was like, that's pretty good. That's pretty good pace.

Alethe Denis

That seems a little ambitious by my standards.

Corey Ham

Because, yeah, that's like 80 to a 100 miles a day, which is pretty I mean, that's a that's a commit.

Bronwen Aker

That is a definite commit. I mean, a gazillion years ago, I did walk Hadrian's Wall, which I was averaging but the first day was the longest. I was, like, 15 miles, but it was all flat. And then later on, the average was seven to 10 miles a day.

Corey Ham

That sounds amazing. I wanna go do this.

Bronwen Aker

It was it was awesome.

Corey Ham

The the wandering through fields feeling like you're in lord of the rings, I'm assuming?

Bronwen Aker

Yeah. You do a lot of that, and and it's kind of embarrassing. I I blistered my feet badly on that particular excursion, so I wound up having to do a little bit of cheating. There's a a bus line that runs along the well, you know, it I you should have seen. I had so many they call me

Corey Ham

Oh, blisters are blisters are one way trip. Once you blister up, you can't go back. It takes weeks to heal. Yeah.

Bronwen Aker

Well, actually, I was pretty good by the end of the week. But that that first day, oh my god. I got to I it's a it's a whole long story, but, the thing you wanna do is you wanna walk from west to east so that the wind is at your back. Even though Sycamore Gap no longer has a sycamore because a deranged teenager chopped down a multi 100 year tree, it's still very scenic. There are tons of Roman sites where they had garrisons and and various other things that are museums all along that way.

And it's it's really if you wanna do just the walk, yes, tons and tons of sheep pastures. And it's about 80 something miles. So

Corey Ham

Alright. Well, I think we've stalled long enough. John Strand has abandoned us. We must continue without him.

Bronwen Aker

Hey. You know, he's jet setting. That jet lag is not to be messed with.

Corey Ham

That's true. Alright. You can roll the finger, Meagan. Let's do this.

Alethe Denis

Alright. Give me one second because there might be

Corey Ham

Have to download more RAM first. I get it. I've been there.

GitHub bans vindictive security researcher - 2026-05-26

Bronwen Aker

Rolling in three two.

Corey Ham

Hello, and welcome to Black Hills Information Security's talking about news. It's Tuesday. I'm scared. I thought we only do this show on a Monday. But yesterday was Memorial Day in The US, which means we weren't here. And so now we're here with our skeleton crew of people who actually survived the weekend, apparently. I guess it took some people out. We've got me. We've got Alethe, and we've got Bronwen. How's it going?

Alethe Denis

Doing well. How about you?

Corey Ham

I'm alive. That's what I've been telling people. I feel like that's as that's that's as aggressive as I'm willing to go. You know? Like, I don't wanna get I am alive. It is true. That's you know, I don't wanna be I don't wanna be mean.

Bronwen Aker

If you're not alive, you look awfully good for a corpse. I'll say that much.

Corey Ham

Thank you. Yeah. That's the goal. That's my bar is like look better than a zombie. So that's always how I'm trying to live. Stories this week. We've got some good stuff. We had our routers patched by the FBI. That's nice. We also leaked our GovCloud keys.

Oops. We also got our NGINX web servers exploited by Mythos. There's all kinds of fun stories. I think let's dip into the CISA GovCloud thing. I think that's probably I mean, it's kind of a quick hit, but basically, there was an article on Krebs on Security that essentially a contractor for CISA had posted their repository containing high-privileged AWS GovCloud accounts and information about a large number of internal CISA systems.

Story # 1: CISA Admin Leaked AWS GovCloud Keys on Github

And that's bad. That is generally not recommended to publish your stuff on GitHub to the public. When you're typically company agency.

Bronwen Aker

Or form is rule, yep.

Corey Ham

So yeah, basically this is someone from GitGuardian that reported it. Honestly, my biggest question with this is why doesn't GitHub just automatically take this down? For non legacy repos, I know there's secret scanning on GitHub. I know there's, like, capabilities to do this. I'm really confused why I can still in 2026 create a repo that has sensitive exposed data in it.

Like, I feel like it just shouldn't be that hard to lock that down. I don't know. Am I crazy? Why don't we have guardrails for this?

Bronwen Aker

Well, yes, you are crazy, but not about this.

Corey Ham

I don't get yeah. I don't know.

Alethe Denis

You would

Bronwen Aker

you would think it seems like they're policing all the wrong things.

Corey Ham

It's just a text file called important AWS tokens dot TXT. Like, why is that? I don't get why that is a thing. But, yeah, basically, spokesperson from CISA said the agency is aware of the report exposure and is continuing to investigate the situation. There is no indication that any sensitive data was compromised as a result of this incident.

While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences. So basically, y'all are about to lose access to GitHub. I'm sorry. That sucks. I

Alethe Denis

think we're gonna see more managed GitHub repos and companies not allowing contractors to have their personal GitHub in the mix, which I think is what happened here. It says this contractor created theirs back in September 2018 and then just used it for the work they were doing.

Corey Ham

Yep. I will say I do think GitHub is kind of a nightmare when it comes to managing, like, accounts. It's like, hey. Who's a squeezy hacker 17? Is that should they have access to our GitHub?

Like, because it uses your Git username, like for enterprise access. I mean, obviously you could force people to create their own Git accounts or GitHub accounts for their job. And that's probably the way to go, But it's not great. You'd think they would pull a Microsoft and have it be integrated with, you know, Entra ID or something. I don't know. Weird that it's just

Alethe Denis

I had this problem in the past with engineers that I hired that they want to keep the activity on their own personal GitHub so that they can keep that keep their little green boxes. Keep their streak,

Corey Ham

their shower curtain or their

Alethe Denis

this point, like you're basically asking people to separate their personal work from their professional work. And I think a lot of people are gonna have an issue with that. But security wise, I don't really see another option.

Corey Ham

Totally. It's kind of one of those areas of like, oh, our developers, they're not subject to security policies because they're developers and they're special. But that probably shouldn't be a thing.

Bronwen Aker

Special.

Story # 2 - PoC Code Published for Critical NGINX Vulnerability

Corey Ham

Yeah. So let's move on. There was also an NGINX critical vulnerability with PoC code published. This is CVE-2026-42945 with a CVSS of 9.2, not a 10. At least from our perspective and our customers, this wasn't that exploitable. It requires a certain configuration to be exploitable, and none of our customers matched those criteria.

Also, it was a DoS. So we were like, probably shouldn't mess around too hard with that one. But I guess, has anyone else, anyone, any listeners or any Alethe or anyone, have you seen this one, exploited this one? This one's pretty kind of a nothing burger to use my favorite term.

Alethe Denis

Yeah. I know nothing to contribute for me. I'm waiting for somebody in the chat to finish writing.

Bronwen Aker

But I'm still tripping over the CVE number. 42945.

Corey Ham

That's just from Mythos this week. Probably. Still. Yeah. It's basically I don't know. I it's I guess I'm not sure. It was a

Hayden Covington

part

Corey Ham

of F5's quarterly patch. So it actually got released and published as part of another vendor's, which is kind of interesting. Like, F5 uses NGINX, so they published this bug. I don't necessarily know if it was AI-generated, you know, if it this is actually discovered by AI. They didn't specify, like, the chain of custody on this vulnerability.

But, basically, long story short, patch your NGINX. This is a broader theme right now in security, which is, like, John's joke from a couple weeks ago was that every CVSS score gets a plus one. So with that old math, this is actually a 10.2 CVSS. So over a 10, you should probably patch that immediately. But, yeah, with AIs running around and, you know, exploiting stuff, this unpatched software stuff gets pretty nasty pretty quick.

Bronwen Aker

Basically, if you're not doing it already, patch all the things, please.

Corey Ham

Yeah. Definitely. We didn't talk about this, or I don't know if it's in the list. But speaking while we're here, there was an article in BleepingComputer that said that they might be publishing Mythos. I don't know.

Story # 3 - Anthropic’s restricted Claude Mythos model may be coming to Claude Code

Bronwen Aker

I hadn't heard that. The last I heard, which was, what, last week, was that Mythos was never going to be accessible to the public, which makes no sense at all to me because it's only a matter of time before they wind up they, meaning the frontier model developers, develop something that's even better at finding and creating malware than Mythos is.

Corey Ham

Yeah. So this just got dropped into my feed by someone. And, like, basically, the reason this became an article is because some users noticed that when they went to select a model in Claude, it, it gave them the option for Mythos. Oh, were

Hayden Covington

you talking about Mythos?

Corey Ham

Well, we're trying to. Now you're here. So now we, we gotta go backwards.

Bronwen Aker

Yay. Welcome to the party, hates.

Corey Ham

Hayden, did you get access to Mythos?

Hayden Covington

Talking about? No. Did you get it? Dude. If I no. I if only I would have expensed it right away. I'm sure it's $2,000 a month.

Corey Ham

Okay. Queries per week. Well, hold on. In the news article, the screenshot that the whoever, you know, sent to BleepingComputer is just a person who's just on a Pro plan. So, like Yeah. I saw that. It's not clear on whether it's, I guess, does it say in the UI if you're on like Pro or Pro 20x or whatever? Like, don't know, but probably not. But basically, this isn't a real thing, but some users did see that they were able to select Mythos in their UI.

Hayden Covington

Well, Anthropic is notoriously bad at accidentally leaking things ahead of time recently. Like, they leaked model names ahead of time recently. They've leaked things to the UI many times that aren't supposed to be in there yet. So, I mean, this could this I I would guess this is probably just a way to give those, like, Project Glasswing companies access to Mythos inside of Claude Desktop. I don't mean I don't think that this necessarily means that it's coming soon to to us normal people, but it could be.

Maybe maybe it could be. I I would hope so.

Bronwen Aker

Well, okay. I mean I found the article, article, I think. Let me go ahead

Corey Ham

and it in the Discord. Yeah. It's, I don't know.

Bronwen Aker

Yep. That's one.

Corey Ham

Basically, it's kind of a it's kind of a rumor. Like, it it's literally just, like, some users were able to select Mythos in the Claude UI. That's it.

Bronwen Aker

Well, they say that they're adding it to Claude Code.

Hayden Covington

That yeah. How are people using it before then? Or what Yeah. It it just connects to to your brain, and it's like, oh, don't worry. I'll find everything that you want.

Corey Ham

You what you do is you you install the Mythos launcher into your environment and then it just sprays it installs it. It's like an EDR. It installs a Mythos agent on every system in your environment. Wonderful. Don't

Hayden Covington

worry. You're now secure.

Corey Ham

You're now secure through Mythos. You just type the prompt to just recurring every minute. Don't hack me, please.

Bronwen Aker

Don't hack me, bro. Don't hack me.

Story # 4 - The FBI just remotely reset thousands of home and small office routers – and your TP-Link could be on the hitlist

Corey Ham

So next article. This one's kind of fun. I apparently, this has happened before. This is the first one I remember, but the FBI decided to patch, patch in air quotes, thousands of routers throughout The US and other places. Basically, they they published this, you know, little write up on what they did and how they did it.

But, essentially, these are mostly TP-Link routers, toilet paper link for, you know, to expand that acronym. Basically, they were being abused by Russia and probably for, you know, botnet type activities. The FBI went ahead and reset the devices for them. So it's they did actually in in their, like, press release, they basically said that they created a series of commands that it could send to compromised routers designed to collect evidence regarding the GRU actors' activities. Mhmm.

Sure. Just that.

Bronwen Aker

Mhmm.

Corey Ham

Two, reset DNS settings, aka remove the DNS resolvers and force the routers to obtain legitimate DNS resolvers. And then, I guess, three, somehow close the door behind them. So, basically, if your router went down last weekend, I have bad news for you. And there's a list of affected routers.

Hayden Covington

Weekend. Is that bad?

Corey Ham

These are really old routers. Like, most of them are specifically tagged as Wireless N routers, which like holy crap that brings me back. Yeah. Yeah. That's a that's an old one.

Hayden Covington

Issue with TP-Links not too long ago either? Like a major issue with TP-Link?

Corey Ham

Most of the I mean, any router has major issues. That's just the way it is. But I don't know specifically any major issues with them recently.

Bronwen Aker

Well, this is not this is not the first time the FBI has has done stuff. In 2021, they patched, copied, and removed malicious web shells from vulnerable web servers in the Microsoft Exchange ProxyLogon. And they also what what they were involved in removing lingering web shells with the Hafnium Exchange response. So that was 2021.

Corey Ham

2021, and then it's happened a handful of times since then.

Bronwen Aker

Yes. PlugX botnet disruption, SOHO router botnet disruption. That was, let's see, 2024 and 2023. So they're they're sticking their hands in all kinds of pies.

Corey Ham

I mean, I honestly like, of all the things that you could be sketched out by, this is the least sketchy to me. Like, just taking down botnet infrastructure, I'm here for it. That's super I'd be a little bit salty if my router just stopped working, but honestly, it would be, like, better than participating in a Russian botnet. But also you lose your plausible deniability for being a threat actor. Right?

Like, before, if you had the Russian botnet running on your home router, just claim anything that you did that was illegal was definitely the Russians. Now you don't have that defense. It's too bad.

Hayden Covington

I mean, you could still claim that. You could just claim it. Just lie.

Corey Ham

Just be like, yeah. It's the Russians. Why don't you patch my router for me, please?

Hayden Covington

Yeah. Yeah. Pretty much. Exactly. Yeah.

Alethe Denis

Think it's cute that they say legitimate users can also reverse the changes by logging into the web management pages and restoring the desired settings. Like all the people that still have this router, none of them are quite

Corey Ham

Are not. Yeah. I do love the idea that someone's like, I really like the Russian DNS servers. I was getting a lot of great results back. I am going to log in, set the Russian DNS servers back so I can Google something and just immediately get malware on my computer.

Alethe Denis

I bet it's like credit card processing routers at, like, fast food chains all over the place.

Corey Ham

Oh, yeah. Or

Alethe Denis

something that just doesn't, you know, get residential type internet No

Corey Ham

one even knows they exist. You go to tell the customer that they have it.

Alethe Denis

I don't know.

Corey Ham

Yeah. You're like, hey, you have an exposed router. They're like, where? Even the ISP doesn't know where it is.

Alethe Denis

I don't know if you've ever supported orgs like that, but they'll just like order a new service and then that vendor will be like, this is who we use for Internet. And then you've got like six different routers and all kinds of stuff. And people are using Internet connections that they don't even know.

Corey Ham

Oh, yeah.

Alethe Denis

Where they're coming from.

Corey Ham

Yeah. I think the best one I've seen so far is one of our customers, one of their remote employees connected their laptop directly to their ONT, which is like the fiber terminal, which is basically a modem. And so the laptop pulled a public IP off the ONT, which is like, we found the exposed RDP on the internet. So like, it was just the weirdest thing ever. It's like, this Internet host with a public IP is just one of your work laptops. So that's a fun that was a fun scenario. But

Bronwen Aker

Hey. We have another addition to the party. Hey, Wade. Can't hear you.

Hayden Covington

Oh, but got him. It's the Russian botnet.

Wade Wells

I was

Bronwen Aker

wondering you have a little bit.

Corey Ham

His router his router got patched by the FBI. I get it.

Alethe Denis

That's why he's late too.

Corey Ham

So You got his mixer. Yeah. So Drupal is also oh, hey, Wade. Let's go.

Wade Wells

Yeah. Alright. I got a new camera. How do I look?

Bronwen Aker

You look marvelous, darling.

Corey Ham

That's some nice lighting you got there.

Wade Wells

The lighting is always a problem. Like

Hayden Covington

You look like a hacker, though.

Wade Wells

Do I?

Corey Ham

You got some depth of field. You got some depth of field there. Some bokeh or bokeh.

Wade Wells

Definitely. I got us I got myself one of those, like, fancy Sony DSLR cameras since my webcam broke. But, anyways

Hayden Covington

I just ordered one of those yesterday. We have to talk about this after the so we don't derail another podcast. No. We

Corey Ham

yeah. Speaking of Why

Bronwen Aker

should today be any different?

Story # 5 - Drupal to Release Emergency Core Security Updates Amid Fears of Rapid Exploitation

Corey Ham

Yeah. Speaking of Mythos, let me just keep this train on the tracks. Drupal has released an emergency core security update. I'm blaming Mythos for this completely with no sources to prove that. But, basically, they're publishing an urgent core security update for all supported versions.

This was as of May 2026. Exploits for the vulnerability could emerge within hours or days after disclosure. I mean, this is kind of a new thing that, you know, as presumably threat actors are doing. Buying, you know, self hosted AI type stuff. And anytime there's a patch to any of the software, reverse engineering it and developing exploits immediately based on the changes made in the patch.

We're looking at doing it. It's super fun and it's terrifying. Know, obviously, for tools like Windows are more important operating systems and stuff. It's even more impactful. But Drupal is, I think, a pretty common web framework for corporate environments, at least from my my perspective.

Bronwen Aker

Well, Corey, just one one thing when it comes to a a content management system, a CMS, one of the guiding principles you always want to maintain is do not hack the core. Now the problem is with Drupal, anytime you implement it, you have to hack the core. And it's I don't know if they corrected it, but back when I was still doing web development, that was still a thing. You had to hack the core. And that was

Corey Ham

does that even mean? I feel like I'm in a hacker's movie right now. What does hack the core mean? Is that real?

Bronwen Aker

There there are core files in the CMS that you basically do not want to mess with unless you're a Tony Stark plus level genius or you're really desperate to get something shoehorned in and you don't know a better way to do it. Those are, you know, the extreme cases.

Hayden Covington

I like those odds.

Corey Ham

So are you saying that CMSs are hardcore? Is that what you're saying? You.

Bronwen Aker

Two points. No. They're not. But when when you install WordPress or or some other framework or Drupal well, other than Drupal, you're supposed to maintain the integrity of those certain core files. But it's the same thing. You don't wanna go tweaking your DLLs in a way

Corey Ham

I tweak on DLLs every weekend when no

Bronwen Aker

one's working. But you're a hacker. You're not just a normal web developer, but the problem is with Drupal, you have to hack the core. So there are lots and lots of installations of Drupal that not only won't get patched, but if they do get patched, the poor people patching them have to reverse engineer what changes they made to core files and figure out how to apply those changes after they update the core.

Corey Ham

Alright, Bronwen. You get 10,000 bonus points for figuring out how to legitimately say hack the core and make us sound like we're in a hacker movie.

Wade Wells

Hack the core.

Story # 6 - Microsoft rejects critical Azure vulnerability report, no CVE issued

Corey Ham

So what's this? Has anyone seen this Azure vulnerability that they rejected, I guess? Has anyone had a chance to look at this? This is from May 16, so a little bit older, but

Bronwen Aker

Oh, you moved on to

Hayden Covington

another story. Got it.

Corey Ham

New story. Yeah. Basically, a security researcher named Justin O'Leary discovered a security flaw in March and reported it to Microsoft. MSRC rejected the report. And then basically, he went to CERT and CERT said, no. We're gonna assign a vulnerability for this. And then I guess they were like, hey. Never mind. You should probably close this. But basically, this is an Azure Backup vulnerability, where trusted access is granted and backup clusters have admin privileges for some reason.

So yeah, I guess this is like Microsoft says this is a feature is the basically the summary of this.

Hayden Covington

Okay, I do remember reading about that one now.

Corey Ham

Is it basically Microsoft's official statement was, this is not a security vulnerability, but expected behavior. It requires pre existing admin privileges within the customer environment. So no product changes were necessary and no CVSS or CVE was issued. But also they fixed it.

Hayden Covington

Well, they

Wade Wells

Well, everything else says

Hayden Covington

that they originally also told MITRE part of the problem was, like, it looks AI generated. So, like, they're like, yeah. We don't want your slop CVEs, but we will go fix the problem. Don't worry.

Corey Ham

So, yes, this is just, from my perspective, this is how you get things like BlueHammer and the BitLocker vulnerability. Like, we're in a spot right now where I told a customer last week, they could just get local admin on their laptop because of Microsoft. And that's just the way it is. And I think this is the bed that they made for themselves by doing stuff like this. To basically be like, this isn't a real vulnerability.

By the way, go fix that, like, right now, please. But, yeah, you don't get a CVE. We can't even give you a T-shirt. But, yeah, sucks to suck. I don't... this is really lame. I feel bad for the researcher. Kevin, we'll send you a free T-shirt. Where do we send it? Just tell us.

Wade Wells

Did you guys talk about the researcher who got banned from GitHub?

Story # 7 - GitHub bans vindictive security researcher dropping Windows zero-days: “I will make sure your bones are shattered”

Corey Ham

No. Please tell us about the researcher who got banned from GitHub.

Wade Wells

Alright. So recently, a researcher who has been releasing Microsoft vulnerabilities got banned from GitHub. So GitHub has terminated the account of Nightmare Eclipse, an anonymous rogue security researcher known for dropping critical unpatched Windows vulnerabilities since

Corey Ham

Oh, yeah. We talked about this. Did we? We talked about this. Oh, no.

Wade Wells

Did we? This guy this is just We This was this week. This was last week.

Corey Ham

Okay. We talked about the

Wade Wells

The vulns he released.

Corey Ham

The vulns they released. Okay. So But Did they reinstate it yet?

Wade Wells

Not that Or is it GitHub kicked him off.

Corey Ham

Yeah. Is it gone gone? This is basically, they blocked the yellow key exploit.

Wade Wells

Yep. Yeah. His repo is gone. 404 error.

Hayden Covington

Well, it's on GitHub to GitLab now.

Wade Wells

He moved to GitLab. Yeah. Yeah.

Hayden Covington

Yeah. Okay.

Corey Ham

So, basically I mean, honestly, though

Hayden Covington

threatening Microsoft. What the... it says moved to GitLab, and then they're now threatening to release unspecified documents, telling Microsoft to mark this date, July 14. That's crazy.

Corey Ham

Woah. I yeah. It's like

Hayden Covington

I mean, I gotta say your bones are shattered that day. Okay? I guess they didn't like losing all their git commit history and everything. Jeez.

Corey Ham

Is it actually live on GitLab either? Or did it also go down there?

Hayden Covington

That's what this article says.

Corey Ham

This deadeclipse.blogspot doesn't seem to have any repos on it. I don't know. But either way, this is basically a great case study in how you should not handle public relations with vulnerability researchers. Especially because Yeah. I mean, you're basically the other funny thing about Microsoft is they're part of the Glasswing Mythos, like, cool kids club.

So, like Yeah. Maybe they're trying to just race to the bottom and fix all this stuff before researchers do. I don't know. I feel like they're gonna lose. We already have a BitLocker zero-day or whatever you wanna call it, N-day in the wild that's still working as long as you don't have a PIN on your TPM or whatever. I don't know. This feels like a dangerous game for Microsoft to be playing right now.

Wade Wells

The GitLabs are 404. Yeah. I

Story # 8a - A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale

Hayden Covington

found out.

Bronwen Aker

Since we're talking about GitHub, do we wanna talk about TeamPCP?

Corey Ham

Love PCP. I've got a gallon of it right here.

Bronwen Aker

TeamPCP.

Corey Ham

Yeah. I didn't see that article. Let's run through it.

Bronwen Aker

It's hold on a second. Let me share it on

Hayden Covington

So so with GitHub getting compromised?

Bronwen Aker

It's them basically, TeamPCP is actively poisoning open source code.

Hayden Covington

Oh, that one. Oh, yeah. They're still doing that. They've not gotten bored of it.

Bronwen Aker

I mean, it's I think it's been going on for a long time, and, it certainly seems like the type of thing that would be an obvious thing for a group of malicious hackers to do. But Wired seems to think that it's an unusual happenstance.

Corey Ham

I mean, I think it's unusual the level of access they've gotten to from GitHub or, like, within GitHub. Like, that's pretty sketchy. It seems like they've actually compromised... didn't they compromise, like, some of the internal GitHub code as well, not just open source projects?

Bronwen Aker

Was it can't have a wire rule. Let me have a free article.

Hayden Covington

I don't know if they ever talked about who actually breached GitHub. I think it was last week some GitHub did release that they had internal repositories sort of accessed in some way and stolen. I heard it

Corey Ham

was TeamPCP. I mean, there are some articles out there corroborating that. I don't know if

Hayden Covington

that's gonna shock me, man.

Story # 8b - TeamPCP breached GitHub’s internal codebase via poisoned VS Code extension

Corey Ham

I'll paste the article I found. It's on Help Net Security, basically claiming that TeamPCP were the ones who breached GitHub's internal code base through a poisoned VS Code extension. Oh. Yes. Which is just hilarious. That's right. Yeah. How is that seriously the entry vector for this? Like, you work at GitHub and you're just installing random extensions on VS Code. How is that possible? Yeah.

You don't have a license? Like, you don't have a license? I don't know. Whatever.

Hayden Covington

We need to talk about Just friendly reminder, if you're gonna download an extension, you better be sure where it's coming from.

Wade Wells

How how often do you see logs for that situation, Hayden?

Hayden Covington

Of, like, VS Code extensions? Oh my gosh. We get so many logs of VS Code. It's crazy.

Wade Wells

Really? I don't think I've ever been at a location that is logging VS Code.

Hayden Covington

Well, we get alerts quite frequently from the SOC team as we work on rules because our detections are all as code, and so we're working with code detections, which are technically hitting against the raw detections because they have some of those same matching strings and indicators. So every so often, it'll be like, yep, guys. I'm doing all 14 of these terrible things. Just go ahead and allow this to happen. Please don't isolate me.

Corey Ham

Dangerously skip permissions. It's fine.

Hayden Covington

Yeah. Yeah. Right?

Corey Ham

I mean, that's what Seraph said in Discord, basically. Like, it probably was Claude or Copilot that installed the extension, not the actual user themselves.

Hayden Covington

Oh, no.

Corey Ham

Apparently, it was a pretty well known extension, Nx Console, which I don't know what that is. It better be good. What is it? What does it actually do? This better be related to Vim.

Wade Wells

It's a plug-in for Notepad++.

Corey Ham

Is it really?

Wade Wells

No. I'm just What is it? That's more a callback to you making me uninstall Notepad++ everywhere.

Hayden Covington

Oh, yeah.

Corey Ham

Tragic. It enhances... okay. Nx Console enhances your editor's AI features by providing relevant context to large language models powering VS Code and Cursor. Automatic CTA by your workspace infrastructure generators and feed it up to date Nx docs.

Hayden Covington

So this is probably the Microsoft employee needed to, like, juice up Copilot inside of VS Code.

Corey Ham

It probably is part of, like, their internal KBs, I would assume. Right? Like, there's no way someone just decided I don't know. Maybe they I

Hayden Covington

don't know, man. I don't know.

Corey Ham

I mean, let this be a reminder to everyone who's listening to this. If you don't already have an allow list for your browser extensions and your VS Code extensions, you should work on that. Although honestly, in this case, this is a supply chain thing. So even if you do have an allow list, this still could have hit you. And 2,200,000 installs is a lot. That's kind of a lucky or unlucky timing thing.

Hayden Covington

Yeah. I've seen a lot of people just say at this point, you need to fork all your dependencies and just pin them. Don't ever update anything.

Corey Ham

Yeah. Speaking of vulnerable routers, UniFi or Ubiquiti also patched three max severity vulnerabilities, unauthorized changes to targeted systems and improper access control, prompt command injection, network access, and then another command injection one. So basically the router bleeding is never gonna stop bleeding. Like, if you have a router

Story # 10 - Ubiquiti patches three max severity UniFi OS vulnerabilities

Hayden Covington

Is that my router updated this weekend? Probably. I guess.

Corey Ham

If you have a router, you need to make sure it's either automatically updating or that you're manually updating it because this is gonna be just such a common theme this year is just See, I said vulnerability after vulnerability.

Bronwen Aker

Task reminders to check to make sure that stuff is updated at least once a month. Is this just I just

Hayden Covington

make it automatic. I would forget.

Corey Ham

Yeah. Yeah. Was gonna say automatic is the best. But yeah.

Wade Wells

Every morning at 2AM, my Ubiquiti goes down and comes back up.

Corey Ham

Yeah.

Wade Wells

Me off video games several times because I forgot about it.

Corey Ham

I will say, though. I will say so.

Hayden Covington

2AM. So

Corey Ham

Yeah. Also, why are you gaming at 2AM? Get it together. Wait.

Wade Wells

Oh, I'm sorry. The only time my children are sleeping.

Corey Ham

Dude, kids go to bed at, like, 6PM, dude. Don't lie. Oh, no.

Bronwen Aker

No. That yeah. That's then

Wade Wells

you then you have to recover after that. That's the

Hayden Covington

The worst worst in your room is that

Wade Wells

one right behind me. So if I click clack on the mechanical keyboard Throwing

Corey Ham

frag grenades.

Wade Wells

Yeah. He gets pissed off.

Corey Ham

He tells me. He's like, dad,

Wade Wells

stop playing video games. No. I

Corey Ham

love that your kid would be telling you to stop playing video games. This would be the ultimate, like, reverse card Uno moment.

Hayden Covington

Yeah.

Corey Ham

But, yeah, I think Bronwen's tip is good because, like, there are scenarios where repos will break. Recently, if you're a Plex person, they had to change some repo keys. And so their auto updates broke. So you had to manually update your repo or whatever. So, like, it's good to check. I agree with auto update being the absolute best, but it's also good to verify every month or so that, like, is it working? Do you have to switch your repos, or, you know, is everything good?

Bronwen Aker

And I actually do have it set on auto update, but, you know, paranoia is a survival skill in this industry.

Corey Ham

It's true. It's very true. Any chance What else?

Story # 11 - Pizza Hut's AI system caused 'cascading' problems and $100M in damages, franchisee alleges in new suit

Bronwen Aker

Speaking of supply chain attacks, we wanna talk about Pizza Hut. I was trying to

Corey Ham

read that one. Hit us with some pizza. Let's go to the buffet.

Hayden Covington

It seems

Wade Wells

like people gamed the AI in order to cherry pick the deliveries that they want that provided the most tips so they would make more money, which then caused wait times to go out the wazoo. Okay. Hold on. They're saying

Corey Ham

it caused a $100,000,000 in damages.

Wade Wells

This dude owns eleven Pizza Huts. So now that's

Corey Ham

that's Eleven pizza? That's like, dude, how many pizzas is that? That's gotta be, like, a freaking

Wade Wells

guy was rocked. He owns a hundred and eleven. A hundred and eleven Pizza Huts. Jeez.

Corey Ham

So he's claiming almost a million dollars in damages per Pizza Hut?

Hayden Covington

Dude, it is like, can't out pizza

Wade Wells

the hut.

Hayden Covington

So wait. Yeah.

Alethe Denis

Because if it's over thirty minutes, it's free. And he's saying that before this, it was 90% of everything was delivered on time. But after they implemented this, everything went to heck.

Corey Ham

Dragontail.

Alethe Denis

So he's giving away free pizzas, essentially.

Corey Ham

Okay. So this is this is a lawsuit between Pizza Hut, like the corporate entity, and a large franchisee. Right? He's basically saying, you made me adopt this AI thing that I don't like, and then it cost me a lot of money, basically.

Hayden Covington

Seems fair.

Alethe Denis

You know what it is? It's the drivers are waiting for additional deliveries. They're not just taking the first one that's ready.

Corey Ham

Okay.

Alethe Denis

And so they're trying to do multiple.

Corey Ham

It's like batching. They're trying

Wade Wells

to

Corey Ham

Yeah, it's starting in

Hayden Covington

an Uber.

Corey Ham

Isn't it also called drag in the old

Bronwen Aker

days with pizza pizzas when you ordered pizza?

Alethe Denis

They would only deliver like multiple orders if they were on the same street or whatever. I mean, if you think back, I like saw a meme of this over the weekend. But if you think that these people were navigating with paper maps, taking a phone call, making a pizza and getting it to your door within thirty minutes, and they implemented this AI and it completely messed everything up when we're like literally missing GPS and like online ordering. I don't understand. But it must have just been, holding drivers from leaving for it said fifteen minutes or more.

So

Hayden Covington

That has to be some, like, inflated number where they're like, yeah.

Corey Ham

We we've suffered this reputational damage

Alethe Denis

and stuff. Not fact. This is what they're claiming.

Bronwen Aker

No. It's not. It alleges that Pizza Hut failed to adequately train operators on the system.

Corey Ham

So, basically, the courts will

Hayden Covington

decide have reputational damage? Like, what is everybody's overall opinion of Pizza Hut? Like, are you if you're going to get pizza, is that your first choice? Definitely. Me?

Alethe Denis

No. Not generally. Not currently. But I've heard that they are refurbishing the current Pizza Hut design to make it look more like the nineties family friendly

Bronwen Aker

selling heard that on YouTube.

Alethe Denis

One Pizza Hut owner so down for that.

Bronwen Aker

Who was updating his who was retrofitting retro pundit and fitting Yeah.

Corey Ham

His Retro his franchises

Bronwen Aker

himself. But I think that's a different guy.

Corey Ham

Yeah. Okay. I mean, either way, that wouldn't be my first pick, but I wouldn't push back. If my friends if it was, like, let's get pizza, we're all drunk, that would be I'd be

Wade Wells

like, fine. Like, it

Corey Ham

would Honestly couldn't be sober pizza. It would never be sober pizza, but it could be drunk pizza.

Wade Wells

If I got a free pizza because it came and didn't come in thirty minutes, I would order all of my pizzas from there hoping that I get another free one. It's

Corey Ham

That's basically what they're claiming happened. Yeah. So the other thing is it's called Dragon Tails, which if you're a nineties kid, I mean, that should hit somewhere for you. Yeah. That's a thing. I mean, I think the courts will decide and the verdict better be delivered in whether you can or cannot out pizza the hut, basically.

Alethe Denis

Yeah, essentially. True or false.

Corey Ham

That's funny. I mean, honestly, it's a cautionary tale for, like, the companies forcing AI rollouts like this. People don't like AI being pushed down their throats. Like, whether it's the pizza delivery drivers, the franchise owners, the consumers. If you're gonna do the AI thing, you gotta do it right. You can't mess this up. You get one shot, and then you're screwed.

Hayden Covington

Yeah. And you gotta deploy it to, like, a couple stores first because people are gonna figure out that system right away. Like, if somebody if it controls someone's livelihood, they're gonna find the way to maximize that pretty quickly. So instead of doing, you know, 111 stores or whatever it was of just one dude, maybe do a phased rollout. Maybe be a little careful with it.

Maybe keep an eye on it and see if all of a sudden all these orders are late. Like, it just seems like an operational mishap of, hey. We need better AI adoption, and we're not meeting this quarter's goal on AI adoption, so let's just send it.

Corey Ham

So, basically, the good, like, rule of thumb if you're rolling out an AI system is that a bunch of stoned pizza delivery people can figure out the gaps and exploit them. You didn't get a very good pen test.

Wade Wells

That Pretty

Alethe Denis

and like, I think customer service 101 is that the customer always lies. I mean,

Wade Wells

the customer always lies.

Bronwen Aker

Well, that

Wade Wells

is why

Bronwen Aker

it's pretty The customer is always right. They may be deaf, dumb, blind, or

Alethe Denis

long tethered. The customer always lies.

Bronwen Aker

But they're always right.

Corey Ham

I love that being the first rule of what

Alethe Denis

is for their own benefit. Like everybody's going to put themselves first. When you as an employer hire contractors, they don't see themselves as part of your team. They see themselves as a separate entity. So if they can take advantage of a system, they're going to.

Corey Ham

Very true. If you're in Germany, I have bad news. There was a huge amount of data leaked from a German healthcare hospital or I guess several hospitals. The article is in German, so I can't read it, but I'm just gonna read the summary. And basically data was stolen from UniMed.

Story # 12 - Data Leak at German Hospital

I'm assuming is how you pronounce that, which handles billing for the hospitals, names, date of birth, address details, and also contains billing data, which includes information about diagnoses and treatment plans. I don't know what the German like HIPAA is. I'm assuming it has like a 17,000 letter long consonant name. I'm curious. I'm assuming their regulations are stricter than ours, but I don't I genuinely don't know what the repercussions of this is, but that that is rough.

Wade Wells

See the article under that one?

Corey Ham

Yeah. We're gonna skip that.

Wade Wells

What?

Corey Ham

I'm not wading through those logs. So okay. This one's interesting. Microsoft shut down an illegal code signing operation. Interesting.

Story # 13 - Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware

Why wasn't I running an illegal code signing operation?

Wade Wells

I thought that was you.

Corey Ham

So basically, this is a cybercrime service that sold code signing certificates to ransomware gangs, which can help with bypassing controls and defenses. They're calling it Fox Tempest, which has been around since about a year ago and abuses their artifact signing code service. I'm wondering whether these are, like, are they using shell corps or are they actually just stealing the code signing certificates? It looks like they're using shell corps because it says they use fake identities and impersonated real organizations. So they're basically just signing up for an account and being like, hey, what's up?

It's Pizza Hut. I need a code signing certificate. Don't ask why. And then there's not enough KYC to actually validate that. I don't know. But either way, it's an interesting one.

Wade Wells

I was just doing intel research around certs, right, for my actual class that we'll talk about later, I guess. But crt.sh has been down for like the past month. The last month trying to get to it and to build some labs off of it, and it just kept going down. If you don't know what crt.sh is, it's pretty much every public

Corey Ham

certificate transparency log.

Wade Wells

Ever. Right? So then you can go there and theoretically trace back one of these malicious certs back to Microsoft and their poor signing capabilities. But you could also look if they're using the same names or if they're using the same company names. You could then go look around for the same certs. But, of course, like, I knew the moment I talked about this online, it was gonna work, and it did. Okay. There it goes. 502 gateway. I got in once.

Corey Ham

I think you're just rate limited, man.

Wade Wells

I haven't been hitting it that much. Like

Corey Ham

It doesn't like you.

Wade Wells

They have it on GitHub. I'm like, maybe I should just stand up my own. Like

Corey Ham

I will say there are a lot of other sources for certificate transparency data, and crt.sh is just one. And you should have an official if you rely on this kind of data, you should have a paid API that gives you access to the certificate transparency data. Hey. Most of the big ones have it, like, you know, your SecurityTrails or Censys or Shodan or those. But yeah. Anyway, that's a fun little cybercrime operation disrupted. There's no chicken news.

Story # 14 - Chicken News

Bronwen Aker

I'm sorry. Story. It's not a

Corey Ham

cyber security

Bronwen Aker

chicken story. I But it is a chicken story.

Hayden Covington

Okay. I also have a normal article whenever Hey. That's with the chicken. Chickens. Rubber chicken. Go.

Bronwen Aker

So a chicken escaped a poultry factory and is now living the life of Riley. It's been rescued. This person on Reddit is in East Williamsburg and said that a chicken escaped a local poultry factory and is now just enjoying its nice and easy life living in the bathtub.

Wade Wells

For those listeners and that are listening to us and not with a visual podcast, we're looking at a chicken on the side of the street hiding behind some containers. It definitely doesn't look like a normal chicken. It is black, which do someone who is more chicken informed than me. Like, what that is not a typical American chicken. And why is it in the bathroom in pink light?

Alethe Denis

Have you never gone to, like,

Wade Wells

a Kelly's barracks? Alethe has it. Come on. Come on. What kind

Corey Ham

of chicken is place? Worried about this person's bathroom? Bathroom? Like, what is the lighting in their bathroom?

Alethe Denis

That's scary. I don't think we should

Corey Ham

be I showing feel

Hayden Covington

mood lighting.

Wade Wells

What? It's okay.

Corey Ham

So Alethe already nailed the first rule of retail, which is that the customer's always lying. I think that the first rule of Reddit

Bronwen Aker

Not lying.

Corey Ham

I think the first rule of Reddit is the same rule, that the poster, the OP, is always lying.

Wade Wells

Always lying. You never go look at their let's go look at their history. Okay. Their posts are open.

Hayden Covington

You probably don't wanna do that.

Wade Wells

It didn't give me an SFW flag, so that's how we know it's okay. This is

Hayden Covington

more Reddit coded than me, I guess.

Bronwen Aker

I don't Like I said, it's not cybersecurity related, but it is a chicken story, and the chicken is free.

Corey Ham

Alright. I mean, yeah. Let's move on, but I think you could spend fifteen seconds debunking this. It also appears to be a rooster. Why would there be a rooster? Anyway, let's move on.

Story # 15 - New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released

Hayden Covington

So my story, I put it in the Zoom chat. It's just a BleepingComputer article. It's the first article I could find on this. And this is half story, half, like, wild tinfoil hat hypothesis. Right?

So it started for us about Friday in the Black Hills SOC as we started getting a ridiculous amount of alerts for customers for all sorts of, like, terrible things. And so this is, like, several spanning different customers, and we're like, oh, that's not good. But we quickly figured out this is just their Nessus scanners. Why all of a sudden are they, like, firing off the hook? Come to find out, there's some Nessus plug-in for the exploit PoC for MiniPlasma.

So that's what the article is on. It's a privilege escalation zero-day. Supposedly, it's just a, like, resurrection of an older vulnerability from 2020. But from what I've gathered, Nessus has started scanning with us as part of their standard scans, as one does. But I found a thread specifically from CrowdStrike where one of their sort of, I guess, internal people posted a support article about this saying that, evidently, Nessus decided to start running this PoC code, like, exploit code live on machines to test if it's vulnerable.

Story # 15b - Might someone pass along that Crowdstrike and Nessus are having a moment?

And so I guess all of our customer fleets started running this code, sending our alerts into a spiral. So we had a few customers that were talking to us and asking, what is going on here? We're trying to explain this to them. We had one that said their EDR was, like, driving them nuts that it triggered, I don't know, I think they said, like, somewhere around 20,000 alerts from this EDR

Corey Ham

from these scans.

Hayden Covington

I think I got a call at, like, 4AM on Sunday from one of our guys asking, like, what are we supposed to do about this? Because it's just messing scanners, and it's

Corey Ham

just blowing everything up. You're just sitting there watching 20,000 alerts roll and be like, that should be normal, baby.

Wade Wells

Right. That's normal. In a SOC, that is totally normal. Like, everything breaking and 50,000 alerts coming in, like, I don't know how many times that's happened to me.

Hayden Covington

It shouldn't be normal, but it is. But this time, it was like oh, man. It was immensely frustrating. And we, like, we held off the rush after a little bit because we have, like, intelligent risk scoring on our rules. So after a while, they started to recognize that, like, this is not actually real malicious activity.

This is simulated malicious activity. So it eventually slowed down a bit, but there was a good while there where we're all like, like, what is going on until we found out, like, ah, this very exciting plug-in here is causing a lot of problems. So if your EDR is firing off the hook, you might wanna look into your Nessus scans.

Corey Ham

Yeah. I mean, that's crazy. How long has it been since there was an exploitable vulnerability like this? Like, since we had EDR? Like, I'm confused. Wouldn't this happen anytime there's a local privesc or something in Windows? Like or is it just that this specifically hits on some signature?

Hayden Covington

What changed or what happened that was different.

Corey Ham

It also could be that CrowdStrike beat them to the punch. You know what I mean? Like, they developed an alert for this before the scanner plug in was developed.

Hayden Covington

It also wasn't just CrowdStrike.

Wade Wells

Was, like, two or

Hayden Covington

different EDRs.

Wade Wells

Then it's not a scan.

Hayden Covington

They're actually running the what it was.

Wade Wells

That's why.

Hayden Covington

Right. So we had it was CrowdStrike, SentinelOne, and Defender, like, all were really angry. At least those three were ticked off about that mess. And so all three were firing off the hook like crazy. Interesting. So that was interesting. I still am very curious. So, Wade, you said it's because they were just running effectively the raw code. They weren't That's what it's saying. Yeah.

Corey Ham

Was, but it's TLDR.

Wade Wells

Yeah. Tenable Nessus decided that actually running an exploit PoC of MiniPlasma against its hosts is the best way to test if it's vulnerable. So

Hayden Covington

And it's like when they started spamming JNDI, like, Log4Shell strings against everything.

Wade Wells

Like, one of the top tunes you do right off the bat, though, right, is you say Is Nessus. Everything the Nessus user does. So that's, like, number one. And then, it does crazy stuff.

Corey Ham

Are you saying we have to tune the EDR? Is that similar to changing my router settings?

Wade Wells

Right. Very similar. You don't just any any. You deny that.

Corey Ham

I always end my firewall rules with an allow all just in case someone wants to get to something.

Hayden Covington

Well, it's just like with EDRs. Like, if you have the insert vendor name here, then it's the perfect one, and you'll never get hacked. And so we will take bids for which vendor name we actually insert in there and post. So we'll start that bidding. Just go ahead, email. Corey, what's your email again for Blackhills?

Corey Ham

It's Hayden@BlackhillsInfosec.com.

Hayden Covington

Hot. Damn. He got me.

Wade Wells

Jay Strand? Is that what it was? No. Jay Strand. Strand dance.

Corey Ham

It does sound cool enough to have a first name email.

Wade Wells

No. No. Well, the Jay Strand, it's a it's a it's a canary email, people who aren't sure.

Corey Ham

It's our marketing email, J Strand.

Hayden Covington

We had someone send a really nasty email, a vendor that we had contacted to do some work. They we didn't respond to them quick enough, so they just found John's email and emailed him directly. So I got into and and basically told him, like, hey. Your team is not responding to this fast enough. Here's everything our product does. So I went and domain blocked that entire company, and John thought that was hilarious. Just they're just they're just totally, like, blacklisted now in our

Wade Wells

Is that a very aggressive EDR company that we all know about?

Hayden Covington

No. It was a it was a different company. I'll tell you afterwards.

Corey Ham

I think I know which one you're talking about, Wade. Is it the one that always offers you a Yeti mug? I'm like, dude, I have a Yeti mug. I'm not

Wade Wells

I got so many Yetis. Like, you gotta get me something really good now to

Corey Ham

I'm not gonna click the fish

Wade Wells

for Yeti whale

Bronwen Aker

on my

Corey Ham

sand mugs. Okay. Now if you start phishing me offering a DGX Spark, I'm gonna click that shit in a heartbeat. I'm I'm not clicking for a Yeti.

Wade Wells

I got an Oculus Quest once.

Corey Ham

You actually got it, or you got this?

Wade Wells

Yeah. It's behind me. There's a Proofpoint Oculus Quest behind me right now if anybody wants it. It's it's cool.

Corey Ham

But you sold your soul for an Oculus Quest. Alright. This week in security. Yeah. Dude, I sold

Hayden Covington

myself for my soul for a Chipotle bowl, man. I think

Wade Wells

this was, like, 2020. I think it was, like, 2020 that I got that. Yeah. Like, I was stuck inside. Come on. It's a VR headset. Like, I was like, you know what? I just gotta listen to a sales pitch.

Hayden Covington

Like, see

Bronwen Aker

In 2020, come on. We were still in full COVID lockdown. Of course.

Hayden Covington

They had the blood saver though. Yeah. But I'm

Wade Wells

gonna tell you right now. Star Wars flight games with a headset was amazing, and I thoroughly puked.

Hayden Covington

Oh, dude.

Wade Wells

Like, I I I was like, I can fly a tie an x wing. No problem. No. Dude, it was not a half

Corey Ham

ass puke. It was a thorough puke.

Bronwen Aker

This poster

Wade Wells

this poster right here is because I threw a grenade in Half-Life: Alyx and

Hayden Covington

punched hole in your door?

Wade Wells

Punched the wall. Like

Hayden Covington

Oh, that that game's terrifying in VR. Been bigger room.

Wade Wells

I didn't have anywhere to play. You know?

Hayden Covington

Where's this Phasmophobia in VR? I don't know if you've played that game, but it's like a ghost type game. I'm good.

Wade Wells

I'm good.

Hayden Covington

It's horrifying. It was not a good experience. I did one round of that in VR. I was like, nope. I'm done. I'm I'm good without this.

Bronwen Aker

I I'm not a fan of horror video games, and if it has zombies, I am out. So I can't imagine doing that in VR.

Corey Ham

Alright. So based on yeah. Now that it's almost the end of the show, so let's have everyone plug your stuff. Who wants to go Wade, do wanna go first? You're on

Wade Wells

the screen. I'll go first. I'm here. So I am giving a threat intelligence class in one month. It's my Threat Intel 101 class, it's now two days. It has a lot more. I think there's 13 labs in it now. And we talk about everything about getting into intel, the roles that you'll have, dark web stuff now. I have some an OSINT class. Surprisingly, the OSINT class was really hard for me to write just because I wasn't sure how to scope it.

Right? Like, if you're doing CTI, you you're not gonna be really looking at people. But, anyways, it's it's fun. Come check it out. I'll be on Simply Cyber talking about it later this week too.

Corey Ham

Sweet. Alethe, you got some stuff?

Alethe Denis

Yep. I have one thing coming up quick. This Friday, May 29, starting at 12PM Eastern. So 9AM Pacific, if I'm doing the math correctly. That workshop is four hours. It's on social engineering and creating pressure proof pretext for primarily physical engagements, but can go outside of that as well. So that is pay what you can or $25 and open enrollment ends soon.

Hayden Covington

Awesome. And then Wade's class is also part of the threat hunting summit, which is gonna be, June 17, and then there will be classes that follow it. There's gonna be lots of very cool talks, lots of trainings that follow it, a lot of very interesting talks like how AI agents solve threat hunting's biggest problems. We experiment a lot with how when you augment human based, you know, threat hunting with with AI to scope these things out for you, make them a bit easier just to find sources. The keynote specifically is Jason Haddix looks like.

So that one will be be one to be around for. And then there's a pretty sick panel with a bunch of sort of IR legends. You got our our own Patterson and Troy on there as well, so that'll be a pretty awesome one too. Just had to

Corey Ham

do it. I love

Hayden Covington

a good deal. Landmines, insurance, and incident response.

Corey Ham

Wow. Landmines. Sign me up. Yeah. Alrighty. Well, I think that's everything. Any final article that you're around on Thursday. Oh, yeah. Bronwen, you have a webcast. Right?

Bronwen Aker

Why do I feel like the redheaded stepchild today? No. Yeah. Thursday, I'm doing the Paranoid Prompter. It's gonna be talking about using AI, specifically targeting use cases and examples for cybersecurity. And we're we're gonna touch on a lot of different things. So talking about some of the liability issues, going into some practical use cases, and lots of ways to stack your prompts and build a library that will help you go further, farther, faster.

Corey Ham

Paranoid Prompter is so good. That's such a fun like, I love that. That's amazing.

Wade Wells

With alliteration.

Corey Ham

Yeah. That's awesome.

Alethe Denis

Alright. That's my favorite.

Corey Ham

Else has anything to plug. Right? I don't have

Hayden Covington

anything your we gotta start plugging your Strava, Corey.

Corey Ham

You guys if you've if you've ever seen a private you've ever seen a private Strava that no one else can access unless you're someone I personally know in real life, you should definitely follow me on Strava. Alright. That's all I have to plug. Yeah. Have a good week, everyone. Short See you next Monday. Bye bye.

Bronwen Aker

Kill it with fire, Meagan.

Wade Wells

So hot in this room.

Corey Ham

Dying. Wade held it in camera.

Transcript source: Provided by creator in RSS feed.