Risky Business - Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects

Episode Date: March 19, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

GitHub Actions supply chain attack loots keys and secrets from 23k projects
Why a VC fund now owns a minority stake in Risky Business Media (!?!?)
China doxes Taiwanese military hackers
Microsoft thinks .lnk file whitespace trick isn’t worth patching but APTs sure love it
CISA delivers government efficiency by re-hiring fired staff… to put them on paid leave
…and Google acquires Wiz for $32bn

This week’s show is sponsored by Zero Networks, and they have sent along a happy customer to talk about their experience. Aaron Steinke is Head of Infrastructure at La Trobe Financial, an asset management firm in Australia. Aaron talks through bringing modern zero-trust goodness to the reality of a technology environment that’s been around 40 years.

This episode is also available on Youtube.

Show notes

Risky Bulletin: GitHub supply chain attack prints everyone's secrets in build logs - Risky Business Media
China says Taiwan's military is behind PoisonIvy APT
China identifies Taiwanese hackers allegedly behind cyberattacks and espionage | The Record from Recorded Future News
Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds | The Record from Recorded Future News
Lazarus Group deceives developers with 6 new malicious npm packages | CyberScoop
Poisoned Windows shortcuts found to be a favorite of Chinese, Russian, N. Korean state hackers | The Record from Recorded Future News
'Mora_001' ransomware gang exploiting Fortinet bug spotlighted by CISA in January | The Record from Recorded Future News
Black Basta uses brute-forcing tool to attack edge devices | Cybersecurity Dive
Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court | The Record from Recorded Future News
CISA works to contact probationary employees for reinstatement after court order - Nextgov/FCW
‘People Are Scared’: Inside CISA as It Reels From Trump’s Purge | WIRED
The Wiretap: CISA Staff Are Cautiously Optimistic About Trump’s Pick For Director
White House instructs agencies to avoid firing cybersecurity staff, email says | Reuters
Signal no longer cooperating with Ukraine on Russian cyberthreats, official says | The Record from Recorded Future News
Telegram CEO Pavel Durov allowed to leave France amid investigation
Appellate court upholds sentence for former Uber cyber executive Joe Sullivan | The Record from Recorded Future News
Google buys cloud security provider Wiz for $32 billion | The Record from Recorded Future News
Pat Gray, Founder of Risky Business, Joins Decibel as Founder Advisor - Decibel

Transcript
Starting point is 00:00:00 Hey everyone and welcome to Risky Business, my name is Patrick Gray. We've got a great week of news to get through with Adam Boileau in just a moment and then we'll be hearing from this week's sponsor. And this week's show is brought to you by Zero Networks who make a really cool micro-segmentation product. And those words don't normally belong together, which is a really cool micro-segmentation product. But Zero basically automates a lot of micro-segmenting your network. And joining us this week, instead of someone from Zero Networks, they actually had me speak with a customer, Aaron Steinke from La Trobe Financial in Melbourne. And yeah, he talked through why they rolled out Zero and what that experience was like,
Starting point is 00:00:45 the upshot is Aaron says it actually does what's on the tin, which even surprised him. That was actually a really fun interview so do stick around for that one. But it is time to get into the news now with Mr Adam Boileau. And mate, we're going to start off with a story that we actually were the first media outlet to break, which is this supply chain attack that targeted a GitHub Action, and it is starting to pick up now in other media reports. But this looks actually quite bad. Yeah, yeah, this is an interesting hack. We don't know who pulled this off, but what happened is, there was a GitHub action that people were using
Starting point is 00:01:26 called changed files that you would use when you're kind of assembling a workflow pipeline for building your software in GitHub. You can pull in third party bits of tooling, and this was one that would figure out which files are changed in your repository. So like a pretty widely used utility function. Somebody gained access to some kind of
Starting point is 00:01:47 access token for one of the maintainers of this changed files utility and then they backdoored it to rummage around in the memory of the server that's running the builds. In this case this is going to be a server at GitHub, but presumably in a virtual machine, and rummage through the memory and find credentials. So secrets, passwords, credentials, tokens, keys, whatever in memory, and then write them out to the build log of this build process in GitHub. So this is running in your GitHub account,
Starting point is 00:02:22 but those build logs are yours as well. But in the case of public projects, those logs are also public. So the net result of all of this is that anyone who was using this utility had the memory of their build system scraped for credentials, and then those credentials logged in a place that probably the attacker or indeed other people can get to, which is bad. We're talking like 23,000 repositories used this.
Starting point is 00:02:50 And, you know, triaging what this means for each individual project is pretty difficult. But suffice to say, if you've been using this thing, then yeah, you probably are going to be rolling all of the credentials ever, because this thing was, yeah, used an existing tool for scraping creds that appeared to be pretty good at it. So yeah, smooth really. I mean, it is smooth, but it's kind of a bit of an interesting approach, right, which is to just crap out like private material into a build log, because people are gonna notice that, right? So I, you know, I'm not quite sure I understand the thinking here. I mean, getting, you know, getting it to connect back
Starting point is 00:03:30 to an attacker and dump stuff, I mean, well, you know, could you even do, I don't know, I just, I've got, I don't know what my feelings are about this one. I don't know if it's really smart or really stupid, basically. Yeah, I mean, if you were connecting, like if they had it kind of connecting back out to you or putting in these things in a format
Starting point is 00:03:45 that only the attacker could get them. It was like, for example, you could public-key crypto them before you dump them in the logs. So that only you can get them. Yeah, that was one thing I thought about. But also like the reason they're probably not doing a connect back is because you couldn't do that with a GitHub action.
Starting point is 00:04:00 Yeah, I'm not sure what constraints are on that environment. Like it may not, it may be limited in what kind of outbound connections it can make. But yeah, you could have done this in a way that meant that only you got the creds. But on the other hand, there is some kind of safety in numbers where if everybody's got access to the creds, then no one's going to know that it was you that then used them. And if you knew this was going to happen and there was a couple of specific things you were targeting, like if you were a North Korean, for example, and you were going after a very
Starting point is 00:04:25 specific thing, this might be a good way to sort of, you know, hide in the noise. It's not that North Koreans care. So that's a bad example, but you know, like there might be some smart as a fox thinking here, or it might just be dumb. And we can't tell anymore. Yeah, that's right. Like, can't tell if smart or stupid. Yeah, exactly.
Starting point is 00:04:45 I mean, what we can say is it's high impact and there's going to be a lot of people out there who are affected by this and who don't know because they might have run a build with this script and there's a whole bunch of their creds sitting around in a public build log and they don't know. And that's the bit that's bad here. And I mean, I imagine that the team at GitHub, who have proven themselves to be really smart over the years, you've got to wonder what they're doing here, whether or not they're like, trying to figure out how to scale Truffle Hog to like, go through every build log that
Starting point is 00:05:12 was done over a certain period of time. But it's a mess. Yes. Yeah. And I think they are communicating with repository owners and things. Because obviously, if you aren't a public project, then the exposure is kind of different. Like if you're a project where there are less trusted contributors, they can see the logs kind of thing, then maybe there's some impact there.
Starting point is 00:05:31 So yeah, a lot of repository owners are going to have to go read the advice from GitHub and then try and figure out what it means for them. So yeah, messy. Yeah, definitely messy and not the sort of thing that you enjoy as a public project maintainer. Something like this happening. Let's move on now and some interesting developments in China. The Chinese government, its Ministry of State Security has done some public attribution
Starting point is 00:06:01 looking at some Taiwanese military fellows here who apparently are behind this APT group that targets various systems in China. I mean, we've seen the United States do this to China and a bunch of other countries previously. You get the impression China would love to do this to NSA but can't really because NSA is pretty good at OPSEC. If they could, they would. So there's that angle to it. But I think the thing that makes this most interesting, and it was our colleague, Tom Uren, who's our Policy and Intelligence editor here, his thinking around this is that it's quite threatening because there is always the possibility that in the medium term future, Taiwan will
Starting point is 00:06:45 be invaded and annexed by China and that would make these guys' positions pretty precarious. So there is that threat side to this, which I don't think we've seen before. Yeah, there's also a deterrent aspect in terms of recruiting new people. You might think twice about going to work for the Taiwanese security services if you were worried about a mainland China invasion future, which I'm sure they are worried about. So yeah, it's an interesting kinda, I mean, the actual kinda attribution part of it,
Starting point is 00:07:17 like China is kinda clumsy with it, and the press release from the Chinese Ministry of Defense is kinda comedic in that Iraqi information minister kind of way where they're all on about abandoning the fantasy of Taiwanese independence and so on and so forth. So that's kind of worth a read just for the comedy aspect. But yeah, it's an interesting, you know, I would be a little concerned if I was in Taiwan for lots of reasons.
Starting point is 00:07:44 And yeah, if I was working in the cybers, that would definitely be one of them too. Yeah, communists always do the best press releases though on stuff like that because it's always so, although I gotta say, you know, the Trump admins are getting there. They do some pretty florid writing, but I remember during Trump term one some of the releases out of North Korea when the whole Rocketman thing was happening, they were just so funny.
Starting point is 00:08:09 What else have we got here? We got a crypto exchange named OKX shutting down a decentralized exchange that they operate because some of the Bybit funds were being rinsed through it apparently. And this exchange in particular appears to be really on the ropes because everybody's yelling at them for, you know, kind of, you know, allegedly allowing this sort of thing
Starting point is 00:08:30 to happen previously. And meanwhile, they're denying it and saying, we do have everything that's required of us by law to, you know, stop these sorts of things from happening. But you know, to me, this is just one more example of the crypto ecosystem kind of speed running like regulations and you know compliance. Excellent write-up from John Greig by the way over at The Record. Well done John and we've linked through to that in the show notes but what was your take here? I suppose the interesting aspect here to the extent that anything cryptocurrency is interesting is that this company is a front
Starting point is 00:09:03 end to other exchange platforms. So instead of being an exchange themselves, they are a distributed exchange front end. So they aggregate other exchanges' trade offers and they provide a unified API for you to use it or split your transfers across multiple exchanges. So like it's kind of a money launderer's delight. And the fact that if their platform that makes money laundering, or using other people's platforms to make exchange, you know, to exchange currencies and stuff, like the fact that that then gets used for money laundering seems to surprise absolutely no one.
Starting point is 00:09:38 I mean, it's a bit, it's a bit Dr. Strangelovian, right? Like, this is the war room. You can't fight in here. How dare you use our money laundering machine to launder money? Yeah, exactly. Anyway, so they've said that everything the EU is asking us to do, we're doing, and they've shut down their distributed exchange platform for a little bit whilst they think about what they've done. But this is just the nature of the crypto ecosystem being what it be. Yeah, yeah. And staying with North Korean crypto hacks, apparently a bunch of malicious NPM packages have popped up as well, you know, attributed to Lazarus Group. One of them, though, pretty funny. Talk us through it.
Starting point is 00:10:16 Yes. So this was this was based on a report from Socket Security. I think we've had on the show as a Snake Oiler, maybe at some point. You know, they've been a sponsor. Yeah, they've been a real sponsor. Yeah, Feross Aboukhadijeh. Yeah. Yes, Feross has been on. Feross. Anyway, so they wrote up this particular campaign, but it's a little personal because one of
Starting point is 00:10:33 the NPM packages that the North Koreans are typo-squatting here was one that Feross wrote himself back before Socket started, but kind of a bit personal for him. So yeah, I don't know whether that's a case of, you know, the North Koreans doing it specifically because Socket keeps a track of North Korean supply chain attacks or whether it's just coincidence that Feross wrote a popular package, but either way that was a funny nuance in it, I thought. Yeah. So what, this is just plain old typo squatting, is it? Plain, it's just plain old typo squatting, yes. Yeah, yeah. Oh, and just to follow up on last week, like we were talking about how the Bybit developer downloaded and ran a Trojan Docker container, and I was wondering if that
Starting point is 00:11:17 was like supply chain. Since then, I've heard from, you know, and been pointed to a bunch of information about the likely threat actor in this case, and they always do social eng. So it's very unlikely to have been a supply chain thing. What they normally do is they put out some made up job where people can apply and there's like a coding challenge and they'll pay you to do the coding challenge even if you're not gonna take the job, right? So they'll give you 500 bucks to do this coding challenge.
Starting point is 00:11:45 Just download this Docker container and off you go. And it looks like that's probably more like what happened here, which again, I mean, nice. Yeah. I mean, and exactly really. And I mean, clearly you would hope that an employee at a company like Safe Wallet wouldn't be running their future job application Docker images you know the thing they're gonna like some work that
Starting point is 00:12:09 they're looking for on their corporate machine, but hey, everyone's working from home, everything's, you know, everyone's just, you know, winging it on their developer Macs and, you know, North Koreans know how to work that game. So yeah. Sure do, they should do. And look, I know they're not a VM, right? But like VMs, much like VMs, trying to put security controls around things like Docker containers, that's hard. Well, I mean, and if the normal out of the box Docker experience, there really isn't any actual isolation, right? You have to go out of your way to make it even slightly isolated
Starting point is 00:12:42 from your host OS and a lot of people don't really join those dots. They think of it like a traditional VM when it's kind of not unless you, you know, push the right buttons and have the right config and so on. So, but I guess my point is more that visibility is a problem with both, not so much that there's separation. You know, like there's no, you're right, there's no separation like there is with a VM, but there's, like it's a bit of a black hole in terms of like security tools being able to see inside what's happening in them. Oh yeah, yeah, yeah, absolutely, yes, yes. If you have like EDR or something on the desktop, right, yeah, you're pretty blind as to what's going on inside a
Starting point is 00:13:17 container image. Yeah. Now moving on to another story, and this is another one from John Greig over at The Record here and he's written this story about state-based actors abusing LNK files to do various things, which you know, your first thought is like, what year is this? But then you look at the actual nature of the quote unquote bug that's being used here, which Microsoft kind of reasonably argues isn't actually a bug. It's not really a vulnerability. And you know, the piece sort of goes on from there. But walk us through exactly what the, what the feature abuse is, or the UI abuse is here, Adam, because it's kind of, it's, it's actually kind of funny.
Starting point is 00:13:58 Yeah, so Windows LNK files let you kind of, shortcut files I guess is what they also get called, they let you kind of wrap up a file or a command line in one kind of convenient blob. And if you see a shortcut file, I have a little arrow kind of over there, I'm gonna right click on them, you can see the command they're actually gonna run or the file they're associated with.
Starting point is 00:14:23 And the trick here is that you make an LNK file with an innocuous looking name and an innocuous looking icon that links to, you know, command.com or PowerShell or EXE, and then hides what it's doing by putting a whole bunch of white space in the command field. So when you right click and inspect it,
Starting point is 00:14:43 you probably will see either nothing in the command or something kind of that, you know, is designed to confuse you because they've used a bunch of white space characters, you know, line feeds or tab characters or whatever else to push it off the side of the text box. And Microsoft kind of rightly says that that's not really a security issue, but- Well, it's not a vulnerability but it is a security issue because it's an absence of security like thought, right?
Starting point is 00:15:12 Where maybe you should have some sort of format checking on these things to make sure it doesn't happen but that's not an easy thing to do because we're talking about this before we got recording. It's like, well, you know, you could just prevent multiple spaces from being in there. And it's like, oh, well, then you got tabs and then you got this and the Unicode. And, you know, so you would actually need to introduce some sort of, you know, format checking and parsing and like it would be it would actually be kind of hard to fix. Yeah, I mean, it's fiddlier than it first appears,
Starting point is 00:15:40 although clearly within Microsoft's ability to do something about. There is actually a CWE, the common weakness enumeration designation for this kind of flaw. It's called like a misrepresentation of critical information, user interface misrepresentation of critical information, which is what this is. Clearly, the fact that a bunch of APT groups, I think The Record piece says
Starting point is 00:16:06 like 11 different APT groups have been seen using this so clearly it works for them. Well now herein lies the argument for Microsoft to do something about it right, which is that like you can say oh it's not a problem but if you know every APT group under the sun from here to Timbuktu is using it, well you know maybe you want to get on that and put a few people on it, you know? Yeah, I mean, in the end there are plenty of other places in like a decent set of layered controls that would stop this being a problem, but the fact that they are using it says that yeah, it's useful for something. Yeah, exactly. Now, let's look at ransomware stuff. Yet one more from John Greig today,
Starting point is 00:16:47 and there's this Mora underscore zero zero one ransomware gang, which looks like it might have spun out of the remains of LockBit. They are exploiting the Fortinet bugs that CISA was warning about in January and just going off and, you know, ransomwaring because of that. Like, I mean, it's just, God, rinse and repeat, same headline over and over, right? Well exactly, you know, and clearly the fact that your security appliance gets you compromised by ransomware, like it's just deeply ironic and funny in the kind of tragic way, but yeah, like how many times have we seen this headline and how many times are Fortinet customers
Starting point is 00:17:25 going to get rinsed as a result of their fine security products? Yeah, yeah. And in the next piece we've got today, which is from Cybersecurity Dive, Rob Wright has written about some work out of, I think it was EclecticIQ, who took a look at the Black Basta chat logs and discovered that they have their own in-house bruting, like brute force tool, which they've been using to go after the same sort of devices at the edge, like VPN devices and whatever, just brute forcing their way in and dropping ransomware. And you just, you know, it's depressing. These last two stories are depressing. Yeah, it is kind of depressing.
Starting point is 00:17:58 And the brute force tool that was written in PHP, which is like, that's kind of hard mode, like respect to the Black Basta developer that did that because like... Coded in PHP for efficiency. It would be so much easier to write it in literally any other language because PHP is such a pain to write stuff in. The thing I thought was actually amusing about this was the Black Basta leaks where this revelation came out of, the details about this tool were in. There was also some analysis which suggested that these logs were the result of infighting because this particular brute forcing tool had been used against a Russian bank. Well, we saw that at the time. We did have a bit of an idea that the infighting was because someone had used the
Starting point is 00:18:46 tools to hit targets in Russia. And that's dangerous if you're a Russian threat actor to have your tools associated with targets. And then my fun little bit of speculation about that was, well, if I'm Cyber Command or ASD, I'm grabbing their tools and throwing it against Russian targets to get them in trouble like that. You know, because you're not really, look, brute forcing a shell at a Russian bank makes a lot of noise. You're not going to have to do any damage to cause them trouble. You know what I mean?
Starting point is 00:19:16 So I'd imagine if there's something that's going to actually pass the legal checks that would be required to do an operation like that. I reckon with the right lawyers on your side, you could probably build a case that that one's okay. So. That is how I feel as well. So like if it was some friendly Five Eyes spooks or their associates, then good job. And hats off to you and your lawyers.
Starting point is 00:19:39 Now staying with ransomware and an alleged developer of the LockBit ransomware has been extradited to the United States from Israel. He's a Russian Israeli national, 51 year old Rostislav Panev. He was arrested back in August 2024 and off he goes. He's in a world of hurt. Like you do not want to be extradited to the United States for doing LockBit stuff. He's going to do time.
Starting point is 00:20:04 Yeah, like it's not going to go super well for him. And he was one of the developers of a bunch of the kind of tooling and plumbing. And he was getting, so they've got like chat logs of him communicating with LockBitSupp. And he was making, you know, a couple of hundred thousand dollars a year writing tooling for them. So yeah, like he's, I don't think going to have a good time with the US legal system. No, I mean, if you're him, you have to flip as quickly and as violently as possible, right? And just because really, two hundred grand a year, like, oh my God, what are you thinking? All right, so now let's have a bit of a chat about what's going on in the American government and we've got a few pieces to get through here because we've seen a bunch of people fired, a bunch of probationary staff
Starting point is 00:20:51 fired from CISA and that might be people who've just been put in new roles or whatever. I'm not even clear on what probationary means in the context of United States government HR systems, but you know who else is not clear? Is DOGE, right, who's been instrumenting these firings. It looks like a court has ordered that CISA rehire the probationary people who were fired, but they come back and they go on administrative leave, which I guess means they're all getting a free holiday,
Starting point is 00:21:24 which just screams government efficiency. So well done, DOGE. It's so farcical. Oh, God. And then we've got also the White House telling US federal government agencies not to fire cybersecurity staff because it falls under the umbrella of national security work. So stop firing cybersecurity people. You sort of wonder how many have been fired already. A little bit difficult to get insight there. And then we've got a story from Wired written by Eric Geller, which talks about the vibes inside CISA at the moment,
Starting point is 00:21:55 which are really extremely not great. And then to bookend it all, we've got another story from Tom Brewster over at Forbes, which says that people inside CISA are broadly happy about Sean Plankey being nominated as the new head of CISA. So a bit of a mixed bag here. And I think really, the reason we don't try to cover this too much is because I don't think anyone really has a complete picture of what's going on because it is very chaotic at the moment.
Starting point is 00:22:24 Yeah. I think that definitely is the overriding feeling you get here is there's just a whole bunch of chaos happening and I'm sure there are a great many people, you know, still at CISA and perhaps, you know, on administrative leave right now who really just want to do their jobs, do good work, you know, look after securing America's stuff and then, you know, all of this is happening around them. And it must be a very trying time to be someone that cares about their work and their country, trying to work through this madness. And I kind of hope they get it over and done with sooner rather than later, but we've got
Starting point is 00:22:59 the whole rest of the Trump administration to go, so who knows? But I think it's fair to say we feel for all the people that work at CISA because there aren't many listeners there and yeah. Well, in FedGov generally, right, like it is not a great time to be working for the for the federal government in the United States and obviously there's a lot of people downstream from all of that who are affected. I've spoken to founders just in the last couple of weeks and, you know, government projects are just stalling out. I mean, there should be no surprise there, but it's just like dead for a lot of stuff. It's just, you know,
Starting point is 00:23:30 stuff is no longer moving forward. You do wonder about the, you know, the knock-on effects to economic growth in the United States too, as all of this stuff happens. But we're also seeing a bit of pushback finally against Musk just randomly flipping switches and firing people inside the government. And you sort of wonder if things are going to start to settle down because you definitely get the impression that it can't continue like this. But yeah, woof, not a great time. We had some actually reporting in today's Risky Bulletin about a call amongst European tech leadership to
Starting point is 00:24:05 start working on a European cloud stack and a European technology stack because they can't rely on the Americans and the American tech stack anymore because of all of the uncertainty and you know there's so much of America's economic success is because of being a world leader in this stuff and developing all these things and encouraging people to come from other parts of the world to work there. And you gotta look at it and think like, what's this gonna do to that pipeline, you know?
Starting point is 00:24:32 And all of that leadership. I mean, I think if you wanna have, play crystal ball with how that's gonna unfold, I think that's gonna be a heavy lift, if I'm honest. I think it's gonna be very difficult for Europe to have like its own Amazon or something like that. But if you want to see what that looks like when it really picks up steam, I mean, just look at what's happening with defence tech and spending in Europe. We've already seen Portugal
Starting point is 00:24:54 back out of the idea of buying F-35s. Canada obviously not so interested in the F-35 program anymore. We're going to see massive investment in things like air defense, R&D and manufacturing. In Europe, we're seeing former Volkswagen factories being considered as new sites to build defense material, huge amounts of capital being committed. So I do think that there's about to be a big shift in defense spending. When it comes to broader enterprise tech though, like the R&D lift that would be required there is just mind boggling. So I'm not too, you know,
Starting point is 00:25:33 I think they'll use local where they can, but try, you know, what are you gonna wind up with like, you know, EU Linux, like a Red Star Linux equivalent? Like, I just don't think that's realistic. Do you sort of see where I'm coming from with that? Yeah, obviously Linux kind of came out of Finland in the first place, but yeah, it's obviously global open source. Well, I'm saying that's the one that I'm saying they can have,
Starting point is 00:25:53 but they can't have, you know, Windows. Like in a viewer or, you know, or an Amazon. Yeah, like there's a long way to go there. So, but you know, it's just the, it's so mad, right? I mean, you just, you know, you want to throw your hands in the air. Well, and there's going to be a lot of work, I think from the major technology providers,
Starting point is 00:26:10 they're going to have to spend a bit of time working out how to soothe the Europeans, right? Whether that's through restructuring their businesses, somehow licensing deals, you know, different processes for distributing updates. I don't know how that's all going to work out, but yeah, it's an uncertain time, that's for sure. Now, we've got a really intriguing story here from Daryna Antoniuk over at The Record,
Starting point is 00:26:35 which is about the Ukrainians saying, hey, Signal is no longer cooperating with us. They're no longer cooperating with Ukrainian law enforcement regarding Russian cyber threats. And what makes this intriguing is a statement from Meredith Whittaker, who is the, I think, what is she, the president of the Signal Foundation or whatnot. You know, she came out and said,
Starting point is 00:26:56 oh, well, we don't have formal, you know, cooperation agreements with anyone or official cooperation agreements. And it just seemed like a pretty carefully worded statement, which didn't exclude the possibility that Signal was assisting Ukraine in the first place. So it's a little bit hard to know exactly what happened here. But
Starting point is 00:27:17 yeah, we've done a bit of speculating around the office. You know, why don't you tell people where we landed? Yeah, and I guess the data point is, you wouldn't expect the Ukrainians to be feeling like they had lost something and saying it out loud if they hadn't in fact lost something, you know, they hadn't lost some benefit. Now, whether it's a, you know, some individuals inside Signal, you know, who have sympathy for Ukraine's plight and are happy to help them out, you know, have been sharing information, answering their queries or whatever else, you know, because Signal doesn't have a whole bunch of information to share, but presumably whatever they do
Starting point is 00:27:50 have, you know, they may have been sharing in some capacity. But yeah, it was a little, yeah, it was just kind of a strange one because, you know, that wording of we don't have any official cooperation. Well, I'll read the quote, which is we don't officially work with any government, Ukraine or otherwise, and we never stopped. We're not sure where this came from or why. So why isn't it we don't work with any government? Why did you need the qualifier that it's official? You know, like that's the bit where I'm a little bit like, well, what's, what's, you know, what's going on here? That's a bit strange.
Starting point is 00:28:24 Yeah. And you've got to think, what could they possibly be providing? Things like IP addresses that are accessing a particular account, because we've seen reports of devices being seized in the battlefield and then used for QR code, account linking, phishing, and stuff into signal groups. So there may be some cases where IOCs.
Starting point is 00:28:43 Well, that would be very useful information. IP address information would be extremely useful. Yeah. But I mean, this is coming from the Ukrainian. Yeah, this is coming from the Ukrainian police, I think Ukrainian law enforcement. So I mean, they're not even talking about it in terms of like military intelligence, which is where you expect this to come from. I don't know. My point is that this whole story is just a bit strange. Yeah, yeah, it is a little bit strange. And you know, it's hard to know without having better sourcing, but I guess we just wanted to flag it for everybody because it's kind of interesting, you know?
Starting point is 00:29:13 Yeah, yeah. On a similar topic, Pavel Durov, the founder of Telegram, founder and CEO of Telegram, he has been allowed to travel home to Dubai from France. He was arrested there last year, you know, because of all of the bad stuff that happens on Telegram and his absolute failure to do anything about it. You know, obviously since then, Telegram has taken some, you know, small but significant steps toward actually improving moderation on its platform. It's committed to doing something about the CSAM all over its platform, which is, in my view, a positive thing. And now he's managed to negotiate going home and has put out a statement talking about
Starting point is 00:29:57 how Telegram's great at doing moderation, cooperation, and fighting crime for years and years and years. So he's put out a statement just saying, yeah, yeah, law enforcement. I'm very happy. And he's, and he's gone back to Dubai. I mean, I guess anything that moves the needle is good. And, you know, it's hard not to look at this as a model for like, regardless of how successful it is, specifically in the telegram base, they did manage to get some leverage through this approach.
Starting point is 00:30:27 And you have to think like if you were the owner of another social media network and you were traveling around the place and you didn't want to be, you know, and you. You want to be able to go to Paris for it when you cannot go to Paris. You want to be able to go to Paris or wherever else, then maybe that would be a thing to consider that,
Starting point is 00:30:43 you know, this might be a model they could apply to other people. Yeah, yeah, exactly. And we'll see if that cooperation ceases the second he sets foot in, you know, off the plane in Dubai. Another one from The Record, another one from John Greig, which is a report about Joe Sullivan, who was the former Uber Chief Security Officer. And of course, he was convicted of like a bunch of stuff, including like misprision of a felony for failing to report
Starting point is 00:31:10 to the FTC that there had been a data breach, which you know, the FTC's contention is that he covered it up because he tracked down the people who actually did this breach, got them to sign a bunch of documents and agreed to delete data, which, you know, Sullivan kind of argued, well, that meant that it wasn't illegal and we didn't have to report it and everything's cool now. And I remember years ago when all of this happened, I had some sources inside Uber and I got a pretty good idea of what had happened. And even then I said what they had done with these guys in terms of tracking them down,
Starting point is 00:31:39 paying them a bounty and getting them to sign documents was fine. Where they messed up was failing to report it. And ultimately the courts found that to be the case. He was convicted of a bunch of crimes. He didn't have to do any prison time. He copped a fine and whatnot. And he's appealed it and his appeal has been overturned. Now through the whole Joe Sullivan thing, regular listeners would know that I thought it was a bit off base that people, CISOs, other CISOs were really worried about like DOJ going after CISOs for doing normal CISO stuff because when you looked into the details of this case, he was not doing normal CISO stuff.
Starting point is 00:32:22 I mean, I saw him as recently as like RSA last year. He turned up to a thing I was at and did a talk about it. And you know, it's still his line that this is terrible precedent and whatever. It's like, bro, you know, two courts now have found that you broke the law. Like time to just accept it and move on. And I think it's time for people to stop worrying about this. Like until you've read the details of the case and what he's alleged to have done, stop worrying that the FBI are about to come and arrest you. Like it ain't happening. Yeah, I mean in the end it's the cover-up that gets you, you know, in this particular case. They could have been more forthright with what they were doing.
Starting point is 00:32:57 Yes, kind of retroactively claiming something was a bug bounty is a little bit weasely, but in terms of the data that went out and then preventing it from going further and causing more harm you know. But they were in the middle of an FTC investigation like there were requirements there for him to report exactly this sort of thing happening and you know anyway look he argues and it's fair enough that the DOJ were using charges against him to try to get him to flip on Travis Kalanick, the CEO of Uber. And look, that might be the case, but that's what happens when you commit crimes around other people that the DOJ are looking into.
Starting point is 00:33:36 They're going to use that leverage and the decision is yours whether or not you want to wear the charges or flip. And he chose to wear the charges. I just wish he'd stopped complaining about it. I mean, I've got a bunch of friends in common with Joe Sullivan. I can't say I've met him before, but only briefly. I can't say I know him. He seems like a decent guy, but he's just got to let this go.
Starting point is 00:33:55 Yeah. Yeah. That's dragged on for long enough and yeah, time to get on with life. Yeah. Um, now in some business news, my God, um, Wiz, which was founded in 2020, has just been sold or just been acquired by Google for $32 billion. Now, that's not a bad payday for five years. That's incredible.
Starting point is 00:34:21 That's wild, you know? What, 32 Instagrams? Is that the metric? Yeah, apparently. Which, you know, that's pretty funny. And of course, they rebuffed the Google offer, was it last year for something
Starting point is 00:34:35 like, was it 23? I think it was like 23, you know? And like how they've managed to add, like what, $9 billion in enterprise value in that amount of time. Like how? How did they, like what are they, did they hypnotize?
Starting point is 00:34:46 Like I don't know. I guess clouds, you know, the cloud is a big deal these days and securing your clouds also a big deal. But like, this is the, I think it's the biggest security acquisition ever, right? Like not just Google's. We're trying to think of a bigger one and Splunk was like 28 billion.
Starting point is 00:35:04 Yeah, like Cisco and Splunk seemed pretty big, but... I just think the thing that spins me out about it is like how quickly they built a $32 billion company. And to be honest though, like everyone you ask about Wiz, they're like, oh yeah, Wiz is great. Like, you know, talk about satisfied customers. Everybody sort of loves it for its core, you know, for its core stuff. It just kind of works and does a bunch of good stuff. And I think the only thing we ever
Starting point is 00:35:27 had to do with Wiz is we had, we had them into a snake oiler slot once just to promo one of their new product lines or whatever. And you know, it's a company that does kind of ooze competence, right? So it is nice to see, you know, just such a success story for founders like, Oh my God. Yeah. I mean, it's certainly, you know, congratulations to, to Wiz. And then, you know, I guess we will see what Google does with it. Cause I mean, you know, we've seen sort of Google acquisitions. Cause they're so good at enterprise sales, right? Well, yeah. Right. And you know, you've also got to wonder if you're a customer that's relying on
Starting point is 00:36:00 Wiz for services on other platforms than Google. Like if you're using it in your Amazon environment, using it in your Azure environment. You know, part of Google's competences. I'm less worried about that. I mean, you know, Google have got their sort of cloud scene product and that's not just tied to, you know, the Google platform and whatever. I think, you know, they're trying to build
Starting point is 00:36:17 a product portfolio that's not just relevant to GCP because that would be really dumb, you know? And they're not, they might not be great at enterprise sales, but they're not that dumb. So I'm, I'm, I'm less concerned about that. Um, now just before we wrap it up, we've actually got a little bit of sort of Risky Business related news, uh, to talk about, which is that I have a new gig. Hmm. A new gig you say, Jessica? Yeah. So I am, I've taken a role with Decibel Partners, which is a US-based venture capital firm,
Starting point is 00:36:50 as a founder advisor. And I'll just sort of explain a bit of the backstory of how we got here, right? So for many years, I've been working with companies that have been funded by this fund, right? Like not through any sort of arrangement, they just tend to invest in the sort of startups that I find interesting, right? So like RunZero is a great example of that, right?
Starting point is 00:37:11 And HD Moore over there. And they're a cool fund, they do like early stage stuff. And I got to know Jon Sakoda, who's the head honcho over there, over the last couple of years. And at the same time, I started thinking about the future of this company, right? Because we are a small media company in a niche. What's the future for a company like that that I've been running almost for 20 years?
Starting point is 00:37:38 And around the same time, there was some discussions with major vendors about potentially acquiring risky business, which why don't we get you in here to explain why you found that deeply traumatizing? I guess there's a couple of aspects. One is I've also recently been through the process of selling off 15 years worth of work in a big acquisition and that has upsides and downsides. And really for me, I've been doing risky biz for almost as long as you, right? I've been here, what, 16 out of those 20 years? Something like that, 16, 17, whatever it is.
Starting point is 00:38:16 And so I'm pretty invested in Risky Biz being a thing. And I am concerned about anything that really changes what it is we're trying to do here. Ultimately, I like learning about interesting new stuff happening in InfoSec and talking about it. Anything that changes that is concerning to me. Being bought by a vendor may come with constraints. Well, yeah.
Starting point is 00:38:43 I mean, ultimately, you know, after a few years, you're going to wind up working for a CMO who's interested in pushing their underperforming product line and they're like, get on your microphone, monkey, dance. Right. And that was going to be the issue. And so Risky Business has always had a very different model, right? You would notice, like, I'm guessing a lot of the people listening to this, they listen to other podcasts and they are, their fingers are sore from hitting the 30 seconds
Starting point is 00:39:07 forward button every time someone, you know, breaks from their programming to read a script for like BetterHelp or NordVPN, right? So we've never really wanted to have that model for as long as we've been around, we've kind of worked with sponsors and people are like, well, but does that give you conflict? And not really, you know, it's like not really the way that it's turned out because we put a lot of effort into picking who we put on this platform to begin with. And now we're just kind of moving that a little bit earlier, right?
Starting point is 00:39:37 Where I'm gonna be working to try to start startups with founders, you know, practitioners who might have ideas, you know, by all means, get into my inbox and tell me what your ideas are. We'll see if it's something that we can develop. And that's going to be exciting. And then, of course, once they're ready for that, we might start floating their ideas in the show.
Starting point is 00:39:54 They can sponsor the show. And I can work with them on refining their message and all that good stuff. And this was Jon's idea, right? Jon Sakoda, who runs Decibel, he really came to me with an alternative to selling Risky Business to some vendor and then making, destroying what I think has sort of become a bit of an institution, right? So this is a new business arrangement we can come to
Starting point is 00:40:19 that keeps Risky Business doing what Risky Business does. That's certainly my, the thing that made this appealing to me was their incentives are very much aligned with ours, right? We want to do what we do and not really change what we do. And, you know, their interest is... For us to keep doing what we're doing, right? For us to keep doing. Clearly we have similar taste in tech firms because there's such a lot of overlap between our sponsors and their stable. Yeah, that's right.
Starting point is 00:40:51 And I've already helped one company raise money through Decibel, that's Knock Knock, which everybody would know I'm a huge fan of. I'm on the board of Knock Knock now, so they got a little seed round through Decibel, which was just announced today. And I'm working in an advisory capacity with about five or six of their companies. Push Security is one, RunZero, Authentic, Prowler, which is super cool,
Starting point is 00:41:11 speaking of Wiz selling for 32 billion. Prowler's got an open source platform that does some of the stuff that Wiz does, but it's very good for cloud security checks and stuff, and even remediations. But you see what's happening here is I'm already, uh, you know, just, just motor mouthing about it because I'm actually into this stuff. And you know, so what, what it means is that I've been appointed to this new gig.
Starting point is 00:41:33 Uh, decibel has invested in risky business, which means that we can grow, hire some more staff, but we're not going to mess with it. And that's the thing that I really want people to understand is any changes we make here, we're going to think about them carefully because we respect our audience. As you can probably tell from this conversation, we think being transparent is really important. But that's basically it. Like this deal, this change, you know, more than anything just sort of seals, you know, the future of risky business being risky business.
Starting point is 00:42:02 And that's why we did it. And you know, I think that's about it, isn't it? Yeah, yeah. I mean, having a way to fund us continuing to do what we've been doing for so long without it being your personal sacrifice for 20 years and turning it into a thing that has a path forward that, as you say, doesn't involve shilling NordVPN.
Starting point is 00:42:24 Yeah, no BetterHelp scripted reads and no working for a single product vendor who's just gonna get us to push stuff. Like it's just, you know, obviously at some point something has to happen with the business after 20 years and I'm just really glad it's this. And the interesting thing for me is like it took a long time to get this thing over the line and the thing that has me happiest about it is like, now I get to start doing the work with the founders. I'm actually very excited about that. I am not just saying that. I enjoy that sort of work and I'm looking forward to trying to develop some new companies and new ideas and whatnot.
Starting point is 00:42:58 So as I say, if you've got an idea for a startup, you know, let me know. I'm all ears at this point. That is my job, in addition to hosting this podcast. But mate, we're going to wrap it up there. That is it for this week's news segment. Thanks a bunch for joining me. We'll do it all again next week. Yeah. Thanks, Pat. I will look forward to it and I'll see you then. That was Adam Boileau there with a check of the week's security news and big thanks to Adam for everything that he's done for this podcast over the last at least a decade and
Starting point is 00:43:33 a half. It's time for this week's sponsor segment now and this week's show is brought to you by Zero Networks who make a really, really cool micro segmentation product, which orchestrates existing gear within your network to deliver micro segmentation. And the way it deploys is actually pretty cool because you throw it out there and it learns which machines talk to which machines, and then you can sort of put it in an enforcement mode
Starting point is 00:43:58 and bang, you have micro segmentation. Now a lot of products have promised to do this sort of thing over the years, and they don't really, like the experience doesn't live up to the marketing claims. So this week instead of having someone from Zero Networks actually on the show to talk about their product, instead they suggested I speak with one of their users. Aaron Steinke works for La Trobe Financial, which is a financial services firm based in Melbourne, Australia, and yeah, he rolled out Zero Networks and is a very happy customer. Obviously, a vendor is not going to give you one of their unhappy customers.
Starting point is 00:44:31 But I will say I spoke with Aaron, I don't know, for a good half an hour after we recorded this interview. You know, this is a guy who knows his stuff. Absolutely, 100% knows his stuff. And, you know, I found this interview interesting because he really does mount a compelling case that what Zero claims it can do is actually what it can do, which is more than you can say about a bunch of vendors. Anyway, here's Aaron Steinke from La Trobe Financial in
Starting point is 00:44:58 Melbourne talking about his experience in installing and spinning up Zero Networks' network micro-segmentation product. Enjoy. We're a financial institution. We are very paranoid. That's the nature of working in finance and getting those controls over lateral movement in our network is really essential and it's a hard thing to do and we knew it was a hard thing to do before we committed to it. But like all the most effective controls, there's a fair bit of work to get it done. We have actually found that with Zero's product, there's actually a lot less hard work than there is in some of the alternatives that we have played with in the past. This isn't our first rodeo.
Starting point is 00:45:39 And there's been a few failed attempts in the past to get to a proper segmented and micro segmented network with varying degrees of success. Yeah. So that's the interesting part, right? And I think that's one of the reasons it's not, you know, a commonly done thing as yet, right? Is it is hard to do. It's been hard traditionally to do it. Well, like what were the sticking points with other attempts that you'd had at this with different tooling? With some of the other tools, you've got a huge complex rule base that you end up having to maintain manually. There's a lot of work and a lot of feeding and watering. And even when it goes to new product rollout where the documentation is never what it should
Starting point is 00:46:23 be, you're putting in a system created by someone else and you know there's some weird little port that only gets used once a month that pops up. The tooling with Zero has really made that whole automated learning process work really well, which is another one of those features that everyone promises and it... I was actually about to say so like what you're saying is that this time it's not all lies, right? Because everybody's like, you just drop it and it automatically does everything. And you know, yep.
Starting point is 00:46:52 And that's where the rubber hits the road. It really has done what that, what it said on the sticker. Yeah. Well, that's good. I mean, so look, I mean, it can't have all been a hundred percent smooth sailing, right? I'm guessing there's still a few corners to round off. Like, you know, if someone's thinking about doing this,
Starting point is 00:47:07 like what should they prepare themselves for? There's a little bit of trial and error in it, as you would expect. We also, so here at La Trobe, we have a network that has been chugging away and evolving for, since the 80s. There's some weird little hollows of legacy horror shows in there, like there are in most places.
Starting point is 00:47:30 A few of the headaches we had were things where people had in the past tried some odd little tricks with group policies. And I think this is where Zero really shines is that a lot of those problematic bits and pieces that we have tried in the past that were really complex became a lot simpler. We have the things that require like agents is where we've had a long struggle in the past and I've got to admit too that I was a little bit cynical when we first started talking to Peter about how the whole product runs on WinRM, which has also been a bit of a horror show for those of us who have been around for a while. I was cynical that it could actually perform and do its job in a timely manner. And they've
Starting point is 00:48:20 clearly done a fair bit of work in the background and got that working, and got that working quite reliably, and it's scaling pretty well. We haven't had any issues with latency at least not yet. And it's funny what you were talking about, the nature of your network is like what came across was like, yeah, there were a few sticky parts, but that was our fault, not theirs kind of thing. And it is.
Starting point is 00:48:45 And that's actually a problem that I've seen in the past too with other microseg products. They work great if you're in a cloud native environment, if everything is modern and shiny and new. And we down here in the real world where you and Adam like to rubbish us a bit, we have to deal with some pretty horrible old school protocols that don't play nice, that aren't predictable. And it means things like the zero trust approach to a lot of our software has been really difficult. With Zero Networks and the way that it is identity aware at the point where you're
Starting point is 00:49:18 making a network connection has let us retrofit a lot of those smarts to products that really haven't lent themselves to it, that would have needed an inordinate amount of development time in their authentication mechanisms to get us to that sort of continuous identity. Yeah, so we're talking like essentially bolting on at least some sort of identity aware access control onto like on-prem legacy crap, horror show, awful stuff that you can't do it any other way. Yep. And I'm well, I mean, you can always do it another way, but it's not necessarily cost
Starting point is 00:49:51 effective. And bear in mind too, that some of these products are things we have already, we already have an axe hanging over their head, but it's a multi-year process and hundreds of thousands, if not millions of dollars to get rid of them. We have to do something to get us over that gap. And it's been a real godsend. Well, yeah, and I'd imagine too. So I work with a company that does something similar, but for external resources, not so much internal resources.
Starting point is 00:50:17 And one thing that's really interesting that we keep hearing from people around that one, and I imagine it's the same for the internal use case, is the user attribution you get on who's doing what on the network, like actually tied down to a user who actually exists in a directory somewhere who you can identify. I imagine that's something you're probably doing something with that? Yep, our security guys love it. The feed that's going into Splunk is making their eyes water in a good way. Yes. They are tearing up misty tears of joy.
Starting point is 00:50:48 We've even had a bit of a tinker with those high risk protocols, the SSH into boxes, RDPs into things. It's also letting us put in an MFA step before the firewall even gets opened, which is really nice. That's historically been incredibly hard. We've had a few shots of that with other products that don't necessarily work in that sort of segmentation model, but where they intercept the authentication mechanism, they tend to add latency, cause bugs, cause errors,
Starting point is 00:51:15 cause headaches, because this is happening before it triggers, we're finding it's a lot more successful and less intrusive. Yeah. So, you know, like have you racked up any, you know, any tangible wins since you've started doing this? Like, is there something you can point to and say, well, that saved our bacon? One of our biggest wins is a common audit question every time the auditors come through, which is every five and a half minutes in a financial institution, we're getting asked why we're not doing MFA on certain products and protocols. And it's given us a way of implementing that. That's probably the biggest
Starting point is 00:51:50 the use case we didn't really expect to be solving that it's really got us a nice little green tick for. Yeah, it's funny, actually, Benny, who's the you know, the founder of Zero when I've had him on the show previously and asked him like, what's driving growth, because I know they're growing. And he's like, man, the amount of compliance stuff that people are just like, oh my God, I can just get this in and it solves that problem. Like they, the security benefits like a nice benefit to the compliance side, which is like not the way it should be, but hey, I don't know, maybe it's a good news story about compliance. I think it is. And the other thing it has solved for us is, you know, we don't have a huge team here.
Starting point is 00:52:27 We're not, you know, we're not a noble con bank. Um, we need something that's reasonably easy and straightforward to manage so that we can get the best out of our, out of our people and that it really is quite straightforward to add exceptions where we need them to respond to do all those things. I like to think of it as doing a bit for our network segmentation, what the likes of Airlock do on... Yeah, yeah, yeah, yeah, for files, right? It's similar thinking, it's similar thinking, right? Which is default deny and open up only where you need to. So, yeah.
Starting point is 00:53:04 Now we were chatting before we got recording and I actually asked, like, did you hear of Zero Networks from the podcast? Because you are apparently a long-term listener who's listened when I used to put music at the end of the shows and whatnot. And you said, yeah, you remember us talking about their remote access product, right? So this is for people who aren't familiar, they've got their micro segmentation thing, but Zero developed a remote access solution for people who are wanting to throw away their horrible VPNs and get something in place that was less risky.
Starting point is 00:53:32 What they've done is they've got a VPN where all ports are closed until you MFA, until you go through your IDP, it opens up the port and then you can go through and it's sort of IP restricted and just a lot safer. This is good thinking, but that's where you actually started with them, right? And what's funny is I know from talking to people at Zero that like that product has been like way more successful than I think they've realized it would be, which in retrospect, I guess kind of makes sense. But you wanted to talk about that too, because you're a big proponent of it. I'm a big proponent, not just because the whole ecosystem of VPN solutions sucks but also
Starting point is 00:54:08 because when we look at more modern approaches to VPNs, the Zero Trust Network Access, the SASE solutions, the enterprise browsers, they're pretty useless to us. We have a whole lot of legacy protocols and legacy applications and things where we have users who directly interact with SSH, FIT clients that use RPC all over the place, those sorts of things which the more modern approaches don't really work that well with. We've tried enough of them to have zero confidence in them actually being a fit for the solution. So we've sort of stuck with a more traditional VPN type of approach.
Starting point is 00:54:45 And what we had been going down the road of was sort of segmenting our users as they VPN in so that we could get some sort of classification and firewalling there. And it, again, went back to a really deep. Well, yeah, that gets complicated real quick. And even trying to get the sort of same class of service when you are on prem versus remote
Starting point is 00:55:03 has been a real nightmare. Whereas once you put the two together, the Connect and the Segment product, you end up with that. The user gets the same user experience, whether they are remote or in the office, and we get that same level of security. Whereas historically, we found that you often end up in a scenario where people have more network access when they're on the VPN because you can't categorize them and classify them well enough. So that's really, I think, hugely improved with a typical workforce that we have where people are
Starting point is 00:55:36 regularly working remotely these days, which they weren't pre-COVID. It's given us a much more robust solution to how we treat those remote workers without having to completely throw out our entire stack, which as I said earlier is not a cost-effective solution at least not to happen in three months' time. All right, well Aaron Steinke, thank you so much for joining us on Risky Business to sing the praises of one of our sponsors, which is Zero Networks, which is certainly a company we think makes cool stuff. Great to meet you and fantastic to chat to you. Cheers. Thank you. That was Aaron Steinke there talking about his experience of being a Zero Networks user. And again, Zero Networks being one of those companies that's taken an old concept and actually made it workable, much like Airlock Digital.
Starting point is 00:56:25 I did find it funny actually in that interview when Aaron made an Airlock reference because that implies that he's an Airlock user. And I can just imagine being a very sad pen tester if you landed on a network that is running Zero Networks and Airlock Digital at the same time. That's a bad day at the office. But yeah, that is it for this week's show. I do hope you enjoyed it. I'll be back tomorrow in Seriously Risky Business,
Starting point is 00:56:48 but until then, I've been Patrick Gray. Thanks for listening.
