Risky Business - Risky Business #793 -- Scattered Spider is hijacking MX records
Episode Date: May 28, 2025In this week’s edition of Risky Business Dmitri Alperovitch and Adam Boileau join Patrick Gray to talk through the week’s news, including: EXCLUSIVE: A Scattered... Spider-style crew is hijacking DNS MX entries and compromising enterprises within minutes The SVG format brings the all horrors of HTML+JS to image files, and attackers have noticed Brian Krebs eats a 6.3Tbps DDoS … ‘cause that’s how you demo your packet cannon Law enforcement takes out Lumma Stealer, Qakbot, Danabot and some dark web drug traffickers Iranian behind 2019 Baltimore ransomware mysteriously appears in North Carolina and pleads guilty CISA’s leadership is fleeing in droves, even though the US needs them more than ever. This week’s episode is sponsored by Thinkst Canary. Long time friend of the show Haroon Meer joins and talks through where he feels the industry is at, having just returned home from the AI-fueled hype at this year’s RSA conference. This episode is also available on Youtube. Show notes China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says - Nextgov/FCW Risky Bulletin: SVG use for phishing explodes in 2025 - Risky Business Media KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS – Krebs on Security Midwestern telco Cellcom confirms cyber incident after days of service outages | The Record from Recorded Future News Microsoft leads international takedown of Lumma Stealer | Cybersecurity Dive Who said what? on X: "Message from the administrator of Lumma Stealer on the forums about the recent events🕊️👀 https://t.co/MOjCSMMErK" / X Ransomware hackers charged, infrastructure dismantled in international law enforcement operation | The Record from Recorded Future News Oops: DanaBot Malware Devs Infected Their Own PCs – Krebs on Security DOJ charges man allegedly behind Qakbot malware | The Record from Recorded Future News US, Europol arrest 270 dark web drug traffickers in Operation RapTor | The Record from Recorded Future News Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars | The Record from Recorded Future News Decentralized crypto platform Cetus hit with $223 million hack | The Record from Recorded Future News Nearly 70,000 impacted by Coinbase breach involving $20 million ransom demand | The Record from Recorded Future News USA: Crypto investor charged with kidnapping, torturing man in an NYC apartment Vietnam orders ban on Telegram messaging app over security concerns | The Record from Recorded Future News Exclusive: Hacker who breached communications app used by Trump aide stole data from across US government | Reuters CISA loses nearly all top officials as purge continues | Cybersecurity Dive White House dismisses scores of National Security Council staff - The Washington Post
Transcript
Discussion (0)
Hey everyone and welcome to Risky Business, my name is Patrick Gray.
We've got a great show for you this week.
Adam and I are going to talk through the week's news and we're joined by a special guest co-host,
Mr. Dmitri Alperovic, who is best known I guess in cyber security for being the co-founder
of CrowdStrike.
These days he is the chairman of the Silverado Policy Accelerator.
And yeah, he's gonna join us and we'll walk through
all of the week's happenings of which there have been many.
This week's show is brought to you by Thinkst Canary
and Haroon Mir is joining us in this week's sponsor interview
to do the Haroon Mir thing of giving like a post-RSA,
giving us all a post-RSA report report just about how everything is AI at the moment and
how 90% of what's on the trade floor is
quite bad and not very useful and you know, he's here to make some good points. So do stick around for that one.
It's a lot of fun. But of course it is time to get into the news now and Adam we're gonna start with a
item that hasn't been reported elsewhere.
I suppose it makes sense to sort of introduce how we came to be talking about this but you
were just having a chat with a former colleague at CyberCx which is a large Australian cyber
security company and he mentioned to you that they'd been dealing in their incident response side with a bunch of interesting attacks.
Now they were, you mentioned this to me and that caused us to reach out to them and said,
well, do you mind if we talk about these publicly?
And they provided us with some details.
But essentially what's happening is there's a scattered spider-like group doing domain
takeovers of Australian enterprises, it seems to be
a heavy focus on Australia at the moment, changing MX records and then taking over
the whole shebang. But what makes this really interesting is the speed at which
they're moving. Yeah exactly, yeah this crew appears to have a pretty polished
workflow to turn social engineering, a domain
registrar into control of the DNS and then from control of the DNS hijack the MX, hijack
inbound mail and pivot very, very rapidly from there into a bunch of cloud applications.
So in particular Atlassian stuff, Slack, Microsoft 365 and Azure and then going in a very, very rapid way into then
now stealing a whole bunch of data, and I think in this case, attempting to extort people.
But for most organizations, the idea that you would be able to respond to this in the
kind of timeframe we're talking about, which is tens of minutes in some cases, whilst your
email is broken, because the people who are doing this
don't even bother forwarding your email onwards,
they change the MX, steal all your email,
and then just junk the rest, they're not forwarding it on.
So you're, as an organisation, you're sitting there going,
our email's broken, we don't know why.
Having the MX record changed out from underneath you
is not the first thing you're gonna think of looking for,
and by the time you've figured out that's what's going on,
they've already looted your Slack for creds,
pivoted onwards into your cloud infrastructure
and are having a party in your cloud.
Yeah, I mean, we're talking full entry compromises here.
They're getting the whole enchilada.
And once they've taken over these registrar like
accounts if the company is hosting their DNS records there they just change the
MX and if they're not they just change the name servers and host their DNS for
them and as you point out they're not doing any email pass-through it's just
like you know smash and grab don't care about being detected. But some of these incidents have resulted
in these enterprises spending weeks
trying to evict the attackers.
Yeah, because throwing someone out
who's got domain admin in your windows, like on-prem life,
that's no fun.
And it's a hard road.
But it's still a whole bunch better understood
than throwing people out of your cloud infrastructure.
Because at least you know,
hey, we have to roll the curb TGT,
we have to do these things in a Windows environment.
Trying to even build a map of
how does my identity work in the cloud?
Where do I have to change things?
What bits are security critical?
Which bits have been stolen?
Like that's a complicated process in the best of times.
And mid-intrusion while the attackers are still in there,
you know, mucking stuff up,
is really not the best of times.
Yeah, and figuring out which cookies
you've got to invalidate,
and how you would invalidate them.
And yeah, just an absolute nightmare.
So it looks like, you know,
there's a heavy focus on Australia,
but it is affecting organizations globally as well.
They're not quite sure why they're doing it.
There seems to be a for the lulls component to at least some of these as per CCX.
So yeah, just a crazy one, really.
Yeah, it really is.
But yeah, Dimitri, I wanted to ask you what you thought about this, right?
Because this is, you know, your career was very much around endpoint and whatever.
I mean, this is what it looks like now a modern enterprise gets targeted.
Like it's a whole new world.
Yeah, well, as you know, you know, I served on CSRB and we did a report on lapses and
related groups where you basically had very similar trade crafts, no malware, no exploits, no touching the endpoints, right? Just social engineering. In that particular
case, they're mostly using SIM swapping. This is just a next gen of that, right? You're
not SIM swapping to get the 2FA code. You're redirecting email or hijacking email as is
the case here. Of course, none of this trade craft is new. I mean, DNS hijacking goes back
decades. I remember Melbourne IT hack of New York Times and Twitter,
what was it, like 2013 era hack.
And you've had crypto platforms that
have been hacked the same way, I think, five, six years ago
through GoDaddy.
But this is the case with these teenagers, oftentimes,
in Brazil and elsewhere, that are not
super technically savvy. But if they can do social engineering either
direct into the organization through a supply chain route like the domain
registrar they can do so much more damage than even you know some of your
best ransomware groups. Yeah I mean I wouldn't underestimate their technical
knowledge to be honest because they seem to have a very good understanding of how
all this stuff is glued together. I mean reading through this it reminded me of
geez I don't know was it like five years ago or something when Uber had an
incident and what made that one interesting is people were tweeting
about it and like we had a lot of visibility into what was happening and
it was an incident where like these kids just kept out running the responders and
the vibe on Twitter that day was like a bird had flown into the classroom.
You know what I mean?
Because everybody was just like, oh my God.
But you know, just, I think the thing that's new,
like you point out that, you know,
DNS hijacking is not exactly new.
I think the thing that's interesting here though
is the speed.
Yeah.
And these guys are often so fast,
it's remarkable to watch and so difficult to respond, particularly, you know, when these guys are often so fast, it's remarkable to watch, and so difficult to respond, particularly, you know,
when these guys are basically 24-7
and the security teams are not, right?
Yeah, yeah.
Well, big thanks to CyberCX for providing some detail
on that and letting us talk about it.
Very interesting stuff.
Now, let's move on.
We've got like TTP related news to get through.
Adam, you found this one, which is
Silk Typhoon were apparently rifling through Commvault cloud environments. And this is like a
Commvault's like a backup, isn't it? Yeah, they provide all sorts of backup software solutions.
And this was their cloud product, which there were some attackers in, I think there were some
vulnerabilities in their software. We've seen like they pointed to a CVE that's like
no detail but it's remote code exec
in their web server product.
But interestingly, this was spotted apparently by Microsoft
because their cloud service runs inside Azure
and Microsoft happened to spot weird stuff happening there
and then told Commvault, hey, did you know
that there's a bunch of Chinese APTs all up in your business rummaging around, stealing keymat and whatever else.
Commvault have said that customer backup data wasn't impacted, but I mean,
I don't know what else you do when you're in an environment full of backup data.
Yeah, I mean, an infrastructure as a service provider actually doing some
useful detections for a customer seems to be the most amazing thing about this.
But yeah, that one's pretty much self-explanatory.
Now the next one I want to talk about a little bit more is actually a piece from our colleague
Katalin Kimpanu.
It's a bunch of companies have sort of come together and raised the alarm on the fact
that fishing crews are now using SVGs, right? A lot. It represents something
like 1% of fishing and it's on the up. And you know, until recently, I didn't
fully understand what an SVG image was. And you remember, Adam, we talked about
this like a few months ago where you were explaining to me that an SVG, okay,
so it's like, you know, it's like a vector image format.
Sure.
But you can also stuff all of the horrors of like active internet content, you
know, JavaScript and whatever into them, which means you can kind of get cross
site scripting primitives in an image, which you can embed in an email, right?
And that, that seems to be what's happening here.
Yeah.
I mean, essentially SVG is to images
what HTML is to text.
So it has all of the functionality of HTML
because it is basically a superset
or it's XHTML like HTML is.
But yeah, you can stick JavaScript in there,
you can reach up in some cases into the surrounding DOM
of the browser that's rendering it. It really is a whole web document format that just happens to be for images.
And the way I keep thinking, for some reason, the thought that I'm stuck
with is it's like my space in a GIF.
You know, exactly right.
You can, you can do almost anything you want.
And for most people it is like you said, it's just an image format.
Why do I have to think specifically about it?
And places that accept image uploads,
might say you can allow JPEGs and PNGs and SVGs
and not think about it twice,
but safely handling SVG images is the same as,
I would like you, my untrusted user,
to upload an HTML file,
and I'm gonna stick it in
and render it in other users' contexts.
And that should be absolutely terrifying,
but that's exactly what an SVG is.
So it makes sense that it's being abused.
As to what to do about it, I mean, option one is,
you know, rasterize those SVGs out to a proper,
you know, raster image format somewhere before you use it.
Why couldn't you just filter out SVGs?
How many legitimate emails actually have
SVG traffic in them?
That's the other option is just throw out SVGs,
but unfortunately people use them for like company logos
because the designer has made that beautiful vector,
arbitrary scalable logo, and people don't want it to be like
aspect ratio squished in their mail footers
and they're not meet corporate branding guidelines.
So yeah, it's a mess.
But I mean, couldn't you have a vector image format
without allowing it to be stuffed full of like XML and JavaScript?
You totally can't.
You know?
Yeah, there are other vector image formats.
It's just we got the web one.
And unfortunately, the web one is the nasty one.
Yeah, Dimitriri you had some thoughts
Well, look I started out my career in email filtering back 25 years ago
So I always have a soft spot for these criminals because they're so incredibly innovative, you know breaking through spam filters breaking bays
filters breaking
Word based filters with image spam and so forth
So this is just the latest iteration of that,
using basically images as code, as Adam said.
But there's countermeasures to all of this,
and I think some of the more advanced filtering companies
are able to detect it fairly quickly,
because as you pointed out, Patrick,
there's image that is encoded in SVG,
and then you can look at other things that it's trying to do
where it's basically a self-contained phishing delivery platform, right, and has a lot of other
links and HTML and so forth that you can determine as malicious. So if you've got a modern filter,
I don't know why it would struggle with detecting this. Well, but I mean, where do you apply the
filtering, right? And this is a problem for all of the email companies
at the moment, where people are putting
their phishing campaigns behind,
like Cloudflare Turnstile and Captures
and all sorts of stuff, right?
So, you know, ultimately the place to deal with
is gonna be in the browser.
Yeah, but you know, these images are actually
being sent as attachments, I believe, right?
Yeah.
Within the email.
So you are able to filter it out
just doing the scans of the emails content.
Yeah, I mean, now, right?
I'm worried, like, I don't know.
I just see, you see a story like this,
and sometimes something like this bubbles up
and then it goes away.
And then sometimes something like this turns up
and it's a starter's pistol,
and in a year from now you're talking about
the great 2026 internet SVG
meltdown, right?
So let's hope that's not happening.
Now to some happenings.
This is a great story.
I love this story.
Brian Krebs has written about the latest DDoS to hit his website.
The last one, which was a tenth the volume of this one, was enough so that
Akamai, who had been providing him with DDoS protection back then, actually said, would you
mind finding another host because you're starting to present some problems to the integrity of our
network and our ability to protect other customers. The latest DDoS to hit the Krebson security website, 6.3 terabits per second.
I mean, wow.
That sure is a lot of UDP.
And fortunately for Brian, he is running on Google's DDoS prevention platform.
They have one that they use for, you know, like public interest stuff or whatever, which
is perfectly capable of syncing six terabits of bandwidth apparently,
although they did say, Google said this is actually the biggest they have seen as well
when they were comparing notes with Cloudflare.
And it seems like it's the same botnet, same crew that were responsible for Cloudflare's
biggest one, which I think is the biggest full stop.
So yeah.
Brian, of course.
I just love how if you're in D dos like the equivalent of popping calc is to
Is to D dos Brian Krebs website and it's great advertising as well because you you D dos his website and then he writes about it
Yes, this is literally what I found most fascinating. They weren't trying to take him down
This was literally a test it's sort of equivalent of peeing local host or print hello world and coding, right?
You're gonna use Brian as a punching bag because he's so well known and notorious of course in the cybercrime circles. I mean he has
such a odd relationship with those circles as well because you really do
get the impression that the people in the underground like quite like him and
you know they all read his articles and stuff so but then he goes into this
whole section where he writes about like the guy behind the botnet who's some
young guy probably in Brazil called Forky who claims like, Oh, it's got nothing to do with me. I haven't
done this stuff for years. And then Brian's like, well, what about these posts from like
December last year? And he's like, well, you know, I'm not sure they like him. I think
they have begrudging respect for him. Yeah. What he's able to do. Yeah. It's a complicated
relationship I guess is, uh, is what I'm getting at.
Now let's turn to this piece.
Look, this has been going on.
We could have reported on this last week,
but it sort of slipped through
because we had other stuff to talk about.
But John Grieg has a report up at the record
about this telco in the Midwest called Cellcom.
And Cellcom has had some sort of incident
which has affected like voice and text for its customers but the crazy thing is it's like ongoing it's been going a while and
it's actually affected the ability of their subscribers to port out to other
carriers so they're just sort of stuck with a service that they can't use and
they can't even port out their number like that's a bad situation for the
company and their subscribers because surely you would think once they restore service a lot of people are just going to churn away
from it.
Yeah, there seems to be like a small kind of like family run regional telco.
I think I've got about 300,000 subscribers, so like pretty large nevertheless.
But yeah, they are definitely having a rough time.
The CEO put out like a YouTube video video like talking pretty candidly about their problems
and saying nice things to their customers but it's going to be a must be a rough day
at the office they're trying to deal with.
The CEO was sending thoughts and prayers right?
She did a pretty good job of being heartfelt and honest and you know of CEOs of telcos that
I have seen apologize for outages. It's amongst the better ones.
But yeah, it must be rough being their customers.
And we haven't seen any particular details
about what it is, but it feels like someone got in
and ran some weird deleted bunch of stuff
or locked up a bunch of stuff,
because they're having a rough time.
Yeah, I mean, you had a reaction to this one, Demetri.
I remember when you were reading through the news list,
you were like, wow.
Well, they're talking about impacts to customers,
missing job interviews, missing calls from family members.
They're really important, right?
And I just have a hard time thinking
that this company is going to survive,
or is it going to be just a Shalva its former self?
Post this, because imagine your customer that
has had that type of impact, that's been without a phone
for days on end.
Are you really going to stick around and hope that next time they'll do better when you have other options? Imagine your customer that has had that type of impact, that's been without a phone for days on end.
Are you really gonna stick around
and hope that next time they'll do better
when you have other options?
So, this might be one of those cases
and they're usually few and far between,
but where this is an existential threat to the business
in the case of this ransomware outage.
Now, they are not the only people having problems
in their data centers.
Let's talk now about the Luma or Luma Stealer,
however you want to say it.
This was a bit of malware that relied on a bunch of domains.
It's been around for quite a while.
Microsoft took part in a law enforcement takedown
of this botnet.
There was another one too
that we'll talk about in a moment.
In fact, it's one of the only weeks you can ever say
it's been a bad week to be a cyber criminal
because there's been a lot of law enforcement action.
But what's really interesting about this one is
these guys got RMRF'd and all of their domains seized
and just had a really bad time.
But what's been interesting is seeing the people
who actually operate the botnet sort of pop up
with a post-incident review.
And what's crazy is they're like, yeah, okay.
So our whole server got nuked.
So we spun it back up and put extra logging on and it got nuked again,
and it didn't turn up in the logs. So now they're thinking they got, um,
popped through some sort of vulnerability in like, I, drac, right?
Which is like data center stuff. Adam, talk us through this one.
Cause I know that this type of hacking is near and dear to your heart.
Yes, it certainly is. Yeah, it, um, it seems like, uh, so the FBI shelled their box somehow, put up a phishing page, uh,
searching for, you know, trying to lure credentials and IPs, uh, from their users.
Apparently, we'd also try and turn on the webcam so the FBI can, you know, snap the traditional pick out the webcam of whoever they hack.
And I'm sorry, just a second though.
Like how, I mean, you know, how dense do you need to be as a cyber
criminal who is now logging into essentially a phishing page?
Like when are you going to log into your criminal portal, right?
As a criminal, where you're going to do crime and then it asks you for
permission to turn on your webcam. Who clicks yes? But anyway, sorry.
Even if it's not law enforcement doing it, but your vendors in the cybercrime area who can now
use it against you for blackmail. But that's my point.
Not a good idea to say yes, right? What? Anyway, continue, Adam.
Anyway, so their stuff was hosted in some kind of bulletproof hosting somewhere, well
out of reach of law enforcement.
But it appears that law enforcement had some bugs in the Dell iDRAC lights out management
system and we're using that to get in is what their assertion is.
I, as you say, I have enjoyed some other vulnerabilities in lights out management systems over the
years so that seems entirely reasonable. Obviously, if you can get into the lights out management systems over the years of that and seems entirely reasonable and
Obviously if you can get into the lights out management, you can do anything you want
You can boot the server off disk. You can mount USB sticks, you know, virtually across the network
You can you've got you know, it's like you're standing there in front of the server itself
So it's a great place to go and do hacking
It sounds like it was so they the limousine admins
It sounds like it was, so they, the Luma Steel admin said
that the DRAC interface was connected to a whole different network somewhere else.
So, you know, we have seen law enforcement break
into bulletproof hosting providers and kind of,
you know, rummage around and do things.
But either way, it's quite fun watching them have to,
you know, pull that thread and figure out how they got hacked
or law enforcement or whatever we're you're going to call it.
I mean, I just think they're lucky it wasn't ASD behind this one because ASD
went and nuked an entire bulletproof host.
Like they didn't just take down one box.
They just torched the entire thing.
So I guess, Dimitri, why do you think they kept this, the RMRRF shark so tightly
leashed during this operation?
I mean, that seems like
more of an FBI approach doesn't it? We'll just stay on this one target instead of raining
hell on the entire thing.
Yeah, I mean usually you have corridors around certain things so it's tightly defined in
terms of the scope of the operation so they can't necessarily deviate from it. But you
know the the the funniest thing I saw in that post in Russian, obviously
from the cybercriminal, I think all three takedowns we're talking about are
Russian cybercriminals of course, but the last line that he had is that yes we
got access back to the server, we turned off iDRAC, but I do think they have other
cards to play so we will have future notes for you, stay tuned. Yeah. They
appreciate that this is not over. Yeah, they're like these guys have game and I will just say, you know court orders court orders of the cowards Dimitri
Come on, let's let's go, you know for G men. That's right. Come on G men
Get that get that RM RF shark, you know
Shark let it do its thing now look as you just alluded to there's been a bunch of other takedowns as well,
including, what is it, DanaBot,
which is another malware family.
This one's been taken down.
What if there've been arrests or there's just domains down?
Like, there's so much going on.
Adam, walk us through it.
Yeah, so this one was a joint law enforcement operation
called Operation Endgame 2,
and it took down a whole bunch
of botnets, which DanaBot I think was one of the bigger ones.
16 people arrested and a bunch of domains and other infrastructure seized.
So we've seen this kind of thing happen a lot, but it's been a very busy week for being
cyber criminal, running botnets, running infostealers, that kind of thing.
So yeah, rough day in that particular crime ecosystem.
The interesting thing here is that, like in past botnets emanating from Russia that we've
seen, there was an espionage variant where they were targeting diplomatic communications
and particularly looking at countries' communications with the United States and the two leaders obviously
are from Russia but one of them looks on Artyom Kalinkin actually works for
Gazprom as an IT professional his Facebook profile I loved mafiosi was
was the actual nickname not not very subtle but the fact that he works for
Gazprom obviously state-owned gas company in Russia,
makes you wonder of how he got connected with customers or perhaps people that are his roof, his krisha,
as they say in Russia, protection, in law enforcement that are also giving him taskings.
Yeah, so it was an interesting aspect to this where you've seen multiple botnets over the years
where they've been doing crimeware and then all of a sudden there's like a forked
version which is designed to do espionage and this was certainly one of them.
But you know, this is not exactly what you would call the espionage A team because according
to this piece from Krebs on Security, from Brian Krebs, the way the FBI was able to unmask
some of the operators of Dana Bot is because they accidentally infected themselves with their own malware
Which is you know, all right who hasn't done that? Yeah, it's just happens to the best of us among us, etc
And yeah, we've also seen our dear the DOJ unseal charges against the
people behind the quack bot, quack bot, QAK.
Quack bot, yeah.
So yeah, just like a lot of law enforcement action
over the last week.
And also another one, 270 dark web drug traffickers
have been arrested by American and European officials.
A whole bunch of stuff taken down,
144 kilograms of fentanyl or fentanyl-laced narcotics,
and 180 firearms confiscated. So just so much happening. So much happening.
Yeah, the QuackBot one is interesting because this has been around for a long time. You guys,
I'm sure remember it. You know, apparently it was created back in 2008 days, right? So you have
almost two decades of non-stop activity from this guy, Rustam Galyamov, another
Russian that created it.
So for him to get caught, or at least identified and indicted after such a long career, actually
tells you that he was probably quite good.
Now we finally got some closure on the Baltimore ransomware attack.
Now this was a big deal when it happened back in, when was that, 2019, where, yeah,
it was like the city's network got ransomed.
And one of the reasons this one made such big news
is because the New York Times incorrectly reported
that the way that this network was hacked
was using Eternal Blue, which was a leaked,
like, you know, Shadow Brokers exploit or whatever. So, you know, shadow brokers exploit or whatever.
So, you know, this was just massive news at the time.
An Iranian national has just pleaded guilty to conducting that attack and
mysteriously has pleaded guilty in North Carolina where he was arrested and the
Bulgarians have been thanked by American authorities.
And no one's really quite saying how he wound up in North Carolina,
but Adam, walk us through this one.
Yeah, there was a number of people that were kind of tied up in this
particular thing, and they were all located in Iran.
And it's kind of funny that this one guy just, you know, pops up for no reason
and then pleads guilty in the US courts.
He's facing up to 30 years in prison
when they hacked Baltimore.
I think they asked for what, 13 Bitcoin,
which at the time was like $70,000,
which seems so quaint by modern ransomware standards.
But yeah, I mean, it caused a whole bunch
of disruption at the time.
I don't know that we had seen these days attacks
on city administrative, local government or whatever.
It's pretty workaday common hack.
And but back then this was a big deal.
So the wheels of justice turned slowly,
but for this guy they've definitely turned.
And I'm interested to see if there is a story
behind how he ended up in the US
or whether it's just something dumb
like he went to Disneyland.
Well, I think, I mean, just reading between the lines it reads to
me like maybe the bulk he was in Bulgaria the Bulgarians arrested him and
you know he was extradited or whatever but it is a little bit light on the
detail. Do you think there's anything more to it there Dmitri or is it
probably just something simple like what I said? It's hard to say the DOJ thanked
Bulgaria for providing evidence and helping collect evidence,
not necessarily for extradition, which presumably they would have done. But,
you know, what is interesting about this crew is that they seem to have been particularly focused
on local municipalities. It wasn't just the city of Baltimore, but city of Greenville,
in North Carolina, and in Oregon, and New York, York and elsewhere where they've targeted this.
So they seem to have realized, hey, cities providing vital services like garbage collection
and 911 and healthcare ambulances, et cetera, are really prime target for ransomware pretty
early on.
Obviously nowadays, as Adam said, it's common practice.
Yeah.
I mean, I do find it interesting that in this John Grieg piece from the record,
the last line of the story is, the DOJ did not respond to requests for comment about
when he was arrested or if he was extradited. So it is like there's just this lingering
little air of mystery about exactly what happened there that I think is interesting.
Now in a sign of the times when this story first appeared in our news run sheet, Adam removed it.
Because, eh, you know, it happens all the time. And I'm like, man, we've got to put this one back, given the amount of money involved.
Some decentralized crypto platform called Cetus, C-E-T-U-S, got 233 million bucks worth of crypto
removed from it.
I mean, I think that's, I mean,
I know there's crypto attacks every day,
but I think 223 million dollars being stolen from a DeFi
platform is still kind of newsworthy, Adam.
Can we just admit that crypto is now
just a wealth transfer mechanism
from rich countries to North Korea?
Isn't that all it is now?
Well, and to answer some criminals too, I mean, you know.
Sure.
Yeah, the criminals taking the cut of the North Koreans'
money whilst they're laundering it.
But yeah, I think when we were going through the run sheet,
I said, look, mate, I don't get out of bed
for less than a billion dollars worth of crypto stolen,
like 200 million per share.
That's not worth the column inches.
Next year, 11gillion dollars was stolen. I just find all of this really interesting.
I think the most interesting thing, the buy-bit attack, of course, that was what, 1.4 billion
dollars in crypto. I mean, that one was just so interesting given the way that it unfolded. I
mean, this one looks a little bit more workad day. I did really appreciate when I later did a sponsored interview with someone from Trailer
Bits who's really, you know, knows a lot about all crypto stuff. And I asked them, was the way
Bybit managing this stuff kind of standard in the crypto industry? And they just said, no.
So I think there's probably ways to operate these exchanges and platforms which don't
result in hundreds of millions or even billions of dollars going missing, and it would probably
make sense for those companies to adopt those methods.
Yet another one from John Greig here, he's just done a little bit of follow-up reporting
on the Coinbase breach and we've got some numbers there, which is 70,000 users have been impacted.
Dimitri, this one seems to have connected to you because you say you've been getting
just since this breach just absolutely insane amounts of crypto phishing like Coinbase related
phishing attempts to your phone and email because you had an account there a million years ago and
you're like you're like a no coiner who just happened to be in this data set.
Is that what we're guessing?
Yeah, I don't own any crypto for the record for the listeners out there.
Don't come and chop Dimitri's fingers off.
He does not have any crypto.
But I did have an account back in the day just to play around with it
and see how it works and so forth literally over a decade ago.
And it is annoying.
I was wondering about this because for the last month, works and so forth, literally over a decade ago. And it is annoying, I was wondering about this
because for the last month, month and a half,
I've been getting daily nonstop phishing emails
about my Coinbase account was hacked,
give a call to this number or withdrawals in process,
or you got an authentication code,
if you didn't request it, give us a call,
a variant of one of those messages at least once a day,
sometimes multiple times a day, sometimes multiple
times a day.
So I don't know if it's directly connected to this breach, but it certainly seems quite
coincidental.
Well, I mean, what I wonder about, right, because you sent me some of the text messages
that you were getting, what I wonder is, like, if it's one threat actor who has this data
set, they're kind of overdoing it with the phishing attempts, right?
This would suggest to me- It's annoying at this point. actor who has this data set, they're kind of overdoing it with the phishing attempts, right?
This would suggest to me...
It's annoying at this point.
Well, and that's the thing.
Like, given the different phrasing, different structure of the messages and the fact you're
getting so many of them, I wonder if maybe quite a few people have this data set now.
Yeah.
They probably sold it or it got leaked and lots of people are now trying to take advantage
of it.
Yeah.
And don't forget, we should not forget that included in this data set are transaction histories,
balances, and home addresses.
And that is a dangerous thing.
We alluded to that last week when we were talking about all
of the people who are being sort of tortured
and having various bits of them chopped off by criminals
in an attempt to extract their like passphrases and whatever.
We've got, and just as soon as we put down last week's show,
I think a day later, this crazy story broke out in New York
where this cryptocurrency investor
apparently kidnapped a guy and was torturing him
over a period of weeks in a townhouse in New York.
Eventually the guy managed to break loose.
He told the guy, okay, I'll give you my password.
It's on my laptop in the other room.
The guy went to get the laptop. He ran out the front door,
managed to flag down a cop and he's okay now. What I find fascinating about this story though,
is that this guy who was like 28 years old or whatever was being tortured for weeks and
did not give up his crypto. Adam.
That does seem a little bit extreme. Would you have to go to like, you know,
special forces, you know, search and evasion training
just to be able to responsibly hold your crypto wallet.
I mean, the whole crypto ecosystem
doesn't feel particularly good.
Like it's not a good time to be, you know,
in charge of a lot of crypto.
And like, I'm amazed that this guy, I mean,
I guess what do you do, right?
It's not like you can make up a fake password because it's gonna test it straight away. So like yeah, I don't know
I don't know how you do. How do you deal with that?
We just you just be ultra hardcore like this guy
Yeah, I feel like there's more to this story though
Like that because the two are known to each other like I wonder if there's some sort of business dispute and the guy who was
Like wrench attacking him, you know
He apparently has been,
I think he's been denied bail
because he has access to a private jet
and stuff like this.
So you're just like, why are you beating a guy up
with a wrench and trying to get his phrases?
Anyway, Dmitry, you had something here.
Well, I just wonder how competent he was as a torturer
if it took him weeks and he didn't get what he was after.
You know, wasn't it simpler to just hire some Russian gangster
and get the stuff in a matter of minutes?
I mean, they know how to do torture, unfortunately.
Yeah, I mean, you know, what's wrong?
You know, don't you know how to water?
Bro, do you even waterboard?
I think is the vibe here.
Bro, do you even?
All right, so we've got another one,
yet another one from the record.
Great coverage from the record this week.
Darina Antinuk has written about Vietnam banning Telegram inside Vietnam.
Now, Dimitri, you and I had a bit of a chat about this before we got recording and you're like, what do you think about this, you asked me and I said, this feels like Telegram doing crime stuff. It's a convenient excuse for Vietnam to ban this because people are spreading
like quote unquote subversive material over Telegram.
I mean, it's look, it could be over genuine concerns about crime, given the
amount of cyber crime and fraud happening in that region.
It is a good reason to ban Telegram and yet you can't help but feel that perhaps the government there is
concerned, is motivated by other things. That's what it feels like and you know
of course Telegram and Dura for claiming that they have been cooperating and doing
takedowns you know who knows whether that's true or not and how aggressive
they were. Of course Telegramgram, as we all know,
is a kind of run by shoestring type of operation,
so even if they wanna cooperate,
they don't have that much staff
to actually respond quickly enough
to a lot of these abuse complaints.
But I do tend to agree with you.
Vietnam, very, very serious about content filtering,
very serious about suppression of any information that's not allowed within the
country, obviously run by a Communist Party, and I think that probably has more
to do with it than just the fact that they host some dark market telegram
channels. I mean I hear you and I have a foot in that camp, but I also have a foot
in the other camp which is you know the, you know, pig butchering stuff taking place in, you know, Cambodia, Laos and Myanmar is equivalent to 40% of the GDP ofise the region, right? Because you might wind up with this underground economy kind of corrupting those governments.
So I can see that there is also a very good legitimate reason to do this.
I mean, Tom Uren and I, our colleague Tom, we write Seriously Risky Business,
we did a podcast last week where we were talking about the takedown of one of these telegram markets,
which had 900,000 people involved in it, you know, and was just doing tens of billions
of fraud. And you just sort of think, I don't know, I sort of feel like if you're the Vietnamese
government, you kind of get two birds with one stone, I guess. What do you think, Adam? A minute. If you can do both of these things, like why not? You know, I imagine their interests line up,
but it may also be a case of, you know, they can shake someone down for a bribe to turn it back on.
Like maybe it's a triple whammy of win for, you know, whoever's responsible for regulating it there.
So yeah, it's kind of hard to say.
I don't actually know what the corruption
situation is like in Vietnam, because it's really funny,
because you get this situation where
in some of those countries, with old school communist
leadership, corruption is rife.
And in other ones, if you do anything corrupt,
you immediately get shot.
It's pretty pervasive in Vietnam.
It is?
Yeah.
Yeah, yeah, yeah.
All right, so let's look at this Reuters piece now
by Ajay Visen and Rafael Sata.
Last week, we talked about the leak of the, well, not leak,
the DDoS secrets, distributed denial of secrets,
getting their hands on the data breached from telemessage
scraped through some API endpoint that would give you a heap dump,
because that's what you want when you're running a secure
messaging service.
As we said last week, we were expecting that other media
would do a deep dive on that data and rummage around in it
and see if there was anything that interesting in it.
According to this piece from Reuters,
nothing too sensitive in it, which
is kind of what I expected, if I'm honest.
Yeah, you get the impression that they probably pulled the plug on this pretty quickly,
and the dumps that we were, that the Lost Secrets had access to, were from a pretty limited time window.
So clearly anyone who knew about this and had been doing this since TeleMessage started up
would have been able to see message contents
and stuff was going past.
But this particular dump,
other than kind of confirming through metadata
that there are phone numbers of people
in positions of power in the US government and other things,
we haven't seen much in the way of message contents.
There are some like group names and stuff
that give us hints of the nature of the conversations,
but nothing we didn't really expect.
Yeah. And I guess, because we had a little internal meeting about this when this data
was first made available to researchers and journalists, where we had a line, I think,
in some of our coverage in Risky Bulletin that said the data will contain private conversations
from senior White House officials. And we had a bit of a discussion about, well, we
don't know that.
And it looks like it looks like it didn't.
I mean, you would imagine there would be some size of relief
in the White House over this, Demetri.
But also, I mean, you just got to wonder at this point if,
you know, foreign intelligence services were exploiting this service
prior to it being publicly exploited.
And there's no real easy way to know that.
Well, this is the big issue I have with this story,
is that, OK, there's nothing totally valuable in this dump,
but the reality is that these servers of TeleMessage
are incredibly vulnerable.
And it's not just through this one vulnerability.
I've been hearing for weeks from other researchers
that have been looking into this of all kinds of issues that they've been discovering
with this platform so it's just not a platform that I would feel comfortable
any USG official really using for secure communications yes I'm classified but
nevertheless potentially sensitive even the subject of a kind of a group name
can be sensitive right if it talks about upcoming military action
or what have you, as we've seen in the past.
So I do have broader concerns
about this particular product.
I understand why it's been used.
You want to make sure that you preserve archives
of these messages to abide by legislation
that requires you to preserve communications,
but there's gotta be other options.
And if they're on, someone should build one.
I mean, I'm just sorry right now to make such a middle-aged point.
But to me, this seems like the big problem here is procurement,
because there are other options.
You've got Wicca, which is now an Amazon product, which I'm guessing
is not going to have the same issues.
I'm sure there's going to be stuff.
If you test it, you'll find stuff that is less than ideal.
But this was a clown show, this app, right?
So I just sort of wonder, like, in what world does an agency,
like I think CBP was like one of the agencies that
was using this, in what world do they opt for that app
and do absolutely zero sort of due diligence
in trying to figure out if it's any good, right?
So that's the thing that, and I think this just ties in,
government procurement is hard, right?
You know.
But it's also how it's done, right?
And I guarantee you that they probably did request
all kinds of security paperwork, FedRAM compliance, right?
All kinds of checklists that this company
did provide to them that didn't matter a whole lot
because there was no pentesting of the platform clearly or they
would have found a lot of this stuff and this is just a general problem of how
government procures and determines whether something is safe or not. It's a
checklist approach not an approach that's focused on really figuring out if
this is a secure solution or not. We finally found a case where pen testing
would have been absolutely 100% critical and useful. I remember being on a call with the
leadership of Exellion after we found some remote code exec bugs in the
file transfer product and they literally said, but we have FedRAMP, how is
this possible? I said, well I don't know what to tell you buddy, I got a shell on your
Exellion. To be clear, they weren't know what to tell you, buddy. I got a shell on your Exeleon, you know.
To be clear, they weren't your customer,
which is why you're talking about it.
You did that research off your own bat,
just in case anybody was confused.
Now, look, just to tie it off, this week,
we've got a piece here from Cybersecurity Dive.
I think it's following up on some reporting
from the Washington Post.
We also reported about this as well.
But basically all of the senior leadership at CISA have left the agency, some political appointees, some not, I think.
But you know, there is a massive exodus of senior leadership at CISA.
I mean, you know, what do you say about that? I think there's a lot of people leaving the federal government at the moment.
Yeah, there certainly seems to be some concern amongst the workforce left at CISA about the vacuum of so much talent and so much experience. Because some of these are people who've been
before CISA was CISA, back when US CERT days, that kind of thing. So it is definitely going to leave
a bit of a hole in their capability. And I think everyone's a that kind of thing. So it is definitely gonna leave a bit of hole in their capability and I think everyone's a bit
kind of worried about what that means
because it's not a great time to be gutting
your cyber security defense teams,
given the geopolitics and all that.
Yeah, and we've also got a story here
from the Washington Post about the National Security Council,
the staffing at NSC just being completely gutted.
What's going on here, Dimitri?
Well, look, I think this one is a little bit different
from the other stories about people leaving
the federal government because the NSC, of course,
is a vital White House organization
that really serves at the pleasure of the president.
So everyone who is there,
whether they're political appointees
or detaines from agencies,
are there to execute the president's agenda.
And the president, frankly, has a right to decide who he wants there, whether someone
he thinks is loyal to his agenda or not, or is going to stand in the way of executing
it.
And I think it's also fair to say that the NSC has gotten way too big over the last decade
during the Biden administration.
I think it reached its peak of well over 300 personnel and the process had become the thing that they focused on versus versus actually
solving the issues. And you know, for better for worse, President Trump, you know, believes
that he is the guy that's actually making policy, not his staff. And he just wants people
to implement it. So they're basically cutting it down dramatically and saying, you know, the tweets are the policy,
you guys ensure that the agencies execute them,
but I don't need you making policies anymore.
I mean, we are looking at, I mean,
towards the end of Biden's presidency,
the policy staff, there were 186,
according to Washington Post.
And, you know, under George W. Bush and Barack Obama,
they were at 204 and 222 respectively.
So this is a change, right?
Like it's, it's, it's, it's a pretty significant change going, like it's
going to be smaller than it has been in recent decades.
Um, I think this is a thing where this is a conversation that comes up
regularly in risky biz internally, right?
Is when we're reporting on US government stuff,
you gotta be careful not to have that reflex
which says that everything Trump does is dumb,
because he does a lot of dumb stuff, right?
And you gotta resist the urge to say,
Trump's doing it, therefore it's stupid.
But, you know, and sure, you know,
streamlining the NSC could make sense,
but you sort of wonder if this is the right time to cut down the number of
NSC staffers given everything that's happening in the world. Adam, what are your thoughts on this?
I mean, I think actually having expertise involved in decision making, you know, like proper experts
that study, have time to study and have the resources to go and make good choices is always
going to help. Now the NSC's role is kind of less about that sort of, it's more about
how it gets implemented. But at the same time, like the more expertise you have in these
things, the better I feel.
So I just don't understand the rationale here because the savings for government, we're
talking about like, you know, going from like 200 and something to like 100 and something, or, you know, maybe down to as few as 60. You know, this is a trivial dollar saving in the context of the US government. So, you know, I just kind of wonder what the advantage is here of removing policy experts from something like the National Security Council. Yeah, it does seem a strange place to go cut, you know, what's like, you know,
half of an F-35 worth of, you know, worth of budget in the context.
So, yeah, I just, I would like us to bring science and expertise and thought back
into, into policymaking, but maybe that's just me.
Well, on that note, guys, we're going to wrap it up there.
That is the end of this week's news segment.
Thank you both so much for joining me to discuss this week's news and Adam will do
it all again next week.
We certainly will, Pat.
I'll see you then.
Thanks so much, Pat.
That was Adam Boyleau and Dimitri Alperovic there with a look at the week's security news.
It is time for this week's sponsor interview now with Haroon Mir who is the founder of
Thinkst Canary.
Canary for those who don't know, they make great little hardware honey pots you can put
in your network that can let you know when attackers start interacting with them.
They also do amazing stuff around Canary tokens. Very, very great, you know, great tools, great company and Haroon of
course has been in the industry for a very long time and is somewhat of a
thinker. And Haroon was at the RSA conference last month and he has
thoughts and feelings about the way the industry is doing certain things. In
particular, he says the amount
of investment and attention being given to AI doesn't quite necessarily make
sense just yet and a lot of this stuff is going to turn out to be useless. He
joined me for this interview where we discussed all of that. Here he is. Part of
the reason I think people used to throw stones at the RSA trade show thing becomes very clear when
you see how AI dominated this year which is I think for sure AI is one of those life-changing
things like LLMs have been magnificent, we discover new stuff all the time, but I question
how much we understand the problems we've already started selling
solutions to.
There's a lot of people talking about selling AI solutions when I don't know that we've
understood AI problems well enough yet.
And again, I'm not a troglodyte, like I don't think people shouldn't be playing
with it. I think researchers should be knee deep in AI stuff. We're playing with a lot
of it internally. But like A16Z used to talk about backing founders who lived in the idea
maze long enough, like they've experienced these problems. And all the people currently selling solutions to Gen. AI problems, like we haven't even
seen what Gen. AI is in the enterprise yet.
Yeah, we haven't built the maze yet.
Now, like I would agree with you that a whole bunch of startups talking about solving like
Gen. AI security problems, that would be weird. I mean, there's a couple of startups talking about solving like gen AI security problems that would be weird.
I mean there's a couple of startups already, we had one of them in Snake Oilers, can't
remember their name, they're doing cool stuff though, you know, just stuff you need.
Like you know, tools that'll stop your AI customer service agent from saying insane
things and dishing out people's social security numbers.
Like there's already some products in the market that are needed around that and they are solving very much understood and present problems. But where I'm seeing
most of the AI stuff now is people applying reasoning models and LLMs to some pretty concrete
existing problems in InfoSec and that's where I'm interested in AI.
So I think it's interesting as an investor, but I think one of the things that people get, for example, like we pitch Canary as a solution, and we've never had to tell anyone that we use a vector database in the back to help our decision making, or we've never said we use Redis instead of MySQL.
instead of MySQL. Using LLMs as a back-end technology to help us do our stuff actually shouldn't matter to people. What matters is are we solving a problem and InfoSec gets hung up on
the stuff for a whole bunch of perverse incentives because if they say they're doing AI stuff,
they'll attract a whole class of investors which will attract a whole bunch of money.
And what I see more and more recently is it's not just attracting investors because you
know, I've been kicking VCs for years.
The problem goes deeper, right?
You get these big established InfoSec companies and now they're playing a different game because
what they need to do is convince
the market that they're still hot and worth it.
And the way they do that is by either playing with new technology or buying the latest technology
company.
And so what you're starting to see or what I'm becoming more and more aware of is these
big platform play security vendors every few years have to go through the hype cycle
and pick off the top three people and two years later they sunset those products because they
weren't really a thing but it's worked for them because they get to say yes we're doing something
in the agentic space we bought x company, we're doing something in the source space. We bought so and so. They get their market pop. The market is happy. But what
it means again is just this flood of uselessness and noise in the market.
Oh, there's like, I'm waiting for the point where we disagree because there is
an awful lot of stuff out there where they just slap the old sticker on it.
You know, you can fit, you know, tap on the lid.
You can fit so many LLMs in this bad boy.
Exactly right.
You know, like that, that is a hundred percent of thing.
And, but I mean, that said, I think that the future, like, I just caught up with
a mate of mine who's like a tech executive working for a company in here in Australia.
And, you know, he just went down and got a demo from Microsoft of what they're doing
with AI.
And it blew his mind.
And when he was telling me about it, blew my mind as well.
Like this stuff is coming.
So I'm sort of not surprised that everybody's trying to find a way to be an AI company because
everybody's going to be an AI company soon and for good reason.
But I think, you know, to your point,
a whole bunch of these people are just going to get wiped out, right? Yeah. So for me, and again,
I think the value in the idea maze, like one of the fundamental problems that I think InfoSec,
when you look at products and companies has had, is over-promising and under-delivering.
companies has had is over promising and under delivering. And part of the reason is that these incentives work for them. So show up at RSA and talk like you understand this thing
and you get the shiny booth and you get investors and then you actually get an acquisition because
they looking to tell the market that they playing in that space. But the net result is that people are not being rewarded or people are being
adversely rewarded for doing the wrong thing. What you want is people spending
enough time in that space to deeply understand it to come up with solutions
that work. And yeah I think it's one of the, if you take just the example, if you consider that
San Francisco now has Waymo's running all around, those Waymo's aren't a new thing.
Like Google's been working on that stuff for 10 years.
And it's why that stuff is now there.
Most of the real AI set companies showing up at RSA started two weeks ago and the ink
is still wet on their term sheet.
And that's part of the problem.
It's flooding the market with noise at a time when you actually want clarity.
Yeah, but it's not all crap.
No.
You know, like, so if I think of like, if I think of people who've spent time in the
problem maze, right, who are doing stuff in AI, like Edward Wu is a great example.
He's a founder of Dropzone AI, which one of the investors in that business is his former
boss who was the founder of ExtraHop Networks, which is where Ed built the security part
of ExtraHop's product, which sits in socks like this is a problem space he knows really, really well and realized, hey,
if we applied some reasoning models to tier one sock analyst work in a sock.
Yeah, there's goodness.
It's going to work and it does, right? So, you know, here is a place where someone's taken an AI
approach to solving a problem, which is just, you know, alert fatigue, which we've been dealing with
forever and it works.
So I'll tell you for me there's a, and I've thought about this on the spot, so it's likely
to be fraught with danger.
Let's hear your half-baked idea then, Haroon.
You'll notice we've never pitched Canary as deception.
Like nowhere on our site does it say deception.
We don't say we're a deception company.
We say we help defenders win.
We say we catch bad guys before they dig in.
Because actually we don't need to give it the hype cycle name to say here's the problem
we solve.
And if he solves the problem of alert fatigue and socks that work,
they, they solve the problem.
And it doesn't matter that they're using AI or machine learning or LLMs.
Well, but people, people want to know why, how is it, how is it different? How is it new?
So that's why they have to say that it's an AI product,
because it is an AI product.
So again, we didn't have to say we're a deception product, or we don't have to say it. And for
me, and it's not to say that they're not right, like I haven't looked at the product, they
might well be, but I'm saying that's the important thing that as an industry we get wrong, which
is people jumping on the next and you see
it in some ways just from the same people who hop from hot topic to hot topic.
So a bunch of the deception companies went on to be identity security people because
identity was the new perimeter and a bunch of them are now on to machine learning because
or AI because that's the problem and
And you see what they're doing is just how can we catch the next bit of free headlines or mind share or?
budget allocated at a company and
Stupidly the constant hopping like that stops them from ever staying in a problem domain long enough
to actually get good at it and actually solve that problem.
And like I say, in one respect it's tilting at windmills because you end up seeing that system
work for people. But the question is which people it works for. It works for founders who play that
game and then exit, but it doesn't necessarily work
for the market because the market ends up with half-baked products that end up disappearing
every few years.
Well, I'd posit that they only get to exit if something has gone right.
You know, I would suggest that, Haroon.
So I don't think so. Like I've seen a bunch of exits that are, again, like if you follow the 10 and this
is cynical because sometimes the stuff's decent and good and we all win.
But I've seen enough of catch the hype cycle, get the funding, use the funding for big shiny
booth, then big player needs to show they're doing something
in the space and so they make that acquisition
and now you've got the complete life cycle.
And in the mix, you've had lots of sales to customers
who've got now half implemented stuff
that's become abandoned ware
and the market hasn't worn from it.
Yeah, abandoned ware is a good term.
I'm going to steal that.
And it is look, I would say of everything that you've talked about.
I mean, there's one thing that I think is a serious problem, which is, you know, orphaned
products like that, you know, because these people, they've they've convinced people to
take a chance on a startup.
You know what I mean?
Then they sell it off to some big company and then it just gets shelved like that.
That sucks.
It's it's that and look, I that, that sucks. It's that.
And look, I'll tell you, one of the big challenges, like we don't have to tell the listeners,
they'll all know this pain, but distraction and noise, like what problem do I work on
next is one of the biggest challenges for C-cells.
Like they know their problems are X and Y, but suddenly
all the hype is on Z and they've got to start showing something for that. And so I don't
like that stuff. And look, just before RSA, it's kind of funny. I had a chat with an analyst
and we've chatted with this analyst in the past and then saw the analyst report that went out.
And we thought the analyst report was very heavily skewed to a company that partners with those
analysts. And so this year we did the analyst interview and after that I spoke to the analyst
saying, listen, like we are about ready to abandon these analyst interviews, we don't think there's value in it.
But I'm really keen to understand a few things like would you take 30 minutes and just chat
to us?
And the first thing I asked him is, I say, listen, like you guys do this radar of companies,
like you've got two companies listed here as the most innovative in the space.
Like how do you choose innovation? Like I'm not questioning it,
I just want to understand your criteria and there's a little bit of fumbling and a little bit
and so I say okay look let's make this simpler. Like we not in that most innovative space,
for some reason we are newcomers, but I say let's take us like go to our blog,
here's a year's worth of new things we think we've
invented in the space. What have these other people put out in that space for you to call
them innovative and so there's a bit of fumbling because both those blogs are just abandoned
marketing speak and I say okay let's ignore that here's canary.tools slash new like here's the new stuff we've
bought in the last year what have these companies done like like let's go look together at their
changelog for the last two years and bought those companies big companies bought deception products
literally haven't touched the stuff in two years and the analyst then goes like, no, like I think we got this wrong.
And so I say like, but that's like, that's your job.
Like that's the one thing.
That's your job.
And by the same token, because now I'm on a roll, I say like, look, you guys sent us
this questionnaire that says, do you have, like, what are your plans for Gen AI?
What are your plans for agentic deception?
I'm like, who chose those things?
Like, why do you think those things matter?
Because we are playing with LLMs inside, like our research labs have put out a paper.
I see where you're going.
Like, we're going to have to wrap this up, right?
Because we're over time.
But look, I absolutely see where you're going.
Everybody's describing them as an AI company AI company now, because that's the sort
of market expectation. Like I agree with you on that. Yeah, I where I disagree is I think
that, you know, a lot of this stuff is really going to be the future. Probably 90% of it
90% of it isn't right. I agree with that. So again, I think AI and LLMs are definitely the future. But I think if people are hanging a
shingle now saying we an AI ML security company, it's very unlikely that you nailed this so early.
Yeah. And again, people should totally be working on the stuff. People should be knee deep in the
stuff. But are we ready to be
selling this stuff and asking people to trust us on it? Mainly again it's
a question of doing stuff right and doing stuff long enough and look some
problems are low-hanging fruit and they should be grabbed and worked on now but
but more than anything else it's our complete comfort with just grabbing the new headline
and trying to flog it.
Look I'm working personally with a bunch of companies that are using AI.
In fact, earlier I told you about one that I'm doing some stuff with at the moment.
I explained the whole business to you.
It's an AI powered company and I didn't actually mention AI at all.
And that's when it wins.
Because that's not the interesting thing about the business, right?
Exactly. So I's when it wins. Because that's not the interesting thing about the business, right? Exactly.
So, you know, I'm absolutely with you.
And funnily enough, we're actually building out the Risky Business Wiki, which explains
in very simple terms what vendors do.
So it's a vendor Wiki where we're going to hopefully launch that in a few months.
And you know, we feel we need to step in because there is so much nonsense out there about,
well, we're an agentic this or that.
And you know, it's like, no, actually just tell us what you do. But, yeah. Thank you, Haroon,
for joining us on the show to make very good points, which you always do. And great to see
you, my friend. And I'll look forward to chatting to you again soon. Always cool. Thanks, Pat.
That was Haroon Mir there from Thinkst Canary. Big thanks to him for that. And you can find
Canary at canary.tools. But that is it for this week's edition of the show. I do hope you enjoyed
it. I'll be back soon with more security news and analysis, but until then, I've been Patrick
Gray. Thanks for listening. Thank you. Music