Risky Business - Risky Biz Soap Box: Greynoise knows when bad bugs are coming

Episode Date: November 20, 2025

In this sponsored Soap Box edition of the podcast, Andrew Morris joins Patrick Gray to talk about how Greynoise can often get a 90 day heads up on serious vulnerabilities. Whether it’s malicious actors doing reconnaissance or the affected vendors trying to understand the scope of the problem, it seems that mass scanning activity lines up pretty nicely with typical 90-day disclosure timelines. A fascinating chat with Andrew, as always. This episode is also available on YouTube.

Transcript
Starting point is 00:00:04 Hey everyone and welcome to this Soapbox edition of the Risky Business podcast. My name's Patrick Gray. For those of you who don't know, everyone you hear in a soapbox edition of this show paid to be here. It's a sponsored product. But we get to have some really great conversations and that's what we're going to do today. So today's Soapbox is brought to you by GreyNoise. And if you don't know, GreyNoise operates a global scale network of honeypots which enables them to see who's doing mass scanning and mass exploitation on the internet, to detect that sort of stuff very quickly and turn it into all sorts of extremely valuable threat intelligence. So the way most people use it is they can look up an IP to see if bad stuff has originated from it. So it's a good way for you to avoid toxic IPs.
Starting point is 00:00:51 They can also do stuff like capture people's attacks and reverse engineer, using AI, reverse engineer someone's probes into 0-day, like this is something that they've done before. But normally it's an intelligence about IP kind of product. But, you know, going with that theme of them discovering all sorts of really interesting stuff, the founder of GreyNoise, Mr Andrew Morris, joined me for this interview where we really started off talking about how they are getting a three months heads up these days when really damaging 0-day is about to drop. So it's a bit of a windy road in this conversation for me when I did it,
Starting point is 00:01:31 and probably for you as the listener, to understand exactly how that's happening. But basically there are all these tells that GreyNoise can pick up on where they can say, there is going to be a Cisco ASA like bug dropped in three months that's really, really damaging. People should prepare for that. So yeah, really interesting conversation that I recorded from a hotel room while I was in Melbourne with Mr. Andrew Morris, the founder of GreyNoise. And we also talk a lot about IPv6 versus v4 and some of the challenges there,
Starting point is 00:02:00 just all in all a great conversation and interview. Please enjoy it. I will drop you in here where Andrew is talking about GreyNoise's ability to sort of pre-cog know that some serious vulnerability is coming. Here he is. Enjoy. So Bob Rudis, he's our chief scientist, he's, you know, he's doing some research for, to back up some marketing claims that we're making maybe a year or two ago, right? And some marketing claims we're making, hey, we're going to see early warning signals and blah, blah, blah. And so it's like, hey, Bob, can you, can you, can you dig into this and really find maybe an example or two of us spotting something before it happens, right? Bob digs into the data and he does like a lot of kind of regression searches and tests
Starting point is 00:02:44 against looking at spikes that happen of probe, scan, crawl activity, basically inventory activity for specific sensors that are running specific software and then looks to see if any noteworthy vulnerabilities come out within a certain period of time of that. And like we knew in our hearts that it was likely that that was linked or that these two things were together, stated differently. All of a sudden, everybody and their grandma wants to know about, I don't know, you name it, Fortinets, AIS routers, who cares? And then, you know, three months later, like clockwork, we hear about a really big, bad, scary zero day that's been disclosed. And that's when it becomes public. So we knew this in our hearts, because we've been doing this for a handful of years, the behavior of it makes sense.
Starting point is 00:03:29 But when we actually dug into it, we wrote a research paper about this, the results of it are like kind of eerie, how often it happens consistently. Correlation is one to one, basically. Yeah, I mean, it's like kind of every time. So there's a certain size of spike that we only see when a very big scary vulnerability is going to be disclosed. And it's within 90 days, right? 30 to 90 days. And what's fascinating about it is so then that. I don't want to say emboldened us, but like, you know, I'm a cynical, skeptical security person.
Starting point is 00:04:04 Security people hate hearing, like, marketing BS that they're going to hear of like, oh, I'm going to ha, whatever. I was like, hey, guys, let's be very careful about any claims that we make on this. But I'm looking at the charts and I'm like, this happens every time, like every single time. So after we published the paper, we see it was, I mean, there were two pretty big scary spikes, one in people looking for Cisco ASAs and the other for people looking for Palo Altos. And really bad bugs came out really kind of right smack on time. So what's fascinating to me, let's take the step back, right?
Starting point is 00:04:37 Who's doing it? Who is doing those spikes? It's not like all of a sudden everybody starts doing really big spikes. It's so tightly coordinated when it happens that it's very clear that it's one actor operating from many, many different places. So what I find is... Someone who has the, someone who has resources, basically, right? If they're the ones doing the global recon and then developing, or have already developed and then do the recon, but yeah, it's someone, it's well resourced.
Starting point is 00:05:06 And so what's fascinating is that you'll see, I mean, they've got resources because we'll see it happen all at exactly the same time with exactly the same protocol fingerprints from maybe 5,000 IPs at exactly the same time. So it's like, okay, well, I know that whoever it is either can lease 5,000 IPs on the internet or they've got access to 5,000 compromised devices. So there, in and of itself, you've got resources. But the other one that's really fun to think about is, is this a defender or an attacker? Is this the vendor or a researcher? Okay, so there's a couple things here, right? So there's that, right? Which is someone like my beloved co-host, Adam Boileau, who has actually built mass scanning tech previously.
Starting point is 00:05:45 Like he built the low-hanging kiwi fruit many, many years ago and you know, you see someone ripping through the internet looking for that stuff. It could have been him. Could be some beardy Unix guy in New Zealand just looking for stuff. But the other angle on this, right, is I respect the science of it. But this is not actionable insight. Okay. You know what I mean?
Starting point is 00:06:06 So even if you know, even if you, GreyNoise, and I just wanted to get your feelings on this, right? Sure. Because you're GreyNoise, you're sitting on this extremely sophisticated thing, right? The sauce, as you call it. The sauce. Like Neo from the Matrix, watching the little things fall, right? That's right. And you're like, in three months, someone is going to attack SharePoint.
Starting point is 00:06:25 You know what I mean? Like, yeah, yeah, yeah. Okay. So what do you do at that point? Because you could tell all your customers in three months, someone's going to attack SharePoint. They're not going to do anything. Because we live in a horrible world.
Starting point is 00:06:36 You're not wrong. You're not wrong. I would say for the first five years of GreyNoise, I would say nobody does anything. You know, there's so much FUD. There's going to be people that say stuff like this, that indeed is not actionable. I am personally now so confident in this.
Starting point is 00:06:50 And I feel like we've gotten this correct enough, enough times, and we've got the receipts to prove it, that at this point, you need to take, like, all those security controls that you think that you have on these edge devices. You better double-check those, all of the networks that are behind them, you better make sure, you better assume that they can be moonwalked into, right? Any kind of audit that might involve, like, hey, let me just reread those configs real quick. Like, with my eyeballs, even though no alerts went off, because you can't put EDR on an edge device. Let me use my eyeballs to go through and just make sure that the users that I think are logged in or created, that they're good. Let me make sure that the configs are good.
Starting point is 00:07:30 Let me make sure that it's not talking anything that it would. And I would again, I would say that for the last five years, I would totally agree. I would say like, look, people say this stuff all the time. What are you going to do? But at this point, no, I think you very meaningfully. It's not like a maybe something's coming. It's that in that moment to someone, those devices are vulnerable. So you need to just assume that that's the case, right? Like really assume that that's the case and then trace through, maybe it's tabletop, maybe it's looking at connections again with your eyeballs, maybe it's actually going through, maybe it's rebooting those things because as we found out from the BADCANDY report that the ASD just did, a lot of these are in memory implants
Starting point is 00:08:10 so you can just nuke it up down once and you've kicked off, you've booted them out of the access and they're at least going to have to pop it again. And you kind of know it's coming. So this is where I think we end up on it. Can you, should you freak out? No, that doesn't do anything. That doesn't help anybody, right? But like, there are some things that, like, forget about cyber, right?
Starting point is 00:08:35 Like, a dude walks by in the middle of the night and he walks past your car. I'm not freaking out, right? The dude peers into your car. I'm starting to get a little bit sketched out, but maybe he thinks it's his car. The dude tries to open the door to the car. The guy's trying to get into your car, right? Like the dude's up to no good, right? So these are some of, these are some things like that.
Starting point is 00:08:56 And it is going from a little bit of a voodoo art to like kind of a little bit of a science. And I get a lot of sort of satisfaction out of knowing that it's, we're kind of both catching a potential, like the vendor who might be asking a security research group or a nation state apparatus, this, hey, there's a really big bad bug. How many of these things are out there? Where are they? Because not all of these vendors really get that level of telemetry, even though I would hope and assume that they do. They don't, right?
Starting point is 00:09:29 Or maybe it's an offense team who's saying, oh, we found out about a bug. We got to figure out where all these things are so that we can figure out all the accesses to go into. And the 90 days is so fascinating because that's kind of the perfect responsible disclosure timeline. Right? As soon as MITRE knows about something, as soon as the vendor knows about something,
Starting point is 00:09:51 then in very real terms, the clock starts 90 days. So you think it's possible that some of these actors are getting an early indication that a bug is coming down in something? A hundred percent. Absolutely. So this isn't research that they've done. No. But then they're right.
Starting point is 00:10:08 Okay. That's why I think it's so fascinating. Somebody all of a sudden has a massive interest in figuring out where every single XYZ device is around the internet. And they're doing that for one of two reasons. There is no third reason. Okay. So when you were saying, when you were saying a bug is coming, you meant like a publicly disclosed bug, not one that shows up just as a 0-day then hitting those devices. It may have been disclosed to the vendor. It may have been reserved by MITRE. But it's not. There is, but nobody knows about it, but the person who found it and maybe the vendor.
Starting point is 00:10:43 So what I find interesting there is because when you were originally talking about this, I figured what you were saying is someone has found a 0-day in a product, then they're going out and scanning to find, that same person or same actor or same well-resourced organization is then going out scanning and finding where it is. But I guess what you're saying is they maybe have some insight into reporting channels or they are reporting channels. So, you know, if I were Acme Edge Company, I would definitely have research partnerships with universities and there's certain things that as a, you know, a giant publicly traded company who has
Starting point is 00:11:19 XYZ gazillion dollar contracts with maybe the DOD, you know, insert wherever. I'm sure it's the same in places like, you know, China and other giant countries. Like they have certain sort of information sharing and disclosure sort of processes that they're going to go through. And someone, somewhere along the way is going to be like, ah, we got to figure out where all these things are. And we got to figure out. So you're not just saying that, like, an adversary might be sitting at a bug tracker, for example, which is, you know, they're definitely doing that too, but that's not what I was saying. Yeah, so, but more that just when the wheels start turning. Yes. On a bug disclosure. Yeah. You, you're going to see it in GreyNoise.
Starting point is 00:12:01 That's right. And the more, the worse the bug is, the more intense the scanning that we're going to see, because the louder and faster they're going to have to enumerate those vulnerabilities is, or enumerate, inventory those devices is. So there's a difference between, hey, it's a bug that is like, you know, low severity information disclosure. It sucks, but it's not the end of the world. It doesn't lead to full system compromise. Yeah, man, like slowly scan that, kick that bad boy off from four different places, let it run for the next 90 days, whatever. When we see 150,000 IP addresses suddenly start looking for an ultra-specific piece of software, and they're not looking for anything else.
Starting point is 00:12:47 We're like, number one, someone with resources. Number two, they are super interested in Palo Altos, right? And they're not interested in anything else. Let me ask you something, though. Like, why are these people doing these scans not using stuff like Shodan? Why are they not using stuff like Censys? And, you know, when it comes to, you know, state-backed adversaries, like we just saw a leak out of a Chinese contractor that was like owned by Tencent that looked like they had something similar to being like a Chinese Censys that no
Starting point is 00:13:20 doubt, you know, all the MSS people can log into and like look up stuff. So why, why do this? Why show your hand by scanning from 150,000 IPs and showing Andrew Morris and friends exactly what you're looking at. So I would say like number one, maybe it's because you're, from everybody else's perspective, you're probably not going to see it. The only reason we see it so much is like,
Starting point is 00:13:47 we have no business value and we have in 80 different countries in close to 100 hosting providers and thousands and thousands of places. So to us, you're going to stick out like a sore thumb. To like, you know, Joe Random Network, he's going to see one, two, three, four, five IPs probing a path, whatever.
Starting point is 00:14:04 So to us, it just jumps out in a really big way. And the loop's not really getting closed there. And we, and maybe they find all of our sensors, but we burn them and stand them back up pretty often. So who cares? The second reason of why really does depend on which side of that you're on. If you're the, if you are the defender, if you're either the vendor or the equivalent of the information assurance directorate or the system. You don't care about getting caught because you're not doing anything wrong. There's no, there's no caught to, there's no caught to get, right? You're just like, I got to find these things. I think a more interesting question, though, is, is in the heart of what you ask, why not use Censys?
Starting point is 00:14:38 Why not use Shodan? Like, why not use one of these ones that are already inventorying it? So I'd say for a couple of different reasons. One, you're going to leave a log there of you having done that, I guess as opposed to leaving a billion of them when you do it yourself. With GreyNoise. Yeah, instead of just giving them all to you. Yeah, that's right. Number two is that no matter how good and how thorough all of these are, and they are good and they are thorough.
Starting point is 00:14:59 Lots of people are going to block or redirect or mistreat these benign scanners because they don't see upside in allowing themselves to get inventoried. Whether I ideologically agree with that or not, you know, you're always going to get better mileage when you do the scanning yourself when you know what you're doing. And then the last one is like a lot of these bugs are, you want to figure out with very high certainty that the bug is there, but you don't want to tip your hand to the path of the bug, right? It's like the whole CVE, do you give a good description or a bad description? Well, that can be hard because maybe you're checking not just a version, but the presence of some module or something like that. That's right.
Starting point is 00:15:47 That's right. And maybe it's a module that Censys and Shodan don't check for. So maybe they're looking for, you know, they're looking for all these banners, but maybe they're not looking for that one model-specific register. Maybe they're not looking for that one stack trace that goes out in this place. And that's what you need. And you know this.
Starting point is 00:16:02 Like there are lots of bugs. There's so many of them. And so you know, so you, and so the nature of each of these bugs is going to be a little bit different. And look, your Censys, your Shodan, you're doing this. You're already hitting 4 billion IPs just for the routable IPs, not even thinking about all the vhosts and all the web stuff. So you're already doing a lot of requests every day. You don't want to do two or three or four or five per software per thing, that's a lot of overhead. Like that adds up really quickly.
Starting point is 00:16:32 Well, it's almost like you think of, you think of like, I mean, I'm sure, I don't know, but I'm sure you could probably go to Censys with a custom request, right? It's sort of like, but at that point, it is kind of like tasking a satellite. It's like tasking a satellite at that point, right? Yeah, that's right. I mean, so you can, like a lot of these, I mean, Shodan's been doing it for a long time, Censys, you know, they have on-demand scanning capability. Like all of these different, you know, the real players who know what they're doing, they're going to allow you to give them a little bit more nature of like what exactly you're looking for and then they'll kick it off. It's, it's risky for them to do though, because you, you know, that can kind of go
Starting point is 00:17:06 wrong when somebody slips in a, you know, directory traversal bug to this and all of a sudden, you know, Zakir goes to jail. Um, but, uh, but, you know, so, so, and, and they don't want to tip people, right? So it's, it's a funny cat and mouse game. It's like, not, not in, in, it's a confection or confection or something like that, when you, you, you, you have a solution and you have to figure out what the problem is that somebody's solving for. It's, uh, it's, it's, it's kind of the, the definition of the reverse engineering, right? Like, I don't know what people are looking for, but I do know the specific request that they sent and I know where they sent it to, so I can surmise, right? Yeah. So they want to give me as little information as possible. If you're, if you're out there, bad guys, uh, you know, you don't want to give me anything, right?
Starting point is 00:17:52 Well, but I mean, the point is, the point is, you don't know if they're the bad guys. You don't know if they're the vendor. You don't know if they're like some security company that's found a bug and they're doing a survey for their marketing blog post when the bug drops in three months. But I am simply uninhibited by whatever the restrictions are that they're going through. I don't have any early access to this bug. So as soon as I hear a credible rumor, this is a metaphor that I'm making, as soon as GreyNoise hears a credible rumor, you bet your ass we're going to tell everybody about it. We got no reason not to, right? Yeah. And so as long as it, again, I'm treating the security community like adults here. I'm saying, look, guys, don't just freak out about it.
Starting point is 00:18:30 Don't throw a bunch of money at some random vendor who says they're going to make your problem go away. But yeah, if we say that the bug's coming in Cisco ASAs, please review your Cisco ASA logs and, like, audit those things and go through it. And I'm not picking on ASA. Obviously, they've got some bugs going on right now, but it could be any of them. And it is every time. Yeah. You know, one thing I want to talk to you about, right? So I'm working with Knocknoc, as you know, right?
Starting point is 00:18:52 So it's sort of tangentially connects, connects to what you do, right? Huge fan. One thing that's been really funny, right? My experience there is the border device problem is huge, right? It is absolutely massive. And where Knocknoc is getting traction is actually for the internal use case. I mean, it is getting traction for external as well, for external attack surface. But what's crazy is like, hey, it's growth.
Starting point is 00:19:15 I'll take it. It's going well. The hair, my back starts to sweat as soon as I hear you say that. I don't get it either, right? Which is like, I think there's this perception among a lot of enterprises. They think they're in a better, they think they're in better shape than they are, right? When it comes to their external attack surface, does that vibe with your experience as well?
Starting point is 00:19:35 Because you're talking about like, oh, okay, we can tell them that there might be a bug coming down in three months. So they're going to go and check the configs and this and that. I feel like there's a real disconnect between what people, what is accessible from the outside and what they think is accessible from the outside. Do you see that as well? Yes. I mean, so this is, this is my opinion. I'm, I'm going to wax poetic for a second. I think one of the biggest sins that, you know, more mature,
Starting point is 00:20:02 that advanced organizations have, especially those who spend a ton of money on security products and with, you know, big master service agreements with different security vendors, is that, like, they kind of forget the basics and they assume that they're better off than they are. The way that, like, that people who work in off, I mean, I used to work in offense, right? I really never had to do any super, you know, crazy matrix voodoo stuff to get into networks. Like there's just a handful of things that just work. When I look at the credentials that attackers are spraying right now, it's Autumn 2025 exclamation mark capital A. And they're doing that because it works, right?
Starting point is 00:20:43 And it's going to fit inside the security policy, right? So it doesn't matter how many different crazy firewalls and stuff that you've got, like somebody's password is going to be autumn, 2025, exclamation mark, capital A, they're going to get in, right? So that's one, two, my bigger point here. And I'm very glad that we're literally on the soapbox right now because, boy, I'm climbing on it. This whole attitude of like, oh, this is a single player game.
Starting point is 00:21:14 I'm just going to protect my network and it's okay that the whole rest of the internet is screwed. That can't affect me. It doesn't work, man. Like the ISP's doing nothing. The vendor's doing nothing. Like, the government in certain cases doing nothing. The hosting provider's doing nothing. And just being like, good luck, everybody. Update those firewalls. Right? The firewalls are the ones getting popped. Right? Like, and so the, if the expectation from my perspective, if the expectation here is that like, we're going to duplicate effort intentionally so that we don't muck around with like the free part of the internet, I'm over here like,
Starting point is 00:21:51 why would you invite somebody who has COVID-19 to your wedding? Why would you do that? No, no, I'm with you. Even if your guidance, even if your guidance to all the guests is, hey, by the way, you better be vaccinated because some dude's going to be here with COVID-19. I'm like, no, if you know someone's got COVID-19,
Starting point is 00:22:12 he's not allowed to come to the wedding, man. That's the bigger problem in my view. Yeah, no, I get it. I mean, but you've always had that vision of wanting to fix the internet, right? Which is like, talk about thinking big. You know, I remember talking to you years ago and you're like, my dream end state for this is someone does a mass scan on the internet. They're immediately detected.
Starting point is 00:22:30 Persona non-grata. Exactly. We kick them off the internet, right? That's right. So where that gets interesting, though, and as I say, I've been spending a lot of time with my head in this space. Where it gets interesting, though, is when you've got all of these residential proxy networks at the moment. This is a problem for, well, this is a problem-ish for... We, and in particular...
Starting point is 00:22:50 Well, hang on, let me, let me... Yeah, yeah, right. So what happens is you've got these residential proxy networks, you know, thousands of compromised devices, and, you know, the Chinese have developed these things in response to companies like yours doing a better job, right? Like a well-oiled machine. Yeah, 100%.
Starting point is 00:23:07 So they can pop out of some compromised residential machine, and they're popping out of an otherwise... They're popping out of grandma's toolbar in the browser. Exactly. And they're popping out of a clean CGNAT gateway, right? So it's like a major ISP's gateway for a certain region in the United States. And from a GreyNoise perspective, like, that's hard. From a Knocknoc perspective, that's hard, right? Which is why I'm talking about. And I think, you know, you've got to realize that with a lot of this stuff, it's like, you know, you can massively reduce the risk. And indeed, we're building eventually a GreyNoise integration so
Starting point is 00:23:44 you could pop your GreyNoise, GreyNoise, um, API key into Knocknoc. So if someone is trying to get a network port from a bad IP, it'll just say no. Yeah, or an IP that's ever touched us, right? Because yeah, people who are using Knocknoc are probably not randomly scanning the internet right from the same box right before they do it, right? Yeah, yeah, exactly. Right. So it's, it's like, it's like, you know, that's, that massively reduces the risk. But like, I guess where I'm going with all of this, right, is that a lot of what we're talking about, we're trying to patch over the shortcomings of IPv4. And the longer you spend in this space,
Starting point is 00:24:19 the more you realize that, like, wouldn't it be nice if we lived in an IPv6 world? Now, don't get me wrong, that's going to bring with it a different category of problems. You're going to have issues that are different, like, problems around discovery. First of all, you're going to have to rewrite every security product on the market right now because none of them support it, right?
Starting point is 00:24:38 So there's that. You're also going to, yeah, you're going to have issues around, like, how do you discover assets, you know. But that's a problem for the bad guys as well. But I guess my point is, like, it sort of feels at this point that IPv4 is just not fit for purpose. And I wanted to get your thoughts on that being Mr. Network guy. Yeah, I think, I think, NAT, so like, I think this whole notion of, like, non-routable IPs, the existence of non-routable IPs as like a, let's just call it a kind of a gloss over sort of real quick and dirty solution to, like, not having enough IPs on the internet.
Starting point is 00:25:12 Like everything is NAT now. Everything is NAT. It's crazy. So everything is NAT. And so the issue is that it was never meant to be a security control, ever, right? It is not a firewall. It is not a firewall. Sorry, but it's really good at obscuring the origin of something, right? Which is a problem for GreyNoise, problem for us. It's kind of become a de facto firewall. And the old gray beard, crotchety old security guy in me, if you can believe him, he's there. He's saying that if you architect the network the right way, it doesn't matter if you're on the internet or if you're on the inside of somebody's, if you're on a corporate network or if you're on the internet, it's all the same. That, that's what, that's what you would say.
Starting point is 00:25:49 I mean my definition, my definition of zero trust has always been very different from everybody else's, where my definition is it's just about treating every single computer in your network as if it is directly attached to the internet. That's what you kind of need to do. And so that's why I'm, I'm, it's like I respect the place that, that, that NAT and IPv4 had and all these routable and non-routable IP addresses, right? I respect that. It's good. It got us through the internet boom, and everyone can get online. Let us get away. Let us get away with some bad behavior. Let us get away with murder, man. Get away with murder. It's like, you know, you let, I mean, you let your, your kids when they're growing up and they're like, mommy, daddy, can I eat ice cream? And you're like, sure. Like,
Starting point is 00:26:30 can I do whatever I want? Sure. Do you want, can I put my finger in the socket? Sure. It's one of these days, it's going to blow up in your face, right? Like, it's, it's going to, it's going to, it's, it's incurring a kid with diabetes getting electrocuted, basically. That's right. And so this is it. You've, we made that bed, right? And it's never too late to do the wrong thing. So from my perspective, it is. I mean, it's, it's now we're, we're in a problem of our unmaking, right? But let's just start pretending that every single thing on the internet is routable. Routable. No, I know, but that's what IPv6 is. Like, and I'm saying, why do we want to pretend?
Starting point is 00:27:10 I can't hear you over me directly pinging your laptop right now because we're both on IPv6. It's awesome. It's just, I just, you know, so much of this goes away. And it also, like the thing about it is, it would not make GreyNoise disappear. No. It would make GreyNoise like much more valuable
Starting point is 00:27:28 when you've got such granular, you know. It makes bright-eyed, bushy-tailed, 20-something-year-old Andrew GreyNoise go away, when I had no idea, you know, where the technology was going to take us and what problems that we were going to ultimately, like, fall into, because people don't have the exact same IPv4 noise problem. You don't trip and fall into, you know, IPv6 IPs the same way that you do with IPv4. Bugs are still going to be exploited on the internet. Compromised devices are still going to try to, you know, attempt to, whether it's using
Starting point is 00:28:01 neighboring protocols, enumerating AAAA records on the internet, scraping for resources, you know, predicting the brute forcing random number generators in the DHCP leases of embedded devices that are handing out all these IPV6, you know, DHCP leases like, whatever, whether it's any of those, you're going to have bad guys attempting to figure out where these things are. Gray noise looks very different in an IPV6 world because, you know, you're at the point now where in the IPV4 world, you're everywhere, right? It's a small enough IP space that you've got your honeypots. Like, they're going to get touched.
Starting point is 00:28:43 If someone's doing mass scanning, they're going to get touched. In an IPV6 world. Billions of times a day, as it turns out. Yes. In an IPV6 world, that just doesn't happen. So, you know, it's a different game at that point. Like the paradigm of like there is a company that can tell you who's doing exploitation of a large number of devices.
Starting point is 00:28:58 Like, that still exists, but the mechanics of how that works is completely different. It's different. But look, look, Andrew, the good thing is, we're never. going to an IPV6 world. So why are we even talking about it, right? We have to. That's the thing. We have to.
Starting point is 00:29:12 Of this, I am certain. We have to. We're kicking a can down the road right now. I get it. I love the meme of like cancel IPV6. IPs were never supposed to have letters. I do love that. But we have to, man.
Starting point is 00:29:26 Out with the old and in with the new. The only constant is change. You got to do it. And forget about IPV6. It doesn't even matter about IPV6. It's about changing the mindset of like, Like, you got to assume everything's on the internet. And that's very easy to do when literally everything's on the internet.
Starting point is 00:29:42 Yeah. Well, I mean, that's why, you know, I'm doing the work with Knock Knock as well, which is like, you know, in a V6 world, like, that solves so many problems when every single connection is an allow listed and pin to off. You know? So let's let's pretend that the world isn't in the middle of lots of big, awful wars. Let's just pretend that that's the case for a second, right? I would so much rather every horrible, vulnerable device that is going to get the crap hacked out of it, I'd rather it happen now. I don't want it to happen when there's a fourth, fifth, sixth war going on, right? It's better to happen in fair weather.
Starting point is 00:30:20 So, okay, all right, all of our routers are going to get popped. All the IP cameras are going to get popped. All of these edge systems are going to get popped. Let them. It makes them get stronger. You have to assume that that's going to happen anyway. You can't sweep it under the rug. So I'm, I know, I'm soapboxing, but if I can't do it here, I don't know where I can.
Starting point is 00:30:36 Well, you can't do the soapboxing on the soapbox. But look, final question, we're going to have to wrap it up, right, because we're kind of running out of time. But my final question here is like, okay, you say we have to. We have to go to an IPV6 world. I mean, I agree, but like, why aren't we there yet? And what gets us there? Because IPV4 exhaustion is a real thing. It's already happened.
Starting point is 00:30:56 But it seems like there's still enough dumb stuff with IPV4 statics. that, you know, gradually the prices come up and the dumb stuff, like, that gets reallocated to the pool. Prices are just creeping up. They haven't exploded. Like, what is the thing that ultimately gets everyone to switch? Capitalism. I mean, it's got better. Yeah, but where's the economic driver in capitalism?
Starting point is 00:31:20 That's what I'm saying. If the economic, capitalism states that if there isn't, especially with something like security, where it's a cost center, right? Like security doesn't make money for anyone other than the security business. It just costs people money. Right. And so like there is no economic incentive to move on from it. And because there's no economic incentive to move on from it, we're not going to do it. So there needs to be either.
Starting point is 00:31:44 I mean, there needs to be a massive amount of pain as a result. And I do not think not for a second that if I snap my fingers and everything's over on IPV6 and we've gotten through it that we're all of a sudden 100 million times safer or whatever. I don't think that's true at all. But I do think that you, if there is no reason to do it, it won't be done. And if it's not being done and people are trying to do it, that means there's too much money in it not happening. And I was making a funny little bit joke earlier, but I was dead serious. I think I know three or four network security products off the top of my head and logging stacks that support IPV6 end to end.
Starting point is 00:32:23 There was a great Hacker News article maybe a year ago where a guy just, he just disabled IPV4 on his home network. He was mainlining IPV6, and he just started browsing the internet to see what worked and what didn't. Almost nothing worked. Yeah, almost nothing worked. We only turned v6 on for risky.biz like a few months ago. Yeah, so, so it had the internet at table stakes. The internet has to work, man. The Chinese have been on IPV6 for a long time, right? Well, that's because we were monopolizing the V4 address space. Yeah, that's because for every one billion IP addresses, you know, that's because of like what? That was out of necessity.
Starting point is 00:33:03 We're like, no, you can't have them. We're using them. Yeah, the exhaustion is real. Let them eat V6, I think is what we said to the Chinese. She didn't say that, I believe. That is what she said, right? Yeah. Oh, man.
Starting point is 00:33:15 Oh, look, so before we wrap it up, like any cool new stuff with gray noise, cool new features? or is it just more research, refinement, that sort of vibe at the moment? My mind is paralyzed with fear at the staggering rate that we're either getting better at finding exploitation of edge devices or that it's just going up and getting worse and getting faster. And I don't know which one it is, but that's what's dominating my mind right now. We are putting a lot. So there's two things. One, we're putting a lot of effort and energy into making gray noise a multiplayer game so that we can functionally share data across our customers across many perimeters to be able to sort of, you know, kind of deputize anybody who wants to either from a research perspective or companies that actually want to figure out, hey, what's hitting me versus my 10 competitors who are also part of the program.
Starting point is 00:34:09 So that's one. And then two, and please get in touch with me if you're interested in this. Our raw data, which then becomes labeled data, is a goldmine for AI models that are making decisions for routing packets at line rate. I have about 10 yards away from me as we speak an NVIDIA BlueField-3, one of the most, one of the coochiest contraptions ever made. It is basically a GPU on a network card. And it can grind packets at 400 gigs per second. So I've got right now, I mean, I've got basically a little box that says if you look like you're bad, you're going nowhere.
Starting point is 00:34:50 If you look like you might be bad, you're going to go slow. And if you look like you're good, you're going to come on through. So that's my fun little project that I'm working on with a couple folks from my team. But I am not a data scientist. So we want to get as many security researchers out there in AI labs that have use cases like this that need good labeled training data day and day out. I've got billions of labeled malicious, suspicious, benign, encrypted, unencrypted network traffic. And if you want me, if you are working on something around this, please get in touch with me. And I'll give you a live feed of it all the time as long as you, you know, show me what you're working on.
Starting point is 00:35:29 So those are some of the things we're working on that I'm very excited about. It's funny what the LLMs can turn up, right? So like, you know Damien Lucie, right? I do. I know him well. Yeah, yeah. So the stuff he's doing with Nebulock around, um, vibe hunting.
Starting point is 00:35:43 Vibe hunting, baby. That's right. So vibe-based threat hunting where the LLMs are really good at grabbing those low and informational findings that might be in a log source and actually stringing it together into something. You know, I mean, it's always possible that your LLM is going to wind up like the Pepe meme. Yeah. Making some, you know, connections that aren't there.
Starting point is 00:36:04 But like that's easy to sort of tune out of it as well. But yeah, so I do find it interesting that we're in a state with LLMs. you can throw, you could throw, like, as you say, like unlabel packets and whatever. Yeah. And all our stuff, I mean, we, I'm not even really looking at LLMs for this.
Starting point is 00:36:22 I'm using small language models in certain cases, not really reinforcement learning, but functionally just looking at things like byte headers and stuff like that, gradient boosted decision trees, things like BERT that are basically all they're doing is saying like, how grey noisy do you look? You look pretty grey noisy. You're going real slow from now on.
Starting point is 00:36:40 You don't look grey noisy at all. Come on in. And at least for edge devices, if you put one of these things in front of like a massive network, it can actually make a pretty big dent. So it's pretty cool. Yeah, I shouldn't say LLMs because that's the. I know. I'm not trying to like.
Starting point is 00:36:53 No, no, you're right though. I'm not trying to actually you like, you know, we're not on Hacker News. This is real life. But we're seeing the most success from non-LLM. No, I get it. LLMs are the ones that tell me to check the fuel pump in my electric vehicle. LLMs are the ones that tell me I'm exactly right. I can totally invent a quantum time machine with, you know, like whatever.
Starting point is 00:37:15 You've invented time travel. Congratulations. Yeah, yeah, yeah. And then I'm like, this is sick and I have like a psychotic breakdown. You wake up in a hospital going, where's my time machine? They stole it. They stole it from me. Yeah, that's right.
Starting point is 00:37:27 Man, this weighted blanket is great. Yeah. All right, man. Great to chat to you as always. It's always heaps of fun. Chatting with you, Mr. Andrew Morris. And, you know, I'll look forward to chatting to you next year, dude. Take care.
Starting point is 00:37:40 I can do this all day every day, man. It's good to see you. Thanks again for having me on, man. Cheers.