Risky Business - Risky Business #770 -- A Russian IR guy discovers extremely cool spookware
Episode Date: November 13, 2024

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including:

- Apple frustrates law enforcement with iOS auto-reboot
- CISA says most KEV vulnerabilities in 2023 were first used as zero days
- Russians roll incident response on some sweet Linux spookware
- Regular users can create mailboxes in M365?
- Tor tracks down the source of its joe-job abuse complaints
- And much, much more.

This week's feature guest is former FBI agent Chris Tarbell, who arrested Silk Road operator Ross Ulbricht way back in 2013. As suggestions swirl that an incoming Trump administration might release Ulbricht, Chris talks about the reality of the Dread Pirate Roberts.

This episode is sponsored by software supply chain security firm Socket.dev. Founder Feross Aboukhadijeh thinks that we need a CVE-like catalogue for supply-chain attacks, and he makes a solid argument.

The show is also available on Youtube.

Show notes

- Jason Koebler: "New: We’ve confirmed Apple quietly introduced a feature in the new iOS that is preventing cops from hacking iPhones that they have confiscated as evidence. Apple really did say ACAB www.404media.co/apple-quietl..." — Bluesky
- Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops
- Exclusive | U.S. Agency Warns Employees About Phone Use Amid Ongoing China Hack - WSJ
- Surge in exploits of zero-day vulnerabilities is ‘new normal’ warns Five Eyes alliance
- The Elusive GoblinRAT: How a Linux Backdoor Infiltrated Government Infrastructures
- Microsoft Bookings – Facilitating Impersonation | Cyberis Limited
- TrustedSec | EKUwu: Not just another AD CS ESC
- Russia’s internet watchdog blocks thousands of websites that use Cloudflare's privacy service
- Defending the Tor network: Mitigating IP spoofing against Tor | The Tor Project
- Law enforcement operation takes down 22,000 malicious IP addresses worldwide - Ars Technica
- Press Conference - Parliament House, Canberra | Prime Minister of Australia
- DHS nominee Kristi Noem stood alone for rejecting department cyber grants to state, local governments | CyberScoop
- Patrick Gray: "Allies will feel comfortable until these guys get fired in their first 100 days for opposing Trump’s proposed annexation of Iceland or something. People have forgotten… Trump is out of his gourd" — Bluesky
Transcript
Hey everyone and welcome to another edition of Risky Business. My name's Patrick Gray.
We've got a great show for you this week. I'll be chatting with Adam Boileau about all of the
week's security news. We're also going to take a look at some of the things that President-elect
Donald Trump has promised to do. And we're also going to hear from Chris Tarbell, who is a former FBI agent and the man
who actually put handcuffs on Ross Ulbricht in that library over a decade ago. And he's joining
us to fill us in on some of the details about the Ross Ulbricht Silk Road case that people seem to
have forgotten. This week's sponsor interview is with Feross Aboukhadijeh of
Socket. You can find them at socket.dev and what socket does is to basically
ensure that you're not including dangerous packages in your software
projects, right? So it's like a supply chain security product. I'm about to
publish a demo of that one to our YouTube channel in a couple of days.
You'll be able to check that out, and this week Feross is talking to us.
He's joining us to make the case that we should look at Trojan packages. We should look at tracking them in the same way that we track CVEs.
So someone like NIST needs to actually track these things, have timelines, have an index, much the same way we track CVEs.
It's actually a pretty compelling case.
That interview is coming up later.
But Adam, we're going to start off this week by talking about the news
that iOS 18.1 has a new feature.
And that new feature is that if you don't unlock your phone
in a 72-hour period, it reboots.
And what that means is it winds up in a state which is called BFU, or before first unlock,
which makes it much more difficult to crack.
So this is something that law enforcement has discovered recently, and they are not
happy about it, at least according to reporting from Joe Cox over at 404 Media.
Yeah, when the police seize people's iPhones,
if they don't immediately have access to unlock them,
they will typically plug them in,
stick them in the Faraday bag and put them on a shelf.
That's A, so the process can kind of work through.
They might get access to the passphrases
through some other means from the people
who originally owned the phones.
But they've been discovering that, yes, those devices have been rebooting themselves, which makes it a whole bunch more complicated. And, you know, Apple's relationship with law enforcement
has been pretty complicated, you know, over the last few years. You know, they've been
unwilling to provide unlock assistance for phones.
And law enforcement has kind of settled into a, you know,
a middle ground where they can use exploit techniques,
hacker techniques to bypass them,
or they can kind of wait for, you know,
over time as unlocks become available with, you know,
older versions of the software, you know,
to be able to unlock them later on.
And that, Apple has, I mean, that relationship has been complicated, I think.
And you and I have talked several times about kind of like where that game ends for Apple and law enforcement, because it's, you know, it's a difficult situation for both sides.
It is.
I mean, I think that the interesting thing here
is that there was a bit of a status quo
when it came to unlocking seized devices,
which, as you say, stick them in a locker somewhere,
wait for an unlock against that version of the software
to become available down the line,
and then use that unlock capability against those phones.
That was the status quo.
This changes that.
And I can see Apple's point of view,
which is that they are a
privacy-first company. They also have customers who might be located in places that aren't really
down with due process, right? So protecting users against authoritarian states and whatnot
seems like a pretty good idea, although I think this disproportionately impacts places that do have due process, because in the places that don't have due
process, when they discover that they can't unlock these devices, they're just more likely to pull
someone out of a cell and beat the crap out of them until they get the passphrases, whereas,
you know, the FBI, at least at the moment, can't do that. So I do feel that perhaps this is going to disproportionately
impact, you know, the law enforcement in democratic countries. And I don't think that's great.
Yeah. And, you know, this sort of resolving this tension between, you know, privacy and security
and law enforcement oversight and, you know, the ability of the government to try and make communities safe, right?
This is a tension we've seen played out in so many parts of the tech industry
as, you know, we've got to the point where it is legitimately difficult
to intercept communications, to unlock devices,
and, you know, the traditional tools of wiretaps and pen registers
and whatever else, you know, have been gradually chipped away.
And, you know, we haven't really figured out how to resolve that tension.
I mean, you know, the traditional sort of cypherpunk approach of,
you know, if there's an intercept mechanism or an observation mechanism
that can be abused by third parties is a risk that
means we should have end-to-end crypto or whatever else. Like, you know, we've seen intrusions into,
um, lawful intercept systems and telcos, you know, that we're talking about in the news at the moment.
So, you know, that tension is playing up in a bunch of places, and this is just kind of one. And Apple's manoeuvring
to kind of position themselves as a privacy-first company, as a, you know, is it because their
competitors in the marketplace are, you know, more advertising-centric, don't make quite so much money
out of devices, right? You know, it's in their interests to be seen that way and also to kind of
follow through, right? Not just talk, talk. They
have to, you know, deliver code and devices that live up to that. So it's a, you know, a tough
set of trade-offs for them and for law enforcement. Yeah. Well, I think this is really going
to annoy law enforcement, particularly in the United States, given that's where Apple's from,
right? So I think that's going to, that's going to really drive them a bit nuts. But you're right, we are talking about
intrusions into surveillance systems. And we've got an interesting story here from the Wall Street
Journal, where a US agency, it's the Consumer Financial Protection Bureau, has warned its staff
not to use cell phones, don't use cell phones, like plain old cell phone calls and text messages
to conduct agency business. You've got to
do that stuff on Microsoft Teams. And I think this is a really interesting development. Now, obviously
they say this is because telcos are a little bit insecure upstream. You know, I
don't think they explicitly say it's because of this campaign, but that's, you know, kind of implied
in the advice they're giving to staff here. What I find interesting about this, though, is that Teams, as best I know, is not end-to-end encrypted.
That material can be obtained, you know,
an intruder into Microsoft would be able to get that material.
So I think what's interesting here is they're saying,
don't use, don't trust the telcos,
but you can trust Microsoft, right?
Which kind of shows us that telcos do have a problem when it comes to
being able to secure their networks. You know, it really does. They really do. Yeah. Yeah. I mean,
you know, I've long said that, you know, telcos are the natural enemy of my people, my people
being hackers. Like, it's where we all learned our trade, is breaking into the telco, stealing phone
company manuals and linemen's handsets. Like, that's just what hackers did in the old days. And so,
you know, they're huge,
complicated environments and they're very, very difficult to secure. But, you know, in some respects,
like, you look at Teams, if anything Teams is more friendly to be able to, um, you know, steal content.
I mean, like, it will automatically transcribe, you know, to text, meetings and calls that you have, and
then store them, and store video recordings
of meetings and all those sorts of things. Like, there is a lot in Teams to help yourself to,
which is, you know, better, like less well protected than, you know, lawful intercept in a telco in many
cases, despite the fact that the telcos are also trash. So, I mean, it's definitely a
bold move to say use Teams instead of the phone, but you're right, telcos have a long and rather poor security history.
And, you know, Microsoft also not doing super great, but hopefully better.
Hopefully better than the average telco.
There's also the rumour going around that the Salt Typhoon intrusion, and hopefully we find out from the CSRB investigation,
but there's also a rumour floating around that most of that activity took place on networking equipment, right?
Which is why maybe they didn't see it via their EDR.
I can't wait to get that CSRB report into Salt Typhoon.
It's going to be a good one. I'm super looking forward to that because I do love telco gubbins.
So yeah, I'm very much here for that. Good luck CSRB board.
We are ready with bated breath for your report.
Now let's talk about some data that's come out of CISA,
which has resulted in a Five Eyes Alliance
kind of warning about it.
There's been an interesting move in stats
around the types of vulnerabilities
that are popping up being used in the wild.
In previous years, up to last year, um, it was quite often, like, n-day bugs that were being
most commonly used to attack targets and pop shells and whatever. That changed last year. Two
thirds, or 10 out of the 15 most frequently exploited vulnerabilities, uh, last year were 0-day. So this is new, and it was all enterprise software tech.
And it also represented a huge swing towards edge devices. And this is stuff that we've talked about,
you know, so much over the last couple of years, which is these like VPNs and, you know, file
transfer appliances, things like that at the edge of your network. It's good to see some hard data
here that is pretty difficult to refute,
you know what I mean? Like, you look at this and you're just like, okay, well, this is definitely
a thing now. Uh, what's your take on all of this? Yeah, yeah, I agree. It's nice to have data that
lines up with our experience, you know, what we've been reporting on, you know, over the last little
while, um, you know, is that that pivot was happening, and it's nice to have data that supports that.
And, you know, the, you know, it is long past time for the vendors of edge equipment to
take that stuff kind of seriously.
And it's an interesting, like the landscape for network edge devices compared to, you
know, like how many years ago,
10 years ago now when we pivoted
from server-side exploitation to client-side,
you know, ActiveX control bugs and Acrobat,
PDF reader bugs and Flash bugs,
you know, that set of software
that always had those problems, Acrobat and Flash,
seemed kind of more fixable in a way
that fixing
Fortinet and Cisco and Citrix do now.
Although I guess it didn't feel that way at the time.
So maybe I'm, you know, maybe I'm.
Well, I mean, that's why Adobe couldn't wait to kill Flash.
You know, they didn't really like.
They really didn't want to kill it.
Security leadership at Adobe did not sign up for having the most, you know, widely used, complicated client software on the planet.
You know, that's not really what they wanted out of the Macromedia acquisition.
But that's just sort of how it turned out.
But you're right.
I mean, that's the case of one vendor having to fix something versus, in this case, a whole bunch of others with, you know, all of their own approaches to development and whatever.
But I will say, too, that you were having a good old chuckle
about Fortinet, you know, committing to the Secure Code initiative
in our Slack the other day.
And I'm like, what, you're laughing at them for trying?
That seems a little bit uncharitable.
I mean, you know, if it was a good faith effort.
But I just kind of feel like Fortinet is,
you know,
and this is modulo
us both knowing plenty of good people that work at Fortinet.
Like the time for a good faith effort was,
you know,
not now,
it was several years ago when they saw this coming.
And,
you know,
I'm,
I'm a little salty about,
you know,
how much marketing dollar they spend versus how much they should probably spend on product QA.
Well, I mean, they should have seen this coming,
I think is the point, right?
Yes.
Like they should have seen this coming many, many years ago.
Yeah, I agree.
And when you see the insides of some of those products, right,
they had plenty of opportunity to do some of this stuff, right?
Because some of these bugs are, you know, really brain dead, you know, stuff that even a, you know, even a basic code review, basic pen test of the product before you shipped it would have picked up, you know?
So, yeah.
I've been burnt by many Fortinet products, so I have feelings.
You do.
Now let's talk about some incident response research out of Russia. And we are looking at GoblinRAT,
which is what looks to be a pretty sweet bit of Linux malware
that is popping up in all sorts of interesting places in Russia.
Your money is on this being Western SIGINT.
Walk us through the research here, the teardown of this backdoor,
and also build the case for us
as to why you think this is probably some friends of ours.
So yeah, this is some malware that was discovered
inside some Linux boxes in critical infrastructure services.
We don't know exactly where.
A Russian company has written it up
and actually done some conference presentations about it as well. We're going off machine translation,
so there's always some room for error there. But this is a piece of Linux malware that provides
the usual sorts of things, like remote access, files copying up and down, shells, network
pivoting, that kind of thing. But it has a number of kind of relatively stealthy,
relatively sophisticated features. So, uh, one is, you know, obviously kind of process hiding stuff.
Two is command and control, uh, is done with, like, port knocking, configurable port knocking. It's
written in Go, so it's nice and portable. Uh, and it has, um, uh, you know, a whole bunch of stealth mechanisms
that just feel like things that SIGINTers would do.
So for example, it'll drop binaries into /dev/shm,
which is like a RAM disk,
so you don't leave traces on disk.
It will overwrite when it gets told to delete itself off disk.
It will overwrite with data from a random device
to defeat disk forensics
and a whole bunch of long-term persistent stealthiness.
It runs, and the bits that do the initial persistence
hide themselves as various,
like a type of a system process,
like one letter different from a system process.
And that's different on every box. And then
the C2 endpoints are also different on every box, uh, using domains that are only used for that
purpose. There's strong crypto everywhere, like cert auth on all the bits. Uh, and, you know, it just feels
well engineered. And then, uh, the people who did forensics on this actually pulled memory images
from a bunch of systems to try and, you know,
identify infections of this stuff and found a few fragments
in like unallocated memory that kind of showed some
of the usage patterns and it feels human driven, right?
There is someone hands on keyboard making choices,
choosing what to do on a particular box that, you know,
there's a degree of skill involved in that. And that's a thing that, you know, to do at scale you have to be a significant agency. You have to
be someone that's got the people who are sufficiently skilled to do this, not just off a playbook. Yeah,
so this is less Volt Typhoon and more maybe Eagle Tornado if we had to guess, or perhaps Tea Fog.
I'm just trying to come up with these names on the spot so you can catch my drift,
but it does kind of feel like that, doesn't it?
I think Pink Apple may well be what it's called,
because one of the domain names used that particular name in a few bits
when they went back and looked at some passive DNS history and so on.
Anyway, it feels like the Russian in question
who stumbled across this thing
when they were investigating something for a client,
I feel has probably stumbled across some.
I fear I was too subtle,
because what is more American than an eagle tornado?
And what is more British than tea and fog?
You know, that's just...
Anyway, we've linked through...
They won't be friends of ours, so good work if it was, because, like, yeah,
it looks like pretty reasonable code. Yeah, we've linked through to the original write-up, which is in
Russian, but Translate actually worked pretty well on it, so, uh, people can check that out if they are
interested in it. Now we're going to talk about, you know, two bits of really interesting
research here. Talk to us about this Microsoft Bookings one
where like email aliases get created.
Like this whole thing is a bit of a head scratcher.
So yeah, we'll start with this Cyberis research
into a Microsoft bug, a cloud services bug.
Talk us through it.
So in Microsoft Azure land,
you can like arrange bookings for meetings and things,
and you can invite other people to meetings and so on and so forth.
One of the features is when you create a booking for a meeting,
it will create a mailbox to receive messages.
So you can kind of create repositories to collect attendance information or whatever else.
And so these email accounts will get created
kind of programmatically based on the name of the meeting.
And they get allocated a non-billed,
like secret Microsoft 365 mailbox
that still functions as a real mailbox,
but doesn't charge your license.
That's nice if you want to get some free mailboxes.
But you can use this as a low privileged attacker
to create mailboxes on a domain.
And there's a number of places where that might be useful.
You could create mailboxes that impersonate other people.
So there's some limits as to what characters you
can have, but you could make mailboxes that look like legitimate people. You could make mailboxes
to bypass things that do domain control validation via emails, like buying certificates,
for example. Or you can reactivate old employee accounts if the accounts that it makes are in
kind of the style of the normal, you know, email
format for that organization. So it's a really interesting tool to go from low priv to "I can
create new email accounts, and then I can use that for social engineering or technical attacks or whatever
else." Um, and this is probably a surprise to many organizations, um, because, hey, the cloud future, we
have no idea what crazy stuff Microsoft is doing, and this seems a little on the crazy side. So, yeah, very useful. Yeah, but it's also one of
those weird edge case kind of bugs that you wouldn't necessarily think to look for in a
standard audit. That's why I find it interesting, right? Because some of these, like, business logic
bugs are always the best, because they are subtle and they are hard to find. And, you know, they give some examples of the types of email mailboxes
you could sort of register here.
And it's like administrator at domain, hostmaster, postmaster,
webmaster, admin, root, you know, those are going to come in handy, right?
So I just thought that was a, you know, really interesting bit of research.
We've also got some research out of TrustedSec from, uh, Justin Bollinger here, which
is amazing, actually, um, involving dodgy, like, certificate signing requests. Talk to us about
this one. Yeah, so this is some research that built on, like, the classic AD Certificate Services attacks
that came out of, um, like, SpecterOps, the SpecterOps crew, a few years back. And this is a variant of one of those
where essentially you can land on a box as a user
and then get a certificate issued
where you control some of the contents
and using like the normal kind of templates
for certificate requests that Windows has.
And this was like a trick, I guess,
where you could change, like, the purpose
of the certificate that was being issued. In this case you could change the subject of the certificate that
was being issued in ways that are surprising. And the guts of this is that it turns out there's kind
of two ways to specify the specifics of the certificate that you're getting issued:
there's a Microsoft way
and there's a standard way, and it turns out that if you specify both it prefers the Microsoft way,
and then will issue a certificate where you can, like, you know, get a certificate, a user certificate
for administrator, and then onwards to domain admin, and onwards to great victory.
And, yeah, this, you know, is the sort of nuance that lurks in AD CS that traps all sorts of people.
And the researchers at TrustedSec who found this ended up looking at a number of their customers and found that this was applicable there.
Microsoft were a little confused about the bug report, about whether it was kind of like intended behavior or not, but it clearly is not good.
And given there's already, what, 15 ways or something like that
to get privileged access, to escalate your access
through AD Certificate Services, like yet another one is not good
because these are real workhorse bugs for people
escalating access in Windows environments.
Yep, they are, right?
And it's a fun write-up,
and we've linked through to that one in the show notes.
Moving on, and Daryna Antoniuk over at The Record
has a report on Russia doing something that China already did,
I think a year or two ago,
which is to block Cloudflare encrypted client hello.
So essentially ECH, what did it used to be called?
It used to be called-
ESNI was the-
ESNI, encrypted server name indication, right, yeah.
So it used to be ESNI and now in TLS 1.3, it is ECH.
And what that essentially is,
is like domain fronting by design.
I mean, it gives you what domain fronting would give you
in that you could just connect to a CDN
and then in your Client Hello, specify where you want to go, and then you connect there, right? But
that's all encrypted and it's not observable. So this ECH can really be used to bypass censorship,
which is one thing that's very useful about it and why China and Russia are blocking it. Now,
the reason I've been banging on about ESNI and ECH for years is that it's also
a really, really cool way to do C2 in a way that is very, very difficult to detect because you're
just going to see packets going out to Cloudflare. So that's something that I think people need to
think about when they're architecting like network detection. This is also a solid argument for
doing more instrumentation of browsers so that
you can actually know where the browsers are going. And then like, if that data doesn't match
with other data that is going off to Cloudflare CDN with a, you know, domain name that you have
no idea about because it's encrypted in the Client Hello. Yeah, it's interesting. So Russia
and China have blocked it for censorship reasons, but this stuff is going
to be a problem eventually. I think the one mitigation here is that when you are pushing
your C2 through a CDN, you are vulnerable at that point to the CDN squashing your campaign.
But if you, you know, if you're writing decent enough malware, you can build a bit of redundancy
in there. Frankly, I'm surprised we don't see this sort of C2 being widespread. But everyone I ask
about that just says, well, people don't need to do that yet, because it's not like they can't get
functioning C2 just with basic techniques. But I guess the long story short is I think
encrypted client hello is the future of malware C2. And I'm not surprised to see Russia join
China and ban this when they're starting to get more
restrictive about what people can see on the internet. Yeah, absolutely, and I think Cloudflare
has done quite a bit of the engineering work and also deployed this by default in their environment,
which I think has probably pushed Russia's hand a little bit. You know, I think China was kind of
slightly ahead of the game, but Russia is now seeing it being a practical problem for them, which I think was the
point, right? That's why Cloudflare did it. But, yeah, I agree with you that, you know, like, domain
fronting was so useful back in, you know, before we had to worry so much about how we were going to
get detected, and this does the same things that domain fronting kind of delivered for us
in a way that's even harder to observe without being in the browser,
without being in the network stack.
Well, yeah, and without having some sort of logic
to like compare different data source.
Like it's a pain in the you-know-what to try to get around,
like to try to detect this.
Yeah, yeah, exactly.
And, like, the main challenge with
ESNI was it relied heavily on DNS to get the keys to send the encrypted SNI, and if you just
blocked the DNS, that particular part of the DNS request, it would kind of fall back so you could
see it. Whereas ECH is kind of designed so that even with an attacker observing the DNS and able to control
it, you've got kind of more options, uh, for getting the right key material out to the client. Like, it can
send key material, new key material, like midway through the TLS handshake, so that the client can
then send the encrypted, uh, Client Hello encrypted correctly without having to trust the DNS. Which,
combined with DNS over HTTPS, which again Cloudflare did a lot of the work on, like, all
these pieces kind of joined together to make it pretty technically difficult to do anything other
than just straight up block this. Yeah, yeah. So just one to keep an eye on, I reckon, is just how that all progresses, right?
Because I think eventually, yeah,
enterprises, maybe other networks
are just going to say,
you know, we're seeing so much abuse
with some of this, you know,
via ECH through some of these CDNs.
We might need to block them.
I doubt they're going to block Cloudflare.
That's Cloudflare's thing though.
They're so big that you can't block them
and it's just going to cause headaches.
But Cloudflare is certainly used to doing that.
It looks like Tor has published a write-up on how they've managed to mitigate the IP spoofing attack that was, uh, targeting their relays. So I think we spoke about this on the show, I can't
remember if we actually spoke about this on the show or if it was just in Risky Business News, our other podcast. But the idea here was people were spoofing SSH scanning activity
from Tor relay IPs, right?
So they'd find the IPs for Tor relays,
they would spoof SSH connections,
which would result in abuse complaints being directed to the ISPs
where those relays were located.
So this is like what we used to call a Joe job
when it came to, you know, email, like spamming from an address that you didn't like to get that address
sort of black holed. Similar sort of thing here, but with SSH scanning. And it looks like though
that Tor has been able to sort this out. How did they go about sorting out something like this?
Because I would have thought that would be pretty difficult. I think there's kind of two aspects to it. There's one, like whoever was spoofing the traffic,
I guess they figured out where it was coming from and managed to shut that down. And the
specific of how they did that is a little vague. They did say that it was done in cooperation with
old mate Andrew from GreyNoise. So that might give you some idea of kind of what was involved.
The other half was there was an organization that
was sending abuse complaints kind of, you know, in an automated, willy-nilly kind of fashion
that was amplifying the effectiveness of the spoofed packets. So I think they managed to get
a bunch of people to ignore that particular organization that was just generating, I mean,
the organization said
like billions of abuse complaints or something. So, like, I don't know what the hell they were doing.
But so I think that was the two-pronged approach that they took, but they have been a little bit
cagey about the specifics from, you know, what they did with the spoofing origin. Yeah. Now, speaking of
bad stuff being, uh, kicked off the internet, uh, talk to us about this operation that Dan Goodin has reported on that has resulted in something like 22,000 malicious IPs being taken down. How does one take down an IP, Adam? It's an operation I think led by Interpol called Synergia II, and it took down a whole bunch of malicious servers associated with address space
and some other bits and pieces.
But most of the targets of this operation appear to actually be in China.
The reporting says that there are like 1,000 servers taken down in Hong Kong,
another couple of hundred, 300 in Macau,
and then a few other bits and pieces in Mongolia and Madagascar and Estonia. So a worldwide,
you know, police operation, law enforcement operation, but, you know, the bulk of it
inside China. And I haven't seen any specifics about exactly kind of like what sorts of cyber crime they were doing.
And the number of like 30,000 potentially malicious IP addresses have been bandied about in the press release.
And I'm not quite clear, you know, what they were doing with them.
But either way, wrapping up a thousand boxes. I think in Madagascar they seized, like, what, like they said the arrest of, like, 11 people,
so, like, it's a pretty reasonable sized operation. 93 in Mongolia, 93 people. So, like, quite a big
police thing, but not a whole bunch of details about what the cyber crimes in question actually
were. Yeah, and, uh, interestingly enough, the three private organizations that participated in this were Group-IB,
which are based in Singapore these days but were originally Russian,
Kaspersky, and Team Cymru.
So an interesting little mix there.
Yeah, interesting get-together there.
Exactly.
It is time for us to have a little bit of a chat about last week's election.
Donald Trump has been returned to the
White House and he will be inaugurated next year. I do recall some months ago saying on the show,
when we were talking about the possibility of Trump coming back, you expressed some skepticism
and having traveled to the US a couple of times in the last year, I think I said, well,
you know, I wouldn't rule it out because voters were really waiting for Joe Biden with baseball bats. So I'm not terribly shocked that Trump has been returned to the White House, but this will
have implications for the intelligence community, for tech policy, for cybersecurity. The TikTok ban
that was going to kick in in a couple of months. I don't think that's happening anymore. Trump has, it was his idea, and then he changed his mind.
So it looks like TikTok will remain a going concern in the United States.
The forced divestiture, I don't think that's going to happen.
There's one other thing that Trump promised to do
in the lead up to the election, which is very controversial,
which is he's agreed, well, he has pledged to release Ross Ulbricht from
prison. So Ross Ulbricht was the, was the founder and administrator for the Silk Road, which was the
first really big illicit online marketplace. You could buy heroin there, you could buy body parts,
you could buy euthanasia drugs, and Ulbricht was also alleged to have organized something like six murders for
hire. And somehow over the last decade, people seem to have forgotten a lot of the particulars
of the case. I interviewed this morning, I interviewed the guy who actually put the handcuffs
on Ross Ulbricht, who is a now former FBI agent named Chris Tarbell. And we're going to play that interview in just a
moment. But before we do, Adam, what do you make of this political support that Ross Ulbricht has
received over the last few years? Because I agree that his sentence actually might, you could argue
that his sentence is excessive, but I don't see why there's so much political pressure to get him out after
spending only a decade in prison, given he was a drug kingpin who, you know, a convicted drug kingpin
who put out hits on people, you know. But what's your, what's your take on this? Yeah, I guess the,
the comparison with, say, Assange is the one that is the most obvious, right, where there has been a long undercurrent of support
for Assange that you can kind of understand why, right, you can see the lines for that. Whereas with,
with DPR, Dread Pirate Roberts slash Ross Ulbricht, it was never quite so clear. I mean, people would make,
have made the argument about, you know, Silk Road was in some respects a safer place to buy drugs than your local
streets.
But as in the interview that you're going to play in a second, you make the point that
it made it a lot easier to get drugs full stop, which overall increased the harm because
more people had access to harder drugs. And I think that there's sort of a, you know, the long war on drugs that America has, you know,
has fought, I think there's a degree of sort of, I was going to say like that's now just not the
right word, there's a degree of sympathy for the extent to which anti-drug policies have not helped,
and that maybe legalizing or reducing penalties or whatever else might actually be a
better option. And well, we've seen that. I mean, you walk, you walk through the streets of Washington, DC
now and it reeks of weed, you know, like we've seen decriminalization in a bunch of states, right?
I just, I'm not, look, I agree that a war on drug users is ridiculous.
On people who are selling small quantities of drugs to support their own habits,
those people don't belong in prison, right?
Like, I 100% agree with that.
And I think we've got to differentiate between people like that getting into trouble
and drug kingpins who order murders at the drop of a hat
to protect their multi-million dollar profits,
which is what Ross Ulbricht was.
You know, so this is the thing where I start to get a little bit,
you know.
Yeah, but I think those two things do get kind of smushed together
in people's heads, right?
Yeah.
Because it's very, it's easy for some people to look at someone
like Ulbricht and say, this guy is, you know, progressive
and, you know, is kind of on our side if you're into harm minimisation overall.
And as you say, he is not, right?
People will hear the list of the interview in a second,
but he really isn't.
And I think it is good to remind people some of the specifics of that case
because it does seem kind of hard to support letting him out,
even if two lifetimes seems like quite
a long sentence for someone. But yeah, it's, I think it's timely. I mean, I think, I think the guy has
reasonable prospects at rehabilitation, right? I don't think he should die in prison, but I also
think 11 years for, for what he did... And, you know, just on the drugs accessibility thing, I know
that if you take a heroin user and drop them onto the surface of Mars, they will be
able to find heroin. Okay. It's a hell of a motivator, right? It is. They will find it,
right? So I'm not arguing that there's this huge accessibility problem with drugs for drug users.
But I think in the case of Silk Road, there were documented instances of people who did not
otherwise have access to drugs as accessing, you know, very dangerous substances via Silk Road, simply
because they could, because they drop into a chat and people were talking about these drugs, I'll
just add to cart, right? And that's dangerous. That's, that's really dangerous. So I think,
you know, they definitely needed to send a message. But the idea that a pro law and order candidate,
you know, is or president is going to commute the sentence of someone
who committed these crimes just seems absolutely insane to me.
So, Adam, let's you and I wrap it up and then I'll play that interview.
But thank you, as always, for this week's news discussion.
Always great.
And I'll chat to you next week.
Yeah, thanks so much, Pat.
I will talk to you then.
So that was Adam Boileau there
with a wrap of the week's news.
And here, as promised,
is my interview with Chris Tarbell.
Now, Chris was the FBI agent
who led one of the investigations
into Silk Road.
He was actually the agent
who put the cuffs on Ross Ulbricht
in that library back in, I think, 2013.
And he joined me for this conversation
about the proposed release of Dread Pirate Roberts,
aka Ross Ulbricht. Now, it's important to note that Chris is not advocating that Ross Ulbricht
should stay in prison, but he does want to make sure people remember the facts of the case as he
remembers them. So here's Chris Tarbell. My big problem is that there are a lot of misstatements or misunderstandings exactly
of what's going on in this case. And you use the word allegations, and that's correct. There is
some allegations. Ross was found guilty of numerous crimes, including, you know, kingpin status,
and that's really what carried the heavy weight, two counts of it. And that's selling a large
number of drugs, profiting over a certain amount,
and having a certain number of employees under your employment was that one.
But there were also allegations.
And again, he was never found guilty or charged with these crimes.
There were six murders for hire, six people where he paid,
ordered and paid to have them killed because they had stolen money from him. There
were numerous deaths on the site that he took no responsibility for. And in fact, he sort of let
the operation continue on, even though he knew people were dying from the drugs taken from his
site. So I just want to make sure the facts are out there and the people making the right decisions
are in the facts. The people that are advocating for his release or his stay in prison know the
facts of what's really happening in this case. All right, so let's start off with the overdoses,
right? Because DOJ were able to pin down or attribute six fatal overdoses to the site,
and I'm guessing there were a lot more. Advocates for what Ross Ulbricht was doing with Silk Road said that this was a safer way for drug
users to acquire drugs. And therefore, you know, if you believe in harm minimization, that, you
know, Silk Road was a net positive. The counter argument to that, though, is that it made hard
drugs accessible to people who otherwise would not be able to obtain them. And indeed, in some of
these overdose cases where we saw
letters from the parents, it certainly looks like these people were getting access to drugs that
they otherwise probably wouldn't have. I'm wondering what your feeling is on that part
of this discussion. Yeah, it certainly wasn't just weed and mushrooms and what people would call lighter drugs. It was high-grade
Afghan heroin. You could get really quality stuff that wasn't stepped on. And when I say
quality stuff, I mean, from a drug user, it's very high potency. But kids died from it because
they didn't realize what was in it. The advocates will say it was safer because the kids didn't have
to go into the streets and deal with someone.
They could be shot or, you know, in a dangerous part of town.
I don't buy that argument.
That seemed to hold water with me.
You know, we were given access to drugs that were used for people ending their lives at the end of their life if they wanted to.
In some countries, that's legal.
But kids underage, there were no ID checks. There was nothing to what these drugs were being used for. So the site just
gave access to people, um, to drugs that they wouldn't be able to get access to normally. Um,
so I don't say it's safer. Um, they, they had much more access to much more powerful drugs.
Yeah, yeah. I mean, I think the argument there, though, is that, yeah, it would be a change to the criminal ecosystem,
which would make the process of buying drugs safer. But yeah, I think some of these people who are buying hard drugs
on Silk Road perhaps wouldn't be as motivated to go into, you know, a dangerous neighborhood where there are
cornadillas, right? To go and buy heroin otherwise.
I mean, that's my opinion on that.
Sure.
But, I mean, what about the postage handlers, the people handling the drugs?
What if the package breaks?
You know, we can play the what-if game all day.
They're putting those people at risk.
Those people didn't decide to handle hard narcotics or some sort of fentanyl that got on their skin and have an attack.
You know, you're putting those people at risk because you didn't want to, you know, go get your drug somewhere. You know, we could do the counter argument to each one of
these. I understand where you're coming from, but there are no documented cases as far as I'm aware
of that, of that having happened. Not that I'm, not that I'm at all defending Silk Road or Ross
Ulbricht. Now let's talk about the murders for hire, right? Because you said there were six
murders for hire. Now, what we do know about these murders for hire is that in all cases,
I believe, Ross Ulbricht was actually getting scammed by people who were claiming to be
assassins. So he paid the money. And in some cases, murders were staged so that there were
death photos sent back to him. And he's like, ah, good. You know, this person is dead. I paid for
it. You know, here is your money. But no one actually died, did they, in these murder for
hire plots? The, the six
we discovered, and again, the evidence of these crimes, these murder for hires, came directly
either from the logs that Ross Ulbricht kept on his computer systems, um, or his diary that he kept on
his computer system. Um, this, this, that was the evidence of these. So once we investigated them,
yes, we figured out that it most likely was a scam, um, based on
time frames and locations. We never found, you know, reported bodies or the found bodies. You know, these
were all in foreign countries, um, except for the, the two in the United States, uh, that was done
through law enforcement, through the Baltimore, um, task force. Um, yeah, yes, you are correct, no bodies
were found. But again, he ordered them, he paid them, and then he bragged about them afterwards. Yeah. Now, a couple of these, was it one or two,
were actually stage managed by law enforcement. So the apparent assassin was actually law
enforcement saying, yeah, I'll take the job and then staging the photos and whatnot.
Was that one or two of them or was that all of them?
That was just one. That was a former admin on the site,
someone who helped run the site before Ross
had stolen cryptocurrency from him.
And so in a ploy to try to get that money back,
law enforcement staged the murder.
So that was just one out of the six, right?
Because I think there's a perception out there
that all of these murders for hire,
there was like law enforcement
were somehow involved in these,
and that's not the case.
No, the other five were not.
They were just being tricked by someone
kind of egging him on to do this.
And to get into his bona fides,
try to get, you know, lift him up
and say that, you know,
hey, we should do this and get this done.
Again, it turned out to be a scam. But at one point, you know, the murder for, the murderer, the murder for hire, um, told Ross,
you know, hey, I can't get to this guy, he's got three other roommates, you know, I, we were not able
to, to get to him without, you know, doing other things. And Ross was just, said, kill them all.
So he was willing to kill everyone in the house. And again, this comes from the logs that he collected on his own conversations that we
were able to get a copy of.
Now, why were these crimes?
They were mentioned in charging documents, I believe, initially, not the final criminal
complaint, but they were mentioned at some point along by DOJ.
Why were these crimes never charged?
Because that is one of the things that
Ross Ulbricht supporters say, which is, oh, they talk about these murder for hire, but if it was
real, they would have charged it. You know, is it the case that, you know, DOJ just had such a
solid case on the drug stuff that they didn't want to complicate proceedings? Like, can you explain
to the listeners why it is that Ross Ulbricht was never charged with murder for hire?
Sure. So the decision was made in a much higher level than me.
Very high in the DOJ was that.
But, you know, he was sentenced to, again, two life sentences plus 40 years in the federal system of the United States.
Life means life.
The only way you can get out is if the Supreme Court rules, and all those options have gone, uh, against Ross, or if a president
lets you out, commutes your sentence. Um, I, again, it would have been just piling on top,
uh, to keep going that and the law enforcement murder for hire, um, with the agents that were
involved, whereas out of Baltimore, um, that case sort of fell apart because those agents were later
arrested for committing crimes, um, in this case. And so, again, that muddies the water.
Why have a case against someone who's already serving two life sentences plus 40 years
in a case where there were bad agents involved?
Yeah, so for those who are unfamiliar,
those agents were actually caught stealing Bitcoin as part of this operation, right?
They stole the Bitcoin that Ross wanted back
for the first murder. For the admin that was killed, supposedly killed,
they ended up taking the cryptocurrency. So, I mean, that would have been the obvious one to
charge, right? Because you had law enforcement observing blow by blow this murder plot. But
as you say, this was complicated by the fact that those agents committed crimes during
the course of this investigation.
Correct.
And again, I'm not totally intimate with all the details, but I'm remembering that their
crimes were committed after Ross had ordered the murder.
So, but it's still, again, all the facts would have come out in trial that, you know, and
it just would have made the case much more difficult.
Yeah, yeah, that makes sense.
And what about the other murders for hire?
Is it the case that just trying to prosecute those crimes based on chat logs would have been a heavy lift?
Because I'm guessing that would have been a big part of it for prosecutors.
So, yeah, again, I'm not a lawyer, so I wouldn't want to argue that.
So I presented my facts to the Southern District and they decided what we were charging.
And I guess, you know, it would have been, it would have... the case we had was solid.
And you see the results from the three hour jury verdict to the judge's sentencing.
It would have further complicated the case to add more charges to it that obviously were attempts for murder for hire.
So why is it that you think, given that we know this is a person who allegedly committed,
there is evidence that they committed murders for hire or at least solicited murders,
cold-blooded murders in one case involving an entire household full of people,
who had sold hard drugs to people who overdosed on them,
was selling, I think, human body parts at one point, was selling euthanasia drugs. And you
mentioned that euthanasia is legal in some countries. It's very heavily regulated where
it is legal, right? You can't just go to a pharmacy and buy a suicide pill. So why is it
that you think Ross Ulbricht has found political support among people like libertarians?
I mean, he has a very strong following. I know his mother, Lynn, is a big advocate for him and
has kept the free Ross alive. But I think some of the policymakers and decision makers may not know
the full facts of the case. So I appreciate you getting the word out there of some of the facts of the case that has just sort of been perverted over time or sort of lost over the last 10 years.
Because there does seem to be this perception out there that, oh, he just ran a website,
you know, and how can he be held responsible for what happened on this website? But I guess
you're arguing it was a little bit more than that and that he had knowingly constructed an
illicit marketplace and was profiting from it to the tune of millions of dollars.
Well, I don't have to argue that.
He was found guilty of that.
So those facts have already been decided by a jury.
Now, look, you seem reticent to express an opinion
one way or another about whether or not he should be released.
I got to be honest, and I've spoken with journalists too
who covered
this, like people who are in the court all the time, people who know the family, and they say the whole
thing's really weird because, you know, IRL, like in real life, Ross Ulbricht seems like a perfectly
reasonable, nice person who was just a monster when given anonymity and, and a keyboard and this, and
this sort of, um, virtual empire. So I don't know what an appropriate, uh,
sentence for him is. It does strike me, though, that 11 years is a little bit light. You know, you can't
tell me you have absolutely no feelings about the way this will go. I mean, that's what you said when
we started this conversation. I don't believe you, Chris. I mean, what, what do you think about the idea
that he could be out in a couple of months? It must, I mean, isn't it crazy making for you?
Well, you are correct that I do have feelings.
I don't publicly make those feelings out there, but you are, you're also right.
Ross is a nice guy.
I mean, I was with him for, you know, a couple of days.
I arrested him one afternoon. We spent that afternoon together through the booking process and that sort of thing.
And he, you know, he asked for a lawyer, so I couldn't question him, but we could still
talk as human beings.
And I bought him breakfast the next morning as I took him out of jail and took him over to court.
So he did seem like a nice person.
But remember when I was trying to hunt for him and find him, I spent nine months learning who DPR was.
And DPR doesn't necessarily mean that's Ross.
People flex what I call their e-muscles online. We see it
every day. People have a voice on X/Twitter that they would never use in a public setting.
They would never say the same things to someone's face. I arrested a guy named Hector Monsegur,
who was Sabu in Anonymous. Hector and Sabu, two different people. The online persona is not the
person you meet. And so you are right. Ross is a good person
and a nice person. But DPR, Ross's persona online, did a lot of horrible things.
So do you think that that is, do you think that that actually mitigates their culpability a little
bit? I mean, that's the core question in all of this, right? And that's the thing that I find
really funny is like, do we cut people a little bit of slack for the crimes they commit when they think they're shielded by internet anonymity? And I mean, that doesn't seem right.
I don't believe so. I don't believe just because your crimes are online versus
inside a bank or inside a store, it's no less of a crime.
All right. Well, Chris Tarbell, thank you so much for joining us to talk about all of this
fascinating interview. Great to meet you and
we'll talk again, I hope. Thanks, Pat.
Yeah, it was great. Anytime.
That was
Chris Tarbell, a former
FBI agent there with a discussion
about Ross Ulbricht or the
Dread Pirate Roberts, as he is known.
It is time for this week's sponsor
interview now with Feross Aboukhadijeh from Socket. Socket is a software supply chain security
company which can basically flag bad packages that you might be bringing into your projects.
So if someone's hijacked a package and put a bunch of malware in there it'll let you know. If a
package is trying to do stuff like send, you know, environment information off to some random server in Russia, it'll let you
know that. If it's trying to download and run executables, it'll let you know that, right? So
just a good idea in this age where we're constructing software out of so many pre-built
packages. But Feross has made a good point, and he's here to make the case that we need to
start tracking bad packages the same way that we track CVEs and that there needs to be some sort
of central repository for this information. So here's Feross Aboukhadijeh to make that case.
We're detecting about 100 supply chain attacks per week in NPM, RubyGems, Maven, and some
of the other popular ecosystems.
And the big problem is that when we find these threats, our options are very limited.
We can obviously protect our customers.
We can give them that data.
We have a lot of ways to do that, and we have a lot of folks already using that. But
to protect the broader community, our options are contact the registry and let them know that this package is malicious. We get various levels of responsiveness from the different registries.
We see that a lot of these are volunteer run, right? Like PyPI is volunteer run, for instance.
And so they're under a lot of load, the folks maintaining these registries. And so there's usually a pretty long period where these packages
remain live before they're taken down, if at all. I mean, we're tracking some stuff that's been up
for years and is still not taken down and just got lost in the mess. And then the problem is,
like, once it is taken down, there's no way for a company to figure
out whether or not they ever installed that package in the past. You don't get a CVE issued.
NVD and that whole system, they very rarely issue a CVE for one of these types of findings. They
just consider it out of scope. Not to mention the other problems they have around just the
backlog and inability to do what their current purpose you know, purpose is today, right?
So it's not a good situation, right?
So then the only way for people to find out whether they might have installed one of these packages is to come to a vendor like us,
and we can help them look through their artifactory or whatever they might be using internally to mirror packages
and to see if they're, you know, in some cases still mirroring packages that have already been removed for being malicious in the public registry, but it's still being served to developers inside
the company, for instance. So yeah, it's a huge problem. But do you currently publish this
information to your website though, right? Like stuff that you find not just for customers,
but I guess what you're arguing is it shouldn't just be up to a private vendor to catalog this
stuff. I think so. Yeah. You know, it feels like something,
this data feels like it's analogous to what the National Vulnerability Database does, right? The
NVDs cataloging this, cataloging vulnerabilities, and we need something analogous for malicious
packages. If they don't want to do it, someone needs to do it. We put them on our website today
for folks to access. And, you know, we're
not today publishing them in like a consumable format, but folks go and search for a package,
you know, they can get all the information that we have. Yeah. So you're not like publishing
standardized data, like some sort of XML feed that people can ingest and then, you know,
throw around. I guess that makes sense because that's kind of valuable IP at that point, right?
That's right. Especially because of the time delay, right?
I mean, we find stuff within a second or two of it being published
since we're replicating the feed in real time,
and we have basically every package and every new version of every package.
And so that is kind of part of the value-add of what we can do for folks
is give them that coverage while they're waiting for the takedown to happen.
But we do take it down, right?
We do want to make sure that the community is protected
and they don't have...
We're sharing our information with the registries right away
when we find stuff.
It's just that they're the ones who are taking time
to actually get it removed.
Yeah, I mean, I think it's probably worth pointing out
at this point that NVD is having trouble.
Like you alluded to that earlier,
they're having trouble even doing their current workload.
There's been new contracts issued and whatever.
But I mean, at some point,
they just stopped enriching vulnerability data
earlier this year, right?
Like, do you know, have you been tracking that much?
I've been following it somewhat.
Yeah, I know that at one point
there was more than 50% of vulns on the KEV list,
you know, the known exploited vulnerability list
that were missing that enrichment data.
So all the valuable details and context
that that would provide.
And so that's just that backlog
and that whole, especially not having stuff,
even on the KEV isn't even that many vulnerabilities
in the grand scheme of things.
So I just think it really undermines
the reliability of CVEs
as the kind of primary means
of assessing software security.
And that's something that's always frankly bothered me, is that when folks throw a package into a vuln scanner and
say, oh yeah, there's no, you know, there's no CVE or, you know, it doesn't match. They think
it's safe to run that package, but like, you know, it's always been bigger. It's always been a bigger
problem than that. Right. Yeah. Now just speaking of the problem, you said earlier that you track
something like, you know, 100 malicious packages every week.
Are there any places where they're popping up more than others?
Are there particular types of malicious packages that are, you know, more likely to do the rounds at the moment?
Like, what's a rough breakdown of what that threat environment looks like?
Yeah, there's a bunch of campaigns that we've posted about recently.
There was recently a massive malware campaign that was using Ethereum smart contracts to evade detection.
They were using that as kind of the command and control.
And it was a huge kind of spam campaign.
It went and posted a bunch of packages and squatted a bunch of names.
There was a recent thing we found too that's quite interesting, something we're kind of calling an author typosquatting attack, where the attackers were able to impersonate a popular maintainer on NPM by faking important metadata in the package that ended up kind of showing up on the official package website. So it's, you know, there's, there's, it's always evolving. Um, there's
always, like, new stuff. A lot of it obviously is going to be, like, really, you know, just in terms
of volume, is going to be pretty, uh, silly and, and not, um, uh, not the most, uh, eye-popping things. You
get, like, a lot of just people just stealing all the environment variables as soon as the package
is installed, that type of thing. We catch all the time. What mystifies us is just how little effort
is put into like even attempting to obfuscate what they're doing, right? I mean,
it's like they know no one's looking, you know what I mean?
Well, I mean, you're the one who's looking, right? Which is why it's mystifying to you
because you could see it. But as you point out, most people don't look, right? So they're not
going to see it. You know, you just mentioned, well, most of it's pretty dumb. Most of it's like
not eye-popping. There's no obfuscation.
What's some of the more advanced stuff that you've seen?
Can you talk a little about that?
Yeah.
I mean, we've seen stuff that's just like heavily, heavily obfuscated, stuff that targets
a single organization through, you know, checking different facts about the environment and
only activating in those scenarios.
And what sort of organizations are they targeting there?
Is that like, I'm guessing crypto exchanges
are going to feature pretty heavily there.
They often target crypto wallets
so that they can get built into one of those wallets.
And a lot of those tend to be built with Electron, right?
So you got a lot of JavaScript dependencies
in those wallets.
It's like, it's such a target, right?
You get into the wallet and you can just
wreak havoc and steal the keys. Yeah, it's such an incentive to go after, right? When you have
just all that juicy, juicy crypto sitting right there. Can you think of examples where that's
been successful? Yeah, yeah, for sure. There was an incident not too long ago in a package called, let's see, which story do
you want to tell?
Because there's actually been multiple of these.
There's, I mean, my favorite one, this is the one that actually caused me to start the
company, to be honest with you, right?
So there was a package called event-stream.
It was, got about 6 million
weekly downloads, a very popular package made by a maintainer who is very prolific. He has published
over 500 packages, one of these mega maintainers. Some of the packages not very well maintained,
as you can imagine, one person trying to manage that many projects. But one of his projects was
very widely depended upon by the ecosystem. It was used in almost all of
the dependency trees of a lot of Node.js users. Someone approached him and said, hey, you're
not really maintaining this package. There hasn't been an update in two years. Could
I have commit rights to be able to help maintain this because we use it at my company? This
maintainer, um,
was like, yeah, sure, of course, like, whatever, I'm not even using this anymore. I've already moved
on and made a replacement for this library that I like better. So he gave the access to the person
and even removed himself and fully was like, I'm done, you have the package. And, um, that person
proceeded to make good, uh, publishes for about, uh, a month. And then they took the permission they had and used that to put
an obfuscated backdoor into the package. If this is sounding familiar, this is something that
happened this year with XE. The XE utils compromise. It's almost the exact same pattern.
This happened back in 2017. So you can see how that we've improved as a security community when it comes to these things
The best part of all is, you know, the way that the backdoor triggered is it looked at the
context in which it was executing, and if it was running inside the particular, you know,
Electron app, it would decrypt the code successfully and then execute it. Otherwise the decryption would fail.
But the way the community caught it was, it's going to sound a lot like what happened with XZ. You got a nerdy programmer just kind of looking at things. So what happened was the
Node.js runtime deprecated a function used by the attacker in their attack code.
And it broke?
No, it didn't break. Just a warning was printed. But it happened, the deprecation
happened a couple days after the backdoor was added.
And so they didn't know that this deprecation was going to happen.
And so folks that were running the bleeding edge version of the node runtime were getting this deprecation warning and traced it back to this chunk of obfuscated code.
And we're like, what the heck is this?
It looks super out of place, right?
Yeah, yeah, yeah.
And doesn't that sound so similar to XZ?
You got this, you know, total accidental discovery, you know, it makes you... right? We've never really had one central repository for malware signatures, hashes, whatever.
So, I mean, aren't these supply chain infiltrations a little bit more akin to malware than to CVEs?
I mean, I guess it's complicated, isn't it?
Because you are talking about a building block of software, and that's often what CVEs are used to, you know, you want to track those issues as you're
importing stuff into your code. So it seems like this sort of straddles the line a bit between
being, you know, more like a CVE or more like a malware SIG. Yeah. I mean, it's certainly not a
vulnerability that we're talking about here. It is different. But the thing about the CVE system is
it's actually one area that we've done pretty well as an industry. We've widely deployed CVE scanners and, you know, CVE scanners are oftentimes in the compliance
requirements and things that we have to cover as, you know, as security practitioners. So
given that we have this system and given that it's already widely deployed, you know, it might be
just, it might be the case that we should just use it for more things, you know, because everyone's
already hooked in in some way to this system. So that's the argument for using it for
more than just vulnerabilities. Yeah, yeah, I think it's a pretty good one. All right, Feross
Aboukhadijeh, thank you so much for joining us this week to talk through all things software
supply chain security. A pleasure to chat to you as always. Cool. Yeah, thanks, Pat.
That was Feross Aboukhadijeh there from Socket,
and you can find them at socket.dev.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back soon with more risky business for you all.
But until then, I've been Patrick Gray.
Thanks for listening.