¶ PreShow Banter™ — Watch Out for the Brownies
Research into that.
Which one? The browser one?
Yeah. Yeah. Just about, like, what I could get from a
A browser?
A browser. Right?
It's a lot, but it's also not a lot. You know what I mean? It's like, it's like, I don't know. It's one of those. On some level, it's not that sensitive that you're using, you know, the Grammarly add-on or whatever. But at scale
I was joking.
At scale
That's where I was
gonna go.
Yeah. As soon as you get, like, the big enough, then then you
can sell it. Right? Like Yeah. You can sell it. You can say, oh, I can tell you exactly who what other, like, you know, 1Password. By the way, you also use your you also use Bitwarden. Or like Yeah. Did you know 70% of your users also have a VPN app? Or I don't know. Something like that. You know? Like, I don't know. Something there's so many insights you could gain, for sure.
Yeah. I think that was really what I kinda came from that. Right? But
Alright. So there's
It's 4:20. Let's smoke some weed.
Yeah. It's getting so high. We're never gonna come back. Like
Or actually take an edible because who smokes weed these days, and we have all this technology at our
Isn't that edible, like, twice as potent, though?
Oh, no. It just depends.
No. No. No. Depends.
It You can get it. There's no going back. That is the downside of an edible. Once once you commit, you're you're You're you're there
for the ride.
Let's sit set up.
Y'all are
crazy talking
about this on record.
I wish it was six hours. No. It can be up to, like, forty eight hours if you do bad badly enough.
Forty eight hours? What the
Yeah. Yeah.
If if
you if it takes you forty eight hours to come down off of a high like that, you've eaten Well,
they make some more than you Trust should me. The so the thing about this culture is that it's a high tolerance building drug. And so the people who actually are chronic users need these absurd doses
Oh my gosh.
Of edibles. And so if you're friends with someone who's a chronic user, and they offer you an edible, and it's like a fifty milligram edible, yeah, you're gonna be
gone That for a would knock me out Yes. For
You're gonna be gone for a while, and you can't come back. Yeah. It depends it also depends on people's metabolisms and stuff. But yeah.
When it when it comes to chemical uptake, inhalation is always the fastest. Liquid is faster. Solid will take a little bit longer, and
almost the true fastest.
Yeah. Oh. Yeah. Know, wasn't gonna go there, but, hey. It's you, Ham. It's you, Corey.
I gotcha. I'll go there.
I know. We we know that's how that's Corey gets gets stuff done fast. Right?
That's it. That's all I have to do.
The AI summary is gonna be like, this is now for adults only. Exactly.
Speaking of speaking of big companies wanting to moderate this at this point, they're definitely putting us in the MA, mature audience only category.
On yeah. I I I still can't get over it. I mean, I grew up in the day when it was the the the devil's lettuce, whatever, and and walking into a dispensary and being able to legally buy stuff is still a trip.
Yeah. Is a dispensary walking distance from my house, and it's across the street from the police shooting range.
That's not
way to keep people mellow when they're using firearms.
I mean, I live in Portland, which is like the most drug focused city that I it's like the greenest city known to man. Yeah. There's like billboard ads that are so funny. They're just like, know, nineties fonts, and they're just like, good weed. There's like no other context.
There's I I gotta say though, there's like no differentiating. I like, from my perspective, there's no differentiate I I can't don't know if anyone else can tell the difference, but I'm like, okay. There's, like, 17,000 variants of the same. I don't know.
So to those of you who participate, happy four twenty. And for those of you who don't, just watch out for the brownies. Okay?
Stay home. Don't drive. It's the same stay home. Don't go anywhere. Don't try to operate under the influence. Definitely don't use Cobalt Strike under the influence. It's basically impossible.
Yes. Pretty much.
¶ Tim Cook Announces Apple CEO Exit - 2026-04-20
Wow. That's a first.
Am I the only one who didn't hear the awesome metal music?
No. I If didn't
hear you're an audio listener, pretend like there was a really cool metal intro done by Bo himself. Alright.
I don't know if
they Welcome. Heard It's April 2026. This is Black Hills Information Security's talking about news. I don't remember how to podcast now that I didn't hear the intro, so I am confused on
how They heard the music. They heard the music.
I'm glad. Glad.
Anyway That's what's important if they hear the music.
That's more important
than if we do.
Well, that's all that matters. So today, we've got we're living in a post-Mythos world here, people. So everyone get your CVEs ready. Get your CVSS scores. Add one to them, as John said last week. And we're gonna talk about the Vercel breach. We're gonna talk about webinar TV scraping Zoom recordings. Mhmm. We're gonna talk about cookies, all kinds of cookies. And if you're here for 4:20, you know what kind
of And cookies we're about to talk
I think, I don't know, just some fun some fun things happening. So I guess let's start with Vercel. It seems like the highest profile thing. Wade, you said you've been working this one, just in it. Is it is it bad?
¶ Story # 1: Vercel April 2026 security incident
How bad is it?
Just throw me out there. Gosh. No. Like, we weren't affected. I don't know if I'm allowed to say that on stream. But Well,
I think you just did.
Okay. More
importantly Yeah.
What what is Vercel? Wade, what is Vercel? Dude. What does it do?
Yeah. That that's what took me a while to figure out too. I think Ralph knows about Vercel better than I than I do. No. But I do know secrets can be stored in Vercel, and secrets now must be rotated that were in Vercel. There was a flag in Vercel that said if it was sensitive, you were cool. If it wasn't sensitive, you weren't cool. You needed enterprise level Vercel in order to have logging, which is a recent thing.
So Oh,
wait. Vercel is a cloud AI company.
Well, no. Hold hold on. No. Go on.
So everyone's a cloud AI company according to them. Okay.
Yes. Bronwen, you are correct. Everyone is a cloud AI company. 100%.
Well no. No. I went to vercel.com, and right away, it says, build in
the Okay.
Okay. But that's the cloud.
Come on. That's the same thing it says on allbirdsshoes.com. Anyway.
I knew we do it. Only because they they shifted over from shoes to AI, which makes no sense whatsoever.
Wait till Skechers does it too.
What what Vercel is is essentially, it's a hosting service for front end
Platform as a service?
Yeah. Yeah, right. They're hosting service for front end frameworks. Right? So if you have a website, and you wanna you could host it on Vercel. We personally use Vercel for my front end. Right? So they host the front end of the website, and then the back end, which is the API, is hosted totally somewhere else. Right? So when you now, that's not how everyone does it.
If you have a node based application, you could have the front end and the back end and the same application, and Vercel will gladly host that for you, as well as many other services that can do that, including Cloudflare, just to mention a few. But Vercel is one of the most popular for doing it. There's also a couple other ones out there that are pretty popular for these deployments. But where the security side comes in is that you can obviously upload environment variables. Now those environment variables can be used within your front end application.
They can be used within your back end application, however, you know, it it pieces in there. Vercel does more than just website hosting, if that I'm like using air quotes here because it's a bit more complex, but they also do a lot of other things. But the idea is is that when you do deploy one of these web applications or one of these web frameworks, that you're probably gonna have some environment variables that you wanna access in real time. And if you didn't mark them as secret, then they could have been exposed in this particular breach according to Vercel.
So sensitive is technically what they say, not secret. But yeah, basically, it does enough, on the write up, says that it originated from the compromise of context.ai, a third party AI tool used by a Vercel employee. So this is like that AI supply chain thing that everyone's paranoid about, rightfully so, is if you use these sketchy third party AIs Does anyone know anything about context.ai? Is this just like some random is this reputable, or is it like if you just go on the Google Chrome extension store and search AI,
it's like the third result, So like so this it's gonna loop it's gonna it's gonna work back to one of our favorite things. But so context.ai got hit. They then pivoted to that user who then they escalated privileges via Google Workspace, and then were able to do stuff. Right? If you go look at some stealer logs, and there's some context AI creds that got taken a picture of. Yeah. So there's a couple pictures of that. Yeah. So also could be
Next.js, I guess. I I mean, who knows? There's been so many supply chain type compromises. So it's a reputable company, but they aren't appropriately doing AI, or they aren't appropriately doing credential management stuff with infostealers.
It looks like Hudson Rock actually said that, like, they're which if for those who don't know, Hudson Rock is a commercial infostealer provider, similar to Flare. It looks like they actually said publicly that, you know, they they think it was stealer. Somehow, Roblox auto-farm scripts. So it's like, okay, here's the supply chain. An employee at complexity.ai was apparently doing Roblox hacking on his work machine.
Bro, man. On his home computer. On his home computer with his credentials synced. So that's bad. We have the employee at Vercel was using complexity.
Or context.ai, which I guess is that was he or were they allowed to be doing that? We don't know. But my assumption is most companies that are small, and Vercel's probably small, aren't really controlling what third party AI tools people employees are using, and that it has supply chain risk associated with it. So Yeah. If you're a CISO listening to this, don't let your employees install whatever AI tools they want, no matter how much they beg, scream, and cry.
If and then if you're working this as an IR person, they do allow you to pull down logs for ninety days in the CSV, all the audit logs, and then Good you can work it from old good old grep.
Good old grep. You gotta wait up those logs
if you are. You're gonna put environment variables, save them as sensitive, make sure you're marking any, like, key as sensitive or secure, or whatever they call them. Yeah. Every platform has got different ones.
Don't use environment variables. Don't do it. Yeah. There's tools out there. People have been asking me this question a lot.
They're basically like, okay, so when you use You have to use environment variables sometimes. There's a lot of cases where they make sense. But basically, in security, we deal with the trust boundary. Environment variables are only good on one computer for one trust like, that is like, everyone on the computer can now read those environment variables. So if there's any untrusted programs running on that same computer, they're compromised.
Right? Like, you just have to keep that in mind, and you don't put sensitive things in environment variables wherever you possibly can. There's tools like 1Password, and other secrets managers that can dynamically pull credentials from without storing them in environment variables.
Yes. So I I wanna push back on that, because there's a couple things that when you actually implement that, you still have to have that key somewhere on the host in an environment variable, even with 1Password or whatever you want. Right? You could dynamically pull them all you want. The the the hope or the benefit is that you can rotate them. That's really more important.
You can rotate them, and you can audit who's accessed them, by the way. Yeah. Well,
somewhat, yes. But either way, the the the idea that if I have all of my secrets in a password manager,
that That they can't be compromised?
That they can't be compromised. That's not not to to I'm pushing back on the idea that environment variables are the only Are inherently bad.
Yeah, no.
They're bad.
They're not inherently But
the better ways to do it, right, where you are actually do implement, because I've had to think about this in process flow, about like using 1Password to pull environment variables in to keep it the most sensitive as possible. The thing is is that key for 1Password does have to exist somewhere on that remote host
Yeah.
The process. Yeah. Programmatic access, you have to facilitate somehow.
And that key is gonna get have to get scoped to the specific amount of variables that are required, just the minimum required for that application. Well, if as an attacker, I have access to that key, I totally can retrieve those variables on demand right from 1Password. Right? So it doesn't necessarily stop that attack path, but what it does allow you to do, hope and benefit, is that you can revoke those faster without having to go into Vercel and change every damn one of those environment variables over and over again. Right?
It allows you to one click essentially rotate all your keys without having to go fight across all of your
Alright. Alright, Ralph. Doesn't Bitwarden or someone else have that too, okay? Just stop saying 1Password.
Well, actually, actually, so you if you wanna know what is kind of the real standard for this, it's actually HashiCorp Vault. That's the one that most people use. Like, no offense to 1Password, but like, in most deployments, people are rolling their own HCB instances, or using Yeah.
Well, actually, so 1Password's offering is pretty good. They have actually have two different ways to access that. You can use CLI, and then they have a full API based setup where you can actually essentially like dole out a special server that would only be accessed through maybe a specific kind of network. So it's not even just through 1Password, and it has a whole token management system to allow you to kind of do a middle piece in there. So you can broker that access to 1Password, while not actually even exposing the interface that is required to access that key.
So I wanna know the record. Was And I hope that we cross. I I feel like we've I feel like we've crossed over into where Ralph knows more about 1Password than Wade does at this point.
Oh, without a doubt. Without a doubt. I definitely know OP, right? Like, I have it set up in several places, but, I'm over here defending things, not setting engineering up.
Yeah. Yeah. Totally care. Dude, if you ask me to run the SOC at BHIS, I don't know how the heck to do that. Someone else can figure that
out. Anyway.
Yeah. I think the from my perspective, the the IR, and Patterson, feel free to jump in here. Rolling secrets. This is gonna be the, like, number one most used IR playbook of 2026. Right? Like like, is there anything, any advice you'd have, Wade or Patterson, on how people can get in the practice of being better at rolling these secrets, and how like, is there any tips you guys have that could help, like, with this IR process?
Wow. That's a loaded question. Yeah. Make a plan before you before you're in the midst of crisis. That would be priority one.
That's such a sprawling, sort of unique snowflakey. I mean, listen to us argue about our process moments ago. My yeah. My most significant recommendation is I totally agree rotation of credentials is, you know, it's playbook I don't know, think last year maybe it was playbook number two, but I think you're right. It's the forthcoming, it'll be playbook number one, and sleuth out where your creds live, have a programmatic way to rotate them quickly and efficiently, and once you accomplish that, of course, you should test it, and then you're you're golden.
Well, you're not golden, but you're much better off.
Ready to react quickly, instead of just being like, what credentials were compromised? Where do they live? What do they do? If we roll them, how much of our production environment breaks?
Exactly. Yeah. That's that's the thing, right?
I was gonna say, lot of credentials are moving to to like a mandatory expiration date as well. Yes. So that you
can Everything should be. Honestly, that's like, that's a good thing you can set now before a breach happens, is just set everything to expire every three to six months, or whatever interval you choose, and then you have to get in the practice of rolling
Yeah. Them stuff You're gonna have to to out how to automate your way out of that.
Yeah. Exactly. Because, yeah, it's like, you know, if if you have users that are getting breached, which you do, and you have password expiration, you have MFA, and you have like you basically have to set yourself up in a place where, guess what? Your developers are putting your API keys into ChatGPT, into Anthropic, into Context AI, Cursor, freaking DeepSeek, whatever it is. And so you have to it's you're better off just assuming those credentials are breached all the time, monitoring them for suspicious activity, and rolling them on a regular basis, versus being like, no.
This is the secret break glass key that lives in the secret place, and no one can ever access it, like
Yeah. Yeah. Do think the playbook, a really good one, is to honestly just design rotation into your implementation, and I think you can really help yourself out, you know, when they do get exposed.
Yeah. Then if you're using the variables, right, it's easier to do that because all your passwords are gonna be in a centralized location, and usually you can you can interact with them programmatically, so.
Yeah. And also setting limited scopes, like basically secrets management is if you do it well, it's gonna be a pathway to the end of twenty twenty six without a whole lot of pwnage. If you do it poorly, you're gonna get popped. Like it's this is not the first, and it won't be the last where environment variables are leaked, and blah blah blah. There's all of other ways that environment variables can leak, by the way, or be exposed.
You know, we're talking about, like, browser harvesting, and program harvesting. Like, just assume any program running on your computer can read your environment variables. And there's a lot of programs running on your computer, and they so, like, just keep that in mind. Anytime you export something, it's
really This is the stealer logs playbook. Right? The, you know, NPM, valuable pack, malware packet, whatever, you know, but yeah, sure.
Totally. Alright. What else happened? I guess we can talk about a certain teenager who the guy who compromised PowerSchool. This is a breach we talked about when it happened, but there's this pretty interesting long article in ABC News about his experience, and I don't know.
¶ Story # 2: 'Addicted to hacking': Young hacker behind historic breach speaks out for 1st time, before reporting to prison
It's kind of like I feel like it's been a while since we've had these a high a big deep dive into the character of a hacker, and it's kind of interesting. I mean, we don't have to go through the whole article, but it's worth the read. I think it it basically, for me, really reiterates how much these online hacking communities impact these young kids. Right? Like, they basically take over their world and really suck them in and and make them think and feel that they're, you know, living a very glamorous, rewarding life, when in reality, they're just kind of the fall guy for a big cybercrime situation.
So this person, his name is what is it? Matt Lane?
Matthew.
So he yeah. So he's he he got sentenced to four years in prison, and basically, on his way to prison, I guess he'd already done six months, and this was a sentencing hearing. But essentially, he did an interview with ABC News kind of talking about what the life was like and what he did. And he sounds, at least in the article, he sounds very remorseful, and, you know, he's the kind of funny thing that which we'll talk about at the end is he's like, I hope I get a cybersecurity job. Maybe he will, maybe he won't.
I guess we'll see. Please submit your resume to BHIS, and we'll we'll interview you.
But The Darknet Diaries episode will be out shortly, I'm sure.
Yeah. Wait, really? No.
That's a guess. I'm get if he's willing to talk to ABC News, there's no That's fair. Yeah. Which unheard of. Like, usually, we don't hear like, this almost seems like a play for right? At least for me to to make him look good, which he he does seem honest and truthful, but you don't hear about this too often about them. No.
These are rare. These are super rare.
And then, like, it's just like we've talked about before in, like, in The UK. Right? These kid kids have been picked up over and over again, but they're they they keep it a secret and, like, hush Put identities?
And put
them away. Yeah. Identities completely, which is also pretty cool, I think. But without a doubt, he's gonna get a job. Like Yeah. And of course, where did he start? Roblox.
Roblox?
Roblox.
Yeah. I mean, I I think it's, I don't know. I I think it's really just a matter of people who feel like outsiders tend to look for communities where they fit in, regardless of whether it's cybersecurity, or, you know, terrorism, whatever. Pick a pick a It could be just a lot of people fall into sports, or into, you know, like, things that are more normal ways of fitting in, I guess. But in this case, you know, he got sucked into a community that was kind of pushing him in a bad way.
I mean, this is the same thing that happens for most kids who end up as criminals is they get sucked in with people who are older than them, and kind of take advantage of them in a lot of ways.
I I think one of the big differences in this case too is that most people typically don't get caught. Right? He was just used as a scapegoat. Or not a scapegoat, but essentially, like, a patsy in in this. Right? They just used him to to not get caught. Right? And so I think we're gonna see more
It's being made an example of Yeah.
Yeah. And I think we're gonna see more and more of this, though. Right? Because essentially what happens is is that MGM or whoever gets hacked. Right? MGM was mentioned in this article as well. Right? They want a lever to pull. They're not gonna go to, you know, North Korea to get it. So they're they're gonna take it out on The US assets that were used to leverage that attack. Right? And so I think we'll see
more of it. Right? It the one of the interesting kind of notes from this is like, the impact is definitely higher. So with the PowerSchool thing, we talked about it in the I I think on the show. Like, the there was an initial breach, and they actually did a ransom demand, and they got the ransom payment of $3,000,000.
But then there was another ransom demand sent So to all of the individual basically, like, in this scenario, someone gained access to whatever server they exfilled all the data to, you know, whether it was someone trusted or not, we don't know. But essentially, they got the data, a copy of the ransomware dataset. And so, you know, it's kind of a poster child for why you shouldn't pay the ransom because there's no guarantee that someone else hasn't accessed that data, and can use it to continue to extort, and do bad things. I mean, on some level, obviously, there's credibility lost. But it is kind of an interesting sort of subplot, is the fact that they unfortunately, other people, even if he has remorse and feels bad, other people have the data too and can continue to sort of drive impact from it.
Even if he doesn't wanna do that, other people still can. I mean, it looks like they're looking for someone else. You know, they're looking for other people in connection with these crimes in addition to him.
Yeah. The example piece too is to stop that from happening again, right, from other people being like, oh, think about this. But I will also flip the coin one more time, and just say that his age, right, being young and just impressionable and willing to do these things, I mean, people at a young age, including myself, have done stupid things that maybe you regret, or maybe it was just unsafe. Right? And this is one of those examples, you know, at a younger age taking taking advantage of people who are younger, you know, to to
Yeah. 15 year old.
Yeah. Like
Unfortunately. Yeah. When I was 15, you could've convinced me I didn't probably.
And unfortunately, Roblox has been a known resource for radicalizing young people, especially young males. And not just not just for hacking. It's it's used for radicalizing young men for all kinds of unfortunate and sometimes violent purposes. I mean Yeah. They only went into hacking. Yeah. He may get a career out of it someday when he gets out of prison. But
Yeah. They they talk about that in the news, in the ABC article too, that like, Roblox is basically there's a couple uplifting parts of the article. Like, one, there's a couple programs that actually go out and try to, you know, recruit people into a community that's, you know, fostering positive things instead of, you know, that's kinda similar to what our community does. Obviously, we don't go out and recruit people on Roblox, but there's something called the hacking games that's like, you know, basically Roblox based positive version of this community. The other thing that they mentioned is that Roblox specifically says they've hired several young people to help secure their systems after they participated in similar programs.
So like the, if you're out there listening to this or, you know, watching and reading the article, realize that there is a pathway to use your skills for good and to get paid for it. Right? Like, you know, you might get a job at Roblox. You might get a HackerOne bug bounty payout. Like, go the the
good resume bug bounty payouts.
Well, no. They're they're still doing payouts. They're just not taking submissions. So
Ah, okay.
Well, if they ever
But, yeah. When they resume well, you could still submit directly, but yeah, anyway, basically, the concept is there is a good and an evil version of this story. I think four years is fair to me. Like, that's like enough time that he'll definitely have, you know, hopefully, some time to think about what he did, but also not like ten years, which is just like a criminal graduate program where you just go and learn how to be a really good criminal. So I don't know.
We'll see what happens. But he does have $14,000,000 in restitution to pay to victims. So when he goes to get his first cybersecurity job, he'll be like, my salary demands are quite high because my restitution demands are also I quite gotta make $14,000,000 a month. Sorry. So we'll see how that goes.
Salary's kinda high, but, you know.
Salary's kinda high, but it's only one month, and then he goes back to prison.
Do you have to pay interest on that?
I'd probably, dude. I'm Right, assuming the I'm assuming the system is set up to completely block anyone from actually being reformed and just put them into a cycle of re a reinfracting early.
Does
bankruptcy apply here? Can, like does bankruptcy not apply to restitution? I don't know.
I don't know. I don't we need we
need get it under a different
These are adult questions, dude. This isn't that kind of show.
Isn't that kind of
show. Fair enough.
¶ Story # 3: Mythos And The CVSS Problem No One Wants to Talk About (But We Need To)
Alright, so next we can talk about Mythos. I mean, I don't know. For me, I guess we talked about it last week. I've still had a lot of customers asking me questions about it. John did a big LinkedIn post about it, which we'll link to if you guys, if anyone didn't see it.
But basically, it's kind of the sentiments that we echoed last week on the news. I think the answer to Mythos is basically twofold. One, it's definitely hype. It's it's, you know, there there is some hype tied into this. Anthropic's trying to maintain their relevancy, and that's just part of this.
But also, piece number two is the some of the claims and things are real, and I've been telling customers, you have to assume something like this is is gonna exist in the next, you know, short future. We don't know when or how, but if they're basically advertising this capability, that means all the other AI companies are short are close behind. And that includes DeepSeek. Right? Like, what was the what was the distance between the, like, GPT-4o release and DeepSeek release?
Like, does anyone know that off the top of their head? It was probably, like was it three months, six months? Yeah.
Like, I forget timeline's so small for all of them right now.
It's shorter than you think, basically, is what I've been telling clients. Like, this kind of a vulnerability crusher AI will exist in the next three to six months, and publicly so. So basically, get ready for that.
¶ Story # 4: Introducing Claude Opus 4.7
And So I guess the other follow on article to this is that Anthropic did release Opus 4.7, which
Yes. Has well, okay. So, yeah, the Opus 4.7 release is actually really interesting, specifically because Opus 4.7 now has specific gateways and gatekeeper stuff built in for cybersecurity abuse. Basically, Opus 4.6, you just told you were an authorized if you just told her you were an authorized pen tester, it'd be like, oh, alright. What are we doing?
Are we hacking China? Let's go. Yeah. Opus 4.7 supposedly has better, more gateways built in that will basically force you, hey, you know, this seems like you're doing something unauthorized, and it has its own verification model at the account level. So there's also Anthropic drama where they're requiring identity verification for their accounts, which we don't I don't know if we have an article source for that.
Someone could probably find it. But they're requiring KYC verification for all their accounts. And in Opus 4.7, you'll hit that limiter more often of it being like, hey, it seems like you're trying to do bad stuff. For us at Black Hills, if anyone's curious, you can get authorized. So you can basically tell Anthropic, here, we're a pen test company, we're authorized, and they will allow well, they'll take down those gateways.
But I feel like that's a pretty good way to reduce abuse. Obviously, it's kind of a moot point at this point because you could just use 4.6. Right? You could just be
like, alright.
And 4.6 is actually better in some ways, in some regards, but the point
is Yes. If if you go back up to the table, Meagan, it it shows technically, Opus 4.7 is actually worse for cybersecurity by like point 3%, or whatever. If you look, it says, there's one for, what is it, cybersecurity vulnerability reproduction. Yeah. 4.6 was 73.8, and 4.7 is 73.1. So it's point 7% worse.
Yeah. They did it on purpose. They nerfed it a little bit. I watched a bunch of people essentially digest the numbers here. But the one thing, going back to what you said, Corey, is that we are still on the continual march of improvement.
Yes. Numbers are
gonna
It's
gonna happen. And it's like, it's so fast, and that like, you know, when is, you know, I keep thinking about like, when is Opus five point o gonna come out? And like honestly, it could be four months, and that could be like, on the extreme version of it, and ChatGPT could come out with something even faster, and you know, that yeah. So it just keeps going. It's like a steady march.
I do wanna say one last thing though about the essentially, the gatekeeping of cybersecurity. OpenAI was a lot worse. Like, you asked it to do something, it'd be like, no, I can't do that. I can't do that. Like it really gate kept a lot more than Anthropic, and now Anthropic's kind of catching up.
Even though arguably, sometimes it gets super annoying, even if you're not trying to do something malicious, right? Just kinda do something related, eventually it gets to the point where it's just like, I'm gonna not help you with this stuff. And you know what's gonna happen in that case? Models are gonna show up that will help you with that.
Correct. There's gonna be obliterated models, and Hugging Face models, and DeepSeek, and Mistral, and all these other Qwen, and there's Chinese There's
no way but my point is, and it is that there's no way Anthropic or OpenAI, no matter how great their frontier model is, is going to stop what is coming. Right?
Yes. 100%.
They are just upfront. That's all.
¶ Story # 4b: Identity verification on Claude
Yeah. No. 100%. I link to the verification program if anyone's curious in Discord, and the next article we can kinda dovetail in is the KYC verification, Anthropic's requiring this. It's not super clear when they're gonna start requiring this or what the rollout's gonna look like.
They basically just posted this, and now everyone's salty. But essentially, the bummer here is that they're gonna use Persona, which is a company that has taken on a lot of investment from Palantir and Peter Thiel and those sorts of shady folks. And Persona has also had issues with cybersecurity in the past. I will say, I think the issues they've had are very overblown. Like, people's concern like, you know, they had some issues with them exposing the source code, I believe, for one of their government identity verification systems, and like the way that the authentication worked and stuff.
To my knowledge, they haven't actually had any exposure of like the identities themselves yet. And it should be noted that this company Persona is also they seem to be kind of the standard in Silicon Valley. That's what Discord is using. That seems to be what most companies are using. So it's not really out of band. Also, by the way, OpenAI is doing this too.
Yeah.
If our parents are, you know, if our parents are OpenAI and Anthropic, they're both doing it, and so we probably just have to roll with it.
I would say get ready for KYC across the whole Internet. It seems like Yeah. That stuff is coming across different pieces, different different market, and and mainly different laws, right, in different states. It's all kind
of moving that direction, and most of these companies, they're in a business, shocker, to make money. If KYC is what they have to do to stay
in business, that's what they're gonna do. Right?
It's just a huge bummer that we can't have a government backed Yeah. Like, actual state run KYC that uses the like, they already have my passport, dude. I already, like, you know, answered a bunch of questions, and gave my fingerprints away, and some guy touched my butt. No. I'm just kidding. But, yeah. I'm already a US citizen.
Was my fingerprint, man. I don't need that.
Well, listen, okay, I went to an appointment, and I'm like, whatever happened happened.
It way cheaper than normal. That's what I said.
Yes. Was discounted.
Now we know a
it's a benefit of my credit card. Alright? Yeah. Yeah. Basically Yeah. Mean, the point is the government already knows who I am, has my identification documents. Yeah. Yeah. Like, can they not just give me, like, an SSH public key or whatever?
Yeah. That's that right? Like, some private-public key system, or, why hasn't there been any blockchain? Like, blockchain technology behind it is pretty cool and can track things. Why aren't we using that in, like, more production?
It's a bummer. Does that
make sense? An AI. That would be perfect.
Dude, let's Are we about to make a company again? Another one? No.
No. No. We've already we've already made one company. We don't need to make another. I'm bad. The I think, like, there are countries, what is it? Estonia, I wanna say off the top of my head, that has a full digital identity system that's nationalized, and has voting based on that system. I don't know. It's one of these small countries that you've never heard of, but they have 10 gig Internet and really good tech. I don't know.
It's easier to do at a smaller scale. I mean
Totally.
They Yeah. And they probably have a lot fewer than, what, 360 or 400,000,000 citizens, whatever we're up to these days.
Yeah. I I mean, you're not wrong, but still, that arguably also means we have immense amounts of resources available to create systems like this.
Yeah. If we if we have the will. Yeah. That's We
got break.
That's the bottom line. You know? But Breaking news. News. Breaking news.
¶ Story # 5: Tim Cook to become Apple Executive Chairman John Ternus to become Apple CEO
We got Tim Apple stepping down at Apple, so now he's just changing his name to what? Tim? Tim. What? Tim Apple stepping down after more than a decade. It's probably because he asked Siri whether he should leave, and she was like, yes, leave.
Yeah. She was she was don't let the door hit you in the ass on the way out.
Honestly, so word on the street
is they're finally gonna come out with a new Siri this year.
I mean, okay.
That's just powered by ChatGPT?
Yeah. Yeah. So the the well, no. No. No. So, okay. Hold on. Hold on. So first of all, for those that have been living under a rock, it does seem that he's we don't know, but Apple hasn't been doing super well in AI to the point that I know of several people in my personal life who have seriously considered switching to Android just because of how bad Siri is. And that's totally valid and fair. Hold on, Sam. And he's been unable to correct that. Would you say wrong?
Not to say that everything you said about Siri is not correct, because all of those things are correct.
Is Alexa just as bad, or is Yeah. It It's worse. It's like worse. It's
worse? Yes. And they came out
with an AI version, and and whatever. Right? I I think it's it's tough for the non AI to like, companies that came out with those original, like, voice assistants to like, have to move into it.
They just pushed Gemini to Google, or to the audio, whatever, auto, Google Auto.
Oh, yeah.
And it could not play any of my songs. I was like, Alexa or Google, play Toy Story storyteller on YouTube as I'm driving, and then it plays, like, some random thing, and I'm like, over and over again, I'm like, you know what? I'm just gonna do this myself, and hopefully don't get in a car crash. But
Yeah. Well, okay. So and by the way, before, you know, obviously, we haven't even read the whole article about Tim Apple stepping down, but they did actually partner with Google. That's who they chose as their AI partner. So in iOS 26, which was last year's release, they have ChatGPT integration.
And as an iPhone user, I always use it, but it also ties not in it doesn't tie into anything. But every time I use it, I'm like, ask ChatGPT basic question, and it can answer it. That's as far integrated as it is. It that it's pretty lame. So they did partner with Google to get a Gemini model to basically, hopefully correct some of the issues they have. Who's John Turnis? That's the person they chose as the replacement. Or Ternis? I don't know how to pronounce that.
You Google him, he says he's an engineer and an executive, which
So he's VP of hardware engineering, and then
he's Which asking sounds pretty cool, to tell you the truth. Like, if someone were to shave
I will say, their hardware might be their strongest department, honestly. Yeah. Like, the you you really if you're comparing the iPhone hardware to other companies, that's what everyone sets the bar at, is like the actual physical characteristics. And if you look at the laptops, it's kinda the same thing. They were super pioneering when it came to the Apple silicon stuff, so I think it's a reasonable
They're so so just to just to put it out, so AI is cool and awesome, but the hardware is how we interface with it, and Apple definitely dominates that market space, especially from the handheld. They're overfitting
Oh, yeah.
In the US, and all this other fun stuff. So they're not going anywhere anytime soon, regardless of how crappy Siri is, or maybe that it proves to be. But, yeah, they're definitely a dominant piece in the glass that we get to see. Right?
Totally. Yeah. And that's not gonna change. I think
Yep.
There was an interesting video the other week about like, how Windows laptops are kind of in a weird spot right now, where like, you have Windows, which is Microsoft, then you have like Copilot, is also Microsoft, and then you have like a bunch of laptop manufacturers that have to figure out how to work with Copilot and Microsoft, or else they're not really included in the whole party these days, because like, Windows now requires you to have all these Copilot ties. You have to have a Copilot keyboard. You have to have a Copilot button on your keyboard. So basically You have a Windows computer? Yeah.
Just to be a Windows computer. So like, basically, for a Windows laptop to be really good, all these companies have to work together and do well. For an Apple laptop to be good, it just has to be one product from one company. So I don't know. We'll see.
¶ Story # 6: Microsoft faces fresh Windows Recall security concerns
While we're speaking about Windows, we can talk about new concerns with cybersecurity around Windows Recall, which for those that don't know
Is the coolest feature they ever added. Can't Yeah.
Well, so Recall so Recall was a really cool feature that was designed, like, with the release. Was it Windows 11? Yeah. Or Windows Yeah.
It was like in it was supposed to be in one of the updates for Windows 11 because This
is years ago. Yeah. Years ago. This is September 2024. Wow, that feels like ten years ago in It the world of
does.
That was it does. So long ago. But basically, it was a feature that would essentially record your screen and let you go back to a All previous time. Yeah. All the time. So as you could imagine, they rolled it
in an
incredibly insecure fashion at first, and everyone was like, please no. Can you not do that? And there was a, you know, people were publishing tools that would extract all the data from it. It was a fun little time. And now, I guess, they're trying to re release it, I I assume, and not all the security vulnerabilities have been fixed. That's my assumption.
What about the whole thing being just one big vulnerability? Like That's not like everything that I'm sending it off to I don't
know who. Like, who would use this? Who's the primary user of this? That one person who's screen like
and let ChatGPT look at it too.
Bro, maybe that's it. Maybe it's from the AI perspective that the AI destroyed your laptop so much that you gotta re recall back to a time beforehand.
Like the new version of Windows restore? It's just one prompt. It's an AI prompt that restores all the files. It's just a markdown file that says, this file lives here. This file lives here.
I I don't even know anyone who uses backups personally, like, in their personal setups. Like
Who use backups?
I will not I don't know any
data. I don't backups.
I don't know any, like, non techy people will say that. Like, normal well, normies.
Right? That's fair. See I
anyone people. I can't see anyone using this. And then from a corporate perspective, like, understand it. I'm wondering if this could be used forensically. But Yeah. Why you wouldn't need it. Right? It could, but, like, would you even need it if you if you have access to it?
Would you forensicator, would think not.
I don't think you would need it, though. You would just, like, run your normal, like EnCase or anything to pull everything off of it. You wouldn't have to use Recall. So I'm thinking
I mean, it is it could give you a ton of insight into like, it's basically a screen recording of everything the user was doing. Right? So it could give you way more insights than any of those forensic Oh, yeah.
Flat out. That use
They say Recall stores messages, things on your screen, emails, documents, browser history. If you're using the computer and you got Recall on it, it's recording everything.
With the right DLP software, though. Like, I have all that too. That's the thing.
It just that's fair. But, like, I I think the biggest thing is just this no one asked for this. No one actually needs this.
No one wanted this.
Like, okay. Right now, everyone's fighting the battle of all their employees want AI, and they have to figure out how to get AI into their company without screwing up security. No one of their employees are like, can I get Microsoft Recall? One My wants
my favorite use of this is when someone calls in and says their mouse was moving by itself, and I'm like, alright, let's go check it out in Recall, and be like, no, it's not moving. You're moving. We can see it like like that.
Your use for it is just proving people are dumb? Oh. There's way better tools for that, man.
Yeah. But if it's a recording, we could prove
it to them. Don't move my icons. That's exactly how I like it.
Move my icon. That's an oldie. An oldie but a goodie. Yeah. Speaking of creepy recording of things that shouldn't be recorded, 404 Media published an article about this company called WebinarTV, which their MO, and this is just as a business model, insanely creepy.
¶ Story # 7: WebinarTV Secretly Scraped Zoom Meetings of Anonymous Recovery Programs
Their MO is to enter publicly accessible Zooms using a bot, and then record them and transcribe them. For whatever reason, they're doing this at scale. I don't think anyone really knows why. The the article doesn't really cover why. I I can't really imagine why. But here it is.
Mhmm.
Basically, of course, because public Zooms are public, some of the information in there probably shouldn't be public. And, you know, they give some examples in the article like Graves' Disease and Thyroid Foundation patients, support groups for, like, of the funny ones is like nudist support group. It's like, oh, I have to wear clothes, guys. It sucks. Like, it's recording this data.
It's not super clear why it is, but it claims that they've hosted over 200,000 webinars. I don't really know what their business model is, but it feels like from a privacy perspective, do they have any lawyers that have ever even thought about this for more than ten seconds? Like, I cannot imagine the amount of PHI and PII. I mean, I think the biggest thing is, if you're going to some of these webinars, just assume it is, you know, being recorded Yeah. By someone, change your name to something anonymous, maybe hide your face, or don't show yourself on camera.
I don't know. Or just it sucks because it's like the companies that are putting on these webinars aren't really trying to do this. They're not trying to make it, you know, a cybersecurity problem, but they are. Yeah. And so yeah.
Then basically, they're also, interestingly enough, the webinar will actually like register. They can register, or they have people that are registering for these sorts of things, and like actually submitting like forms and things to get into some of these webinars. So it's like, I don't know, it's basically super creepy. I don't know what this company is, but I
think that maybe they're pulling all the data to feed AI.
Well, okay. That's not I never thought. One of the things covered in the article too is that some of these public meetings or publicly listed meetings are things like recovery groups or faith-based conversations. They kind of have to be public in order to serve the population they're trying to reach, which is like, if it's a 12-step group, that's always been an open meeting format. It's always been anybody can show up.
Why would it be any different in a digital form than it is in a physical form? So with WebinarTV going and scraping all of this stuff, yeah, this is a huge deal. And, you know, who thought this was a good idea? The only thing the only I can figure in terms of how they're making money is by advertising.
Advertising or, like you said, selling the data to AI. Right? It's like that it's at the end of the day, this is data mining. Like, that's basically what this company does. Yeah.
On some level, like, you could argue, oh, it's YouTube, but it's like, it's not YouTube because none of these people the goal of this meeting wasn't to create content. Like, that's not, you know, that that's not how it works. People were just going to the meeting to be at a meeting, not to create content for someone else. So I don't know how this is legal. I don't know where they're based.
I hope they go away. But on their website, there's 221,000 webinars and searching. I did search for Black Hills. I didn't see any Infosec. Like, they haven't been in ours. They're not they're not in with us right now that I know of.
No. Not in
I'm looking around. Yeah, if you if you do a free webinar, definitely kick these kick these bots out. Free is not free. Free is not free. So we're kinda we're kinda quick firing, but the cookie article is pretty interesting.
¶ Story # 8: Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit
So this is an article, again, we're 404 Media. Basically, a company called
I wasn't laughing at you, Corey. Sorry.
I was laughing at you. X-ray you can laugh at me. It's okay. webXray published a report where they basically claimed that all the big tech companies are not enforcing cookie tracking properly. Essentially, the like, from a technical perspective, Google's you ask Google not to track you, and it's like, here's a cookie. I'm tracking you anyway, basically.
Have a cookie. You're gonna love it.
You don't want me to track you? Here you go. Have a cookie. And so essentially, all these companies have disputed. They're like, oh, no.
It's not. It's fine. It's totally tracking. I think the, you know, yeah, the GIFs and the results in the chat are basically exactly how we all felt before the show, which is basically like, are you telling me these big companies are potentially willing to take on fines just to track people because it's more valuable to just take the fines and, you know, get the data versus not ever getting the data? So, basically, we'll see how this plays out.
There are some pretty aggressive privacy laws in states like California that will lead to them incurring fines for this sort of behavior. But
Unfortunately, the fines are just a slap on the wrist for them. I mean, you know, what Google earns more than $100,000 in interest in an hour. So even if it's multiple millions of dollars of fine, there's no incentive for them to stop their behavior. Yes. And they money.
They probably will. I mean, I'm not a lawyer, but I'm assuming they'll be able to hire fancy enough lawyers to get out of this one. And I'm assuming they already hired the lawyers before they did this to make sure they could get away with it before they actually did it, so they don't have to pay retroactive fines. Basically, this is specific to California, but essentially, there's different regulations for businesses versus service providers. Ad vendors like Google and Meta and other people, they contract as service providers, not as businesses, and so they're exempt from a lot of these privacy things, I guess.
But basically, again, kind of depressing and a lot of data mining I and got I got a good article. Well,
I was gonna say the good news is, France is ditching Windows for Linux.
Another one bites the dust, That alright. It's like at least the fourth or fifth European country that's ditching Windows, so that's funny. Alright. What you got, Wade?
¶ Story # 9: Little Caesars Wants ChatGPT to Order Your Pizza for You
What you have, Wade?
Alright. Alright.
You guys ready for prompt injection pizza ordering?
Oh. Yes. Ready, dude.
I remember this one. Go ahead.
Little Caesars starting on the sixteenth. You can now order a pizza straight out of ChatGPT.
Nice. Oh,
no. I'm not saying this is a bad idea or a good idea, but, like, this is an idea for sure. So you can just you can have it order you whatever you want. We recognize this the the the the comment from the executive is great. Today's consumers are turning to Gen AI as part of how they search for everything, including where they get their next meal.
Okay. So I can see it now. OpenAI is gonna buy Grubhub.
We are the joke is, does this does it come with glue? Does the pizza come with glue? Who
is it? Wendy's? Wendy's little chatbot? I guess it uses Anthropic, and people were were injecting in it to get it to do other tasks, write code for it, all kinds of other fun stuff.
Using Sir, this is a Wendy's, but that being said, I will code you a full year from Punch to Labs.
Exactly. But, totally, let me let me take on that task that you've given me here.
You know, you wait for your
food, let's help build that website.
I I wanna I just wanna prompt and just see if I can get free coupon codes, or other things Like, like fake a scenario that was really bad, and see if they give you a coupon code.
Be like, you won't believe this. It was late again. It didn't make it.
Was late again. I need another, like, free order of this, you know? Yes.
I feel like you're gonna have to wave through a lot of agreements before you actually buy anything. Like No. Let's see.
Let's see right now. I'm gonna buy a $5 Hot and Ready. Are they still $5? I don't know.
In Not in this economy either.
Those were the days. I mean, you couldn't drive there for less than $5 in gas, man.
That's probably true.
So, Chet, you wait till order hot
California. We're gonna order some drunken pizza, and he'll It's get back starting. To It's looking. Little Caesars $5 Hot and Ready. Yeah. They're not $5 anymore.
Oh,
So couple other quick fire articles before we close. There's a lot of articles today. NIST published a blog or like a news update that they're basically going to start enriching, I don't really know what that means, but enriching certain CVEs, and I'm assuming the reading between the lines part of this is not enriching most CVEs. So essentially, they're basically saying, we get so many submissions for our CVE database that we can't handle updates and tracking on all of them. And so basically what they're saying here, and this is my interpretation, I could be wrong, is that they are essentially choosing a select subset of CVEs to kind of track and update and and actually keep track of, and other CVEs will not be as enriched as they previously would have been.
¶ Story # 10: NIST Updates NVD Operations to Address Record CVE Growth
So the gateways they're using for this are CISA's KEV catalog, CVEs for software used within the federal government, which is, you know, probably a lot more than you would think, but not as many as, you know, random Joomla CVEs or whatever. And then also CISA or sorry, CVEs for critical software as defined by an executive order. So basically, it's kind of a bummer in a way that, like, they're basically they're kind of waving the flag that HackerOne did, which is like, there's too many CVEs. We can't handle them all. So basically, I guess the other reading between the lines here is if you're a security researcher, I mean, you want a CVE to put on your resume or for whatever other purpose, you should probably focus on the software that is in this list that's, like, that's used within the government, that is in the CISA KEV catalog, and is, you know, software, important critical software.
Well, okay. They go ahead. No. It's all you.
Oh, I I was gonna say, I mean, according to this article, they're saying that the CVE submissions increased by 263% between 2020 and 2025. That's gotta be directly related to AI implementation. Definitely.
Yeah.
And, you know, that's even before AI, the CVE system was struggling because we don't really have the kind of support for analyzing and patching problems. And we mentioned last week about how, you know, HackerOne had the bug bounty program, but do we have a remediation bounty program? And we don't. So but the combination of this, yeah, this sorry. This sucks. I don't have a positive spin on this.
It's kind of a bummer of a week.
The remediation bounty is you gotta have a job, and you don't The get
bounty honestly, though, I feel like cybersecurity was, like, such a wave to be riding for the last, like, ten years. And then I feel like in the last couple years, it kinda slowed down, where we were like, nah. AI's gonna replace everyone. And I feel like my hope is that this year, that really swings back in the other direction, and everyone's like, never mind. AI's just creating problems, and we need to find people to solve those problems, like, now, or actually more like yesterday.
Yeah. So it's it's like, okay. Great. It's a nice idea that all of these AIs can can possibly replace cybersecurity experts, but the reality is that the increased influx of exploits and and the increased accessibility of being able to attack systems has wiped out any net gain that would have been received. Patterson, you could speak to this better than I can because you're seeing how it's hitting our SOC services already.
Whatever it is that these companies think that they're gonna save by firing all of their cybersecurity people, I'm gonna I'm just gonna say it out loud. I think they're idiots because there's no way possible that AI as it exists today can can ever address all of the things that face any organization that has a profile that could possibly be attacked by malicious actors. And if you're cutting your people and you're thinking that an AI can do it, well, AIs are great at tasks, but you need people, human butts in seats, who are doing jobs to organize and coordinate those tasks because there's too much.
Know, Bronwen. I think Yeah.
We're gonna develop it tomorrow.
I think you're way off, Bronwen. I have an AI that'll solve all the problems by just deleting the whole company. Yeah. It's easy. You could solve all cybersecurity problems.
That that is one solution. Yeah. You know? Unplugging and living under a rock is another solution.
I I mean, I totally agree with you. I think the the key thing that's still, at least as of today, is still true is that AI's gonna do something. Some things are gonna be smart, and some things are gonna be incredibly dumb. And you need someone skilled to to make the decision about which is which.
They're like drunk interns. They have really good hits and really bad misses, but you've gotta supervise them, and that's what you need the humans for. I also think and and I was thinking about this because I I wound up talking to a lot of of friends over the weekend about AI and prompt engineering and where things are going. And I think that in the long run, we're going to be seeing the ability to work with AI, prompt engineering, machine learning, data science, all of those things. These are going to be not just nice to have skills.
They're going to be required skills in Yeah.
Don't need to set up security, but in their minds. It's like the same thing as putting Microsoft Office on your resume. It's like it's not really getting you anywhere, but, like, you do need to know it. Like, that that really
is table
It's table stakes. 100%. That's a good point. Alright. So let's do our plugs real quick before we close. Patterson has an upcoming wait. What do you got to plug
the if you scroll to the bottom of the news, there are all the plugs
there. Read.
Alright. So here's the poems. That's not the
kind of thing you want to admit in public, Corey.
¶ Workshop: Rapid Endpoint Investigations for Linux and Mac
Come on. Is teaching a pay what you can workshop next week, rapid endpoint investigations for Linux and Mac. Important in the world of supply chains and developers and all these people getting compromised using AI tools they weren't supposed to be using. Patterson, do you have any other things you wanna plug about it? That's pretty exciting.
That was an excellent summary. Yeah. Super excited about it. Webcast this week on the subject for our pay what you can workshop next week. Just practical practical tactical skills for Linux and Mac investigations. So love to see you there.
Nice. That's exciting. Yeah. I mean, we've increasingly seen more and more clients asking us to do red teams on Mac and not so much on Linux. I'm assuming Linux is more like server based stuff, not endpoints, but or I guess it does say NICS endpoints. So for those Linux people out there, you can really probably harden your system a lot by following the onboarding.
Some French should be doing some clients on Linux too real soon.
Oh, good point. If you wanna Hey. If you're doing government work in Europe, you're gonna need to know Linux endpoints in the next, like, very shortly.
Oh, yeah.
¶ Cyber Threat Intelligence 101 2 Day Version
And then, Wade, you also have a workshop coming up not until May, but you're profiling Know Your Enemy.
Meagan, have
a talk.
What are you talking about?
Yeah. I have a talk and a workshop. I don't I don't remember when the talk was. It's on the calendar, but the talk is like how to read the news, which I find
Oh, I I definitely
should go to that.
You should well, you you should if you wanna guest star in it, because I know you you can I can't read secretly
come in
and we can just argue and yell at things? Then, yeah, I have No. That's for Ralph and I. Do have the $25 workshop on threat actor profiling. That is a full four hours, which will be super fun. And then I am teaching at the threat hunting summit. My CTI 101 class, but now it's two days instead of one Yes.
So twice the value?
Twice twice the fun, twice the value, I am sure. It'll be cool.
That's awesome.
Yeah.
It is crazy you can get some of this stuff for $25, or like, you know, even cheaper. That's insane. That's such a good deal. Also doing a webcast. Think it's next week, next Wednesday maybe.
¶ ANTI-CAST: How to Break Free from the Cybersecurity Burnout Trap w/ Natalia Samman
I'm not sure when it is, but I'm going on as a guest to Natalia's webcast, and we're gonna be talking about some burnout stuff. I did a burnout webcast when I first started at Black Hills back in 2021. If you go back and look at it, I didn't have a beard. I had short hair. Kinda terrible. Obviously, have to kinda re up the ante and get back in the modern world of burnout.
And there's a CTF where you have to find Corey's face in that photo.
Am I actually in there? No. I'm not in there, am I? Maybe I am.
I mean, that's that's the CTF, man.
That's the CTF. I'm the robot. Oh, no. Yeah. So see you all next Wednesday.
Not the walrus.
Hopefully not. Although, you never know. I'm just hoping it's not just like some kind of weird therapy thing where then I'm just like crying at the end of it. I'm like, I'm I'm so burned out. This is terrible.
We'll see. Look at the interview.
I might have to role play someone else. I'll role play Wade. I'll be like, I'm a new dad. I got terabytes of logs coming in. I can't wade through them all.
Dude, that that's me to a t. That's it. That's all you need to know. I mean, I
can't wade through
a I told you. You're not gonna sleep for the first two years.
Oh, no. I'm already sleeping. I'm fine. Babies already sleeping, like, six hour shifts. It's pretty nice.
I'll use that in my I'll use that in my That is my webcast.
I'll use that in my
I'll be like, nah. Sleep honestly, sleep is very important.
I I upgraded as a dad and got a garage fridge recently, and it's full of Red Bulls, so I'm I'm good to go.
You don't need that slow down. Sleep is just a garage. I have so
much sugar. I just honestly, I I got that
I'm Celsius too. The Celsius just make me feel weird. Like, I don't know. Don't know. Like
Yeah. Yeah. It's too much. I think Celsius is too much. That's for a person, like, I don't know. That's the thousand milligram edible of energy drinks. Yeah. Could Anyway. So I think that's all we got. Thanks all for coming. We'll see you next week. Have a good week.
Later, guys.
Bye bye. Bye bye.
