Hacked - Breaking the Chain of Custody

Episode Date: March 16, 2026

We start this chatty chat looking at the legacy of EternalBlue, an NSA-developed cyberweapon that leaked in 2017 and powered global disasters like WannaCry, to explain a new mobile threat called "C...oruna." Just as EternalBlue likely escaped government chain of custody to become a tool for mass digital carnage, Coruna is a sophisticated iPhone exploit framework leveraging 23 vulnerabilities that has similarly migrated from elite surveillance into the hands of broader cybercriminal groups. This "EternalBlue moment" for mobile marks a shift where nation-state-grade tools, capable of silently hijacking devices via compromised websites, are now circulating freely in the wild. Also, cute little Macbooks!

Transcript
Starting point is 00:00:00 I want to talk about something called EternalBlue. It's not my favorite color, but... Back in 2017, a mysterious hacking group calling themselves the Shadow Brokers released a big archive of offensive cyber tools onto the internet. We've talked about them before. At the time, no one knew where these tools came from. What researchers did know pretty much immediately was that the archive contained a number of very advanced exploits, capabilities normally only seen at like nation-state level operations.
Starting point is 00:00:33 The good stuff. We call that the good stuff. On that good stuff. And amongst the tools in the archive was an exploit called EternalBlue. Researchers figured out that EternalBlue targeted a very serious vulnerability inside of Windows. The exploit worked against Server Message Block protocols used by Windows machines for file and printer sharing on local networks. And basically by sending a specially crafted packet to a vulnerable machine, an attacker could trigger remote code execution without any kind of authentication.
Starting point is 00:01:05 What that basically meant was like there was no phishing email in this hack. There was no malicious download, no having to make someone click something. Basically, EternalBlue let attackers remotely take over unpatched Windows systems just by reaching out to them over the internet or a local network. Right. I would call that a Hollywood hack. It's a Hollywood hack. You didn't have to go to the wrong site. Microsoft had already released a patch roughly a month before this leak, but millions of systems around the world hadn't installed it yet. And once that exploit became public, attackers moved fast. As you do when you have something that powerful?
Starting point is 00:01:40 When you got the heat, you got to move. A bunch of very famous hacks that relied on EternalBlue. May 2017, just weeks later, the ransomware known as, you might have heard of it, WannaCry, began spreading around the globe using EternalBlue as its entry point. If you're unfamiliar, that malware spread automatically from machine to machine. Within hours, the worm had reached more than 150 countries. It had disrupted hospitals and telecom providers and transportation systems and government agencies.
Starting point is 00:02:09 Pretty bad. And then a month later, another, NotPetya. For new listeners, these are two extremely famous incidents. Again, using the same exploit to propagate across corporate networks. It looked like ransomware at first, but researchers later figured out that the attack was designed to destroy data. Big multinational companies, huge portions of their global IT infrastructure wiped out. Just those two, billions of dollars in economic damage.
Starting point is 00:02:40 As security researchers continued to analyze the exploit behind both of these attacks, EternalBlue, they started to figure out where it came from. The code contained, like, distinctive characteristics that matched tools previously associated with a highly advanced hacking group known as the Equation Group. Over time, researchers and intelligence analysts came to a consensus that EternalBlue wasn't originally a criminal tool at all. It was likely a government cyber weapon that had leaked. The exploit had reportedly been developed by the U.S. National Security Agency as part
Starting point is 00:03:15 of offensive cyber operations, and for years it had been used in intelligence activities. But once that Shadow Brokers archive appeared online, the exploit escaped its original chain of custody. This very sophisticated exploit developed for intelligence leaked and within weeks it's being used to power global cyber attacks. Which is why today, when security researchers warned that a new exploit toolkit, this time targeting mobile, could represent another EternalBlue moment, they're invoking this very specific story that we've started with. A powerful exploit, probably built for government use that has somehow escaped its intended operators and is now circulating way beyond
Starting point is 00:04:00 the intelligence community, bringing us to now. According to a report released Tuesday, security researchers at Google say they've identified a sophisticated iPhone exploitation framework floating around in the world, an exploit that they're calling Coruna. The toolkit contains five separate chains capable of bypassing iPhone security protection and silently installing malware when a target visits a compromised website. And while Google's report refrains from speculating as to where this extremely complex exploit came from, a second research report suggests that this is probably an EternalBlue moment where a powerful new compromise floating around in the world might have its roots
Starting point is 00:04:42 in a leak from a government program. So we're going to start this chatty chat here with the story of Coruna here on Hacked. From Solo. Coruna. How are you doing, Scott? I'm good, Jordan. How are you? Good.
Starting point is 00:05:14 I just love the thought. This isn't what happened, but, you know, somebody just accidentally making their GitHub repo public. Sure. It's like someone at the NSA, accidentally making their GitHub repo public. Yeah, yeah, yeah. Just like, oh, my God, I just leaked, you know,
Starting point is 00:05:31 all of this crazy stuff. Didn't even realize it. Yeah, you know, that bespoke piece of malware we paid like a half a billion dollars to. It's open source now. We want to keep incredibly secret for the moment that we actually need to use it. Instead of just handing it out freebies on the dark web to be used and destructive data destruction worm malware. That can be like geotargeted to a specific region.
Starting point is 00:05:59 Sure. We don't like this country. Go. Pretty much. We're going to get into that here of like. It's really fascinating where these geo-targets were. Yeah. You got it. Well, I'm intrigued to see, you know, just to tap back to the last episode talking about how, you know, the Mexican government's being compromised by Anthropic Claude.
Starting point is 00:06:21 It's going to be interesting to see how much reverse engineering and how good these models get at reverse engineering to the point that those new bespoke complex malware can be developed at a much more expedient pace. Yeah, there's a lot of really interesting timeline stuff here of when exactly was this developed over the last, call it four years. And the exact point where we go, that was probably human authored and the language of the code is relevant versus that was likely not human authored and the language of the code isn't relevant. There's a lot of like sleuthing to be done in this code and the language that it was written
Starting point is 00:07:01 in. The bit instances of natural language and the language that those are in is very relevant to the story. Well, please, you're teasing us all. Please tell us. What was it written in? There's a lot of English. I'm going to say, I'm going to say Cyrillic, no.
Starting point is 00:07:15 No, no, no. Though relevant based on where it was found used. So we're talking about an iPhone compromise. There's no message, no click. In the versions that researchers were analyzing, a vulnerable iPhone can be hijacked by just going to a booby-trapped website. You don't have to do anything once you go there. Just go, and you're done's up.
Starting point is 00:07:35 Payload's delivered. Payload's delivered. Google's threat intelligence group describes Coruna as, it's like a full exploit kit. There's five complete iOS exploit chains that all kind of work together, 23 total exploits. It's complicated. And it targets iOS 13 through like 17.2.1.
Starting point is 00:07:53 So quite recent. There's another research firm embroiled in all this, and they're important to understand is the two characters. There's Google, and then there's iVerify. iVerify's entry point into this was criminal infrastructure. Weeks before all of this popped off in March 3rd, iVerify had spotted like a set of suspicious domains. I have them listed here. I won't say them on air. You can find it. They seem to be like kind of patched and cordoned off at time of recording, but who knows
Starting point is 00:08:22 what happens. So I'm not going to air them. The Equation Group that you mentioned in regards to the first malware that you mentioned, EternalBlue, they're not relevant in the Coruna landscape. Not to my knowledge. Okay, because Equation Group's actually pretty interesting. Most people think that they're actually the Tailored Access Operations unit of the actual official NSA. They're like, I don't know if they're a sub or like a subcontractor or what, but. Yeah, you see the external group that everyone knows about those. It's probably just like an elbow of insert government body.
Starting point is 00:09:00 Yeah. Totally. I want to talk about some of the places that they found Coruna. There are a lot of Ukrainian websites with geo-targeting locked on them. Alternatively, there's a lot of like Chinese crypto sites. So this has truly gone wide and is being used in some very targeted, interesting ways. iVerify managed to extract this like one-click chain that combined like a vulnerability in Safari with local privilege, like escalation, all stewing together to allow full device control. They nicknamed it Crypto Waters because they first found it being used
Starting point is 00:09:35 on these like cryptocurrency wallet scams. And then the deployment looked like a watering hole, like infecting visitors that come to a site. It got renamed later, but it's a pretty good name for it. And they note again that like this doesn't use a one-time link. This isn't like tightly targeted in some way. They could reinfect a device over and over and over again if they reset it. Like it just keep, it kind of works. And it's very consistent with like criminal scale operations rather than anything like boutique or targeted.
Starting point is 00:10:05 So you were saying there was a number of pathways in it and a number of exploits in the framework or in the kit. So essentially, if you ran into a website that had this injection on it, it would essentially run a host of exploits at you and the ones that worked, worked, and the ones that didn't didn't. Is that kind of the vibe? That's my non-deep-in-the-wall security researcher understanding of this is that it's multiple paths to the same conclusion. Right. So instead of it being one exploit, one vulnerability, they've got a package and a kit of them, like a root kit of exploits. And they're going to just going to throw them all at you and see which ones work. It's like, I don't know, but to me it tells a story of a big operation that's been banking these things.
Starting point is 00:10:49 Sure. And saying, like, we just sort of keep this up to date with all of the best ways to muck up an iPhone. And then using it all to steal your crypto. Bingo, bingo. Let's tango. It's got a $5 wrench. It's not a $5. It's an insane package of 0-days.
Starting point is 00:11:07 It's a $200 million bundle of 0-days. Google's threat intelligence group published its findings on the same thing. They named it Coruna. That name comes from allegedly its developers. That name was found inside of it. We'll talk about that in a little bit. That could be indicative of something. Yeah, that's a really interesting name.
Starting point is 00:11:27 Google's Big Medan narrative here isn't like, this is very advanced, which it, of course, is. The thing you get from reading that report is like, oh, this is proliferated. This compromise is very, very widespread by the time we're recording this. They figured out kind of its prior life up to this point. I'll skim through it. In February of last year, Google says it captured parts of this just like a little bit of this iOS exploit chain embedded in like a freshly discovered then JavaScript framework. They attributed to quote in the report of like, It seems to have connections to a customer of a surveillance company.
Starting point is 00:12:06 They don't name the surveillance company or the customer. That summer, they reported that the framework appeared embedded in hidden iframes on a laundry list of compromised Ukrainian websites, specifically activated when the visitor was coming from the Ukraine. It was geotargeted. Okay. Pretty interesting. In this phase, Google says delivery was like, it was selective at this point.
Starting point is 00:12:29 they attribute it to UNC6353, a suspected Russian espionage group. But again, that is the user, not the developer. Right. By late 2025, it goes really, really wide. They say they identified Coruna's framework now hiding somewhere else on this vast set of, like, fake cryptocurrency websites coming out of China. A lot of finance-related stuff. This is no longer restricted by geolocation. It's financially motivated.
Starting point is 00:13:00 It's going wide. It's scam sites. And in this wave of scam sites, Google says the actor deployed a debug build which exposed the internal name, Coruna. That's where it came from. So what I'm hearing and what I will fabricate. Speculate wildly. Wildly. Somebody built it.
Starting point is 00:13:25 Russia probably deployed it against the Ukraine. Yeah, yeah. And then once it became less relevant and less exciting, they gave it to their friends in North Korea to steal cryptocurrency. Oh, fast. That's an interesting read. I hadn't actually gotten there. Yeah, like, because North Korea loves to steal crypto. Like, they have an entire department based on it. Yeah, they will do your IT work and they will steal your crypto. Yeah, definitely.
Starting point is 00:13:50 And they will do a pretty good job at both. Is the weird thing? It's good fun. Yeah. I have a government revenue line item for stolen cryptocurrency. crypto. And fake IT work. I love that parallel of like, do you need help with sysadmin stuff? If we find your crypto while we're doing it, we will take it. But otherwise, we'll do it. Give us five stars. Tip your driver. Like it says a little bit of that. Put this laptop in your house and we'll give you $500 a month. That was a wild one. So like what is it being used for once
Starting point is 00:14:22 it's on people's system? And it's like obviously crypto wallet extraction. There's like little modules inside of it, they're very seemingly targeted towards it. But it's like, can we get access to your photos? It's good at that. Can we get access to your WhatsApp? It's great at that. Can we get access to your notes, emails? Like it's a full system compromise. I want to dig into the clue that changed how researchers understood what this was. As they're digging into the like the code behind Coruna, a clue stood out almost immediately, which was overlap with the previous iPhone exploitation campaign known as Operation Triangulation. Triangulation was a highly sophisticated iPhone hacking campaign
Starting point is 00:15:02 uncovered back in 2023 that targeted Kaspersky employees. This all gets who said what, but Russian authorities publicly accused the NSA of running that operation and the U.S. government never responded to that claim. Targeting Kaspersky employees. Telling silence, maybe. Telling silence. Sorry, I'm in that mood today.
Starting point is 00:15:22 No, no, it's good. It's all very conspiratorial. It's good. It's good fun. I hope you're enjoying some conspiracy vibes while you do your dishes or whatever you're doing while you listen to this. According to some reporting on Wired, which is very, very good. And everyone should check out. Both Google and iVerify say that Coruna appears to contain components that were previously used in that triangulation tool chain. You see where this is going.
Starting point is 00:15:47 That overlap is a very strong clue as to what's going on here. There are other breadcrumbs pointing in the same direction. Google's report notes that parts of the exploit framework contain documentation and code comments written in like, well, that's pretty clearly native level English. Docstrings typical of a very professional corporatized development environments. The timeline of this putting it as kind of like in a blurry in between of AI development suggests it's human authored and that can still be used as a signal. Give it two years. That won't be a useful signal at all. Give it two months, Jordan.
Starting point is 00:16:27 Code comments is interesting, because is that the system writing those? If it was AI generated, would that be the system? Would that be a human author going in? Like, it all gets really muddy. But it looks like a couple years ago is probably a real human involved in this. And especially given that it's built on a stack that went by years, went back years prior to that. The quality of agentic engineering, a fancy way to say, vibe coding has gone up greatly in the last, you know, four to six months.
Starting point is 00:16:58 There you go. Two years ago, it would have been a liability in something this sophisticated and elegant. Which is where iVerify's Rocky Cole, I believe CEO there described it as a quote, EternalBlue moment for mobile malware. Cole's kind of argument is that Coruna probably represents that same dynamics starting to play out in smartphones. You got like super high level top tier exploitation capability that starts in espionage and then gradually just like kind of bleaches its way outward first probably to other state level
Starting point is 00:17:30 actors and eventually just down to like the open internet and criminal campaigns. Yeah, crypto theft. Crypto theft. Google's threat intelligence group is like a little kind of cautious about making that connection. Um, I like just how swinging for and iVerify is. They're like, it's the government, and they've got like the cork board and the yarn, the yarn strings. I feel it. Um, I need one of those from my background in my webcam. Totally. But they do acknowledge in their report that they're like, this all suggests an active market for secondhand zero-day exploits.
Starting point is 00:18:03 And you can kind of surmise where those would come from naturally. There's one other detail that caught researchers' attention that I think is interesting here. Cole says that Coruna didn't look like a toolkit assembled from like stolen fragments by different groups. It reads like a coherent system. The phrase that jumped out from his report was a single author. This is not stitched together. Someone, a group sat down and tried to make this. Suggests where this escaped from and how it got into circulation.
Starting point is 00:18:36 Something that sophisticated that many years ago. An elegant software engineering project for a bunch of brilliant minds looking to explain things. Any indication of it made it into the malvertising? You're mentioning, like, compromised websites. That's an interesting application for it. I didn't read about it. I only saw malware and destructive applications of, like, we're going to delete your stuff. You don't pay us money.
Starting point is 00:19:01 And if you pay us money, we might still delete your stuff. Also, we're going to steal your crypto. Like, that was sort of the thrust of the examples I saw. But you can imagine how it would have applications in malvertising. Yeah, it depends on how complicated it is to deploy. But if it's something as simple as like a JavaScript, often you can deploy those through malvertising and there you go. Well, you know where to find it.
Starting point is 00:19:25 Something to do this weekend. Something to do this weekend. It was all the comments in the last episode asking if we had referral codes for wrenches. And I was like, we're not telling you how to do this stuff. Also, shop. That's where you buy the wrenches. Maybe we should make a wrench, a little merch wrench.
Starting point is 00:19:44 That could be fun. A merch ring. I suggested that to one of the, commenters. $5 wrench. $5 wrench. We'd have to give XKCD is his cut, though.
Starting point is 00:19:54 This is true. This is very, very true. The point of the Google Doc, when you get to the end of it, it's not Google Doc, the Google Research Report is they really linger
Starting point is 00:20:08 on the idea of, like, we cannot confirm where this came from, but what we do really are reminded of here is that there is a thriving market of brokers buying and reselling these kinds of extremely high level, like state level zero days.
Starting point is 00:20:23 And important to know is there probably isn't clean exclusivity by the time we're all hearing about it. Like they'll sell it to a bunch of different people. We can look at the sentencing of a U.S. contractor, like executive, a guy named Peter Williams of Trenchant for selling hacking tools to Russian brokers and the thing called Operation Zero. Like there's a, there are concrete examples of these things getting bought and sold. And one group thinks it's exclusive, but they're actually selling it to multiple people. There is a big thriving market of this stuff,
Starting point is 00:20:52 and it operates very, very sketchily. And it goes without saying, Coruna is no longer effective on iOS, on the latest version of it. The big takeaway is like, hey, update your phone. And if you can't update your phone, Lockdown Mode. Because otherwise, you can totally just go to a website where this can happen to you.
Starting point is 00:21:11 You mentioned U.S. contract. Which brings into my head a story that I saw. Seeing as this is a chatty chat. It's a chatty chat. I read a story the other day about a U.S. contractor's son and how he had managed to steal $46 million in cryptocurrency from seized wallets by the U.S. Marshals Service. Oh, okay.
Starting point is 00:21:35 Wait, wait, wait. How did the contractor have access to the U.S. Marshals Service's seized crypto wallets? I'm assuming the contractor worked in and around that stuff. Maybe they were a tech cybersecurity consultant, whatever. Anyway, the John Dagheita. I don't know how to pronounce his name. I keep laughing.
Starting point is 00:22:03 If you're a long time listener of the show, you will know that this is something that I do. My trick is that I just confidently, I storm into the name and then keep going. So I'm not pronouncing them righter than you. just pronouncing them faster than you. Okay. I'm going to try this. Okay. John Dehita, known online as Lick.
Starting point is 00:22:22 It works. He was caught after bragging about it in a Telegram chat about how much money he had in crypto. This is the kid? The kid, yeah. Oh, what a dip shit. He's 25 years old. He's not a total kid.
Starting point is 00:22:35 But yes, language. What a dip shit. Oh, no. Okay. So daddy has a contracting company. Daddy has a contracting company. Our daddy contracts to the U.S. Marshals Service by the sounds of it.
Starting point is 00:22:52 Okay. And the kid knew how to get access to these wallets and stole the money. Wow. So they had a federal investigation that ended up with, you know, them realizing who the theft, the thief was. Yeah, sure. Arresting this kid. Yeah, I think he was in like the Bahamas or,
Starting point is 00:23:13 St. Martin. That's where it was. So, you know, living it up, penthouse life, all this free money. Yeah, right. Do they have extradition? Did he go to a sunny place with extradition guy? He was arrested by the FBI, so I'm assuming yes. Sure. It was an international collaboration with the French. Fuck.
Starting point is 00:23:37 The French intelligence thing that we all know the name of. Gendarmerie. The French Gendarmerie in St. Martin partnered with them. Okay. So yeah. So anyway.
Starting point is 00:23:52 They, I just remember reading the story. And when you mentioned U.S. contractors, this one just jumped into my head. Sure. Like, you know, just a classic play there of, you know,
Starting point is 00:24:02 it's the, um, daddy's access. I know what to do with it. Give me the money. It also, it also evokes the trope of the like police station evidence room
Starting point is 00:24:12 full of like another word for evidence is extremely valuable stuff. And the idea of the person just going into the evidence room and taking stuff out. But the evidence room is your father's security contracting company's giant pile of seized cryptocurrency assets. Yes. It's perfect. A lot of the research here was done by ZachXBT. He's like a Twitter user and kind of crypto. You know, yeah, you should know who he is.
Starting point is 00:24:46 Pretty popular guy. Read his stuff all the time. Cool stuff. And, yeah, Daquita didn't, like, was mocking him on Telegram. Mocking XBT. Yeah, because he was the one researching it and posting all this information and kind of led to the, like, unearthing of it. And, like, this person, like, went to war with them online. And now is in jail.
Starting point is 00:25:11 So. So. So, it turns. It turns out it doesn't matter if you're on the Dutch side or the French side of St. Martin. I just learned there's two. They both have extradition treaties with the United States. Yeah. If you got $46 million in crypto that you stole from government evidence lockers,
Starting point is 00:25:30 maybe you should have went somewhere a little bit less friendly to the U.S. Yeah. And there's like a list of them too. Yeah, just just. Like, I feel like you could be living very well in Hong Kong right now. Like, you'd be fine. You'd be great. Again, not evidence.
Starting point is 00:25:45 You can't buy tickets to Hong Kong in the merch store. Not instruction, I mean. Wow. That's rookie moves, man. Rookie moves. Friday, we're recording this a little early because I'm out of here next week. But the, yeah, it kind of ended with the Daggeta started sending small amounts of the stolen money to ZachXBT's public crypto address.
Starting point is 00:26:13 So he was like dusting his wallet with like transactions with the stolen money is like part of the gag. Like this is just somebody that grew up on like troll culture. Yeah. Internet troll culture and and is now going to be in jail for a considerable amount of time. It could have just ghosted. They could have just kept their head down, hid the money, went to a non-extradition country. You had tens of millions of dollars in non-traceable currency.
Starting point is 00:26:39 It was like, you're done. loosely non-traceable, but still, even then, even if they can't trace it. Hard to get back. Yeah, exactly. Yeah. Traceable. Yeah, no, they can watch as you spend it. This is true. Yeah, they can totally, it's like a big, thick six inches of plexiglass between you and
Starting point is 00:26:56 them just being like, oh, he's buying a boat this time. It's like, yeah, it's fine. When one of the best things is when he was arrested in like a real 90s like gangster pick scene, he had a solid metal briefcase entirely packed full of hard cash in like bands. Like he had $10,000 bricks just filling a briefcase walking around with it. That's what they arrested him. And he had in his possession.
Starting point is 00:27:20 Yeah. Yeah. Would I do different? Like every decision up to that point, the answer is definitively, yes, I would do different. I wouldn't do any of the things that led him into this situation. But by the time you find yourself living on an island, sort of just waiting for the international police to come get you because you didn't go
Starting point is 00:27:44 Totally. Would I have a metal briefcase full of cash? Yeah. Probably. Yeah. Yeah. Handcuffed to my wrist. Yeah.
Starting point is 00:27:53 Bodyguards. Yeah. Exactly. Crazy. Yeah, but apparently they link the fight and blow up on Telegram as like hard evidence to why they knew it was him. Don't feed the trolls. Yeah.
Starting point is 00:28:09 Just the ego. pockets full of stolen crypto. Like, it's, come on. There you go. Rookie move. Rookie move. Rookie move. Yeah.
Starting point is 00:28:17 When you steal $50 million, just quietly disappear. Just vanish. You're so close already. Yeah. We really have a nice spread in the first chunk of this episode of like about as high level an operation as you can get and just some clown car noise. Like, it's like a good, good spread. Should we break for? I think we should break.
Starting point is 00:28:38 and then when we come back, I want to, we don't talk about consumer electronics very often. I want to talk about the educational consumer electronics market stat. Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late, an alert buried, a signal missed, an SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations
Starting point is 00:31:22 Welcome back. Welcome back. So last episode, you had brought up a supply chain attack about Cline. I did.
Starting point is 00:31:50 And I was so keen to talk about other things that we cruised right by it. And I just glanced off it. It's like another instance of like what can happen when anyone can vibe code some crazy crap. But I feel like there's a lot more depth there that I didn't get to. Yes. So I have since read up on it. And I think it's a cool thing to talk about because it's very, I don't want to say it's complicated, but it's a very
Starting point is 00:32:16 interesting route. Okay, so provide a primer for the people that maybe missed last episode, because it was a small detail in that. Sure. So the Clinejection was discovered by a security researcher, Adnan Khan, and I've read his blog post on this, and it kind of shows some of the risks of AI prompt injection, and it shows those risks through executing a supply chain attack that poisons GitHub Actions caches, which changes npm library requirements, which then means that anybody that installs this open source package
Starting point is 00:32:54 gets a little Easter egg in the form of, and in this form of it was OpenClaw, but we'll get to that. Okay. So somebody posted an issue title in GitHub, there's the ability to post like problems. Like, hey, here's an issue with your repo. If I'm in this situation, like you can, you know, whatever. Just imagine you download some open source software.
Starting point is 00:33:19 It doesn't work as it should. You can post an issue with the description and then the developer sees it has the ability to act on it. Somebody figured out that they were using AI to parse their issues and kind of prioritize them and bucket them and stuff like this. So somebody put a prompt injection into the title of an issue. That prompt injection led to the triage bot leveraging tool access to the shell or bash. It flooded its cache, evicted its legitimate build dependencies,
Starting point is 00:33:53 and inserted new poisoned versions of the dependencies. Does that make sense? I believe so. Okay. So Cline's GitHub, somebody posts an issue with a prompt injection in the issue title. Then the AI agent that they have that organizes their issues reads that issue title, the prompt injection runs on it. What it does is it uses that issue at LLM's bash access to overwrite the dependencies for the project,
Starting point is 00:34:30 inserting poisoned versions of certain things that have bugs and malware and Easter eggs inside of them, Trojan horses inside of them. So then later, in the CI/CD integration and deployment process, something that like is packaging up this popular piece of software for delivery runs, it puts in these new poison dependencies into it. Does that make sense? Yeah, I'm realizing now the high level thing here is on Git, there's like there's an issues system that allows people to give feedback of like there's something wrong here. Yes, exactly. And that they had like basically an AI-powered issue manager.
Starting point is 00:35:13 Resolving triage, exactly. Yeah, yeah. That is responding to these things. And inside of that issue, there was a command, a prompt injection, like a natural language. Like, I'm just going to tell you what to do triage bot. And that was the toehold that they used for this compromise. Correct. And the triage bot used its shell access to look in the build cache and replace valid
Starting point is 00:35:37 packages with poisoned versions of those valid packages that were then bundled up and packaged into the deliverable of the actual piece of software. And really, what they were delivering was OpenClaw. So why would you want to have open, I have a sense of why you would, but for the sake of discussion, why would you want to get OpenClaw installed on someone's system without them knowing about it? Well, it is a remotely controllable AI agent that has full shell access to the computer. It's about as ground level control as you can possibly get.
Starting point is 00:36:18 Yes, it's like the ultimate. Which is fine if you want it to be there because you're giving this system that you're controlling ground access of your own system. The "your" is very, very important. Yes. Yes. Yes. So it was only live for about eight hours before they caught it, which is actually pretty impressive that they caught it that fast, given that it was just baked into the build caches.
Starting point is 00:36:39 They must have had some other systems going through and probing it, but they assumed that it was on thousands of computers. Crazy. Anyway, I just thought it was something that we glanced past last week or last episode that I then read up on after the fact and was like, oh, shit, we really should have talked about that because it is pretty cool. It's nice to get to dig into it a little bit deeper because I sort of just drove by it during that discussion. The idea of prompt injections in issues on Git is really, really fascinating because I feel like more people are wiring stuff up to just sort of, I feel like more people are wiring AI up to auto resolve issues like this, because why would you need someone to do that?
Starting point is 00:37:23 And it's like, well, you're kind of leaving it alone in a dark room with the open internet. And they might come up with some bad ideas for it. Well, yeah, and the researcher here, Khan, states that, like, one of the things you should never do, which is one of the founding principles of lots of the new agentic systems, is give Bash access to an agent. Sure. Yeah. But, like, OpenClaw's entirely based on that, you know, even Claude Code, but they run it inside of a Docker, like they put them inside of tiny little isolation chambers. the but yeah
Starting point is 00:38:01 anyway it's just a really interesting process as now that yeah as you were saying agents are people are using
Starting point is 00:38:09 AI to try and automate facilitate so many processes a lot of the big agentic are like a lot of the big
Starting point is 00:38:17 LLM companies are spending a lot of time on figuring out how to fight prompt injection but there's a really good chance
Starting point is 00:38:24 that something like a small triage agent was using like a small cheaper model and maybe it doesn't have as comprehensive anti-injection
Starting point is 00:38:35 programming and identification. But even then, those systems will, as we know in our dealings with LLMs, even if you tell them don't do something, sometimes they'll just do it. Sometimes they'll just do it. Sometimes they'll just do it.
Starting point is 00:38:50 So, yeah, prompt injections is going to be a fascinating twist. Can you do it on a MacBook Neo? I don't know what you can do on a MacBook Neo. No, it does. No, it does. This is such a hard pivot.
Starting point is 00:39:10 Have you ever used a Chromebook? I have. My wife has one. Does she really? She doesn't know that. She's a bit of a Luddite. Does she like it? She hates computers in general.
Starting point is 00:39:22 Sure. I got sick of her asking to use mine when she needed a computer. So on Black Friday one year, I just bought her a $200 Chromebook and was like, if you ever need a computer, use this one. It will be collecting dust in your closet, get it when you need it. Sure. I'm surprised you, well, I am and I'm not. I was going to say, I'm surprised you didn't go with an iPad, but I think the existence of this product speaks to the use case of why an iPad, of when an iPad doesn't work.
Starting point is 00:39:48 Exactly. Exactly. The world has shifted to just being Chrome web apps. We're talking in one presently. We certainly are, yeah. Yeah. And so the whole world is just running Chrome web apps. And for a long time, it's like those run for context horribly on iPads.
Starting point is 00:40:07 And so for a long time, it felt like Apple was trying to sell this vision of the iPad is the cheap computer. If you need a cheap computer, if you're a kid, if you're a student, if you just do a little web rest and just get an iPad. But that doesn't make a lot of space for running good Chrome web apps, which, the whole world runs on. And as such, a weird niche product category that is Chromebooks was able to sort of proliferate, specifically in the educational market, which Apple used to, like, dominate. It used to be an iMac and iMacs in every school. Like it was just a huge part of their market.
Starting point is 00:40:44 Anyway, I think we're talking about this because they've just announced a thing called the MacBook Neo, which if you're into consumer electronics, is really fascinating for not chapter locators and, you know, skip ahead. Skippy skip. Skipy skip. And then Jordan and I like to take a diversion into consumer electronics. And Apple just released a bunch of stuff. So buckle up. Yeah.
Starting point is 00:41:06 So they're dropping a new entry-level laptop, brings that Mac OS ecosystem to a super low price point. It's $599 MSRP. The only reason, USD, the only reason I even want to talk about this isn't that price point. Probably wouldn't we talk about this normally. It's $499 educational pricing. So Apple, and by extension, MacOS, now has a sub-500 USD for schools solution available, like an aluminum MacBook. Unibody chassis. Unibody chassis.
Starting point is 00:41:37 Unibody chassis. Exactly. Unibody chassis. Exactly. Here, so, like, I'm just going to, let's get chatty chatting about this. Let's get chatty chat. When I saw this, I was like, how is my phone so much more expensive than this thing? like this has a 13-inch liquid retina display.
Starting point is 00:41:58 My phone has a 4.6-inch liquid retina display. You know, like I get that there's cheaper pieces and they have a lot more space and it's not as dense a battery and blah, blah, blah. I get it. I get why small things cost more money, but it has so much in it for $499 USD for educational pricing. Unreal.
Starting point is 00:42:20 Like, it's just a very, very good value. And it's interesting because it speaks to a world where like there's going to be a lot of kids coming up now with these as opposed to Chromebooks. And it's going to really like there's going to the wall that already exists around computing where it's like I have an iPhone already. I would just like the computer that works with it. It's like that wall I think just got a lot taller because now you're going to have kids coming up on MacBooks. They're going to be as familiar with macOS as they are with iOS by a certain age. You know, maybe they didn't get it quite as early in life, but they're going to get into that ecosystem way, way or really. weird. Yeah, I've always joked that
Starting point is 00:42:55 the, like, MacBook Airs were just iPad Pros with a keyboard. Yeah. But running macOS instead of iOS or OS, whatever, they drop the "i" on it. My apologies. Mac family. But the MacBook Neo runs the A18
Starting point is 00:43:11 Pro chip, and there's apparently a bunch of nerfing to this thing. Apparently it has USB port speed things. Like there's a bunch of, like, they've degraded the qualities that we've come to just expect from an Apple device. They've lowered those to make essentially a cheap consumer product,
Starting point is 00:43:28 which is probably phenomenal for shareholder value, because I do agree. Like if I had a child, this is what I would buy them. They come in pretty colors. They're very much intended for a specific audience. And they're probably just good enough, especially given the fact that most Gen Zs and Gen A's don't even know what a file system is.
Starting point is 00:43:47 The chips have been getting so powerful for the last few years that to put an A18 Pro, which for context is the same chip in an iPhone 16 Pro, into a laptop is like it was better than the M1 chip from four or five years ago. Which is still a totally adequate chip. Like if you have an M1 laptop, it's great. Works great. So why wouldn't you?
Starting point is 00:44:07 And you've just driven the cost down because that's a cheaper chip for them to make. Because they're making it at the scale of an iPhone. And it's like, what other things can we find in this? And it becomes a really fascinating industrial design and manufacturing question. This is a physical track pad, like a non-haptic, like just a literal, big clicky button. It's like you, if you're a MacBook person, you haven't seen one of those in a half a decade. But the supply chain for manufacturing them was probably really bumping. And they could get them really, really cheap before they stopped using them.
Starting point is 00:44:35 It's like, okay, bring it back. What else are we really good at manufacturing at scale? Break it on out again. Because the people that are, it goes without saying almost no one listening to this will want to buy this. No one really interested in technology at all for themselves would want to buy this. Just buy a MacBook Air or MacBook Pro. But man, for that secondary device or that kid's device or that your wife's device just doesn't care and just wants it to work. Totally.
Starting point is 00:45:04 They're going to move units. Well, that's just it. To go back in time, like even though the Chromebook was like $250,000, if I was put in that situation again, I would probably just buy one of these because I know how to manage, like it's a Unix computer. Like this is a great little, I'm so familiar with it. Like I've been a Mac user since they went to the FreeBSD kernel base in OSX. And it's great.
Starting point is 00:45:34 I think for me, this is just like as a, to flip into the HAC's investment side of things. Sure. Given rampant inflation, given, you know, so many things going on in the world, the businesses that are succeeding in the in the markets or the one coming down to meet people where they are rather than trying to push the top end up. And I think you see this with Apple here. They're full McDonald's in it here. You know, let's make the happy meals cheaper. Let's do this. Let's add cheaper value add-on packages. Like there's a bunch of things that companies are doing now to adapt to the current market conditions. And I think this is Apple just saying, hey, if they probably
Starting point is 00:46:16 forecast it out if we make this thing, it'll add X billion dollars to our top line revenue and it's not going to touch their MacBook Pro lines, studio lines, Mac mini lines. This is just totally satisfying and servicing a niche that they're currently not talking to. It's also getting people, it's satisfying that niche. And then to our earlier point, it's also getting people into that ecosystem younger and preventing Android from getting that toehold. It's like Chromebook has been shifting. They've had this weird bifurcation where there's Chrome OS and then there's Android and then there was kind of a desktop version and like this is just
Starting point is 00:46:55 messy. They've been consolidating that. Yes, they have. Where Android is going to run on Chromebooks and on phones and what an amazing way to introduce people when they're young to this ecosystem. So even if mom and dad have an iPhone, they're very comfortable in Android and then maybe hardware or or pushes them into making that jump away from the iPhone. This is just a way of saying like you will you will maybe never use.
Starting point is 00:47:21 use a non-Apple computer. If you just get given a phone when you're a teenager and given a Chromebook or an Apple Neo, MacBook Neo, or a MacBook Neo when you're in school, it's like you just won't touch other types of computers, which is like it's tough. They make a great product. It is less like there's an anti-competitiony. There's something complicated about it to me where I'm like, it is nice when people know how different types of devices work.
Starting point is 00:47:49 I think it's preferable in a lot of ways. but just the sheer quality difference. It's like those Chromebooks are not respectfully good devices. They are what they are. They are what they're intended to be. And here's the thing is like in the Chromebook world, you know, you can buy a $150 Chromebook or you can buy a $1,500 Chromebook. A better way of putting is, Chromebooks have an issue.
Starting point is 00:48:15 Android laptops. Let's call them Android laptops. There you go. There's such a, and they'd, run Linux. Like, that's another thing. Like, I love having my wife's Chromebook because I have the whole Linux subsystem installed on it. I can go and do it and use it like a Linux laptop if I need to. I do agree with you that it is very much like a market play, market saturation play. It'd be really strange to give your kid like a year old iPhone. Maybe they get AirPods for Christmas
Starting point is 00:48:43 and then you're giving them an Android Chromebook or an Android laptop as their like primary work computer where in this case this is essentially servicing that market like I know in a lot of the early tech breakdowns they were saying essentially like if you actually want to buy one of these and you're not just buying it for your child who wants like a pretty purple computer yeah like just go find a MacBook Air with an M2 chip and it's a better computer and you'll get it for less money and that's what's going to be interesting about this is like right now everyone's saying do you get a MacBook Neo or do you get an Air and it's like if you're reading a tech blog that would write about that don't buy this computer is
Starting point is 00:49:16 is the real takeaway there. But it's like, well, what happens in five years when these are used? Because now there's a like $300 MacBook. Or it'd be like 200 probably. You know that you can like this kind of workable. And it's like it's metal. It's decent. It runs macOS.
Starting point is 00:49:34 It's like it kind of works. Like these chips seem to have like longevity. And they're the thing I'm really curious to see is like, so you took an iPhone chip and you put a laptop battery in it? Like is this thing just a beast on performance in that regard. Like obviously not in like video editing performance, but it's like, is the battery life just insane because of the chip efficiency or are these chips not that much more efficient than
Starting point is 00:49:57 the M line? Oh, they better be. I would think they would be. But I guess it also depends on how hard the laptop goes on them versus how hard a cell phone goes on them. This is true. Because a cell phone's kind of entirely designed. So I'm looking at the battery and power estimates and it's saying 16 hours of video
Starting point is 00:50:13 streaming, 11 hours of regular use, with a 36.5 watt hour lithium ion battery, which is a pretty tiny battery. It actually has a 20-watt USB-C power adapter, which is essentially a fast charger for your cell phone, versus, like, I think my MacBook Pro has 120 or 140 watt USB-C adapter. Actually, no, I have the new Mag. They went back to MagSafe, great decision by them.
Starting point is 00:50:40 But these are almost half the price of the base MacBook Air. So if you're standing in an Apple store and all you need is something to do online work, work inside of Chrome apps. And we've talked about this before on the show where everything is just an Electron app now. Electron being a framework to essentially embed Chromium
Starting point is 00:51:02 into native operating systems. So Slack is Electron. Notion is Electron. Tidal, Spotify I think is Electron. So Electron's just kind of everything now. And like there's no reason not to build a new application in Electron because it deploys instantly across multiple native computer systems because it's just essentially a website build. Crazy. It does raise. There's this weird thing of like does have, does having a really good
Starting point is 00:51:38 value over here reveal a lack of value over here. And I'm just struck by the fact. And I have no beef with the Apple Watch. I can't help but notice that a base level Apple Watch series 11 costs $50 less than this computer. And I know they're both computers, but like the watch costs pretty much the same price as the MacBook. If you have the educational discount, it's actually $49 more. You want to go up to an Ultra, it's two of them.
Starting point is 00:52:05 Yeah. Yeah. It's nuts. Like I'm an AirPods pro guy. I'm like how it's a better part of a laptop. It's crazy. Well, but here's the thing is the great divide. So, like, truthfully, I just ordered a new MacBook Pro for the company.
Starting point is 00:52:21 And if you get a relatively decently specced out MacBook Pro with a pro chip, not even a Max chip, you're touching $4,000. Like, the gap is huge. So you could buy, you could buy an entire fleet of these Neos for the price of, like, one MacBook M5 Ultra. The Daisy Chainum. Yeah. So, really like, you know, when it comes to hardware planning for businesses and even personal use, looking at how much power certain people actually need is now a massive. Like if you've got 200 employees and most of them just, you know, work in Chrome.
Starting point is 00:52:58 Gmail and Notion, you know, they can get an $800 computer versus the person who needs a bunch of horsepower for audio, video, animation, coding, you name it. You know, because their computer is going to be 5, 6K. And they made them purple. And they made it cute and purple. It's like not for nothing. You made a cute little blue MacBook Pro? Maybe I'll buy that one. I just want to talk about like just keep on the Apple train.
Starting point is 00:53:26 And now that we're talking about, now that I've started talking about the higher-end chips, the Pro and the Max, and they haven't released the Ultra yet. Everybody's highly anticipating the Ultra release because everybody, the OpenClaw frenzy has led to a Mac Studio frenzy as the Mac Studios. We've talked about it on the show before, but the Mac Studios with lots of shared memory.
Starting point is 00:53:52 You can get them with they used to be able to get them. Apple has stopped selling them with 512 gigs of shared memory. In this economy? The current M3 Ultra. No, no, they were literally selling off the shelves. Whoa. So they, I remember watching it. So we have a custom Apple store for our company.
Starting point is 00:54:08 So we get kind of our own backend access into the Apple store. and they went from an M3 Ultra with 512 gigs of memory went from like delivered in five to seven days to delivered in five to seven weeks to delivered in like three months to you can't order this anymore in like seven days yes and then Apple I think came up the other day everybody's waiting for the M5 Ultra Mac studios to essentially just be LLM servers but Apple came out the other day and said they won't be selling any M3 Ultras with 512 gigs. So everybody's kind of hoping that's a good indication that they're not building anymore because they're prepping for the launch of the M5 Ultras. I'm hoping that everyone who's going to go OpenClaw insane has done so already.
Starting point is 00:55:01 And the pricing of RAM can just sort of reach its homeostasis again because this cannot persist. I want to keep talking about some Apple chips. Bring up OpenClaw crazy in a few minutes because I've got some, given my, the feeling I'm in today, I got some interesting observations I want to make about the OpenClaw world. I'm looking forward to it. But anyway, the M5 Pro Max and what I can only assume, the Ultra chips have a brand new core inside of the main chipset. They have neural accelerators, which are actually, Apple is suggesting that they're presenting up to 400% increases in AI tasks.
Starting point is 00:55:48 So the M5 Ultra Mac Studio will be hotly demanded if it is that capable. Yeah, they're not dumb. They see these things flying off the shelves as like development units for all these hijinks, and they're like, well, that's great. Totally. What a wonderful thing to get out of having invested in this vertical supply chain of chips. It's like, oh, we're suddenly very in demand. Well, the big question mark is going to be what the price is, given how expensive RAM has gotten and how AI has led to this just frenzy on quality RAM chips.
Starting point is 00:56:23 So 512 gigs, like the Mac Studio in that structure, the M3 Ultra, was about 10,000 US, which is a lot of money. But for a server capable of running a model that can shove itself into 450 gigs of VRAM, is a steal of you. Like the, I don't know if you've looked at GPU prices lately, but they're also completely insane. I haven't checked in on it. I know it had gotten insane.
Starting point is 00:56:50 GPUs had gotten insane. It feels like they've been going nuts for a while. Ram the last like year and a half is just gone crazy. The joke had been, you know, of all of the things that Apple marked up, the gnarliest was always ram. It was like the jump from eight gigs,
Starting point is 00:57:07 like a barely usable, gigs up to a usable 16 gigs was like 400 bucks and like an order of magnitude greater than the actual cost of like of that writ that literal stick of RAM it's like for us to put it in this computer you're going to pay hundreds of dollars yeah um and now that that gap is almost closed it's like that's actually kind of just what it costs like the hysteria in the ram market has rendered apple's ridiculous pricing kind of coherent which I never would have thought I would have seen that The other big thing is like the new M5 upper end chips, the ultras and stuff, the memory bandwidth, which is super important for AI tasks, is incredibly fast. Okay.
Starting point is 00:57:51 For like, for essentially a consumer electronic, like a Mac studio that I could just go to Apple.com and order right now, the new versions of them will be very competitive with the boutique products being built by other AI manufacturers. and Apple's invested pretty heavily into their MLX program, which is their kind of version of CUDA. So it's like the way that the models can talk directly to the system and the chipsets and the memory. So a lot of these models are coming out optimized now for MLX, which means they're optimized for Apple use. So there's a lot going on in this space,
Starting point is 00:58:28 and I'm intrigued to see what's going to happen. I'm intrigued mostly to see what the price of these things are. If they come back out at $10,000 for an M5 Ultra with 512 or 768 gigs of RAM, because that's the other thing that they're realizing is most of these super models, like Kimi K-25 or any of the big, big DeepSeeks, one of them, they require at least two of these Studios if you want to run one of the premier models and they have to cluster them, which then adds extra delays and latency because, you know, Thunderbolt 5 is the fastest interconnect.
Starting point is 00:59:05 So, I don't know. There's a ton of technical stuff going on, but I'm pretty intrigued to see what they do. If they release an M5 Ultra with a terabyte of built-in shared memory, it'll be mayhem. I'm going to run these models on a Neo and you can't stop me. You can? Can you really? Yeah, yeah, yeah. Some of the new Qwen models, like the Alibaba models, they've made incredibly,
Starting point is 00:59:30 lightweight versions of them that will run on your iPhone, no problem. I can actually show you. I have one installed right now. I am fascinated. Yeah. You will need to show me that, actually. Can I run it on an Apple Watch? Maybe.
Starting point is 00:59:45 Actually, maybe, yeah. For $800, I would hope the Apple Watch can. It's totally the Apple Watch Ultra. It heats up to a molten ball on your wrist. Yeah, yeah. It's a scarification tool. It's a scarification tool. Okay, let's wrap it up with your OpenClaw madness.
Starting point is 01:00:03 Take out the cork board, take out the yarn, connect it. Take us out with a hot take. Vibe coding, OpenClaw madness. People creating, you know, people vibe coding frameworks to run virtual companies of agents, all of these things. One of the things that I've been noticing. Okay. it's a lot of the same people
Starting point is 01:00:30 that were huge web three crypto people like this is they're not software engineers they're not they're not it is they just you know the new wave of hype
Starting point is 01:00:43 and I've just it's something I've noticed like there are there are the software engineers that are adopting agentic development like myself of course but the hype the GitHub repos
Starting point is 01:00:56 of just insane tools that have had zero testing. There's just so much stuff being thrown out into the world. And every time I see a Twitter user that's like publishing some new massive, here's how you run a billion dollar company with my new tool. And I look at their profile and it's like NFTs, Web3. It's the same crowd. My guy. Same crowd.
Starting point is 01:01:23 It was drop shipping. is I'll give you, buy my course that teaches you how to make courses. It was Amazon Kindle Books written by ChatGPT. It's a company of a billion dollars made entirely of agents. It's the same shit. Yeah. And it's frustrating because deep below that Parmesan rind of shit, there's a really interesting novel technology.
Starting point is 01:01:50 And it is just, you can't even see the light. Like it's so thick on top of it. Yeah, I'm with you. I'm so with you. As I've spent a little bit more time on Twitter as of late, and I'm just seeing it all. And I'm like, this person just released what they're calling a production system to do all this stuff.
Starting point is 01:02:13 And it's like I can tell just by it. Like it's just straight vibe coded. And it's like, it might sure, it might be able to run. But it's like now they had, I feel bad for them because they probably had no idea, you know, when 8,000 or 80,000, you know, crypto bros set up their companies and run into all of the bugs that are probably nestled inside of their piece of software,
Starting point is 01:02:39 how long it's going to take them to try and resolve them all. Like, they've just created themselves a full-time job in the open source community. And I'm just like, oh. 100%. We talked about this last episode. It's like, it's quick to make, it's quick to deploy. it is not quick to maintain. That's the real.
Starting point is 01:03:01 Especially when 80,000 people start pressure testing it. It's going to go one of two ways. It's going to go, they run into a bug and they uninstall it and they never use it again, which I'd say is like a bad customer story. Or they file a bunch of issues and yell at you on Twitter. And it's like those are the two outcomes. You know I've talked before about the hit of dopamine. mean you get when you start a project versus the slow drip of cortisol and stress of actually
Starting point is 01:03:32 getting a project moving and getting and I don't even just talking about software development. I'm kind of more talking about non-software development, but I think it applies here. The spike of excitement of a new idea and the first few steps and then the disproportionate slog of the next 10 steps before it equilibrium is back out and is just I'm working on a project. Yeah, I have another job. and I decided and it was intentional and I made the choice to pursue this new project.
Starting point is 01:03:59 It feels like this tech has enabled people to think they've jumped over those shitty five steps. Like the part where it's work, it's like, no, I can just make it and it's instantaneous and it's out in the world and it's done and it's there
Starting point is 01:04:14 and it should be making me money and providing value and, and, and, and it's like... I'm getting tons of likes on Twitter. I'm getting shares here. You can't skip the five steps. The five bad ones that followed the two good ones.
Starting point is 01:04:24 It's like you can't, there's just no way. They just move. You've just moved them into trying to maintain a thing that barely works that you don't know how to maintain because you vibe coded it. It's like, that's all you did. You just delayed it a little bit and you extended the good feeling at the start a little bit because you got further. And I get it. I really, really get that cycle in wanting to hack it, but it abides. It cannot be hacked. Well, that it's like vibe coding, agentic engineer. Well, it depends on who you are.
Starting point is 01:04:57 I'll say that there's the two camps there. I think if you don't know how to program and you don't understand the structures, what's underneath what you're looking at, you're a vibe coder. If you're a software engineer that uses AI to facilitate your process, but you still are critical of how it's doing things,
Starting point is 01:05:16 what it's doing. You understand when you see a bug, what it's probably doing under the surface, and you can, like, give it explicit instructions. You're like an agentic engineer, is the new fancy term for that. But here's the thing is, like the, if you were like an idea person, like you're like, I got an idea, I want to build this thing. It costs so much time and money five years ago.
Starting point is 01:05:43 It would have cost you years of your life to go from that idea to a product or a workable concept. If you were like a solo person building in your spare time, it would have taken you years to build out a proof of concept for this idea of yours. And now you can do it in like 45 minutes. And that, I think, is the, you hear a lot about how engineers in Silicon Valley, young tech workers, you know, computer science students are just not having social lives anymore. They're not going out. They don't hang out. They don't drink. There was a joke the other day from the Y Combinator. I don't think it was a joke. A tweet from the Y Combinator CEO talking about how he's quit drinking so that he can have better mental capacity for his like long agentic coding sessions because he's just getting so much stuff done. And I think that's totally valid. So I built, I think I sent it to you, repoCost.dev. If you've got, if you're bored, go to repoCost.dev. You can throw in a GitHub URL and it will use a proven model to estimate how much time and money it would have
Starting point is 01:06:54 cost to make that repo. And just so people can vibe code a product, and then five years ago that product would have cost five. Like even repoCost.dev, I vibe coded, has a value
Starting point is 01:07:10 of like $84,000 for the time. And it would have taken one year. And it built it while I was in the dentist chair getting a checkup. But that kind of product that requires functionally no maintenance after you make it and put it out in the world is so different. To go back to whether this is different for the agentic engineer versus the vibe coder,
Starting point is 01:07:31 it's like, I actually don't care what your skill set is. I care about the story you're putting out into the world about the thing that you've made. And a fun thing that you can just sort of make and deploy and it's cool and it's a tool. It's useful to some people and it's out there quickly is so different than like Salesforce is cooked. I made a better one over the weekend. It's like, no, you did not. Stuff like that, cool stuff, quick stuff, little like ideas and kind of trying to catch,
Starting point is 01:08:01 you know, a moment so different than insert whole industry is over, bro, because I did this in a weekend. It's like, I promise, I promise you didn't. Yeah. But the thing, like the, I could see the attraction of it. Sure. As somebody that likes to build things, it does move so fast. like I've been building loom for myself.
Starting point is 01:08:25 And that's the thing is like I don't really care. I think it's cool. I think people should check it out. But I'm building it for myself. It's a very functional utility for me. Yeah. And that's it. Like I want it.
Starting point is 01:08:37 I will use it. So I'm building it. And I think that's a good motivation. If your motivation is I'm trying to build the next cool thing to get hyped on the internet. I want to build the next OpenClaw. There's so many people trying to build the next OpenClaw. I think maybe that's a good movie. And vibe coding it out every day.
Starting point is 01:08:56 There's 10 new ones on Twitter. I think maybe that's a useful place. Is like, are you, I'm not saying you can't make a ton of money in software development with stuff that was created using these tools. I'm not saying that at all. But I'm saying, are you fundamentally trying to, is there a thing that doesn't exist that you want to make exist that sounds cool to you? And so you're using these tools to that end?
Starting point is 01:09:20 Or are you going, people always got really rich off software development. Now it's cheap so I can get rich cheap. It's like one of those is a fool's errand. And the other one is like just objectively true. If you just have a cool idea and you want to try and make it, that got easier. And if you think you can become the next Sam Altman using Sam Altman's tools, you're out to lunch.
Starting point is 01:09:40 Well, a common thing on Twitter if you look, if you just look for anybody talking about stuff they're working on, vibe coding, you'll see the ones who were, like, clout chasing and posting all their successes have their monthly reoccurring revenues in their description. They're like, 15,000 MRR heading to a million. And it's like they're just vibe coding up tools and throwing them into the world hoping somebody pays them for them and then they will get rich do it and some people are making money. Like, I'm not taking that away from them. People got rich drop shipping too. Totally. But you put a coin into the slot in the internet slot machine and hope it comes up and there's a bit more skill to it than that.
Starting point is 01:10:25 But like, yeah, totally. You can get rich doing the thing that makes most people no money. That's always been true. Yes. Oh, that's fascinating. So repoCost.dev, check it out. It's an interesting tool. Lume is currently at $15.7 million for development time.
Starting point is 01:10:45 This is, and this is like, let's go back to a message Jordan this the other day. So there's about 1,360 estimated man months into Lume. 1,360 man months. It would have taken 37.5 devs three years to build it. I have built it in a month. And that means that I am with my AI friends, a 1,350 X engineer. Gone are the days of 1x, 2x, 3x, 10x, you now have 1,000X engineers. But can I run it on my Apple Watch?
Starting point is 01:11:20 Probably. Probably. Probably. Probably. This is pretty lightweight. I kind of like that. It's the new metric. It's multi-threaded. I think there's threading on the Apple Watch. There must be. A molten ball on your wrist. Eternal Blue, Coruna, the MacBook Neo.
Starting point is 01:11:38 Klein. I think that's another one in the bucket. Yeah. Feeling good? Anything we missed? Feeling good. No. I don't think so. I don't think so either. Thanks for joining us. I'm going to go buy a purple laptop and no one can stop me.
Starting point is 01:11:55 I'm going to buy a MacBook's Mac Studio with a bunch of RAM in it. The two most different computers. Can you put them on the same order just to confuse the Apple Rep? But here's the thing is if you're offloading all of the computation onto your Mac Studio, if it's doing all the heavy lifting, all you're going to need is the terminal. It's like the MacBook Neo is the terminal of the vibe coding age. We're just going back in time now. Exceptional.
Starting point is 01:12:21 It'll be a big server and a small terminal. The MacBook Neo is the terminal. The huge Mac Studio is the server. I like the idea of just a Mac, not even a Mac, an iPad mini dangling by the cable. It's light enough that you don't even, it's just dangling from a cable in the middle of the room. And that's your terminal for like a server farm of Apple, of Mac Studios. Just swinging in the middle of the room. Just boot type, run.
Starting point is 01:12:49 Thanks for listening, everybody. And as always, we will catch you in the next one. Take care. That was fun.
