¶ PreShow Banter™ — Token CTFs
Talk about John's nudes till like twenty minutes in. This is Yeah.
We're ahead of schedule.
Don't
No. We haven't captured the flag, which is how fast can we get demonetized every show?
By the way, did you see that article about CTFs and bug bounty programs?
Yeah.
They're fucking cratering everywhere.
I can the BSides San Diego CTF one and two were both won by AI.
Yeah. Oh, yeah.
And the only one they didn't get was where you won, you had to call a phone number. Yeah. And nobody told us No one told us that that literally the dude was just sitting in the middle of the room letting the AI do everything. He didn't even and they were watching him. And I'm like, why did no one come tell us or like say anything? Like, you guys let him win. I don't know what to tell you.
I was I was talking to Roman at the last, like, Tampa CTF they did. And I you know, he he totally was like, yeah. It's like, I think the last team was pure AI. They just had a bot and an agent and stuff. So, like, CTFs are it's it's a whole new world of, like, how to buy that system.
That one off the resume. But those black badges are still good. Right? That can pay for my $200 a month Claude subscription?
Yes. Yes. And then I was like, well, you could make it, like, really hard where you have to spend a lot of tokens, but then some people are just using their, like, company's tokens. Like, they don't
makes it really a bad idea. How could we embed in some of these challenges something that, like, forks the AI off to just burn a ton?
Oh, yes. We can do that, and we should.
The answer is somewhere on a Wikipedia page. You must crawl every Wikipedia page.
You must you must distill all knowledge, human knowledge from Wikipedia into one system prompt and then include that in every system prompt that you send. Why
don't just prompt inject them the whole entire way to the CTF?
Yes. A 100%.
Start, you know, hacking them and they don't even realize it. Right? They're like, holy crap.
We Just inflate the context. Every time you have a context, inflate above the maximum context size. I could see it. Yeah. Alright. Are we doing this show? Is everyone ready? Do people feel ready?
I don't even know we're live.
Ready as I guess
we're live. Let's roll
the fingers.
Let's do this. Okay. Let's go. Hi, John. How's it going? You go it. You take it. And I'm You do it.
I just like that you got put on the spot and you you really had the right pace for it, which was like,
really?
Yeah. I'll I'll I'll do it. Hello, and welcome to another edition of Black Hills Information Security talking about news, the show where we talk about the end of Western and Eastern civilization extensively, and sometimes we talk about computer security. We've got our usual cast of characters. We also have Shane. Say hi, Shane. Great to have you with us on as well. But it's been kind of a slow week in news. I don't think that there's been many new
How many zero days do you need, John? Systems. How many zero days? Listen. There's two hot spicy zero days, and you're just gonna go through a slow week? Bring it up.
Mythos must have been sleeping this week. Yeah.
¶ Story # 1: Mythos finds a curl vulnerability
Okay. So first of all, Mythos was sleeping, but it found one vulnerability in Curl. So it was, like, kinda a little bit awake. I guess we could talk about that first. Let let's start with dehyping Mythos.
The creator of curl has published this super fun blog post, basically walking through his personal process that he followed with getting access to Mythos and the results he got back. And, basically, it came down to one thing, which he didn't announce specifically what it is, but it's gonna be fixed in the next patch for curl, and it doesn't sound super concerning, at least not from his perspective.
It's weird you get this. And by the way, the article was great. And I liked how he was like, the results were meh, you know, whatever. And then you had a Firefox and Mozilla coming out, and they're basically like, it found hundreds and it was amazing. And you always say the truth is somewhere in between, but I understand that CURL is probably a smaller project, maybe tighter knit code possibly. I don't know. Curl's been
around Curl's not that big. All it does is download things. I don't understand how it would be that big.
Okay. There's a okay. But there are a couple of interesting things
those flags that really make it magical.
Here's the interesting tidbits. First of all, they have fixed. It's over a 178 lines or 7,878,000 lines of code, which is way more than I would have guessed. It's written in C, not in Rust. So you'd think it'd just be full of zero days because it's not Rust. Yeah. That's true. But it's you know, basically, there have been 188 CVEs in curl, and I don't think they've really added much in the way of features. So it's really just Sure. Yeah.
It's kind of the ideal situation for open source tools, which is you just have them burned for years and years and years, and then they become really hardened.
Well, the other thing to remember about cURL is it's kind of what Ralph said. It's downloading data, right? Like you got a bunch of options for a number of different services that you can use, but it's not actually doing protocol parsing. If you compare this to something like Wireshark is a good example, where it's doing tons of protocol parsing, that's where your vulnerability and your attack space is going to come into play with this. So and not all that surprised because it's not all that complicated.
I know that people are like, no. There's all these amazing things you can do with cURL, and I don't disagree with that, but it's not analyzing the data as it's processing looking for It's strings or
such an application. Does it have a lot of great purposes? Yes. Alright? And like, I'm not saying I don't think curl is cool. I use it all the time or whatever or wget or whatever the thing you wanna do to download stuff or or check something. But other than that though, I think, what is it? curl's got 178,000 lines of code and Firefox has 21,000,000. It's 118 times larger code base because it does so many more things.
Which, if you do the math, That's kind of in the same
space Yeah. Right?
Of the number of critical vulnerabilities that were discovered.
Yeah. The other fun Easter egg in this article is that it's installed over 20,000,000,000 times.
Oh, I'm sure. I am sure. Like, you can install any Linux distro and accidentally get curled.
It's insane. It says it runs in every smartphone, tablet, car, TV, game console, and server on earth. What a badass thing to be able to just say.
What is life?
That'd be nice.
¶ Story # 2: Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
So the other zero there's multiple zero days. Not more than I mean, I guess technically, that's not really a zero
day because there's just exploits, vulnerabilities Yeah. That didn't
But that's d I being mythos. There was also a zero day. There was a really interesting Google threat intelligence report from last week on I mean, they don't disclose what it was. I'm assuming it was like cPanel or something like that. I mean, we've seen cPanel get abused hard in the last couple weeks.
But No.
Someone coded up using Gemini or maybe not Gemini, a zero day for popular open source web admin framework panel.
cPanel. Yeah.
cPanel. It could be cPanel, phpMyAdmin. I don't know. Who knows? But basically an MFA bypass that comes from a business logic flaw.
It seems like AI is really, really good at business logic flaws and which is cool because they're kinda tricky for a human. And I don't know. It's a it's a spicy, interesting article, a really good threat intel report from Google as always. Mhmm. I also thought it was interesting, like, you know, that this you know, it wasn't again, it's like, this is what I've been harping.
Like, my clients keep asking me. It's like, you don't need Mythos to party. You you just don't. You No. You you can you can party with what we have now. You you can make you can find business logic flaws with, you know, whatever crappy model you have sitting around in your garage.
Well, Corey, this gets into the conversation that I've been having with DRock, kind of the CTO of BHIS. And the the thing that we're trying to get our head around is I believe fundamentally that in the next eight months, the price of doing anything with AI is gonna start going up. Right? You're looking at on Throttbook, you're looking at we've talked about it on the show. OpenAI, they can't continue to lose money on what they're doing.
Right? They're gonna follow the Uber model where they're going to be cheap, get everyone to use it, and then start raising the prices. So we're starting to really try to price out and continue to build what we have for infrastructure here in the office. We're moving our entire power panel. We're upgrading right now to a 400 amp circuit.
Damn. So it can support the level of servers that we need. Because we already have all of our password cracking rigs and all of that shit that we're running, but AI's gonna add another load, and then I gotta add in a bunch more cooling. And my theory is that running on prem is going to be cheaper than continuing to run this in the cloud. And anybody that's looking at this, like, I think, honestly, your AI bill is gonna double probably Oh, yeah.
By the end of this year. So we wanna get in quick, get the equipment, and this I actually webcast is not helping me with that.
I had a huge I had a huge long discussion about with AI about this, And With AI. Basically, it's it's like it's pitch is essentially so first of all, I didn't know this, but it's actually kind of interesting. Anthropic is predicting that they're gonna become profitable in 2027, which is kind of unique. OpenAI says 2030, which I feel like OpenAI's case is a lot less likely to be true than than Anthropic.
But that makes sense.
People pay for Anthropic.
But OpenAI's new user subscriptions have flatlined. Right? And Anthropic
Well, also, they they have a free product. That's like where they kinda screwed up is they competed on the basically, the the AI summary of this was essentially for people who don't pay for AI, for free users, nothing really changes. For the uber high end of AI users is where they get hurt what you're talking about applies, like the power users.
And that's where we have to start looking at it as a firm that's doing defense and offense, is what level do we need for which tasks? Because right now, if we're tracking what people are doing at BHIS, almost everybody goes to the latest, greatest, most expensive model, right? For everything. We really have to start saying, okay, what are we gonna be doing in running our own models hosted? Do we wanna get the little NVIDIA or these little boxes that they can run their own?
DGX Spark. Yeah,
sparks and getting those for the employees. Like, people are going to have to start seriously looking at what level of AI firepower do you need for what task, because you're going to have to start addressing your costs here shortly.
Answer is not
should on any- doing that anyway. We should be doing that anyway. We are. Because
We are. It's just Anthropic
is very, like, they're very enterprise focused. Like, they released last week, like, their email show. Lot of you saw it, but they're gonna start restricting what you can use your subscription for. So anything that is basically not Claude Code or Claude desktop, they're gonna give you a monthly credit to use those things for. And that seems like, oh, this is great or okay for the user until you realize like in the SOC, we use a lot of GitHub workflows and those have just been on an account.
But now, once you're gonna set that threshold of 100 or $200 a month, those all are going to hit API cost. So we had to go figure out how do we do logging on GitHub workflows? How do we measure? So we had to very quickly go determine which of these workflows cost what.
Don't need open to do that stuff.
You you don't. You don't.
Exactly. You don't. And that's like, but you you're inclined to because it's the best. And then Yeah. Like, they are very much the enterprise Like,
G to B. Wants to The B to B one. Yeah.
Exactly. The clean app. Use our platform. We'll do a good job.
The VHS versus the Betamax.
We'll give you plenty of quota.
But pulling it back to this news story. Yeah. It's just like Corey said, you don't need Mythos. No. Right now. To do the security research that people are freaking out about. Right? It's unnecessary for a lot of the different activities.
Half the time, I'm just like, hey, could you push this for me? Because I don't wanna do that.
Yeah, yeah, yeah. I would do that.
Every time I baseball.
No. That's
so Can you help me get I can't get.
Come on. How many times have I said? How many times have I said?
Oh, I was gonna get Shane's take because he's our guest, and we're all talking over him, and I'd like to get his take because he's presenting at our Threat Hunting Summit, and we're super excited to have you at our Threat Hunting Summit that's coming up June ish seventh.
Mid June. Mid June.
Yeah. June 17. We'll go with that.
Midsummer Festival.
Yeah. We're gonna dress up like Ren faire, but go ahead, Shane.
If you wanna stick to the article side, even Jensen Huang in his keynote was talking about that tokenization is going to be one of the things for new employees, you're going to get a token balance as part of your negotiation on there. That's kind of how his presence is. I like the idea. I think it's gonna come in it's gonna come local. Why not?
It's easy. It's not hard to bring a local model in on your machine. Most of the newer Macs run them without too much trouble. And then you can even use agency to run different models for different things automatically through just regular agents. You don't have to have the latest agent or latest, model to run the if you need to do parsing of a log file.
And on top of that, you got the security consequences. You don't want especially an IR and a security, you don't want that stuff being repositioned in models out there. You can have that stuff all local and you can actually triage it and keep it secure.
Yeah. And if you have a solid, like, custom agent that you can utilize for this stuff, you can, like, enforce it to delegate to the lower tier models, and that's the best way to save on costs.
Yeah. Yeah.
One of the like, a a couple of other super interesting things I learned from my deep dive was if you look at agentic chaining, like, you look at, like, okay, an agent creates a chain of tasks because of how AI works. If you chain too many tasks, no matter how good the model is, it'll fail, like, 50% of the time. So, like, in the research I was looking at, if you chain like six tasks by the sixth thing, it's like a 50% failure rate. And so it's like using a fancy model doesn't save you. You could be using a cheap model instead.
And basically, it's bet you're better off defining super specific success and failure conditions and then giving it passing it off to cheaper simpler models versus like every agent is opus and it says, do this high level task and chain as necessary to accomplish it.
¶ Story # 3: The downfall of bug bounties
I like the change of pace, but this was an interesting take for somebody that works on bug bounty programs, Shubs. And basically, they were talking about how they did a lot of bug bounty programs, and article that comes up right after this one.
¶ Story # 3: Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’
Yeah, very much.
Where these companies, like, I don't know how bug bounty programs How do you survive in the age of AI? And it's funny because some of their solution is Basically Prometheus has come down, fire is everywhere. We literally have AI security research doing things at a pretty high level that anybody with a competent level of technology capabilities can do. And what does that do to the bug bounty program space? So and I've got another take, but I wanted to get you guys' takes on that before I give my
opinion. I think this is I think this is just alarmism from bug bounty hunters being basically, it's them being like, we're not getting paid. This sucks, which is fair. Like, okay. That's fair.
Like, okay. Guess what? If you're submitting a bug bounty right now, it's not gonna get processed very quickly because there's 18,000,000 others in the queue with you. Like, it's kinda like job hunting right now. You're gonna get hit by AI, and, like, it's gonna be auto rejecting you for having a, you know, weird prompt injection in your resume or whatever.
Like, it is what it is. But if I was on the other side of bug bounty, meaning I'm paying HackerOne to get bug reports, I wanna see all those reports. I mean, I want you to triage them and tell me which ones are BS slop and which ones aren't. But I still wanna see those reports. I wanna see those vulnerabilities. Right? Like, that's not going away, is it? I don't think it is.
I don't think it's just the vulnerabilities that are ramping. Right? It's just that submissions themselves are easily created. Right?
Yeah.
Yeah. Just just the reports.
And you
and you can no longer tell with the trash reports from the good reports because the AI is writing all of them.
I think we're gonna come to that. I think Linus Torvalds has a really good solution, and we'll talk about that next, but you're you're right. So alright.
Okay. Well, that that's all I had to say.
Well, and at the risk of of pulling Cassandra, I've seeing for many months now that AI was going to accelerate and amplify all of the problems that we already had in addition to introducing new problems.
It's just
not getting old.
Yeah, tell me about it. But it You're basically is doing exactly that, and it's doing it in multiple spaces. Come on. It's doing it not only in cybersecurity with all kinds of things, but the bug bounty programs are another example. The amount of submissions has gone up. The value of the submissions has become a huge question mark, much more than it was. And yeah, the only way to churn through all of those submissions is going to be to use AI.
Open source projects have the same problem now, is they have so many PRs that they cannot go through them, and a lot of them are crap. But I'm sure there's some decent ones buried in there, but they just don't have the ability to filter through that many PRs. Reviewing one code review, like, kinda sucks because you gotta go through it and reread 2,000 lines of someone else's code, but now you have 600 in your queue because some guy pointed at it for the afternoon.
Yeah. I said, hey.
We got some excess usage. Go for it.
Basically, like, it's also really funny because in the bug bounty post, he like, the the creator sugar or whatever his name is, Shug, I don't know. He's he's very self aware where he's like, I don't like it because it breaks the ADHD loop that I rely on for bug bounty hunting. Like, yeah. Which is totally fair and honestly, like, what's the solution? Just be patient.
Just be pay like, guys, HackerOne will not go away overnight because it got AI submissions. Like, every other platform on the planet is dealing with slop. There's AI slop on Spotify. There's AI slop on YouTube. Is it like, this is everywhere. And it's not like anyone's like, oh, I can't watch YouTube anymore because it's all AI slop. Like, they figured out how to moderate and have their algorithms, and you will too.
But I want to throw this out there. I love this because it's highlighting that pentesting was never really about just finding vulnerabilities. I think that there were a lot of firms that tried to couch it in like, We're lead hackers, and we're going to hack your stuff better than any people can have their hack stuff. And really, the firms that are successful and the firms that do a good job are the firms that can take the vulnerabilities and they can communicate it effectively to the customers, not just as an Easter egg hunt of here's 400 cross site scripting vulnerabilities, but saying you have a cross site scripting issue in your development life cycle process that needs to be systematically addressed. You have a policy process procedure failing that is missing as far as, let's say, change management and vulnerability analysis.
Pen testing never was and should have never been about, I'm finding hacks. It should always be about how do we communicate vis a vis the customer, and what are we communicating with them to help them prioritize and really moving forward over the next year. And I'm going to talk about this on Thursday, compensating controls. There's going to be vulnerabilities that our customers are going to say, We cannot fix this. And your pen testing firm should be able to sit down with you and say, Okay, here's what we can put in place as a compensating control to address this vulnerability until a patch or something else comes out.
But like I said, good firms do this. And I'm going to throw a shout out to sister pen testing company, TrustedSec. We bounce customers back and forth all the time. And the reason why is because we know after we've tested someone for three years, they go to another good firm like TrustedSec or Secure Ideas or Tim over at Red Sage. There's a whole bunch of different firms that are great.
And they have that type of approach where they're not just saying, here's all the findings. Here's all the hacks. Give us money.
Yep.
Does anyone have a take another take on this? For me, it's like, they'll figure it out. Just be patient, bug bounty hunters. You're you're like, you're gonna get faster. You're gonna get paid more. It's just gonna take longer. I think the only thing to call out is temporary. In the meantime, people will get sick of waiting and they'll publish stuff. Right? Like, that's the biggest problem.
That's that's part of that
or that's if that's someone's career though, that could very well for them derail things. If your career is as a bug bounty hunter, right?
Yes, I think it's just that but going with the CTFs on going like, certainly into the CTF stuff, right? We rely on usually your GitHub or any type of repo is a more foundation for your credibility, right? Within the element, right? Yeah. So nowadays, like if even if you did do a CTF, or you write all these blog posts, and you have all this stuff in your GitHub, you could theoretically just make it all with Claude. You just have a scheduled task to make you a blog post. Yeah. Which comes
up with something. Your writing sample didn't get any better. Yeah. Looking,
if they're using their brains, then they're gonna look at how much time went past before all of these submissions were made. Because a human can only do so much in a given period of time.
Is fair. Well, that's
something else.
Agree. Look at like
I'm going to make a general prediction about AI.
Everyone, Bronwen's going to learn us stuff. Yeah.
I went through a lot of this when the web went mainstream, and I'm seeing a lot of the same patterns in terms of early adoption that just sucks ass big time, and yes, add to the cookie jar. But over time, people figure it out. And I'm looking at the patterns that I'm seeing in reading lots of stuff from lots of different industries, people who companies who fired a lot of people claiming AI, if they weren't actually just firing humans to make more money to spend on AI, and they actually thought seriously that AI could replace the humans, they're finding out the hard way. They're learning the painful lesson. No.
AI, in its current state, can only do tasks. It cannot do jobs. It cannot multitask the way that a human can. It cannot identify what the value is about a certain finding or vulnerability or issue. And God knows, it cannot make moral judgment. Yep. The thing is,
in the long run,
human output will increase in value as people see that the craft, the quality, and the insight is deeper. No AI could ever write The Left Hand of Darkness or The Sun Also Rises, And the same thing is true going forward, and it's just going to take time for us to wait out the tech bros in Silicon Valley for them to get a clue and stop shoving bad AI down all of our collective throats.
I'm out. Just know that Anthropic is like challenge accepted. The Left Hand of Darkness part two coming.
Right hand of darkness?
What? Right hand of darkness. No, I agree 110%. I do. And that gets into the webcast, and I don't want to get too much into that.
But I do want to address, we talked about it before the show, but I want to bring it up here. And this actually concerns me far more than a lot of what we've talked about, CTFs. You go to conferences and capture the flag is a big part of conferences. We love hiring people that do really good at capture the flags, and it's a great delineator between somebody who can just do a multiple guess test to hands on CTF challenges. And this scares me, right?
AI is really, really good at doing capture the flags because there's lots of capture the flags to fuel it online. And I want to get your takes. How do we deal with this to make CTFs fun and gauging the knowledge of people and not just having slop coming in all the time?
So I have a take. Ralph, you have a take? Yeah. Go ahead.
Mean, because I I thought a lot about this when I talked to Roman about, like, how to, like, hack CTFs where they weren't as easy to hack with AI, but then I just realized that, maybe the whole thing was like, your a CTF is like it it's two things. Right? It's learning skills, and it's also learning ways to maybe solve a problem that isn't known. Right? And that really gets into the, you know, the unknown piece of it. And if you can solve it with AI,
I feel like that's kind
of a valid way to attack it. Right? Totally. And so the flip side of that is how do I create a problem that is not AI resistant, but just like built to to to fight this war. You kind of like saying like, you can't have AI, but in your business, you're totally gonna need AI. So like, where where do we go at?
It would be unrealistic to say no AI. That's not a real option. Yeah. Okay. So I totally agree. And here's my take. I'm curious if people agree or disagree with this. I think the concept of banning AI or having an AI free CTF is pointless. At that point, CTFs are completely diverging from reality. If we're looking at, like, I'm looking at my team of 12 pen testers, they aren't doing things differently.
They're just more efficient and beasts with AI. Right? Like AI will AI isn't making us it's not making our jobs easier. It's making our jobs harder because we're finding more things and we're being more thorough and we're digging in deeper than we would have before. Last week, I had an AI bypass a WAF. I'm not doing that. I don't know how to freaking bypass a WAF. It's like things like that. I would have just given up and AI is gonna go deeper. I think CTFs are just gonna have to get harder.
That's basically what it comes down to. CTFs have to get hard enough that if you're using Claude skills, they aren't just easy mode. Like, that's basically what it comes down to. I do also think and like, environments have to get more complex. Chains have to get deeper.
Like, it's kinda, you know, use AI to build the challenges and they'll get harder. I also do think there are some really fun ways to think about how you could make an AI resistant challenge, and there are some ways that LLMs think that is inherently broken, and you can exploit that to make a challenge that a human could easily solve and then an AI would never get. And I think that's a fun I'm not saying that should be the entire challenge, but I think it's a really fun concept of like, some of the challenges are just pen testy hackery bits that AI can rip through, but they're really hard. Basically impossible without AI. And then also having some super simple, like, you know, an example is linear thinking.
So like, if you ask Claude, okay, I have a shirt in the on my, I I have a shirt outside that's gonna dry in one hour. If I add nine more shirts, how long will it dry? And it will think it's 10 times longer because it's 10 more shirts. It's this still an hour because it's nonlinear. Right. AI doesn't think in that way. And so it's a fun concept of like how you could design a challenge that's not that's resistant to LLM style thinking.
So You could also make a a challenge that involves analog clock faces. They still suck at that.
I want to put another alternative on the table, and I want you guys to think of it in terms of chess. Chess, by and large, has been pretty well solved by Stockfish. I mean, there's still room for improvement, but Stockfish is an open source chess engine that literally will beat Magnus, like the world's Yeah. Like the best chess player we've seen in history. It will beat him pretty regularly.
Right? But because we have Stockfish, doesn't mean that competitions like chess.com and speed chess challenges, all of a sudden are not How do I put this? There's more people playing chess now than ever before. And there's more competitions, there's more interest in chess. And the use of Stockfish at chess.com and Chesley and all these things has actually greatly improved the capabilities of human beings in playing chess.
And if you're a CTF organization, I want to put this out there as a thought. One of the things they do whenever they play chess competitions is they watch what you're doing on your chess game, and they can look at what you're doing. And if your move is always the top rated move from Stockfish, they detect that as cheating or even in the top three, and then they'll flag it. If you're not a grandmaster, they will investigate you and they will ban you for life. So one of the things that I've been playing with as a CTF challenge system going forward with Meta CTF is we don't let people use their computers to do the CTF.
They log into Meta CTF, they use Guacamole, that video section is forked and they're going through, and I'm not streaming their system. I'm not sniffing their packets. They're just going into a Guacamole instance in Amazon, and they're able to do the CTF only through that environment, through a Windows system and a Linux system that we give them. It's being streamed. We can have analysis of AI on the other side, and we can watch them solve these challenges.
That's one of the thoughts that I have. My point is this has been solved by chess. There were a bunch of people that thought chess was dead. There was no way that anybody would ever be able to beat computers and AIs making it more interesting. But I'm just throwing this out there as a thought.
If you have a CTF, people have to log into your CTF environment and do those challenges in a way that is streamed via Guacamole on a system that's not their personal computer system. And then we can use AI to analyze what people did. We can use AI afterwards. Like if you have a competition of people and say, Here's the winner. Look, they're running curl.
Oh my God, there's a vulnerability in that version of curl. I think it gives us a lot of opportunities to make it more interesting. We just have to adhere to the fact that just like Bronwen said, I'm paraphrasing, shit's changing. We better change what.
I think that's a separate category. That's my take.
You have like a human human CTF.
Yeah, exactly. You have it's like sports. Like, I race bikes, and I don't race against fast people because I'm not fast. It would be a super boring. It would be the most boring race ever to have me race against a pro. They're just gonna crush me. Like, it's it's like a different category. You have AI assisted CTF, you have human CTF. Yeah. Two different categories, two different approaches. Yeah. Reprising.
The the one thing I don't think we're discussing is the difference between a red team CTF and a blue team CTF. Like you guys, I think they're inherently different.
And I don't I think that my approach would work for either.
Think your No, I definitely agree. I think I do think your approach would work. But like the over and that that is the answer. But with like, the one thing with the blue team backup, make I owe Oh, no, what I've been doing is you make you make people write not just write a report, but you have to explain to me how you got to that conclusion. Right?
Because I have to provide evidence and provide you do stuff to it every time. If you can get the AI to help you provide that evidence and say why something is particularly important, that great, but you have to at least show me how you do it and how to do it. And I've been doing that with like junior analysts like, yeah, you can go ask Claude if this hashes anywhere in our environment. Yeah, but how would you do that in our SIEM? Don't ask Claude
show
me show me give me the query. Right? Like
here's the problem, though. If you do that for a CTF, you already lost half the CTF players because they don't want to write reports.
Good. Good. Then those are the CTF players you don't wanna hire. Right?
If they don't wanna write reports, they don't have a future
in the industry. Education has sort
of the same issue. Right?
Where it's like, how do we stop
people from cheating on their test? It's you use their machine or you do it in person and somebody proctors you. Like, that is the only way to get around the cheating.
And then There's there's three categories then. There's one CTF where you have to write reports that already fixes the AI problem. Seriously, I think I genuinely think it does.
There's a single m dash.
Yeah. I was gonna say like, just base on something.
We know you did not use word.
I guess what I would say is like, so like, we're looking inwards at BHIS. How do we hire? We don't just say like, oh, you want a CTF? Here's your job. Like, obviously, we had CTFs could do the same thing of being like, you know, there are CTFs that are more reporting based and will not based just purely in score.
Then there's like the non AI assisted category, which John was talking about. Then there's the AI assisted, it's like the open category. It's like, let it rip, baby. How many tokens you got?
Like, let's go. What if we
did it? Like, they did the CTF, and at the end, we do like The UK master's thesis defending approach where you get the three teams Jeopardy! And it's like, on this challenge, you use curl.
Why?
Explain. Then they have to we are using these options. This is why we said
Because of AI.
We did.
And that's
what universities and high schools are doing. They're like, write your paper with AI, and we're gonna grade it knowing that you're using AI. So we expect no grammatical errors. We expect dumb But then when you're graded, you have to get in front of the class and answer questions about your paper.
John. And Forensics 508. Not to, like, at the end of you do an IR report, right, you have to go all way through it, then you have to present it. And that's usually when the teams fail is when the presenting happens. And you, Yeah, like, yo, I found this, I found this hash. It's everywhere. Well, why?
Okay, so Shane, do you play a lot of CTFs out of curiosity? Or have you in the past?
I played a little bit here and there, but not as much. I I helped work on some of those indirectly through just kinda like the prompt side of it. Like, here's what I want to do. And I also teach a class on ethical hacking. So some of that plays a role in there.
But some of the things you can get around with it, like my password hacking or cracking one, one of the nuances they have to do is you have to tell me how long it took you to actually crack each password, how much time. AI is not gonna necessarily tell you that. And then it's the difference between a rainbow table and an actual just hashing your, you know, going through the hashes. So you can trip them up that way. But I agree with what John was saying about where you could kind of like have a closed environment, like almost like Citrix is the first thing I thought of when he was saying that you're in that like domiciled bubble, and you can only do what's there.
So then that that puts you in a position to where and then the other thing I was thinking, if you're doing that, like what I think Hack The Box does it where it spins up little virtual machines and you have
to go.
You can't get you can't just point an AI at that and start going digging in. The last thing was one of my other cohorts, what he does with his, he has a physical part to it. What I mean by that is some of the flags that you get in there
You gotta you gotta arm rest this Dave Kennedy for this next play.
Yes. Yeah.
It's like Double Dare on Nickelodeon. There's less behind that.
They they do that at at DEFCON too. So not not for the CTF, but for, like, the RF village and other things like that, where they have, like, rabbits and other things like that. So essentially, it becomes a scavenger hunt, a real life scavenger hunt, not a digital one. And so when you put that piece in there, then that can slow people down. Except for then you what you'll end up building though is runners.
So what ends up happening is you get tasked off to that work. Another thing too that I thought of was making a system that you had to go in to manually enter the answer. So there's some physical process so that you can't brute force that answer. Right? You can't just ask it over and over again. That's another way to prevent the system from essentially getting a feedback loop where it can find the value where someone
Yeah. You're basically fuzzing the freaking applicant.
Yes. I
I am teaching an intro to operating systems course for a college right now, and they have one of those labs where you have to log in and do all this stuff. Right? And everyone was having a really hard time with the labs. And I'm like, oh, I wonder if I could just have Claude do all this for me. Claude couldn't do it, not because it couldn't figure out the labs, but because the questions of the labs were written so bad that it couldn't figure it out and I couldn't figure it out.
When you're calling it the
(ISC)² methodology.
No. Is a
horrible peppy question. So I want mean Linus. Can we go to Linus Torvalds? And he's talking about, once again, it's AI Slop. And he's got two beautiful things that I think are amazing in this article.
Thing one, he said, if you use AI to find vulnerabilities in the Linux kernel, odds are somebody else already has. Like, don't bother to resubmit it. And number two, he said, and I love this approach. He said, Our submission guidelines are you to find the bug, but you also have to submit a code solution to solve that bug. And he said that that just washes out a huge percentage of the submissions that are coming through.
He didn't seem as salty as I thought he was. Like I thought for sure he was going to be like FAI, F all of
you. Because he used AI
credits and your money to do the job, that that's great. Right?
He used AI to read all the responses and ask how many were BS, and 99% of them were BS. So he's, like, yeah. I mean, fight that fire. Yeah. Fight fire with fire. Like, if you set these simple guidelines, like, has to have a patch, it has to be passcode, it has to, you know, meet our guidelines, how many submissions are left? Six. Okay. Like, great. But yeah, mean, I love it.
You know, behind the scenes, like, I'm just gonna go ahead and speculate that Torvalds and the Linux crew got access to Minutos pretty early on.
Yeah. I'm willing to bet.
Like, I'm I'm guessing, like, if I made a model that was good at bug hunting, I'd be like Linux. Where are you Linux? Like, I need to fix it right now. That it's the easiest thing to pull apart and fix. It's also similar to curl where this is battle hardened code, guys. This is not I mean, there was copy fail. There have been some fun spicy ones recently. But, you know, Linux is hardened. It's been tested a bajillion times by a bajillion different people, and it's not just easy to hey, Claude.
Yeah. I'm always like, I'd say the only downside is there's so many contributors, and that's really where the where usually the bugs come up. Right? When you have it's a ton of people all contributing, and then you have to validate and all the other fun stuff. So, I mean, that's why it keeps continuing to be bugs. Right? But humans
Yeah. Like, weird. True.
¶ Story # 4: Germany to Flood Ukraine’s Front Lines With Hundreds of New GEREON Combat Robots
Alright. Let's segue to the next article. John wants to talk about a new Roomba that he's gonna buy
that's The new Roomba.
The Roomba.
The Rumble Roomba from Germany.
Rumble Roomba.
So this is Yeah. This is a great story, and, you know, it's kind of terrifying, but I think it's good. So Germany is flooding Ukraine. I don't think I think flooding is a bit overselling it, but there's hundreds of- There
is some mud in the picture, so it's fine.
There is some mud in the picture.
They
call them Jurcon or Gurcon combat robots.
And Juris, right they're called like the Roombat Schnarkens token or some shit like that. Whatever.
But it it's funny because well, I think it's good because it allows them to get supplies to the frontline and certain things that, you know, you wouldn't want to put humans at risk in actually doing these things. It's kind of getting away from AI, but it's tangentially associated with it. But it's just kind of showing the evolution of technology, and this is now the robot side of it. And the reason why I'm excited about this as a security practitioner is it's more stuff to test. I just cannot wait to get one of these in the office.
I'm in the radiology room where if it gets tested, it's going be in here because I have lead lined walls in this, so there's no signal leakage out of this room. I want to get you guys' take on this. One, I think it's good that maybe we have fewer people in harm's way, but then again, the guy that invented the machine gun thought it would lead to fewer deaths, and he was wrong.
What are you saying? People are going get run over by the Roboruba?
Okay. John, instead of having a riding mower, you're at one of these robots and right at churches.
Bronwen, I love you. You need to talk to my wife and subtly drop John's birthday is coming up. He needs a Rambo Roomba for
I think this war is
really interesting.
Rambo Roomba. What do you call it? We're getting to see, right, modern warfare developed in real time and it's wild. Right? Like, the the Ukraine war is a modern day battlefield. Right? Drones, the new robot that carries or, you know, other like, this is all happening. And because they're they're fighting, you know, in this new battlefield and they're developing it on the fly. The wildest part of this though is not just security as you mentioned, John. Right?
But also just the rapid development and the non reliance on China and other countries to develop technology so you can actually fight a war. Right? It's pretty wild. Anyways The
folks in Ukraine have been brilliant as far as I'm concerned.
They're adapting Why haven't we seen one of these resilience.
Okay.
We haven't seen any of these in video games. Like like, we've seen plenty of robots running around, but not one that's, like, bringing you ammo. Right?
Time. Time.
Right? Like So not a battle for
a two month, man.
Right. Did they have a did they have a bot that brought you ammo in the newest battlefront? I don't think so. I don't remember the
old one.
And the old one, but Has anyone seen this is kind of off topic, but it's also very much on topic. Has anyone seen the videos of, like, the Coco delivery robots? Like, just scratch
¶ Story # 4b: Wild Video Shows Delivery Robots Causing Havoc, Getting Obliterated
Oh my god.
Causing chaos? Yeah. Okay. So, like, if you haven't been exposed to this on the Internet, I'm sorry, but you're in for a treat when you go hunting for this. But just go on YouTube or TikTok or wherever you go and search Coco Robot fail, c o c o, and just watch the videos of these. They're basically like delivery bots, you know, that just fail in the most hilarious ways of just like falling down stairs, driving into floods, driving into tunnels.
I love Don't
forget the empty Waymos that are
terrorizing the town in Georgia.
My favorite question is, is this gonna be ordered food to be delivered in, like, like, underneath an overpass on an interstate in, like, a tent city, with a bunch of homeless people? And it was just like the dichotomy of what's being like, what's what that showing is is pretty hilarious.
And then so that's the question is, is that gonna be the like, are we gonna see videos of Russians just watching a robot, like, fail to deliver ammo for, like, seventeen hours, or is it gonna be actually useful? Like, we'll see.
I don't know. I mean, the other thing is every time you show those videos of these Cocos getting destroyed and obliterated, I think it's just helping Cocos stock. Because the one thing that I take out of this is these things are put together pretty damn well.
Oh, yeah. Yeah. Yeah. Can drive into floods. They can get run over my car. But Part of
it with the drones will always rely on the humans that that operate them to an extent. Right? Like, there was that video, I think, that I saw last week, where somebody had deployed this new, like, farming drone, and they took it off from, a street, and so they take off and start to move across the road towards the farm, and it's immediately run into by like a by a big truck and sent
it to like a bunch of pieces. Oh, no. I saw that. Yes. I I I I don't know. I mean, this is I will say, like, anytime, you know, for for something like this, you can place a human that's potential lives saved, but also Yeah. You know, is it is it going to or is it gonna be like as I ordered ammo, like, seventeen hours ago and it just says its tracking number is missing and
Your cocoa is Amazon Prime over there.
Your cocoa is the solution. Your cocoa has been rerouted. Oh, no.
Those Amazon delivery bots that like fly over people's houses and drop a parachute of top ramen at your house for you? Like.
I'm so excited for that.
The future is here.
Alright. I got excited about it.
May not have her flying cars yet, but we
got flying. I just imagine John out there with like a directional antenna trying to hack as it flies by. Right? Like drop package. Drop package.
Drop package. Drop signal. Drop signal. Mhmm. Yeah.
I I once again, I love this stuff because, you know, if we go back to around Christmas, I was I was like, Man, the rate of AI improvement in October, November last year was just off the charts. There was a lot of fear in the industry, and even internally, people are like, What does this mean for us? There's so much more technology and there's so many ways, just like Bronwen was talking about. It's just going to be applied in so many ways that we haven't even thought of yet that, Hey, we're going to need security and all that shit. And it's job security, y'all.
And Bronwen also mentioned, if any of you are listening to this and you're like, well, we're gonna cut back our staff because AI is going to save us money. You are wrong. You are so wrong, and you're gonna get hit hard. I don't care if you're on offense. I don't care if you're in defense.
You can't look at this as like, well, we need fewer humans in security now. Maybe, maybe if you're in the food delivery industry, your job may be at risk, but in security, it's gonna be wild times. Just remember, is a ladder.
Yeah. So It'll let your people
do more and faster, but Yeah.
You have
break more stuff faster. But restrict their executive Yeah. Problems.
It's an issue that to restricting their tokens.
So post about that this week where it was talking about as you get down the AI pipeline and you use AI to build or develop, you are building yourself into like this position where you have so much like tech sprawl and tech debt and all these different pieces that there comes a point where if you stop using AI, you are toast. So you're, as you're building out these processes, you're building so much more work for yourself that you you can't get away from.
But that goes back to what we've talked about in the past about the coming SaaS apocalypse, and I saw other articles that flat out said SaaS is dead. I can't remember who said that this last week.
But John, AI is SaaS, dude. Not to burst your But
that's my point. If you're looking at SaaS as a company that you produce a service and somebody can rebuild that SaaS product from scratch with an internal team, the idea of buying SaaS from a third party vendor, spending potentially hundreds of thousands of dollars for something to be internally developed, and this gets back to Hayden's point, if you now have this code base where all of a sudden we have an explosion of software being written, and this is one of the things that I don't think that people understand about AI, whenever you're using AI to write code, it's using a part of its brain that's completely effing disconnected from the security code analysis part of its brain. Those are trained on two completely different data sets. And we've seen a lot of different stories where people will have code written by AI, and then they'll use that same AI to evaluate the code for security vulnerabilities and find multiple critical vulnerabilities in it. So once again, I think it's just great.
There's a lot of explosion of cool stuff happening.
Yeah. So a couple of quick hits since we kinda spent a lot of time talking about AI. First of all, there's a BitLocker zero day.
¶ Story # 5: Windows BitLocker zero-day gives access to protected drives, PoC released
Oh my god. I heard about that.
That we kinda forgot about. Basically, if you have physical access to a system and it's using BitLocker, you can put a file on a USB drive, throw it in there, boot into recovery, and get a command prompt
on that system. USB stick.
Yeah.
Yeah. Now a couple of quick things about this. You can't do it from a cold boot state, like where the system is starting up from cold.
No. UPS. No, absolutely cold.
Yeah. Yeah. If it's been down for a while, the memory state goes out from what I've been reading.
Well, the whole
So look, there's a difference between standby and completely shut down. Whenever you're looking at Windows computer systems and you go back to cold boot attacks, you go to FireWire attacks, and I think this one too, if this system is completely powered down and there's no suspended state, I don't think that this works. At least that's what I read in one of the testing. But if the system is in standby mode and it comes back up, then you can actually go through and you can bypass it. So that's interesting, but the real question I want you guys to get, do you think this was intentional?
Do you think this was a backdoor that Microsoft put in?
Yeah. I think it's a backdoor to my
Okay.
I I'm gonna go with no. People were like, oh, the the bug bounty researcher themselves said, I just can't see any other explanation. I was like, is this your first Microsoft bug? No. Like like, you know, not to diminish the capabilities of this person.
I'm sure they're way smarter than me, but like, dude, this is their bread and butter is putting features in and forgetting to take them out and then those features having vulnerabilities in them. But also, that's arguably plausible deniability for a backdoor, so it is what it is. I think it's, you know, we'll never know.
Ralph, what's that?
Microsoft knows need escorted out.
Ralph thought it was a was a was a intent intentional.
What do
you why do you say that?
I mean, enforcement, it looks trivial, like, the actual attack path. I didn't see anything, like because, John, you mentioned that, you know, the system has to be on and the the actual key is in the TPM. Right? So that's in the TPM module. And so it has to be on the Wait.
We're putting these keys in the TPM reports?
Yeah. Yes. Yeah.
They're in the TPM reports. They're overdue, John. They're overdue. Oh, my.
So the keys are there. And on that device when it boots and it realizes that the the order has changed, then it prompts. Windows does. But this attack essentially bypasses that prompt and allows you to get access to the C drive. There's a bit more into it, but functionally, that's how it works.
Right? And, you know, there have been other arguments about, you know, just storing anything on the TPM because there's no actual password for the TPM. It's just validating that nothing has changed on the operating system before it releases that key from the module. Right? Yes. But there are ways to implement second or, you know, two phase authentication in the TPM where you can actually have a password that's required more than just being like the same hardware. So, yeah, that's But I think
it was
I think it was on purpose and the CIA is gonna be upset that they have
The Yeah. I think that Microsoft's been selling magic USBs for a hot second. Mhmm.
Also, the security researcher says that they have another, vulnerability similar to this one that they're planning on releasing.
Think Oh, This this person is popping off. I guarantee you they just had a bad experience with MSRC and were like, know what? We'll see how I can MSRC.
Well, look, MSRC is very timely. They're responsive. They're consistent in
the way that they communicate
with security firms and they take vulnerabilities that
Okay. Seriously. There is Listen, John.
I do have two recommendations if you actually wanna stop this from a physical hardware attack, because we implement this on our own devices that we ship out. So the two things you need to do is first, implementing a BIOS password. Right? That's a Poxie
or USB ports.
That was my answer.
BIOS password. All right.
Yeah. That's a BIOS password. Another, and the second level way to lock this down is using Secure Boot. Now people don't realize actually how secure boot works, but one of the functional ways that secure boot can work is that you can designate your own keys that you actually create and put into the BIOS and the operating system will not even boot with those without those keys in existence. Right?
The the the BIOS will totally say no. I'm not going any further. I don't care what USB drive or any other thing. The only way to disable that is to go into the BIOS and if you have BIOS password, it's Right? Not Yep.
Well, okay. So, John, to to to take it serious, like, honestly, MSRC people, if you're if you're listening to this, you guys need to start using AI. It's
okay. The job is fine.
Guys you guys need to, like, come on. Get access to ChatGPT. Like, come on, guys. Start processing the bugs or else. Like, yeah.
I mean, I think if we're being honest, the threat vector from physical access is already pretty limited. The, you know, amount of information that can be stored in one system is pretty limited. Like, this is kind of an edge case. I It applies mostly to industries that have crown jewels on their endpoints. Like, you know, it's like legal, government, you know, the the high sensitivity environment.
I but going back to, like, the intelligence community and DOD, like, field expedient, like, forensic
Physical access, man?
This is a this is a huge thing, especially if you're in the military in the field field, like straight up physical access bypass authentication controls. That's something that we've used for years and in a variety of different ways. I kind of lean towards Ralph on this one, that it was intentional. And I agree, Corey. Like, I'm not a 100% certain, but it also doesn't apply for Windows 10. Is that correct? I don't like this
is Yeah. This is your reason to go revert. Yeah. We gotta revert back to Windows 10 now.
But that's what makes me, like, argue with myself. Right? That it wasn't an intentional thing. Because if you really wanted to have utility to the CIA and you wanted to have utility to the NSA, more more particular, if you wanted to have utility to operators in the military and JSOC, you would want it to work in Windows 10.
Well, yeah, but they probably have a different USB from Windows.
That's fair point. Fair point. That's not a yellow USB. It's a red USB.
Yeah. Yeah. Which which one do I use?
Yeah. It's a different colored cut the red wire, John.
Yeah. So They don't want
they the Odyssey Microsoft got rid of the red USB because they want everyone to move to Windows 11. That's why.
That's what they're doing.
¶ Story # 6: Deal reached with hackers to delete data stolen from the Canvas educational platform
So as far as the Canvas breach, any big updates on that? Has anyone followed that
one anything new, has there? Like, we still don't know how they got breached in the first place. Mean
They paid. Yeah. They're in.
That's
They paid. That's the big news. They did pay, and they reached an agreement or whatever to not have the data released. We'll see if that actually holds or if someone leaked it or, you know, who knows? But
Well, they they deleted the data, but, you know,
Did they run shred -n 7 or did they just,
you know, put in the recycle the DOD or not? Oops.
So do know some people who are dealing with that with the community colleges in California. So
I've heard rumors that they paid up to $10,000,000
Yikes. And I thought that much. That's actually
like, they asking for like 2,000,000 per school?
Yeah, it was like,
cut a deal.
That's only five schools. Yeah. No. I mean, I don't know. It's a bummer because I almost guarantee you that $10,000,000 is gonna go to absolutely no one. Like, that that's going to that that's not actually buying any security, but I understand. Like, they've kind of dropped it. They dropped the ball a few times, so it tracks that they would also pay the ransom. But who knows? Behind closed doors
and my bills a lot or doesn't use Canvas.
Really, I want my records to be breached. That's that's my favorite.
It's just easier for me to get my shit when I inevitably spill coffee on my computer. Yeah.
It's way easier. I like to back up my data on all the ransomware clouds. That's typically where I put it.
And you know, it's safe.
Right? Yeah.
Yeah. There was a couple of like non starter articles that we thought were really dumb that we should call out.
Please do it. Please do it. Please do the
ones one.
The panel was tech crunch.
Oh, go ahead. Yeah. Okay. One from the sun.
The one there was one that somehow yeah. I don't know. Apparently, like, some lady's nudes leaked, and somehow that's newsworthy. I don't know why, but I don't know.
¶ Story # 7: Celebrities’ and influencers’ private communications exposed in stalkerware data breach
It has to do with their clients. But, yeah, let's yeah. We don't
even It's like Android spyware. Also, there's an article that, like, clawed when you install it and install spyware, it's just like someone who doesn't know what spyware is in that article.
Every time. Every time.
It's like if the provider that you installed their software, you can use the software to control it, which is spyware, but that's also the product you're paying for. So it's like I installed AnyDesk, and I think it's an RMM tool, guys. Like, crap.
Well, we also had the DigiCert breach. I don't know if we talked about that last week. You know?
There was Oh, that was like a that
was at least three weeks ago.
Yeah. That was a
while did.
They had a good write up.
¶ Story # 8: Exclusive: Hackers have breached tank readers at US gas stations; officials suspect Iran is responsible
There was the gas tanks. Like, supposedly, people were claiming that Iran was messing with gas tank monitoring, which had no authentication. And, basically, what they were doing is just, I guess, lying about how much gas there was in the tanks of being like, actually, there's no gas. Like, I I
don't really see the I
think they
were saying that if if the gas tanks read fall like, have false readings, they can potentially explode when you fill them up
Or overfill or whatever. Yeah. It's like it's like fill
or something.
The classic, like, specter of what could be possible with OT hacking, but didn't
actually But that's like that's like 80% of, like, the bad DEFCON talks where it's like Totally. Theoretically, if I can hack your toaster, I can burn you. And it's like If
you just stick your hand in your toaster for twenty to thirty minutes.
All the conferences you go to and there's some jackass running around with the Flipper Zero opening up the charge ports on all the Teslas. It's like, god, this shit again. You know but stun hacking does have its place. It absolutely does.
It does. The train thing is
cool. The they're coming.
Yeah. Do the train one. Do the I train
wanna talk. Brian thinks that we're attacking him, and I would just wanna call out, Brian, you did a great job. I know you're correlating the news stories by the community, and we appreciate that. We aren't saying anything about you and the job you're doing. You're doing a great job, Brian. I just wanna call that out. So alright.
Yay, Brian.
Yeah. I guess let's let's have Shane plug his stuff. Shane, what you got coming up?
Shane, take it away.
¶ Threat Hunting Summit Talk: Threat Hunting in the Dark: A Practical Approach
So I am going to be delivering a presentation in June for the threat hunt that is faced that you are y'all are putting on. Specifically, I'm kind of setting the course for you have no idea what you're doing, you're beginning to kind of get started. And what's next? Many of the clients
are relatable
and tend to have that whole, hey, just find bad. I've got this funk instance going to town. And that's find bad is like the worst statement you can give me. Because if I find bad, you're going to have a bad day. And I don't like to work from that direction. I like to work a little bit more structured. So that's kind of the beginning of
the as I can go
into more details. Or if you have questions.
So you you use stats and then sort by least common log. And then there you go.
I think you just literally read bad.
Bad. Six six six, we found say yes, I misread whenever whenever they were talking about your talk, I misread it as threat hunting after dark. And I gotta say like, you know, saxophone solos were playing in my head. I'm like, this is gonna a this is gonna be
playful song. It's like, you're either gonna grab a bottle of bourbon or you're gonna grab a a can of balls and go get started.
Exactly. So my question is, and I know the answer is both at some level, right? Sure. Is this kind of designed for talking to potential customers, kind of letting them know what they need to be to be prepared for an incident, or people that are truly trying to learn threat hunting? Or is it some combination of both?
Probably a little of both, but it's more on the the threat hunt side. What we're getting on our side is we're getting a lot more calls about, hey, you know, we have this team that we want to start up, or we have we have this telemetry, how can we look at it? And starting to build that, but they have no that all they know is alert, detect, and that kind of environment. They don't know how to actually do hypothesis drawing and instead of that just reactive, react, react, react. That's the only thing they know.
And I think that that's a huge problem. Right? Like, whenever I talk about threat hunting, a lot of people think, Well, we have a SIEM, we have an EDR, we're getting And I think you're starting with the base presumption that the type of attacker you're going for is bypassing those particular security controls, whether they're on a device that doesn't have the telemetry or you're dealing with some advanced adversaries. And I think for me personally, that's a huge mind shift away from detection and alert tuning logic to you're actually, like you said, coming up with a theory, and you're going and hunting for more advanced adversaries. Is that kinda the way you look at it as well?
Yeah. Advanced adversaries as well as just dumb stuff that's on the network that, like, how do you actually know you have all of your assets covered? How do you know? You go ahead, a SIEM. Okay. You've got a SIEM. What do you use into? You got an EDR. Did you cross-reference them to see if your SIEM actually has the same number of assets reporting as what you have in your EDR? If you don't,
you have a secret. I don't tell people that.
Proprietary information chain. You're sharing all the secrets.
Job, you cross-correlate, and you're like, hey, we're missing 10,000 agents. They're like, what?
You know?
Dude, don't laugh. That literally happened to us. Oh,
I I mom, I won't say anything. Nothing.
It happens all the time. Like, what do you mean? What do you mean? What do you mean 30% of our environment has no EPP or EDR? It's like, those words you just said or what I just said to you.
Exactly. Or what do you mean there's 2,003 on the network? Like, come on. Oh, that's the best. I have one of those not to the last year, actually. But, yeah, getting
devolve into drinking. It's like, okay. The worst network I ever saw crack. Okay. It's gonna take a shot of whiskey to get through this one. It's just like defenders, man. So Alright. Well,
we're... On that, over. Yeah. Wade has stuff. Ralph has stuff. There's other stuff to plug, but they'll probably be here next week to plug their stuff. Probably.
Probably. More CTI classes. Come take CTI stuff. Have fun.
¶ WEBCAST: Looking at A.I. Wrong with John Strand, BB King and Derek Banks
John, aren't you, like, doing a webcast this week or something?
I am. The webcast is basically how we're doing AI wrong and looking at AI incorrectly. And it has a lot to do with what we talked about today, where people are like, it's gonna save money. It's gonna be more efficient. It's gonna solve security.
It's like all of that crap's not true. And it's gonna be a round table. We're gonna get a bunch of people from BHIS, and I'm probably just gonna do it without slides. Just bring up news stories and try to talk about it in terms of what can we take from this as far as trending. And then I'm also gonna talk a lot about, at BHIS on the offensive side, Corey, stuff we've talked about where it's like, we truly thought that AI was going to make us faster at doing our jobs.
Instead it's just adding a lot more work. And that's good, because that's where humans need to be in the loop. Or another example is people look at AI and they're like, well, I'm going to buy a tool that's going to do an automated pen test, but they lose context and understanding of what that is, and it just becomes another noisy dashboard tool demanding their attention. How we need, once again, like Bronwen said, humans in the loop. With AI, you're just moving the bottleneck.
If you're using it to develop code, great. You can code, let's say, 100 times faster. You're moving the bottleneck to QA/QC. You're moving the bottleneck to deriving the requirements. You're moving the bottlenecks. And we've just got to understand that humans are still required in this as well. For now, anyway.
Alright. On that note, we'll see you all next week. Thanks for coming. Later, everybody.
