Risky Business - Risky Business #793 -- Scattered Spider is hijacking MX records

Episode Date: May 28, 2025

In this week’s edition of Risky Business Dmitri Alperovitch and Adam Boileau join Patrick Gray to talk through the week’s news, including:

- EXCLUSIVE: A Scattered Spider-style crew is hijacking DNS MX entries and compromising enterprises within minutes
- The SVG format brings all the horrors of HTML+JS to image files, and attackers have noticed
- Brian Krebs eats a 6.3Tbps DDoS … ‘cause that’s how you demo your packet cannon
- Law enforcement takes out Lumma Stealer, Qakbot, Danabot and some dark web drug traffickers
- Iranian behind 2019 Baltimore ransomware mysteriously appears in North Carolina and pleads guilty
- CISA’s leadership is fleeing in droves, even though the US needs them more than ever.

This week’s episode is sponsored by Thinkst Canary. Long time friend of the show Haroon Meer joins and talks through where he feels the industry is at, having just returned home from the AI-fueled hype at this year’s RSA conference.

This episode is also available on Youtube.

Show notes

- China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says - Nextgov/FCW
- Risky Bulletin: SVG use for phishing explodes in 2025 - Risky Business Media
- KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS – Krebs on Security
- Midwestern telco Cellcom confirms cyber incident after days of service outages | The Record from Recorded Future News
- Microsoft leads international takedown of Lumma Stealer | Cybersecurity Dive
- Who said what? on X: "Message from the administrator of Lumma Stealer on the forums about the recent events🕊️👀 https://t.co/MOjCSMMErK" / X
- Ransomware hackers charged, infrastructure dismantled in international law enforcement operation | The Record from Recorded Future News
- Oops: DanaBot Malware Devs Infected Their Own PCs – Krebs on Security
- DOJ charges man allegedly behind Qakbot malware | The Record from Recorded Future News
- US, Europol arrest 270 dark web drug traffickers in Operation RapTor | The Record from Recorded Future News
- Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars | The Record from Recorded Future News
- Decentralized crypto platform Cetus hit with $223 million hack | The Record from Recorded Future News
- Nearly 70,000 impacted by Coinbase breach involving $20 million ransom demand | The Record from Recorded Future News
- USA: Crypto investor charged with kidnapping, torturing man in an NYC apartment
- Vietnam orders ban on Telegram messaging app over security concerns | The Record from Recorded Future News
- Exclusive: Hacker who breached communications app used by Trump aide stole data from across US government | Reuters
- CISA loses nearly all top officials as purge continues | Cybersecurity Dive
- White House dismisses scores of National Security Council staff - The Washington Post

Transcript
Starting point is 00:00:00 Hey everyone and welcome to Risky Business, my name is Patrick Gray. We've got a great show for you this week. Adam and I are going to talk through the week's news and we're joined by a special guest co-host, Mr. Dmitri Alperovitch, who is best known, I guess, in cybersecurity for being the co-founder of CrowdStrike. These days he is the chairman of the Silverado Policy Accelerator. And yeah, he's gonna join us and we'll walk through all of the week's happenings, of which there have been many.
Starting point is 00:00:32 This week's show is brought to you by Thinkst Canary and Haroon Meer is joining us in this week's sponsor interview to do the Haroon Meer thing of giving us all a post-RSA report, just about how everything is AI at the moment and how 90% of what's on the trade floor is quite bad and not very useful. And you know, he's here to make some good points. So do stick around for that one. It's a lot of fun. But of course it is time to get into the news now, and Adam, we're gonna start with an item that hasn't been reported elsewhere.
Starting point is 00:01:06 I suppose it makes sense to sort of introduce how we came to be talking about this, but you were just having a chat with a former colleague at CyberCX, which is a large Australian cyber security company, and he mentioned to you that they'd been dealing in their incident response side with a bunch of interesting attacks. You mentioned this to me and that caused us to reach out to them and say, well, do you mind if we talk about these publicly? And they provided us with some details. But essentially what's happening is there's a Scattered Spider-like group doing domain takeovers of Australian enterprises, it seems to be
Starting point is 00:01:46 a heavy focus on Australia at the moment, changing MX records and then taking over the whole shebang. But what makes this really interesting is the speed at which they're moving. Yeah exactly, yeah, this crew appears to have a pretty polished workflow to turn social engineering a domain registrar into control of the DNS, and then from control of the DNS hijack the MX, hijack inbound mail and pivot very, very rapidly from there into a bunch of cloud applications. So in particular Atlassian stuff, Slack, Microsoft 365 and Azure, and then going in a very, very rapid way into stealing a whole bunch of data, and I think in this case, attempting to extort people.
Starting point is 00:02:32 But for most organizations, the idea that you would be able to respond to this in the kind of timeframe we're talking about, which is tens of minutes in some cases, whilst your email is broken, because the people who are doing this don't even bother forwarding your email onwards, they change the MX, steal all your email, and then just junk the rest, they're not forwarding it on. So you're, as an organisation, you're sitting there going, our email's broken, we don't know why.
Starting point is 00:02:58 Having the MX record changed out from underneath you is not the first thing you're gonna think of looking for, and by the time you've figured out that's what's going on, they've already looted your Slack for creds, pivoted onwards into your cloud infrastructure and are having a party in your cloud. Yeah, I mean, we're talking full enterprise compromises here. They're getting the whole enchilada.
Starting point is 00:03:21 And once they've taken over these registrar-like accounts, if the company is hosting their DNS records there they just change the MX, and if they're not they just change the name servers and host their DNS for them. And as you point out, they're not doing any email pass-through, it's just, like, you know, smash and grab, don't care about being detected. But some of these incidents have resulted in these enterprises spending weeks trying to evict the attackers. Yeah, because throwing someone out
Starting point is 00:03:56 who's got domain admin in your Windows, like, on-prem life, that's no fun. And it's a hard road. But it's still a whole bunch better understood than throwing people out of your cloud infrastructure. Because at least you know, hey, we have to roll the krbtgt, we have to do these things in a Windows environment.
Starting point is 00:04:13 Trying to even build a map of how does my identity work in the cloud? Where do I have to change things? What bits are security critical? Which bits have been stolen? Like that's a complicated process in the best of times. And mid-intrusion while the attackers are still in there, you know, mucking stuff up,
Starting point is 00:04:31 is really not the best of times. Yeah, and figuring out which cookies you've got to invalidate, and how you would invalidate them. And yeah, just an absolute nightmare. So it looks like, you know, there's a heavy focus on Australia, but it is affecting organizations globally as well.
Starting point is 00:04:45 They're not quite sure why they're doing it. There seems to be a for-the-lulz component to at least some of these, as per CyberCX. So yeah, just a crazy one, really. Yeah, it really is. But yeah, Dmitri, I wanted to ask you what you thought about this, right? Because this is, you know, your career was very much around endpoint and whatever. I mean, this is what it looks like now when a modern enterprise gets targeted. Like it's a whole new world.
Starting point is 00:05:14 Yeah, well, as you know, you know, I served on CSRB and we did a report on Lapsus$ and related groups where you basically had very similar tradecraft, no malware, no exploits, no touching the endpoints, right? Just social engineering. In that particular case, they're mostly using SIM swapping. This is just a next gen of that, right? You're not SIM swapping to get the 2FA code. You're redirecting email or hijacking email as is the case here. Of course, none of this tradecraft is new. I mean, DNS hijacking goes back decades. I remember the Melbourne IT hack of New York Times and Twitter, what was it, like 2013 era hack. And you've had crypto platforms that
Starting point is 00:05:53 have been hacked the same way, I think, five, six years ago through GoDaddy. But this is the case with these teenagers, oftentimes, in Brazil and elsewhere, that are not super technically savvy. But if they can do social engineering either direct into the organization or through a supply chain route like the domain registrar, they can do so much more damage than even, you know, some of your best ransomware groups. Yeah, I mean, I wouldn't underestimate their technical
Starting point is 00:06:20 knowledge, to be honest, because they seem to have a very good understanding of how all this stuff is glued together. I mean, reading through this it reminded me of, geez, I don't know, was it like five years ago or something when Uber had an incident, and what made that one interesting is people were tweeting about it and like we had a lot of visibility into what was happening, and it was an incident where like these kids just kept outrunning the responders, and the vibe on Twitter that day was like a bird had flown into the classroom. You know what I mean?
Starting point is 00:06:47 Because everybody was just like, oh my God. But you know, just, I think the thing that's new, like you point out that, you know, DNS hijacking is not exactly new. I think the thing that's interesting here though is the speed. Yeah. And these guys are often so fast,
Starting point is 00:07:02 it's remarkable to watch, and so difficult to respond, particularly, you know, when these guys are basically 24-7 and the security teams are not, right? Yeah, yeah. Well, big thanks to CyberCX for providing some detail on that and letting us talk about it. Very interesting stuff. Now, let's move on.
Starting point is 00:07:20 We've got like TTP related news to get through. Adam, you found this one, which is Silk Typhoon were apparently rifling through Commvault cloud environments. And Commvault's like a backup company, isn't it? Yeah, they provide all sorts of backup software solutions. And this was their cloud product, which there were some attackers in, I think there were some vulnerabilities in their software. We've seen like they pointed to a CVE that's like no detail but it's remote code exec in their web server product.
Starting point is 00:07:51 But interestingly, this was spotted apparently by Microsoft because their cloud service runs inside Azure and Microsoft happened to spot weird stuff happening there and then told Commvault, hey, did you know that there's a bunch of Chinese APTs all up in your business rummaging around, stealing keymat and whatever else. Commvault have said that customer backup data wasn't impacted, but I mean, I don't know what else you do when you're in an environment full of backup data. Yeah, I mean, an infrastructure as a service provider actually doing some
Starting point is 00:08:22 useful detections for a customer seems to be the most amazing thing about this. But yeah, that one's pretty much self-explanatory. Now the next one I want to talk about a little bit more is actually a piece from our colleague Catalin Cimpanu. It's a bunch of companies have sort of come together and raised the alarm on the fact that phishing crews are now using SVGs, right? A lot. It represents something like 1% of phishing and it's on the up. And you know, until recently, I didn't fully understand what an SVG image was. And you remember, Adam, we talked about
Starting point is 00:08:59 this like a few months ago where you were explaining to me that an SVG, okay, so it's like, you know, it's like a vector image format. Sure. But you can also stuff all of the horrors of like active internet content, you know, JavaScript and whatever into them, which means you can kind of get cross site scripting primitives in an image, which you can embed in an email, right? And that, that seems to be what's happening here. Yeah.
Starting point is 00:09:22 I mean, essentially SVG is to images what HTML is to text. So it has all of the functionality of HTML because it is basically a superset or it's XHTML like HTML is. But yeah, you can stick JavaScript in there, you can reach up in some cases into the surrounding DOM of the browser that's rendering it. It really is a whole web document format that just happens to be for images.
Starting point is 00:09:50 And the way I keep thinking, for some reason, the thought that I'm stuck with is it's like MySpace in a GIF. You know, exactly right. You can, you can do almost anything you want. And for most people it is like you said, it's just an image format. Why do I have to think specifically about it? And places that accept image uploads might say you can allow JPEGs and PNGs and SVGs
Starting point is 00:10:14 and not think about it twice, but safely handling SVG images is the same as, I would like you, my untrusted user, to upload an HTML file, and I'm gonna stick it in and render it in other users' contexts. And that should be absolutely terrifying, but that's exactly what an SVG is.
Starting point is 00:10:31 So it makes sense that it's being abused. As to what to do about it, I mean, option one is, you know, rasterize those SVGs out to a proper, you know, raster image format somewhere before you use it. Why couldn't you just filter out SVGs? How many legitimate emails actually have SVG traffic in them? That's the other option is just throw out SVGs,
Starting point is 00:10:53 but unfortunately people use them for like company logos because the designer has made that beautiful vector, arbitrary scalable logo, and people don't want it to be like aspect ratio squished in their mail footers and they're not meet corporate branding guidelines. So yeah, it's a mess. But I mean, couldn't you have a vector image format without allowing it to be stuffed full of like XML and JavaScript?
Starting point is 00:11:15 You totally can't. You know? Yeah, there are other vector image formats. It's just we got the web one. And unfortunately, the web one is the nasty one. Yeah, Dimitriri you had some thoughts Well, look I started out my career in email filtering back 25 years ago So I always have a soft spot for these criminals because they're so incredibly innovative, you know breaking through spam filters breaking bays
Starting point is 00:11:38 filters breaking Word based filters with image spam and so forth So this is just the latest iteration of that, using basically images as code, as Adam said. But there's countermeasures to all of this, and I think some of the more advanced filtering companies are able to detect it fairly quickly, because as you pointed out, Patrick,
Starting point is 00:12:00 there's image that is encoded in SVG, and then you can look at other things that it's trying to do where it's basically a self-contained phishing delivery platform, right, and has a lot of other links and HTML and so forth that you can determine as malicious. So if you've got a modern filter, I don't know why it would struggle with detecting this. Well, but I mean, where do you apply the filtering, right? And this is a problem for all of the email companies at the moment, where people are putting their phishing campaigns behind,
Starting point is 00:12:29 like Cloudflare Turnstile and CAPTCHAs and all sorts of stuff, right? So, you know, ultimately the place to deal with it is gonna be in the browser. Yeah, but you know, these images are actually being sent as attachments, I believe, right? Yeah. Within the email.
Starting point is 00:12:46 So you are able to filter it out just doing the scans of the email's content. Yeah, I mean, now, right? I'm worried, like, I don't know. I just see, you see a story like this, and sometimes something like this bubbles up and then it goes away. And then sometimes something like this turns up
Starting point is 00:13:02 and it's a starter's pistol, and in a year from now you're talking about the great 2026 internet SVG meltdown, right? So let's hope that's not happening. Now to some happenings. This is a great story. I love this story.
Starting point is 00:13:16 Brian Krebs has written about the latest DDoS to hit his website. The last one, which was a tenth the volume of this one, was enough so that Akamai, who had been providing him with DDoS protection back then, actually said, would you mind finding another host because you're starting to present some problems to the integrity of our network and our ability to protect other customers. The latest DDoS to hit the KrebsOnSecurity website, 6.3 terabits per second. I mean, wow. That sure is a lot of UDP. And fortunately for Brian, he is running on Google's DDoS prevention platform.
Starting point is 00:13:57 They have one that they use for, you know, like public interest stuff or whatever, which is perfectly capable of sinking six terabits of bandwidth apparently, although they did say, Google said this is actually the biggest they have seen as well when they were comparing notes with Cloudflare. And it seems like it's the same botnet, same crew that were responsible for Cloudflare's biggest one, which I think is the biggest full stop. So yeah. Brian, of course.
Starting point is 00:14:22 I just love how if you're in DDoS, like the equivalent of popping calc is to DDoS Brian Krebs' website. And it's great advertising as well, because you DDoS his website and then he writes about it. Yes, this is literally what I found most fascinating. They weren't trying to take him down. This was literally a test, it's sort of the equivalent of pinging localhost or printing hello world in coding, right? You're gonna use Brian as a punching bag because he's so well known and notorious, of course, in the cybercrime circles. I mean, he has such an odd relationship with those circles as well, because you really do get the impression that the people in the underground quite like him and, you know, they all read his articles and stuff. But then he goes into this
Starting point is 00:14:59 whole section where he writes about like the guy behind the botnet who's some young guy probably in Brazil called Forky who claims like, Oh, it's got nothing to do with me. I haven't done this stuff for years. And then Brian's like, well, what about these posts from like December last year? And he's like, well, you know, I'm not sure they like him. I think they have begrudging respect for him. Yeah. What he's able to do. Yeah. It's a complicated relationship I guess is, uh, is what I'm getting at. Now let's turn to this piece. Look, this has been going on.
Starting point is 00:15:27 We could have reported on this last week, but it sort of slipped through because we had other stuff to talk about. But Jonathan Greig has a report up at The Record about this telco in the Midwest called Cellcom. And Cellcom has had some sort of incident which has affected like voice and text for its customers, but the crazy thing is it's like ongoing, it's been going a while, and it's actually affected the ability of their subscribers to port out to other
Starting point is 00:15:55 carriers. So they're just sort of stuck with a service that they can't use and they can't even port out their number. Like, that's a bad situation for the company and their subscribers because surely you would think once they restore service a lot of people are just going to churn away from it. Yeah, there seems to be like a small kind of like family run regional telco. I think they've got about 300,000 subscribers, so like pretty large nevertheless. But yeah, they are definitely having a rough time. The CEO put out like a YouTube video, like talking pretty candidly about their problems
Starting point is 00:16:25 and saying nice things to their customers but it's going to be a must be a rough day at the office they're trying to deal with. The CEO was sending thoughts and prayers right? She did a pretty good job of being heartfelt and honest and you know of CEOs of telcos that I have seen apologize for outages. It's amongst the better ones. But yeah, it must be rough being their customers. And we haven't seen any particular details about what it is, but it feels like someone got in
Starting point is 00:16:53 and ran some weird deleted bunch of stuff or locked up a bunch of stuff, because they're having a rough time. Yeah, I mean, you had a reaction to this one, Demetri. I remember when you were reading through the news list, you were like, wow. Well, they're talking about impacts to customers, missing job interviews, missing calls from family members.
Starting point is 00:17:10 They're really important, right? And I just have a hard time thinking that this company is going to survive, or is it going to be just a shell of its former self? Post this, because imagine your customer that has had that type of impact, that's been without a phone for days on end.
Starting point is 00:17:25 Are you really gonna stick around and hope that next time they'll do better when you have other options? So, this might be one of those cases, and they're usually few and far between, but where this is an existential threat to the business in the case of this ransomware outage. Now, they are not the only people having problems
Starting point is 00:17:41 in their data centers. Let's talk now about the Lumma or Lumma Stealer, however you want to say it. This was a bit of malware that relied on a bunch of domains. It's been around for quite a while. Microsoft took part in a law enforcement takedown of this botnet. There was another one too
Starting point is 00:18:00 that we'll talk about in a moment. In fact, it's one of the only weeks you can ever say it's been a bad week to be a cyber criminal because there's been a lot of law enforcement action. But what's really interesting about this one is these guys got rm -rf'd and all of their domains seized and just had a really bad time. But what's been interesting is seeing the people
Starting point is 00:18:20 who actually operate the botnet sort of pop up with a post-incident review. And what's crazy is they're like, yeah, okay. So our whole server got nuked. So we spun it back up and put extra logging on and it got nuked again, and it didn't turn up in the logs. So now they're thinking they got, um, popped through some sort of vulnerability in, like, iDRAC, right? Which is like data center stuff. Adam, talk us through this one.
Starting point is 00:18:43 Cause I know that this type of hacking is near and dear to your heart. Yes, it certainly is. Yeah, it, um, it seems like, uh, so the FBI shelled their box somehow, put up a phishing page, uh, searching for, you know, trying to lure credentials and IPs, uh, from their users. Apparently, they'd also try and turn on the webcam so the FBI can, you know, snap the traditional pic out of the webcam of whoever they hack. And I'm sorry, just a second though. Like how, I mean, you know, how dense do you need to be as a cyber criminal who is now logging into essentially a phishing page? Like when are you going to log into your criminal portal, right?
Starting point is 00:19:22 As a criminal, where you're going to do crime and then it asks you for permission to turn on your webcam. Who clicks yes? But anyway, sorry. Even if it's not law enforcement doing it, but your vendors in the cybercrime area who can now use it against you for blackmail. But that's my point. Not a good idea to say yes, right? What? Anyway, continue, Adam. Anyway, so their stuff was hosted in some kind of bulletproof hosting somewhere, well out of reach of law enforcement. But it appears that law enforcement had some bugs in the Dell iDRAC lights out management
Starting point is 00:19:53 system and were using that to get in, is what their assertion is. I, as you say, I have enjoyed some other vulnerabilities in lights out management systems over the years, so that seems entirely reasonable. Obviously, if you can get into the lights out management, you can do anything you want. You can boot the server off disk. You can mount USB sticks, you know, virtually across the network. You've got, you know, it's like you're standing there in front of the server itself. So it's a great place to go and do hacking.
Starting point is 00:20:25 It sounds like it was, so they, the Lumma Stealer admin said that the iDRAC interface was connected to a whole different network somewhere else. So, you know, we have seen law enforcement break into bulletproof hosting providers and kind of, you know, rummage around and do things. But either way, it's quite fun watching them have to, you know, pull that thread and figure out how they got hacked, or law enforcement'd, or whatever you're going to call it.
Starting point is 00:20:46 I mean, I just think they're lucky it wasn't ASD behind this one, because ASD went and nuked an entire bulletproof host. Like they didn't just take down one box. They just torched the entire thing. So I guess, Dmitri, why do you think they kept this, the rm -rf shark, so tightly leashed during this operation? I mean, that seems like more of an FBI approach, doesn't it? We'll just stay on this one target instead of raining
Starting point is 00:21:09 hell on the entire thing. Yeah, I mean usually you have corridors around certain things, so it's tightly defined in terms of the scope of the operation so they can't necessarily deviate from it. But you know, the funniest thing I saw in that post in Russian, obviously from the cybercriminal, I think all three takedowns we're talking about are Russian cybercriminals of course, but the last line that he had is that yes, we got access back to the server, we turned off iDRAC, but I do think they have other cards to play, so we will have future notes for you, stay tuned. Yeah. They
Starting point is 00:21:43 appreciate that this is not over. Yeah, they're like, these guys have game. And I will just say, you know, court orders are for the cowards, Dmitri. Come on, let's go, you know, G-men. That's right. Come on G-men, get that rm -rf shark, you know, let it do its thing. Now look, as you just alluded to, there's been a bunch of other takedowns as well, including, what is it, DanaBot, which is another malware family. This one's been taken down. What, if there've been arrests or there's just domains down?
Starting point is 00:22:15 Like, there's so much going on. Adam, walk us through it. Yeah, so this one was a joint law enforcement operation called Operation Endgame 2, and it took down a whole bunch of botnets, which DanaBot I think was one of the bigger ones. 16 people arrested and a bunch of domains and other infrastructure seized. So we've seen this kind of thing happen a lot, but it's been a very busy week for being
Starting point is 00:22:41 cyber criminal, running botnets, running infostealers, that kind of thing. So yeah, rough day in that particular crime ecosystem. The interesting thing here is that, like in past botnets emanating from Russia that we've seen, there was an espionage variant where they were targeting diplomatic communications and particularly looking at countries' communications with the United States. And the two leaders obviously are from Russia, but one of them, Artyom Kalinkin, actually works for Gazprom as an IT professional. His Facebook profile, I loved, mafiosi was the actual nickname, not very subtle. But the fact that he works for
Starting point is 00:23:21 Gazprom, obviously state-owned gas company in Russia, makes you wonder how he got connected with customers or perhaps people that are his roof, his krisha, as they say in Russia, protection, in law enforcement that are also giving him taskings. Yeah, so it was an interesting aspect to this where you've seen multiple botnets over the years where they've been doing crimeware and then all of a sudden there's like a forked version which is designed to do espionage, and this was certainly one of them. But you know, this is not exactly what you would call the espionage A team because according to this piece from Krebs on Security, from Brian Krebs, the way the FBI was able to unmask
Starting point is 00:24:03 some of the operators of DanaBot is because they accidentally infected themselves with their own malware. Which is, you know, all right, who hasn't done that? Yeah, it just happens to the best of us, among us, etc. And yeah, we've also seen the DOJ unseal charges against the people behind the Qakbot, Qakbot, QAK. Qakbot, yeah. So yeah, just like a lot of law enforcement action over the last week. And also another one, 270 dark web drug traffickers
Starting point is 00:24:35 have been arrested by American and European officials. A whole bunch of stuff taken down, 144 kilograms of fentanyl or fentanyl-laced narcotics, and 180 firearms confiscated. So just so much happening. So much happening. Yeah, the Qakbot one is interesting because this has been around for a long time. You guys, I'm sure, remember it. You know, apparently it was created back in 2008 days, right? So you have almost two decades of non-stop activity from this guy, Rustam Galyamov, another Russian that created it.
Starting point is 00:25:08 So for him to get caught, or at least identified and indicted after such a long career, actually tells you that he was probably quite good. Now we finally got some closure on the Baltimore ransomware attack. Now this was a big deal when it happened back in, when was that, 2019, where, yeah, it was like the city's network got ransomed. And one of the reasons this one made such big news is because the New York Times incorrectly reported that the way that this network was hacked
Starting point is 00:25:39 was using Eternal Blue, which was a leaked, like, you know, Shadow Brokers exploit or whatever. So, you know, this was just massive news at the time. An Iranian national has just pleaded guilty to conducting that attack and mysteriously has pleaded guilty in North Carolina where he was arrested and the Bulgarians have been thanked by American authorities. And no one's really quite saying how he wound up in North Carolina, but Adam, walk us through this one.
Starting point is 00:26:09 Yeah, there was a number of people that were kind of tied up in this particular thing, and they were all located in Iran. And it's kind of funny that this one guy just, you know, pops up for no reason and then pleads guilty in the US courts. He's facing up to 30 years in prison when they hacked Baltimore. I think they asked for what, 13 Bitcoin, which at the time was like $70,000,
Starting point is 00:26:32 which seems so quaint by modern ransomware standards. But yeah, I mean, it caused a whole bunch of disruption at the time. I don't know that we had seen these days attacks on city administrative, local government or whatever. It's pretty workaday common hack. And but back then this was a big deal. So the wheels of justice turned slowly,
Starting point is 00:26:55 but for this guy they've definitely turned. And I'm interested to see if there is a story behind how he ended up in the US or whether it's just something dumb like he went to Disneyland. Well, I think, I mean, just reading between the lines, it reads to me like maybe he was in Bulgaria, the Bulgarians arrested him and, you know, he was extradited or whatever, but it is a little bit light on the
Starting point is 00:27:13 detail. Do you think there's anything more to it there, Dmitri, or is it probably just something simple like what I said? It's hard to say. The DOJ thanked Bulgaria for providing evidence and helping collect evidence, not necessarily for extradition, which presumably they would have done. But, you know, what is interesting about this crew is that they seem to have been particularly focused on local municipalities. It wasn't just the city of Baltimore, but the city of Greenville in North Carolina, and in Oregon, and New York and elsewhere where they've targeted this. So they seem to have realized, hey, cities providing vital services like garbage collection
Starting point is 00:27:51 and 911 and healthcare ambulances, et cetera, are really prime target for ransomware pretty early on. Obviously nowadays, as Adam said, it's common practice. Yeah. I mean, I do find it interesting that in this John Grieg piece from the record, the last line of the story is, the DOJ did not respond to requests for comment about when he was arrested or if he was extradited. So it is like there's just this lingering little air of mystery about exactly what happened there that I think is interesting.
Starting point is 00:28:23 Now in a sign of the times, when this story first appeared in our news run sheet, Adam removed it. Because, eh, you know, it happens all the time. And I'm like, man, we've got to put this one back, given the amount of money involved. Some decentralized crypto platform called Cetus, C-E-T-U-S, got 223 million bucks worth of crypto removed from it. I mean, I think that's, I mean, I know there's crypto attacks every day, but I think 223 million dollars being stolen from a DeFi platform is still kind of newsworthy, Adam.
Starting point is 00:28:58 Can we just admit that crypto is now just a wealth transfer mechanism from rich countries to North Korea? Isn't that all it is now? Well, and to answer some criminals too, I mean, you know. Sure. Yeah, the criminals taking the cut of the North Koreans' money whilst they're laundering it.
Starting point is 00:29:14 But yeah, I think when we were going through the run sheet, I said, look, mate, I don't get out of bed for less than a billion dollars worth of crypto stolen, like 200 million per share. That's not worth the column inches. Next year, 11 gillion dollars was stolen. I just find all of this really interesting. I think the most interesting thing, the Bybit attack, of course, that was what, 1.4 billion dollars in crypto. I mean, that one was just so interesting given the way that it unfolded. I
Starting point is 00:29:42 mean, this one looks a little bit more workaday. I did really appreciate when I later did a sponsored interview with someone from Trail of Bits who's really, you know, knows a lot about all crypto stuff. And I asked them, was the way Bybit managing this stuff kind of standard in the crypto industry? And they just said, no. So I think there's probably ways to operate these exchanges and platforms which don't result in hundreds of millions or even billions of dollars going missing, and it would probably make sense for those companies to adopt those methods. Yet another one from John Greig here, he's just done a little bit of follow-up reporting on the Coinbase breach and we've got some numbers there, which is 70,000 users have been impacted.
Starting point is 00:30:26 Dmitri, this one seems to have connected to you because you say you've been getting, just since this breach, just absolutely insane amounts of crypto phishing, like Coinbase-related phishing attempts, to your phone and email because you had an account there a million years ago and you're like a no-coiner who just happened to be in this data set. Is that what we're guessing? Yeah, I don't own any crypto, for the record, for the listeners out there. Don't come and chop Dmitri's fingers off. He does not have any crypto.
Starting point is 00:30:55 But I did have an account back in the day just to play around with it and see how it works and so forth, literally over a decade ago. And it is annoying. I was wondering about this because for the last month, month and a half, I've been getting daily nonstop phishing emails about my Coinbase account was hacked, give a call to this number, or withdrawals in process,
Starting point is 00:31:17 or you got an authentication code, if you didn't request it, give us a call, a variant of one of those messages at least once a day, sometimes multiple times a day. So I don't know if it's directly connected to this breach, but it certainly seems quite coincidental. Well, I mean, what I wonder about, right, because you sent me some of the text messages
Starting point is 00:31:34 that you were getting, what I wonder is, like, if it's one threat actor who has this data set, they're kind of overdoing it with the phishing attempts, right? This would suggest to me... It's annoying at this point. Well, and that's the thing. Like, given the different phrasing, different structure of the messages and the fact you're getting so many of them, I wonder if maybe quite a few people have this data set now.
Starting point is 00:31:55 Yeah. They probably sold it or it got leaked and lots of people are now trying to take advantage of it. Yeah. And don't forget, we should not forget that included in this data set are transaction histories, balances, and home addresses. And that is a dangerous thing. We alluded to that last week when we were talking about all
Starting point is 00:32:13 of the people who are being sort of tortured and having various bits of them chopped off by criminals in an attempt to extract their like passphrases and whatever. We've got, and just as soon as we put down last week's show, I think a day later, this crazy story broke out in New York where this cryptocurrency investor apparently kidnapped a guy and was torturing him over a period of weeks in a townhouse in New York.
Starting point is 00:32:39 Eventually the guy managed to break loose. He told the guy, okay, I'll give you my password. It's on my laptop in the other room. The guy went to get the laptop. He ran out the front door, managed to flag down a cop and he's okay now. What I find fascinating about this story though, is that this guy who was like 28 years old or whatever was being tortured for weeks and did not give up his crypto. Adam. That does seem a little bit extreme. Would you have to go to like, you know,
Starting point is 00:33:06 special forces, you know, search and evasion training just to be able to responsibly hold your crypto wallet. I mean, the whole crypto ecosystem doesn't feel particularly good. Like it's not a good time to be, you know, in charge of a lot of crypto. And like, I'm amazed that this guy, I mean, I guess what do you do, right?
Starting point is 00:33:24 It's not like you can make up a fake password, because he's gonna test it straight away. So like, yeah, I don't know. I don't know how you do... How do you deal with that? You just be ultra hardcore like this guy. Yeah, I feel like there's more to this story though. Like, because the two are known to each other, I wonder if there's some sort of business dispute, and the guy who was, like, wrench attacking him, you know, he apparently has been, I think he's been denied bail
Starting point is 00:33:46 because he has access to a private jet and stuff like this. So you're just like, why are you beating a guy up with a wrench and trying to get his phrases? Anyway, Dmitri, you had something here. Well, I just wonder how competent he was as a torturer if it took him weeks and he didn't get what he was after. You know, wasn't it simpler to just hire some Russian gangster
Starting point is 00:34:06 and get the stuff in a matter of minutes? I mean, they know how to do torture, unfortunately. Yeah, I mean, you know, what's wrong? You know, don't you know how to water? Bro, do you even waterboard? I think is the vibe here. Bro, do you even? All right, so we've got another one,
Starting point is 00:34:23 yet another one from the Record. Great coverage from the Record this week. Daryna Antoniuk has written about Vietnam banning Telegram inside Vietnam. Now, Dmitri, you and I had a bit of a chat about this before we got recording and you're like, what do you think about this, you asked me, and I said, this feels like Telegram doing crime stuff is a convenient excuse for Vietnam to ban this because people are spreading, like, quote unquote, subversive material over Telegram. I mean, look, it could be over genuine concerns about crime, given the amount of cyber crime and fraud happening in that region. It is a good reason to ban Telegram, and yet you can't help but feel that perhaps the government there is
Starting point is 00:35:09 concerned, is motivated by other things. That's what it feels like, and, you know, of course Telegram and Durov are claiming that they have been cooperating and doing takedowns. You know, who knows whether that's true or not and how aggressive they were. Of course Telegram, as we all know, is kind of a run-by-shoestring type of operation, so even if they wanna cooperate, they don't have that much staff to actually respond quickly enough
Starting point is 00:35:36 to a lot of these abuse complaints. But I do tend to agree with you. Vietnam, very, very serious about content filtering, very serious about suppression of any information that's not allowed within the country, obviously run by a Communist Party, and I think that probably has more to do with it than just the fact that they host some dark market Telegram channels. I mean, I hear you and I have a foot in that camp, but I also have a foot in the other camp, which is, you know, the pig butchering stuff taking place in, you know, Cambodia, Laos and Myanmar is equivalent to 40% of the GDP of the region, right? Because you might wind up with this underground economy kind of corrupting those governments.
Starting point is 00:36:30 So I can see that there is also a very good legitimate reason to do this. I mean, Tom Uren and I, our colleague Tom, we write Seriously Risky Business, we did a podcast last week where we were talking about the takedown of one of these telegram markets, which had 900,000 people involved in it, you know, and was just doing tens of billions of fraud. And you just sort of think, I don't know, I sort of feel like if you're the Vietnamese government, you kind of get two birds with one stone, I guess. What do you think, Adam? A minute. If you can do both of these things, like why not? You know, I imagine their interests line up, but it may also be a case of, you know, they can shake someone down for a bribe to turn it back on. Like maybe it's a triple whammy of win for, you know, whoever's responsible for regulating it there.
Starting point is 00:37:21 So yeah, it's kind of hard to say. I don't actually know what the corruption situation is like in Vietnam, because it's really funny, because you get this situation where in some of those countries, with old school communist leadership, corruption is rife. And in other ones, if you do anything corrupt, you immediately get shot.
Starting point is 00:37:41 It's pretty pervasive in Vietnam. It is? Yeah. Yeah, yeah, yeah. All right, so let's look at this Reuters piece now by AJ Vicens and Raphael Satter. Last week, we talked about the leak of the, well, not leak, the DDoSecrets, Distributed Denial of Secrets,
Starting point is 00:37:58 getting their hands on the data breached from TeleMessage, scraped through some API endpoint that would give you a heap dump, because that's what you want when you're running a secure messaging service. As we said last week, we were expecting that other media would do a deep dive on that data and rummage around in it and see if there was anything that interesting in it. According to this piece from Reuters,
Starting point is 00:38:21 nothing too sensitive in it, which is kind of what I expected, if I'm honest. Yeah, you get the impression that they probably pulled the plug on this pretty quickly, and the dumps that we were, that DDoSecrets had access to, were from a pretty limited time window. So clearly anyone who knew about this and had been doing this since TeleMessage started up would have been able to see message contents and stuff that was going past. But this particular dump,
Starting point is 00:38:47 other than kind of confirming through metadata that there are phone numbers of people in positions of power in the US government and other things, we haven't seen much in the way of message contents. There are some like group names and stuff that give us hints of the nature of the conversations, but nothing we didn't really expect. Yeah. And I guess, because we had a little internal meeting about this when this data
Starting point is 00:39:11 was first made available to researchers and journalists, where we had a line, I think, in some of our coverage in Risky Bulletin that said the data will contain private conversations from senior White House officials. And we had a bit of a discussion about, well, we don't know that. And it looks like it didn't. I mean, you would imagine there would be some sighs of relief in the White House over this, Dmitri. But also, I mean, you just got to wonder at this point if,
Starting point is 00:39:38 you know, foreign intelligence services were exploiting this service prior to it being publicly exploited. And there's no real easy way to know that. Well, this is the big issue I have with this story, is that, OK, there's nothing totally valuable in this dump, but the reality is that these servers of TeleMessage are incredibly vulnerable. And it's not just through this one vulnerability.
Starting point is 00:40:01 I've been hearing for weeks from other researchers that have been looking into this of all kinds of issues that they've been discovering with this platform, so it's just not a platform that I would feel comfortable any USG official really using for secure communications. Yes, unclassified, but nevertheless potentially sensitive. Even the subject of a kind of a group name can be sensitive, right, if it talks about upcoming military action or what have you, as we've seen in the past. So I do have broader concerns
Starting point is 00:40:30 about this particular product. I understand why it's been used. You want to make sure that you preserve archives of these messages to abide by legislation that requires you to preserve communications, but there's gotta be other options. And if they're on, someone should build one. I mean, I'm just sorry right now to make such a middle-aged point.
Starting point is 00:40:50 But to me, this seems like the big problem here is procurement, because there are other options. You've got Wickr, which is now an Amazon product, which I'm guessing is not going to have the same issues. I'm sure there's going to be stuff. If you test it, you'll find stuff that is less than ideal. But this was a clown show, this app, right? So I just sort of wonder, like, in what world does an agency,
Starting point is 00:41:13 like I think CBP was like one of the agencies that was using this, in what world do they opt for that app and do absolutely zero sort of due diligence in trying to figure out if it's any good, right? So that's the thing that, and I think this just ties in, government procurement is hard, right? You know. But it's also how it's done, right?
Starting point is 00:41:33 And I guarantee you that they probably did request all kinds of security paperwork, FedRAMP compliance, right? All kinds of checklists that this company did provide to them that didn't matter a whole lot, because there was no pentesting of the platform clearly, or they would have found a lot of this stuff. And this is just a general problem of how government procures and determines whether something is safe or not. It's a checklist approach, not an approach that's focused on really figuring out if
Starting point is 00:41:59 this is a secure solution or not. We finally found a case where pen testing would have been absolutely 100% critical and useful. I remember being on a call with the leadership of Accellion after we found some remote code exec bugs in the file transfer product, and they literally said, but we have FedRAMP, how is this possible? I said, well, I don't know what to tell you, buddy. I got a shell on your Accellion, you know. To be clear, they weren't your customer, which is why you're talking about it.
Starting point is 00:42:30 You did that research off your own bat, just in case anybody was confused. Now, look, just to tie it off, this week, we've got a piece here from Cybersecurity Dive. I think it's following up on some reporting from the Washington Post. We also reported about this as well. But basically all of the senior leadership at CISA have left the agency, some political appointees, some not, I think.
Starting point is 00:42:53 But you know, there is a massive exodus of senior leadership at CISA. I mean, you know, what do you say about that? I think there's a lot of people leaving the federal government at the moment. Yeah, there certainly seems to be some concern amongst the workforce left at CISA about the vacuum of so much talent and so much experience. Because some of these are people who've been there before CISA was CISA, back in the US-CERT days, that kind of thing. So it is definitely gonna leave a bit of a hole in their capability, and I think everyone's a bit kind of worried about what that means, because it's not a great time to be gutting your cyber security defense teams,
Starting point is 00:43:35 given the geopolitics and all that. Yeah, and we've also got a story here from the Washington Post about the National Security Council, the staffing at NSC just being completely gutted. What's going on here, Dmitri? Well, look, I think this one is a little bit different from the other stories about people leaving the federal government, because the NSC, of course,
Starting point is 00:43:55 is a vital White House organization that really serves at the pleasure of the president. So everyone who is there, whether they're political appointees or detailees from agencies, are there to execute the president's agenda. And the president, frankly, has a right to decide who he wants there, whether someone he thinks is loyal to his agenda or not, or is going to stand in the way of executing
Starting point is 00:44:15 it. And I think it's also fair to say that the NSC has gotten way too big over the last decade. During the Biden administration, I think it reached its peak of well over 300 personnel, and the process had become the thing that they focused on versus actually solving the issues. And you know, for better or for worse, President Trump, you know, believes that he is the guy that's actually making policy, not his staff. And he just wants people to implement it. So they're basically cutting it down dramatically and saying, you know, the tweets are the policy, you guys ensure that the agencies execute them,
Starting point is 00:44:49 but I don't need you making policies anymore. I mean, we are looking at, I mean, towards the end of Biden's presidency, the policy staff, there were 186, according to Washington Post. And, you know, under George W. Bush and Barack Obama, they were at 204 and 222 respectively. So this is a change, right?
Starting point is 00:45:08 Like it's, it's a pretty significant change going, like it's going to be smaller than it has been in recent decades. Um, I think this is a thing where this is a conversation that comes up regularly in Risky Biz internally, right? Is when we're reporting on US government stuff, you gotta be careful not to have that reflex which says that everything Trump does is dumb, because he does a lot of dumb stuff, right?
Starting point is 00:45:33 And you gotta resist the urge to say, Trump's doing it, therefore it's stupid. But, you know, and sure, you know, streamlining the NSC could make sense, but you sort of wonder if this is the right time to cut down the number of NSC staffers given everything that's happening in the world. Adam, what are your thoughts on this? I mean, I think actually having expertise involved in decision making, you know, like proper experts that study, have time to study and have the resources to go and make good choices is always
Starting point is 00:46:05 going to help. Now the NSC's role is kind of less about that sort of, it's more about how it gets implemented. But at the same time, like, the more expertise you have in these things, the better I feel. So I just don't understand the rationale here, because the savings for government, we're talking about like, you know, going from like 200 and something to like 100 and something, or, you know, maybe down to as few as 60. You know, this is a trivial dollar saving in the context of the US government. So, you know, I just kind of wonder what the advantage is here of removing policy experts from something like the National Security Council. Yeah, it does seem a strange place to go cut, you know, what's like, you know, half of an F-35 worth of budget in the context. So, yeah, I just, I would like us to bring science and expertise and thought back into policymaking, but maybe that's just me.
Starting point is 00:47:02 Well, on that note, guys, we're going to wrap it up there. That is the end of this week's news segment. Thank you both so much for joining me to discuss this week's news, and Adam, we'll do it all again next week. We certainly will, Pat. I'll see you then. Thanks so much, Pat. That was Adam Boileau and Dmitri Alperovitch there with a look at the week's security news.
Starting point is 00:47:28 It is time for this week's sponsor interview now with Haroon Meer, who is the founder of Thinkst Canary. Canary, for those who don't know, they make great little hardware honeypots you can put in your network that can let you know when attackers start interacting with them. They also do amazing stuff around Canarytokens. Very, very great, you know, great tools, great company, and Haroon of course has been in the industry for a very long time and is somewhat of a thinker. And Haroon was at the RSA conference last month and he has thoughts and feelings about the way the industry is doing certain things. In
Starting point is 00:48:03 particular, he says the amount of investment and attention being given to AI doesn't quite necessarily make sense just yet and a lot of this stuff is going to turn out to be useless. He joined me for this interview where we discussed all of that. Here he is. Part of the reason I think people used to throw stones at the RSA trade show thing becomes very clear when you see how AI dominated this year which is I think for sure AI is one of those life-changing things like LLMs have been magnificent, we discover new stuff all the time, but I question how much we understand the problems we've already started selling
Starting point is 00:48:48 solutions to. There's a lot of people talking about selling AI solutions when I don't know that we've understood AI problems well enough yet. And again, I'm not a troglodyte, like I don't think people shouldn't be playing with it. I think researchers should be knee deep in AI stuff. We're playing with a lot of it internally. But like A16Z used to talk about backing founders who lived in the idea maze long enough, like they've experienced these problems. And all the people currently selling solutions to GenAI problems, like we haven't even seen what GenAI is in the enterprise yet.
Starting point is 00:49:34 Yeah, we haven't built the maze yet. Now, like, I would agree with you that a whole bunch of startups talking about solving, like, GenAI security problems, that would be weird. I mean, there's a couple of startups already, we had one of them in Snake Oilers, can't remember their name, they're doing cool stuff though, you know, just stuff you need. Like, you know, tools that'll stop your AI customer service agent from saying insane things and dishing out people's social security numbers. Like, there's already some products in the market that are needed around that and they are solving very much understood and present problems. But where I'm seeing
Starting point is 00:50:09 most of the AI stuff now is people applying reasoning models and LLMs to some pretty concrete existing problems in InfoSec, and that's where I'm interested in AI. So I think it's interesting as an investor, but I think one of the things that people get, for example, like we pitch Canary as a solution, and we've never had to tell anyone that we use a vector database in the back to help our decision making, or we've never said we use Redis instead of MySQL. Using LLMs as a back-end technology to help us do our stuff actually shouldn't matter to people. What matters is, are we solving a problem? And InfoSec gets hung up on the stuff for a whole bunch of perverse incentives, because if they say they're doing AI stuff, they'll attract a whole class of investors, which will attract a whole bunch of money. And what I see more and more recently is it's not just attracting investors, because, you know, I've been kicking VCs for years.
Starting point is 00:51:15 The problem goes deeper, right? You get these big established InfoSec companies and now they're playing a different game because what they need to do is convince the market that they're still hot and worth it. And the way they do that is by either playing with new technology or buying the latest technology company. And so what you're starting to see or what I'm becoming more and more aware of is these big platform play security vendors every few years have to go through the hype cycle
Starting point is 00:51:46 and pick off the top three people and two years later they sunset those products because they weren't really a thing but it's worked for them because they get to say yes we're doing something in the agentic space we bought x company, we're doing something in the source space. We bought so and so. They get their market pop. The market is happy. But what it means again is just this flood of uselessness and noise in the market. Oh, there's like, I'm waiting for the point where we disagree because there is an awful lot of stuff out there where they just slap the old sticker on it. You know, you can fit, you know, tap on the lid. You can fit so many LLMs in this bad boy.
Starting point is 00:52:27 Exactly right. You know, like that, that is a hundred percent of thing. And, but I mean, that said, I think that the future, like, I just caught up with a mate of mine who's like a tech executive working for a company in here in Australia. And, you know, he just went down and got a demo from Microsoft of what they're doing with AI. And it blew his mind. And when he was telling me about it, blew my mind as well.
Starting point is 00:52:53 Like, this stuff is coming. So I'm sort of not surprised that everybody's trying to find a way to be an AI company, because everybody's going to be an AI company soon, and for good reason. But I think, you know, to your point, a whole bunch of these people are just going to get wiped out, right? Yeah. So for me, and again, I think the value in the idea maze, like one of the fundamental problems that I think InfoSec, when you look at products and companies, has had, is over-promising and under-delivering. And part of the reason is that these incentives work for them. So show up at RSA and talk like you understand this thing
Starting point is 00:53:33 and you get the shiny booth and you get investors and then you actually get an acquisition, because they're looking to tell the market that they're playing in that space. But the net result is that people are not being rewarded, or people are being adversely rewarded for doing the wrong thing. What you want is people spending enough time in that space to deeply understand it, to come up with solutions that work. And yeah, I think it's one of the, if you take just the example, if you consider that San Francisco now has Waymos running all around, those Waymos aren't a new thing. Like, Google's been working on that stuff for 10 years. And it's why that stuff is now there.
Starting point is 00:54:20 Most of the real AI set companies showing up at RSA started two weeks ago and the ink is still wet on their term sheet. And that's part of the problem. It's flooding the market with noise at a time when you actually want clarity. Yeah, but it's not all crap. No. You know, like, so if I think of like, if I think of people who've spent time in the problem maze, right, who are doing stuff in AI, like Edward Wu is a great example.
Starting point is 00:54:47 He's a founder of Dropzone AI, which, one of the investors in that business is his former boss who was the founder of ExtraHop Networks, which is where Ed built the security part of ExtraHop's product, which sits in SOCs. Like, this is a problem space he knows really, really well and realized, hey, if we applied some reasoning models to tier-one SOC analyst work in a SOC, yeah, there's goodness. It's going to work, and it does, right? So, you know, here is a place where someone's taken an AI approach to solving a problem, which is just, you know, alert fatigue, which we've been dealing with forever, and it works.
Starting point is 00:55:28 So I'll tell you for me there's a, and I've thought about this on the spot, so it's likely to be fraught with danger. Let's hear your half-baked idea then, Haroon. You'll notice we've never pitched Canary as deception. Like nowhere on our site does it say deception. We don't say we're a deception company. We say we help defenders win. We say we catch bad guys before they dig in.
Starting point is 00:55:58 Because actually we don't need to give it the hype cycle name to say here's the problem we solve. And if he solves the problem of alert fatigue and SOCs that work, they solve the problem. And it doesn't matter that they're using AI or machine learning or LLMs. Well, but people want to know why, how is it different? How is it new? So that's why they have to say that it's an AI product, because it is an AI product.
Starting point is 00:56:27 So again, we didn't have to say we're a deception product, or we don't have to say it. And for me, and it's not to say that they're not right, like I haven't looked at the product, they might well be, but I'm saying that's the important thing that as an industry we get wrong, which is people jumping on the next and you see it in some ways just from the same people who hop from hot topic to hot topic. So a bunch of the deception companies went on to be identity security people because identity was the new perimeter and a bunch of them are now on to machine learning because or AI because that's the problem and
Starting point is 00:57:06 And you see what they're doing is just, how can we catch the next bit of free headlines or mind share or budget allocated at a company? And stupidly, the constant hopping like that stops them from ever staying in a problem domain long enough to actually get good at it and actually solve that problem. And like I say, in one respect it's tilting at windmills, because you end up seeing that system work for people. But the question is which people it works for. It works for founders who play that game and then exit, but it doesn't necessarily work for the market, because the market ends up with half-baked products that end up disappearing
Starting point is 00:57:52 every few years. Well, I'd posit that they only get to exit if something has gone right. You know, I would suggest that, Haroon. So I don't think so. Like, I've seen a bunch of exits that are, again, like if you follow the 10, and this is cynical because sometimes the stuff's decent and good and we all win. But I've seen enough of: catch the hype cycle, get the funding, use the funding for a big shiny booth, then a big player needs to show they're doing something in the space, and so they make that acquisition
Starting point is 00:58:30 and now you've got the complete life cycle. And in the mix, you've had lots of sales to customers who've now got half-implemented stuff that's become abandonware, and the market hasn't worn from it. Yeah, abandonware is a good term. I'm going to steal that. And it is, look, I would say of everything that you've talked about,
Starting point is 00:58:49 I mean, there's one thing that I think is a serious problem, which is, you know, orphaned products like that, you know, because these people, they've convinced people to take a chance on a startup. You know what I mean? Then they sell it off to some big company and then it just gets shelved like that. That sucks. It's that. And look, I'll tell you, one of the big challenges, like we don't have to tell the listeners,
Starting point is 00:59:11 they'll all know this pain, but distraction and noise, like what problem do I work on next is one of the biggest challenges for C-cells. Like they know their problems are X and Y, but suddenly all the hype is on Z and they've got to start showing something for that. And so I don't like that stuff. And look, just before RSA, it's kind of funny. I had a chat with an analyst and we've chatted with this analyst in the past and then saw the analyst report that went out. And we thought the analyst report was very heavily skewed to a company that partners with those analysts. And so this year we did the analyst interview and after that I spoke to the analyst
Starting point is 00:59:59 saying, listen, like, we are about ready to abandon these analyst interviews, we don't think there's value in it. But I'm really keen to understand a few things, like would you take 30 minutes and just chat to us? And the first thing I asked him is, I say, listen, like you guys do this radar of companies, like you've got two companies listed here as the most innovative in the space. Like, how do you choose innovation? Like, I'm not questioning it, I just want to understand your criteria. And there's a little bit of fumbling and a little bit, and so I say, okay, look, let's make this simpler. Like, we're not in that most innovative space,
Starting point is 01:00:37 for some reason we are newcomers, but I say let's take us, like, go to our blog, here's a year's worth of new things we think we've invented in the space. What have these other people put out in that space for you to call them innovative? And so there's a bit of fumbling, because both those blogs are just abandoned marketing speak. And I say, okay, let's ignore that, here's canary.tools/new, like here's the new stuff we've brought in the last year, what have these companies done? Like, let's go look together at their changelog for the last two years, and both those companies, big companies bought deception products, literally haven't touched the stuff in two years. And the analyst then goes, like, no, like I think we got this wrong.
Starting point is 01:01:25 And so I say like, but that's like, that's your job. Like that's the one thing. That's your job. And by the same token, because now I'm on a roll, I say like, look, you guys sent us this questionnaire that says, do you have, like, what are your plans for Gen AI? What are your plans for agentic deception? I'm like, who chose those things? Like, why do you think those things matter?
Starting point is 01:01:52 Because we are playing with LLMs inside, like our research labs have put out a paper. I see where you're going. Like, we're going to have to wrap this up, right? Because we're over time. But look, I absolutely see where you're going. Everybody's describing themselves as an AI company now, because that's the sort of market expectation. Like, I agree with you on that. Yeah, where I disagree is I think that, you know, a lot of this stuff is really going to be the future. Probably 90% of it
Starting point is 01:02:17 isn't right. I agree with that. So again, I think AI and LLMs are definitely the future. But I think if people are hanging a shingle now saying we're an AI/ML security company, it's very unlikely that you nailed this so early. Yeah. And again, people should totally be working on the stuff. People should be knee deep in the stuff. But are we ready to be selling this stuff and asking people to trust us on it? Mainly, again, it's a question of doing stuff right and doing stuff long enough. And look, some problems are low-hanging fruit and they should be grabbed and worked on now, but more than anything else it's our complete comfort with just grabbing the new headline
Starting point is 01:03:05 and trying to flog it. Look, I'm working personally with a bunch of companies that are using AI. In fact, earlier I told you about one that I'm doing some stuff with at the moment. I explained the whole business to you. It's an AI-powered company and I didn't actually mention AI at all. And that's when it wins. Because that's not the interesting thing about the business, right? Exactly.
Starting point is 01:03:25 So, you know, I'm absolutely with you. And funnily enough, we're actually building out the Risky Business Wiki, which explains in very simple terms what vendors do. So it's a vendor Wiki where we're going to hopefully launch that in a few months. And you know, we feel we need to step in because there is so much nonsense out there about, well, we're an agentic this or that. And you know, it's like, no, actually just tell us what you do. But, yeah. Thank you, Haroon, for joining us on the show to make very good points, which you always do. And great to see
Starting point is 01:03:53 you, my friend. And I'll look forward to chatting to you again soon. Always cool. Thanks, Pat. That was Haroon Mir there from Thinkst Canary. Big thanks to him for that. And you can find Canary at canary.tools. But that is it for this week's edition of the show. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening. Thank you. Music
