Tim Cook Announces Apple CEO Exit - 2026-04-20

research into that which one the browser one yeah just about like what i could get from a browser a browser right it's a lot but it's also not a lot you know what i mean it's like it's like on i don't know it's one of those some level it's not that sensitive that you're using you know the grammarly add-on or whatever but at scale at scale that's where i was gonna go yeah As soon as you get like the big enough, then you can sell it. Right. You can sell it. You can say, oh, I can tell you exactly who, what other, like, you know, one password. Oh, by the way, you also use your, you also use Bitwarden or like, did you know 70% of your users also have a VPN app or I don't know, something like that. You know, like, I don't know something. There's so many insights you could gain for sure. Yeah. That was really what I kind of came from that. Right. But. All right. So there's 420. Let's smoke some weed. Yeah, it's so high. We're never going to come back. Like are actually taken edible because who smokes weed these days? And we have all this technology at our. Isn't an edible like twice as potent though? Oh, no, it just depends. No, no, no, no. It depends. You can get it. There's no going back. That is the downside of an edible. Once you commit. You're there for the ride. You're in for the ride. y'all are crazy to talk about this on recorded live streams I wish it was six hours no it can be up to like 48 hours if you do badly enough 48 hours what the yeah if it takes you 48 hours to come down off of a high like that you've eaten any more than you should have trust me so the thing about this culture is that it's a high tolerance building drug and so the people who actually are chronic users need these absurd doses of edibles. And so if you're friends with someone who's a chronic user and they offer you an edible and it's like a 50 milligram edible, yeah, you're going to be gone for a couple of times. That would lock me up for a while. Yes, you're going to be gone for a while and you can't come back. It also depends on people's metabolisms and stuff. But yeah. When it comes to chemical uptake, inhalation is always the fastest. Liquid is faster. solid will take a little bit longer. And then suppository, the true fastest. Yeah. Oh. That's the only way to drink. I wasn't going to go there, but hey, it's you, Ham. It's you, Corey. I got you. I'll go there. I know. We know that's how Corey gets stuff done fast, right? That's it. That's all I have to do. The AI summary is going to be like, this is now for adults only. Exactly. Speaking of big companies wanting to moderate this at this point, they're definitely putting us in the M.A. mature audience only category. Yeah, I still can't get over it. I mean, I grew up in the day when it was the devil's lettuce, whatever, and walking into a dispensary and being able to legally buy stuff is still a trip. Yeah. There is a dispensary walking distance from my house, and it's across the street. from the police shooting range. Well, that's a way to keep people mellow when they're using firearms. Yeah, I mean, I live in Portland, which is like the most drug-focused city. It's like the greenest city known to man. Yeah, there's like billboard ads that are so funny. They're just like, you know, 90s fonts, and it's just like, good weed. has like no other context i gotta say that there's like no differentiating i like from my perspective there's no differentiate i i can't i don't know if anyone else can tell the difference but i'm like okay there's like 17 000 variants of the same thing i don't know so to those of you who participate happy 420 and for those of you who don't just watch out for the brownies okay stay home don't drive it's the same stay home don't go anywhere don't try to operate under the influence definitely don't use cobalt strike under the influence it's basically impossible yes pretty much Wow, that's a first. Am I the only one who didn't hear the awesome metal music? No. No, I didn't hear it either. If you're an audio listener, pretend like there was a really cool metal intro done by Bo himself. We don't know if they heard it. Welcome. It's April 20th, 4-20-2026. This is Black Hills Information Security's talking about news. I don't remember how to podcast now that I didn't hear the intro, so I am confused. They heard the music. They heard the music. I'm glad. I'm glad. I'm glad. Anyway. That's what's important. If they hear the music. The audience is what counts. That's more important than if we do. That's all that matters. So today we've got, we're living in a post-mythos world here, people. So everyone get your CVEs ready. Get your CVSS scores. Add one to them, as John said last week. And we're going to talk about the Vercel breach. We're going to talk about webinar TV, scraping Zoom recordings. We're going to talk about cookies, all kinds of cookies. And if you're here for 420, you know what kind of ones we're about to talk about. And I think, I don't know, just some fun things happening. So I guess let's start with Vercel. It seems like the highest profile thing. Wade, you said you've been working this one, just in it. Is it bad? How bad is it? Just throw me out there. Gosh. No, like we weren't affected. I don't know if I'm allowed to say that on stream. But... Well, I think you just did. Okay. Okay, more importantly, what is Vercel? Wade, what is Vercel? What does it do? Yeah, that's what took me a while to figure out too. I think Ralph knows Vercel better than I do. But I do know secrets can be stored in Vercel. And secrets now must be rotated that were in Vercel. There was a flag in Vercel that said if it was sensitive, you were cool. If it wasn't sensitive, you weren't cool. You needed enterprise level Vercel in order to have logging, which is a recent thing. Oh, wait. Vercel is a cloud AI company. No, hold on. Everyone's a cloud AI company, according to them. Okay, yes. Bronwyn, you are correct. Everyone is a cloud AI company, 100%. Well, no, no. I went to Vercel.com, and right away it says build and deploy on the AI cloud. Come on. That's the same thing it says on allbirdsshoes.com. Anyway. Yeah, but that's only because they shifted over from shoes to AI, which makes no sense whatsoever. I can't wait till Skechers does it too. What Vercel is, is essentially it's a hosting service for front end. Platform as a service. Yeah, yeah, right. They're a hosting service for front end frameworks, right? So if you have a website and you want to, you could host it on Vercel. We personally use Vercel for my front end, right? So they host the front end of the website. And then the backend, which is the API, is hosted totally somewhere else. So when you... Now, that's not how everyone does it. If you have a node-based application, you could have the frontend and the backend in the same application, and Vercel will gladly host that for you, as well as many other services that can do that, including Cloudflare, just to mention a few. But Vercel is one of the most popular for doing it. There's also a couple other ones out there that are pretty popular for these deployments. But where the security side comes in is that you can obviously upload environment variables. Now, those environment variables can be used within your front end application. They can be used within your back end application. However, you know, it pieces in there. Vercel does more than just website hosting. I'm using air quotes here because it's a bit more complex, but they also do a lot of other things. But the idea is that when you do deploy one of these web applications or one of these web frameworks, that you're probably going to have some environment variables that you want to access in real time. And if you didn't mark them as secret, then they could have been exposed in this particular breach, according to Vercel. So sensitive is technically what they say, not secret. But yeah, basically, it does. Interestingly enough, on the write up, it says that it originated from the compromise of context.ai, a third party AI tool used by a Vercel employee. So this is like that AI supply chain thing that everyone's paranoid about, rightfully so, is if you use these sketchy third party AIs, does anyone know anything about context.ai? Is this just like some random, is this reputable? Or is it like if you just go on the Google Chrome extension store and search AI, it's like the third result. So it's going to work back to one of our favorite things. But so Context AI got hit. They then pivoted to that user who then they escalated privileges via Google Workspace. And then we're able to do stuff, right? if you go look at some steeler logs and there's some context ai creds that got taken a picture of yeah so there's a couple pictures of that yeah so it also could be next js i guess i mean who knows there's been so many supply chain type compromises so it's a reputable company but they aren't appropriately doing ai or they aren't appropriately doing credential management stuff with info stealers. It looks like Hudson Rock actually said that like there, which for those that don't know, Hudson Rock is a commercial info stealer provider similar to Flare. It looks like they actually said publicly that, you know, they think it was stealer. Somehow Roblox auto farm scripts. So it's like, OK, here's the supply chain. An employee at Complexity.ai was apparently doing Roblox hacking on his work machine. Bro, man. or on his home computer, on his home computer with his credentials synced. So that's bad. Then we have the employee at Vercel was using Complexity. or Context.ai, which I guess is that, was he, or were they allowed to be doing that? We don't know. But my assumption is most companies that are small and Vercel's probably small aren't really controlling what third-party AI tools people, employees are using and that has supply chain risk associated with it. So yeah, If you're a CISO listening to this, don't let your employees install whatever AI tools they want, no matter how much they beg, scream, and cry. If, and then if you're working this as an IR person, they do allow you to pull down logs for 90 days in the CSV, all the audit logs, and then you can work it from there. Good old, good old grep. Good old grep. You gotta wait to those logs. If you are going to put environment variables, save them as sensitive, make sure you're marking any AI keys as sensitive or secure or whatever they call them. Every platform has got different ones. Don't use environment variables. Don't do it. There's tools out there. People have been asking me this question a lot. They're basically like, okay, so you have to use environment variables sometimes. There's a lot of cases where they make sense. But basically, in security, we deal with the trust boundary. Environment variables are only good on one computer for one trust. That is like everyone on the computer can now read those environment variables. So if there's any untrusted programs running on that same computer, they're compromised, right? So like, you just have to keep that in mind and you don't put sensitive things in environment variables wherever you possibly can. There's like, there's tools like 1Password and other secrets managers that can dynamically pull credentials from without storing them in environment variables. Yes, so I want to push back on that because there's a couple of things that when you actually implement that, you still have to have that key somewhere on the host in an environment variable, even with 1Password or whatever you want, right? you can dynamically pull them all you want. The hope or the benefit is that you can rotate them. That's really more important. You can rotate them and you can audit who's accessed them, by the way. Well, somewhat, yes. But either way, the idea that if I have all of my secrets in a password manager- That they can't be compromised? That they can't be compromised. That's not true. Yeah, that's not true. And not to, I'm pushing back on the idea that environment variables are the only- Are inherently bad. Yeah, no, they're not. They're inherently bad. They're not inherently bad. Inherently bad. But the better ways to do it, right, where you actually do implement, because I've had to think about this in process flow, about like using 1Password to pull environment variables in to keep it the most sensitive as possible. The thing is, is that key for 1Password does have to exist somewhere on that remote host. Yeah, yeah. Programmatic access you have to facilitate somehow. And that key is going to have to get scoped to the specific amount of variables that are required, just the minimum required for that application. Well, if as an attacker, I have access to that key, I totally can retrieve those variables on demand right from 1Password, right? So it doesn't necessarily stop that attack path. But what it does allow you to do hope and benefit is that you can revoke those faster without having to go into Vercel and change every damn one of those environment variables over and over again, right? So it allows you to one click, essentially rotate all your keys without having to go fight across all of your... All right, Ralph. Doesn't Bitwarden or someone else have that too? Okay, just stop saying 1Password. Well, actually, if you want to know what is kind of the real standard for this, it's actually HashiCorp Vault. That's the one that most people use. Like, no offense to 1Password, but like in most deployments, people are rolling their own HCV instances that are using HashiCorp. Yeah. Well, actually, so 1Password's offering is pretty good. They actually have two different ways to access that. You can use CLI, and then they have a full API-based setup where you can actually essentially like dole out a special server that would only be accessed through maybe a specific kind of network. So it's not even just through 1Password and it has a whole token management system to allow you to kind of like do a middle piece in there. So you can broker that access to 1Password while not actually even exposing the interface that is required to access that key. I want it on the record that I am not a corporate shill. I feel like we've crossed over into where Ralph knows more about 1Password than Wade does. Oh, without a doubt. Without a doubt. I definitely know OP, right? Like, I have it set up in several places. But, like, I'm over here defending things, not setting engineering up. Yeah, yeah. That's the one thing, right? No, totally there. Dude, if you ask me to run the sock at BHIS, I don't know how the heck to do that. Someone else can figure that out. Anyway. Yeah, I think the, from my perspective, the IR, and Patterson, feel free to jump in here. Rolling secrets. this is going to be the like number one most used ir playbook of 2026 right like like is there anything any advice you'd have wade or patterson on how people can get in the practice of being better at rolling these secrets and like is there any tips you guys have that could help like with this ir process wow that's a loaded question yeah make a plan before you before you're in the midst crisis that would be priority one that's such a sprawling sort of unique snowflakey i mean listen to us argue about our process moments ago my yeah my most significant recommendation is i totally agree rotation of credentials is you know it it playbook i don know i think last year maybe it was playbook number two but i think you right With the forthcoming it be playbook number one and sleuth out where your creds live have a programmatic way to rotate them quickly and efficiently And once you accomplish that, of course, you should test it. And then you're golden. Well, you're not golden, but you're much better off. You're ready to react quickly instead of just being like, what credentials were compromised? Where do they live? What do they do? if we roll them how much of our production environment breaks exactly yeah that's the thing right i was gonna say a lot of credentials are moving to to like a mandatory expiration date as well yes so that everything should be honestly that's like that's a good thing you can set now before a breach happens is just set everything to expire every three to six months or whatever interval you choose and then you have to get in the practice practice of rolling you're gonna figure out how to automate your way yeah exactly yeah it's like you know if if you have users that are getting breached which you do and you have password expiration you have mfa and you have like you basically have to set yourself up in a place where guess what your developers are putting your api keys into chat gpt into anthropic into context ai cursor freaking deep seek whatever it is and so you have to it's you're better off just assuming those credentials are breached all the time monitoring them for suspicious activity and rolling them on a regular basis versus being like no this is the secret break glass key that lives in the you know secret place and no one can ever access it like yeah yeah I do think the playbook a really good one is is to honestly just design rotation into your implementation and I think you really help yourself out you know when they do get exposed so and if you're using variables right it's easier to do that because all your passwords are going to be in a centralized location and usually you can you can interact with them programmatically so yeah and also setting limited scopes like basically secrets management is if you do it well it's going to be a pathway to the end of 2026 without a whole lot of pwnage if you do it poorly you're going to get popped like it's this is not the first and it won't be the last where environment variables are leaked and blah, blah, blah. There's all the other ways that environment variables can leak, by the way, or be exposed. You know, we're talking about like browser harvesting and program harvesting. Like just assume any program running on your computer can read your environment variables. And there's a lot of programs running on your computer. And they, so like, just keep that in mind. Anytime you export something, it's... Yeah. This is the Steeler Logs playbook, right? Or the, you know, npm malleable pack malware whatever you know yeah sure totally alright what else happened I guess we can talk about a certain teenager who the guy who compromised power school this is a breach we talked about when it happened but there's this pretty interesting long article in ABC News about his experience and I don't know it's kind of like I feel like it's been a while since we've had these a high, a big deep dive into the character of a hacker. And it's kind of interesting. I mean, we don't have to go through the whole article, but it's worth a read. I think it, it basically, for me, really reiterates how much these online hacking communities impact these young kids, right? Like they basically take over their world and really suck them in and make them think and feel that they're, you know, living a very glamorous, rewarding life when in reality, They're just kind of the fall guy for a big cybercrime situation. So this person, his name is Matt Lane, Matthew. So he so he's he got sentenced to four years in prison and basically on his way to prison. I guess he'd already done six months and this was a sentencing hearing. But essentially, he did an interview with ABC News kind of talking about what the life was like and what he did. and he sounds, at least in the article, he sounds very remorseful and the kind of funny thing which we'll talk about at the end is he's like, I hope I get a cybersecurity job. Maybe he will, maybe he won't. I guess we'll see. Please submit your resume to BHIS and we'll interview you. The Darknet Diaries episode will be out shortly, I'm sure. Yeah, wait, really? That's a guess. If he's willing to talk to ABC News, there's no... That's fair. Yeah, which unheard of, like usually we don't hear like this almost seems like a play for right at least for me to to make him look good which he he does seem honest and truthful but you don't hear about this too often about them no these are rare these are super and then like it's just like we've talked about before and like in the uk right these kids have been picked up over and over again but they're they they keep it a secret and like hush them and put them away yeah identities completely which is Also pretty cool, I think. But without a doubt, he's going to get a job. Yeah. And of course, where did he start? Roblox. Roblox. Roblox. I mean, I think it's, I don't know. I think it's really just a matter of people who feel like outsiders tend to look for communities where they fit in, regardless of whether it's cybersecurity or, you know, terrorism, whatever. Pick a, it could be just a lot of people fall into sports or into, you know, like, things that are more normal ways of fitting in, I guess. But in this case, you know, he got sucked into a community that was kind of pushing him in a bad way. I mean, this is the same thing that happens for most kids who end up as criminals is they get sucked in with people who are older than them and kind of take advantage of them in a lot of ways. I think one of the big differences in this case, too, is that most people typically don't get caught. Right. He was just used as a scapegoat or not a scapegoat, but they essentially like a patsy and this. Right. They just used him to to not get caught. Right. And so I think we're going to see more being made an example. Yeah. Yeah. And I think we're going to see more and more of this, though. Right. Because essentially what happens is, is that MGM or whoever gets hacked. Right. MGM was mentioned in this article as well. Right. They want a lever to pull. They're not going to go to, you know, North Korea to get it. So they're going to take it out on the U.S. assets that were used to leverage that attack. right and so i think yeah so right it the one of the interesting kind of notes from this is like the impact is definitely higher so with the power school thing we talked about it in the i think on the show like the there was an initial breach and they actually did a ransom demand and they got the ransom payment of three million dollars but then there was another ransom demand sent to all of the individual schools so basically like in this scenario someone gained access to whatever server they exfilled all the data to, you know, whether it was someone trusted or not, we don't know. But essentially, they like got the data, a copy of the ransomware data set. And so, you know, it's kind of a poster child for why you shouldn't pay the ransom, because there's no guarantee that someone else hasn't accessed that data and can use it to continue to extort and do bad things. I mean, on some level, obviously, there's credibility lost, but it is like kind of interesting sort of sub plot is like the fact that they he unfortunately other people even if he like has remorse and feels bad other people have the data too and can continue to sort of drive impact from it even if he doesn't want to do that other people still can it looks like they're looking for someone else you know they're looking for other people in connection with these crimes in addition to him yeah that example piece to stop that from happening again right from other people being like oh think about this. But I will also flip the coin one more time and just say that his age, right, being young and just impressionable and willing to do these things. I mean, people at a young age, including myself, have done stupid things that maybe you regret or maybe it was just unsafe. Right. And this is one of those examples, you know, at a younger age, taking taking advantage of people who are younger, you know, to. Yeah. Fifteen year old. And like, yeah, when I was 15, you could have convinced me And unfortunately, Roblox has been a known resource for radicalizing young people, especially young males. And not just for hacking. It's used for radicalizing young men for all kinds of unfortunate and sometimes violent purposes. I mean, the fact that he only went into hacking. yeah he may get a career out of it someday when he gets out of prison but yeah they talk about that in the news in the ABC article too that like Roblox is basically there's a couple uplifting parts of the article like one there's a couple programs that actually go out and try to you know recruit people into a community that's you know fostering positive things instead of you know kind of similar to what our community does obviously we don't go out and recruit people on Roblox but There's something called the hacking games that's like, you know, basically Roblox based positive version of this community. The other thing that they mentioned is that Roblox specifically says they've hired several young people to help secure their systems after they participated in similar programs. So like the if you're out there listening to this or, you know, watching and reading the article, realize that there is a pathway to use your skills for good and to get paid for it. right? Like, you know, you might get a job at Roblox, you might get a hacker one bug bounty payout, like go the good route. If they ever resume bug bounty payout. Well, no, they're still doing payouts, they're just not taking submissions, so. Ah, okay. But yeah. When they resume, well, you could still submit directly, but yeah, anyway, basically the concept is there is a good and an evil version of this story. I think four years is fair to me, like, that's like enough time that he'll definitely have, you know, hopefully some time to think about what he did, but also not like 10 years, which is just like a criminal graduate program where you just go and learn how to be a really good criminal. So I don't know. We'll see what happens. But he does have $14 million in restitution to pay to victims. So when he goes to get his first cyber security job, he'll be like, my salary demands are quite high because my restitution demands are also quite high. I gotta make 14 million dollars a month sorry so we'll see how that goes salary's kind of high but you know salary's kind of high but it's only one month and then he goes back to prison you have to pay interest on that probably dude I'm assuming the system is set up to completely block anyone from actually being reformed and just put them into a cycle of re-infracting does bankruptcy apply here does bankruptcy not apply to restitution i don't know i don't know i don't we need we need to get it under a different these are adult questions dude this isn't that kind of show yeah fair enough all right so next we can talk about mythos after i mean i don't know for me we i guess we talked about it last week like i've still had a lot of customers asking me questions about it john did a big linkedin post about it which we'll link to if you guys if anyone didn't see it but basically it's kind of the sentiments that we echoed last week on the news, I think the answer to Mythos is basically twofold. One, it's definitely hype. There is some hype tied into this. Anthropics trying to maintain their relevancy, and that's just part of this. But also, piece number two is some of the claims and things are real. And I've been telling customers, you have to assume something like this is going to exist in the next, you know, short future. We don't know when or how, but if they're basically advertising this capability, that means all the other AI companies are short, are close behind. And that includes DeepSeek, right? Like what was the, what was the distance between the like GPT-4.0 release and DeepSeek release? Like, does anyone know that off the top of their head? It was probably like, was it three months, six months? Yeah. Like I forget. And the timeline is so small for all of them right now. It's shorter than you think, basically, is what I've been telling clients. This kind of a vulnerability crusher AI will exist in the next three to six months. And publicly so. So basically, get ready for that. And so I guess the other follow on article to this is that Anthropic did release Opus 4.7. Yes. Well, OK. so yeah the opus 4 7 release is actually really interesting specifically because opus 4 7 now has specific gateways and gatekeeper stuff built in for cyber security abuse so basically opus 4 6 if you just told her you were an authorized if you just told her you were an authorized pen tester it'd be like oh all right what are we doing are we hacking china let's go opus 4 7 supposedly has better, more gateways built in that will basically force you, hey, you know, this seems like you're doing something unauthorized. And it has its own verification model at the account level. So there's also Anthropic Drama where they're requiring identity verification for their accounts, which we don't, I don't know if we have an article source for that. Someone could probably find it, but they're requiring KYC verification for all their accounts. And in Opus 4.7, you'll hit that limiter more often of it being like, hey, it seems like you're trying to do bad stuff. For all I said, Black Hills, if anyone's curious, you can get authorized. So you can basically tell Anthropic here, we're a pen test company, we're authorized and they will allow, well, they'll take down those gateways. But I feel like that's a pretty good way to reduce abuse. Obviously, it's kind of a moot point at this point because you could just use 4.6, right? You could just be like, all right. And 4.6 is actually better in some ways, in some regards, but the point yes if if you go back up to the table megan it it shows technically opus 4.7 is actually worse for cyber security by like 0.3 percent or whatever so if you look it says there's one for what is it cyber security vulnerability reproduction 4.6 was 73.8 and 4.7 is 73.1 so it's 0.7 percent worse yeah they did it on purpose they nerfed it a little bit i watched a bunch of like people essentially digest the numbers here. But the one thing going back to what you said, Corey, is that we are still on the continual march of improvement. Yes, it's going to happen. And it's like, it's so fast that like, you know, when is, you know, I keep thinking about like, when is Opus 5.0 going to come out? And like, honestly, it could be four months and that could be like on the extreme version of it. And ChatGPT could come out with something even faster. And you know that, yeah, so it just keeps going. It's like a steady march. I do want to say one last thing, though, about the essentially the gatekeeping of cybersecurity. Open AI was a lot worse. Like if you asked it to do something, like, no, I can't do that. I can't do that. Like it really gate kept a lot more than Anthropic. And now Anthropic's kind of catching up, even though arguably sometimes it gets super annoying, even if you're not trying to do something malicious, right? Just kind of do something related. Eventually it gets to the point where it's just like, I'm going to not help you with this stuff. And you know what's going to happen in that case? Models are going to show up that will help you with that. Correct. There's going to be obliterated models and hugging face models and deep seek and mistral and all these other quen. And there's Chinese models. There's no way. But my point is, and is that there's no way anthropic or open AI, no matter how great their frontier model is, is going to stop what is coming. Right. Yes. A hundred percent. They are just in the front. That's all. Yeah. No, 100%. I linked to the verification program if anyone's curious in Discord, and the next article we can kind of dovetail in is the KYC verification Anthropics requiring this It not super clear when they going to start requiring this or what the rollout going to look like They basically just posted this and now everyone's salty. But essentially, the bummer here is that they're going to use Persona, which is a company that has taken on a lot of investment from Palantir and Peter Thiel and those sorts of shady folks. And Persona has also had issues with cybersecurity in the past. I will say, I think the issues they've had are very overblown. Like, people's concern, like, you know, they had some issues with them exposing the source code, I believe, for one of their government identity verification systems and, like, the way that the authentication worked and stuff. To my knowledge, they haven't actually had any exposure of, like, the identities themselves yet. And it should be noted that this company persona is also, they seem to be kind of the standard in silicon valley that's what discord is using that seems to be what most companies are using so it's not really out of band also by the way open ai is doing this too yeah if our parents are you know if our parents are open ai and anthropic they're both doing it and so we probably just have to roll with that i would say get ready for kyc across the whole internet it seems like yeah that stuff is coming across different pieces different different market And mainly different laws, right? In different states. It's all kind of moving that direction. And most of these companies, they're in a business, shocker, to make money. If KYC is what they have to do to stay in business, that's what they're going to do, right? It's just a huge bummer that we can't have a government-backed, like actual state-run KYC that like uses the, like they already have my passport, dude. I already like, you know, answered a bunch of questions and gave my fingerprints away. And some guy touched my butt. No, I'm just kidding. but yeah i'm already a u.s citizen that was way different man i don't need that well listen okay i went to an appointment and i'm like whatever happened happened way cheaper than normal that's what yes it was discounted now we know why it's a benefit of my credit card all right so basically i mean the point is the government already knows who i am has my identification documents they like can they not just give me like an ssh public key or whatever Yeah, that's that right. Like some private private public key system or like why? Why hasn't there any been any blockchain like blockchain technology behind it is pretty cool and can track things. Why aren't we using that in the like production? It's a bummer. I said NAI. That would be perfect. Dude, are we about to make a company again? Another one? No, no, no, no. We've already we've already made one company. We don't need to make another. the i think like i think there are companies or countries what is it estonia i want to say off the top of my head that like has like a full digital identity system that's nationalized and has like voting based on that system like i don't know it's one of these like small countries that you've never heard of but they have like 10 gig internet and really good tech i don't know it's easier to do at a smaller scale i mean totally they yeah and they probably have a lot fewer than what, 360 or 400 million citizens, whatever we're up to these days? Yeah. I mean, you're not wrong, but still, that arguably also means we have immense amounts of resources available to create systems like this. Yeah, if we have the will. That's the bottom line. Breaking news. Breaking news! We got Tim Apple stepping down at Apple. So now he's just changing his name to what? Tim? Tim. What? Tim Apple stepping down? Tim Cook is stepping down after more than a decade. It's probably because he asked Siri whether he should leave. And she was like, yes, leave. Yeah, she was. She was. Don't let the door hit you in the ass on the way out. Honestly. So word on the street is they're finally going to come out with a new Siri this year. I mean, OK. That's just powered by ChatGPT. Yeah. Yeah. So. Well, no, no. No. So, okay. Hold on. Hold on. So, first of all, for those that have been living under a rock, it does seem that he's, we don't know, but Apple hasn't been doing super well in AI to the point that I know several people in my personal life who have, like, seriously considered switching to Android just because of how bad Siri is. And that's totally valid and fair. Hold on. And he's been unable to correct that. Would you say, Raul? Not to say that everything you said about Siri is not correct because all of those things are correct. Is Alexa just as bad or is it better? It's worse. Yes. And they came out with an AI version and whatever, right? I think it's tough for the non-made AI to companies that came out with those original voice assistants to move into it. They just pushed Gemini to Google Auto. Oh, yeah. And it could not play any of my songs. I was like, Alexa or Google play Toy Story storyteller on YouTube as I'm driving. And then it plays like some random thing. And I'm like over and over again, I'm like, you know, I'm just going to do this myself and hopefully don't get in a car crash. But yeah, well, OK, so and by the way, before, you know, obviously we haven't even read the whole article about Tim Apple stepping down, but they did actually partner with Google. That's who they chose as their AI partner. So in iOS 26, which was last year's release, they have like chat GPT integration. And as an iPhone user, I always use it, but it also ties not in. It doesn't tie in anything. But every time I use it, I'm like, ask chat GPT basic question and it can answer it. That's as far integrated as it is. That's pretty lame. So they did partner with Google to get a Gemini model to basically hopefully correct some of the issues they have. Who is John Ternus? That's the person they chose as the replacement. Or Ternus? I don't know how to pronounce that. You Google him, he says he's an engineer and an executive, which... So he's VP of hardware engineering, and then he's VP. Right, which sounds pretty cool, to tell you the truth. Like, if someone were to shake it up... I will say, their hardware might be their strongest department, honestly. Like, you really, if you're comparing the iPhone hardware to other companies, that's what everyone sets the bar at is like the actual physical characteristics. And if you look at the laptops, it's kind of the same thing. They were super pioneering when it came to the Apple Silicon stuff. So I think it's a reasonable. So just to just to put it out. So AI is cool and awesome, but the hardware is how we interface with it. And Apple definitely dominates that market space, especially from the handheld. They're over 50 in the US and all this other fun stuff. So they're not going anywhere anytime soon, regardless of how crappy Siri is. Or maybe that it proves to be. But yeah, they're definitely a dominant piece in the glass that we get to see, right? Totally. Yeah, and that's not going to change. I think there was an interesting video the other week about how Windows laptops are kind of in a weird spot right now where you have Windows, which is Microsoft, then you have Copilot, which is also Microsoft, and then you have a bunch of laptop manufacturers that have to figure out how to work with Copilot and Microsoft or else they're not really included in the whole party these days because like Windows now requires you to have all these co-pilot ties. You have to have a co-pilot keyboard. You have to have a co-pilot button on your keyboard. So basically... Just to be like a Windows computer. Yeah, just to be a Windows computer. So like basically for a Windows laptop to be really good, all these companies have to work together and do well. For an Apple laptop to be good, it just has to be one product from one company. So I don't know, we'll see. We'll see. while we're speaking about windows we can talk about new concerns with cyber security around windows recall which for those that don't know the coolest feature they ever added i can't wait yeah well so recall so recall was a really cool feature that was designed like with the release was it windows 11 or windows it was like in it was yeah in one of the updates for windows 11 because this is years ago yeah years ago this is september 2024 wow that feels like 10 years ago in the world of ai it that was that was so long ago but basically it was a feature that would essentially record your screen and let you go back to a previous time yeah all the time so as you could imagine they rolled it in an incredibly insecure fashion at first and everyone was like please no can you not do that and there was a you know people were publishing tools that would extract all the data from it it was a fun little time and now i guess they're trying to re-release it i i assume and not all the security vulnerabilities have been fixed that's my assumption what about the whole thing being just one big vulnerability like that's yeah like everything that there is that sending it off to i don't know who like who would use this who's the primary user of this that one person who's like green and let chat gpt look at it too so maybe that's it maybe it's from the AI perspective that the AI destroyed your laptop so much that you got to recall back to a time beforehand. Yeah. The new version of Windows Restore. It's just one prompt. It's an AI prompt that restores all the files. It's just a markdown file that says, this file lives here. This file lives here. I don't even know anyone who uses backups personally, like in their personal setups. I use backups. I don't know any... I don't know any like non-techie people will say that like normal normies yeah that's like i can't see anyone i can't see anyone using this and then from a corporate perspective like i understand it i'm wondering if this it could be used forensically but why you wouldn't need it right it could but like would you even need it if you if you have access to it would you're a decent forensicator i would think not i don't think you would need it though you would just like run your normal like end case or anything to pull everything off of it you wouldn't have to use recall so yeah i was thinking i mean it is it could give you a ton of insight into like it's basically a screen recording of everything the user was doing right so it could give you way more insight than any of those forensic oh yeah flat out when that used they say recall stores messages, things on your screen, emails, documents, browser history. If you're using the computer and you've got recall on it, it's recording everything. With the right DLP software, though, I have all that, too. That's the thing. That's fair, but I think the biggest thing is just, no one asked for this. No one actually needs this. No one wanted this. Right now, everyone's fighting the battle of all their employees want AI, And they have to figure out how to get AI into their company without screwing up security. None of their employees are like, can I get Microsoft Recall? No one wants that. My favorite use of this is when someone calls in and says their mouse was moving by itself. And I'm like, all right, let's go check it out and recall. And be like, no, it's not moving. You're moving. We can see. Your use for it is just proving people are dumb. There's way better tools for that, man. yeah but if it's a recording we could prove it to him don't move my icons that's exactly how i like it my icon that's an oldie an oldie but a goodie yeah speaking of creepy recording of things that shouldn't be recorded 404 media published an article about this company called webinar tv which their mo and this is just as a business model insanely creepy their mo is to enter publicly accessible Zooms using a bot and then record them and transcribe them. For whatever reason, they're doing this at scale. I don't think anyone really knows why. The article doesn't really cover why. I can't really imagine why. But here it is. Basically, of course, because public Zooms are public, some of the information in there probably shouldn't be public. And, you know, they give some examples in the article like Graves Disease and Thyroid Foundation patients support groups for like one of the funny ones is like nudist support group it's like I have to wear clothes guys it sucks like basically that it's recording this data it's not super clear why it is but it's claims that they've hosted over 200,000 webinars I don't really know what their business model is but it feels like from a privacy perspective like do they have any lawyers that have ever even thought about this for more than 10 seconds. Like I cannot imagine the amount of PHI and PII. I mean, I think the biggest thing is like if you're going to some of these webinars, just assume it is, you know, being recorded. Yeah. Being recorded by someone, change your name to something anonymous, maybe hide your face or don't show yourself on camera. I don't know. Or just it sucks because it's like the companies that are putting on these webinars aren't really trying to do this. They're not trying to make it you know cyber security problem but they are yeah and so yeah then basically they're also interestingly enough the the webinar will actually like register they can registrate or they they have people that are registering for these sorts of things and like actually submitting like forms and things to get into some of these webinars so it's like i don't know it's basically super creepy i don't know what this company is but I think that maybe they're pulling all the data to feed to AI. Well, okay. That's not my first thought. One of the things covered in the article, too, is that some of these public meetings or publicly listed meetings are things like recovery groups or faith-based conversations. They kind of have to be public in order to serve the population they're trying to reach, which is like if it's a 12-step group, that's always been an open meeting format. It's always been anybody can show up. Why would it be any different in a digital form than it is in a physical form? So with Webinar TV going and scraping all of this stuff, yeah, this is a huge deal. And, you know, who thought this was a good idea? The only thing I can figure in terms of how they're making money is by advertising. advertising or like you said selling the data to ai right like that it's at the end of the day this is data mining like that's basically what this company does yeah on some level like you could argue oh it's youtube but it's like it's not youtube because none of these people the goal of this meeting wasn't to create content like that's not you know that that's not how it works that people were just going to the meeting to be at a meeting not to create content for someone else so I don't know how this is legal I don't know where they're based I hope they go away but on their website there's 221,000 webinars and searching I did search for Black Hills I didn't see any infosec like they haven't been in ours they're not in with us right now that I know of I'm looking around but yeah if you do a free webinar definitely kick these bots out free is not free free is not free so we're kind of we're kind of quick firing but the cookie article is pretty interesting so this is an article again we 404 media basically a company called when i wasn laughing at you cory web web x you can laugh at me me It okay Web X published a report where they basically claimed that all the big tech companies are not enforcing cookie tracking properly. Essentially, from a technical perspective, you ask Google not to track you, and it's like, here's a cookie. I'm tracking you anyway, basically. have a cookie you're gonna love it you don't want me to track you here you go have a cookie and so essentially all these companies have disputed they're like oh no it's not it's fine it's totally tracking i think the you know yeah the gifs and the results in the chat are basically exactly how we all felt before the show which is basically like are you telling me these big companies are potentially willing to take on fines just to track people because it's more valuable to just take the fines and, you know, get the data versus not ever getting the data. So basically, we'll see how this plays out. There are some pretty aggressive privacy laws in states like California that will lead to them incurring fines for this sort of behavior. But unfortunately, The fines are just a slap on the wrist for them. I mean, you know what? Google earns more than $100,000 in interest in an hour. So even if it's multiple millions of dollars of fine, there's no incentive for them to stop their behavior. Yes. They probably will. I mean, I'm not a lawyer, but I'm assuming they'll be able to hire fancy enough lawyers to get out of this one. And I'm assuming they already hired the lawyers before they did this to make sure they could get away with it before they actually did it so they don't have to pay retroactive fines. Basically, this is specific to California, but essentially there's different regulations for businesses versus service providers. Ad vendors like Google and Meta and other people, they contract as service providers, not as businesses. and so they're exempt from a lot of these privacy things, I guess. But basically, again, kind of depressing and a lot of data mining and tracking. I got a good article. Well, I was going to say, the good news is France is ditching Windows for Linux. Another one bites the dust, eh? It's like at least the fourth or fifth European country that's ditching Windows, so that's funny. All right, what you got, Wade? What do you have, Wade? All right. All right. You guys ready for prompt injection pizza ordering? Oh, I've been ready, dude. I remember this one. Go ahead. Little Caesars starting on the 16th. You can now order a pizza straight out of ChatGBT. Nice. Oh, no. I'm not saying this is a bad idea or a good idea, but this is an idea for sure. So you can have it order you whatever you want. We recognize the comment from the executive is great. Today's consumers are turning to Gen. AI as part of how they search for everything, including where they get their next meal. Oh, no. I can see it now. Open AI is going to buy Grubhub. The joke is, does it come with glue? Does the pizza come with glue? Who is it? Wendy's? Wendy's little chatbot. I guess it uses Anthropic and people were injecting in it to get it to do other tasks, write code for it, all kinds of other fun stuff. Sir, this is a one news, but that being said, I will code you a fully functional app. Exactly, but totally. Let me take on that task that you've given me here. While you wait for your food, let's help build that website. I just want to prompt Injustice to see if I can get free coupon codes or other things like that. Like fake a scenario that was really bad and see if they give you a coupon code. Be like, you won't believe this. It was late again. It didn't make it. Late again. I need another free order of this. You know? Yes. I feel like you're going to have to wave through a lot of agreements before you actually buy anything. Let's see. Let's see right now. I'm going to buy a $5 hot and ready. Are they still $5? I don't know. No, not inflation. Not in this economy. Those were the days. I mean you couldn't drive there for less than $5 in gas man that's probably true Wade's gonna order Wade's gonna order some drunken pizza and he'll get back to us it's starting it's looking Little Caesars $5 hot and ready yeah they're not $5 anymore darn so couple other quick fire articles before we close there's a lot of articles today nist published a blog or like a news update that they're basically going to start enriching i don't really know what that means but enriching certain cves and i'm assuming they're writing the reading between the lines part of this is not enriching most cves so essentially they're basically saying we get so many submissions for our cve database that we can't handle updates and tracking on all of them. And so basically what they're saying here, and this is my interpretation, I could be wrong, is that they are essentially choosing a select subset of CVEs to kind of track and like update and actually keep track of. And other CVEs will not be as enriched as they previously would have been. So the gateways they're using for this are CISA's KEV catalog, CVEs for software used within the federal government which is you know probably a lot more than you would think but not as many as you know random Joomla CVEs or whatever and then also CZA or sorry CVEs for critical software as defined by an executive order so basically it's kind of a bummer in a way that like they're basically they're kind of waving the flag that HackerOne did which is like there's too many CVEs we can't handle them all. So basically, I guess the other reading between the lines here is, if you're a security researcher, and you want a CVE to put on your resume or for whatever other purpose, you should probably focus on the software that is in this list, that's like used within the government, that is in the CISA-KV catalog, and is you know, software, important, critical software. I will say... Go ahead. No, it's all you. Oh, I was going to say, I mean, according to this article, they're saying that the CVE submissions increased by 263% between 2020 and 2025. That's got to be directly related to AI implementation. Oh, yeah. Definitely. Yeah. And, you know, that's, even before AI, the CVE system was struggling because we don't really have the kind of support for analyzing and patching problems. And we mentioned last week about how, you know, HackerOne had the bug bounty program, but do we have a remediation bounty program? and we don't. So, but the combination of this, yeah, this, sorry, this sucks. I don't have a positive spin on this. It's kind of a bummer of a week. The remediation bounty is you have a job and you don't get... The bounty, honestly though, I feel like cybersecurity was like such a wave to be riding for the last like 10 years. And then I feel like in the last couple of years, it kind of slowed down. But we were like, nah, AI is going to replace everyone. And I feel like my hope is that this year that really swings back in the other direction and everyone's like, never mind, AI is just creating problems and we need to find people to solve those problems like now or actually more like yesterday. Yeah, it's like, OK, great. It's a nice idea that all of these AIs can can possibly replace cybersecurity experts. But the reality is that the increased influx of exploits and and the increased accessibility of being able to attack systems has wiped out any net gain that would have been received. Patterson, you can speak to this better than I can because you're seeing how it's hitting our SOC services already. Whatever it is that these companies think that they're going to save by firing all of their cybersecurity people, I'm just going to say it out loud. I think they're idiots because there's no way possible that AI as it exists today can ever address all of the things that face any organization that has a profile that could possibly be attacked by malicious actors. And if you're cutting your people and you're thinking that an AI can do it, well, AIs are great at tasks, but you need people, human butts in seats, who are doing jobs to organize and coordinate those tasks because there's too much. I don't know, Bronwyn. We're developing tomorrow. I think you're way off, Bronwyn. I have an AI that'll solve all the problems by just deleting the whole company. It's easy. You could solve all cybersecurity problems. That is one solution. You know, unplugging and living under a rock is another solution. I mean, I totally agree with you. I think the key thing that's still, at least as of today, is still true, is that AI is going to do something. Some things are going to be smart, and some things are going to be incredibly dumb. And you need someone skilled to make the decision about which is which. They're like drunk interns. They have really good hits and really bad misses, but you've got to supervise them. And that's what you need the humans for. I also think, and I was thinking about this because I wound up talking to a lot of friends over the weekend about AI and prompt engineering and where things are going. And I think that in the long run, we're going to be seeing the ability to work with AI, prompt engineering, machine learning, data science, all of those things. These are going to be not just nice to have skills. They're going to be required skills. Yeah, it's the same thing as putting Microsoft Office on your resume. It's like, it's not really getting you anywhere, but like you do need to know it. It's table stakes. It's table stakes, 100%. That's a good point. All right, so let's do our plugs real quick before we close. Patterson has an upcoming, wait, what do you got to plug? It's at the bottom. If you scroll to the bottom of the news, there are all the plugs there. I can't read. All right, so here's the plugs. That's not the kind of thing you want to admit in public, Corey. Come on. Patterson is teaching a pay what you can workshop next week, rapid endpoint investigations for Linux and Mac. Important in the world of supply chains and developers and all these people getting compromised using AI tools they weren't supposed to be using. Patterson, do you have any other things you want to plug about it? That's pretty exciting. That was an excellent summary. Yeah, super excited about it. Webcast this week on the subject for our Pay What You Can workshop next week. Just practical, practical, tactical skills for Linux and Mac investigations. So love to see you there. Nice. That's exciting. Yeah. I mean, we've increasingly seen more and more clients asking us to do red teams on Mac and not so much on Linux. I'm assuming Linux is more like server based stuff, not endpoints. But I guess it does say Nix endpoints. So for those Linux people out there, you can really probably harden your system a lot by following them. Pick up some French. You'll be doing some clients on Linux too real soon. Oh, good point. if you're doing government work in Europe you're going to need no Linux endpoints in the next like very shortly oh yeah and then Wade you also have a workshop coming up not until May but you're profiling Know Your Enemy what are you talking about I have a talk and a workshop I don't remember when the talk was it's on the calendar but the talk is like how to read the news which I find I definitely should go to that You should, well, if you want to guest star in it, because I know you can secretly come in. I can't really get out of reading. We can just argue and yell at things. Then, yeah, I have a 25. No, that's for Ralph and I. I do have the $25 workshop on threat actor profiling. That is a full four hours, which will be super fun. And then I am teaching at the Threat Hunting Summit. My CTI 101 class, but now it's two days instead of one day. Yes. so twice the value twice twice the fun twice the value i'm sure it'll be cool awesome yeah it is crazy you can get some of this stuff for 25 or like you know even cheaper that's insane that's such a good deal i'm also doing a webcast i think it's next week next wednesday maybe i'm not sure when it is but i'm going on as a guest to natalia's webcast and we're going to be talking about some burnout stuff i did a burnout webcast when i first started at black hills back in 2021 if you go back and look at it i didn't have a beard i had short hair it's kind of terrible so obviously have to kind of re-up the ante and get back in the modern world of burnout and there's a ctf where you have to find cory's face in that photo am i actually in there no i'm not in there am i maybe i am i That's the CTF, man. That's the CTF. I'm the robot. Oh, no. Yeah. So see you all next Wednesday. As long as you're not the walrus. Hopefully not. Although you never know. I'm just hoping it's not just like some kind of weird therapy thing where then I'm just like crying at the end of it. I'm like, I'm so burned out. This is terrible. We'll see. I might have to role play someone else. I'll role play Wade. I'll be like, I'm a new dad. I got terabytes of logs coming in. I can't wade through them all. Dude, that's me to a T. That's it. That's all you need to know. I can't wade through them. All right. I told you, you're not going to sleep for the first two years. Oh, no, I'm already sleeping. I'm fine. Baby's already sleeping like six hour shifts. It's pretty nice. I'll use that in my webcast. I'll be like, nah, sleep. Honestly, sleep is very important. I upgraded as a dad and got a garage fridge recently, and it's full of Red Bulls. So I'm good to go. You don't need that sleep. That's so much sugar. I just honestly, I got that. I have Celsius too. The Celsius just make me feel weird. I don't know. Yeah, it's too much. I think Celsius is too much. That's for a person like, I don't know. That's the thousand milligram edible of energy drinks. I can agree. All right. So I think that's all we got. Thanks all for coming. we'll see you next week have a good week later guys bye bye bye bye