Risky Business - Risky Business #801 -- AI models can hack well now and it's weirding us out
Episode Date: August 6, 2025
On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news. Google security engineering VP Heather Adkins drops by to talk about their AI bug hunter, and Risky Business producer Amberleigh Jack makes her main show debut.

This episode explores the rise of AI-powered bug hunting:
Google's Project Zero and DeepMind team up to find and report 20 bugs to open source projects
The XBOW AI bug hunting platform sees success on HackerOne
Is an AI James Kettle on the horizon?

There's also plenty of regular cybersecurity news to discuss:
On-prem SharePoint's codebase is maintained out of China… awkward!
China frets about the US backdooring its NVIDIA chips, how you like 'dem apples, China?
SonicWall advises customers to turn off their VPNs
Hardware controlling Dell laptop fingerprint and card readers has nasty driver bugs
Russia uses its ISPs to in-the-middle embassy computers and backdoor 'em
The Russian government pushes VK's Max messenger for everything

This week's show is sponsored by device management platform Devicie. Head of Solutions Sean Ollerton talks through the impending Windows 10 apocalypse, as Microsoft ends mainstream support. He says Windows 11 isn't as scary as people make out, but if the update isn't on your radar now, time is running out.

This episode is also available on YouTube.

Show notes
Google says its AI-based bug hunter found 20 security vulnerabilities | TechCrunch
Is XBOW's success the beginning of the end of human-led bug hunting? Not yet. | CyberScoop
James Kettle on X: "There I am being careful to balance hyping my talk without going too far and then this gets published 😂 maybe the countdown timer is just too ominous!
Risky Bulletin: China with the accusations again - Risky Business Media
US intelligence agencies frequently carry out cyberattacks and data theft against China's defence and military-industrial sector (original title: 美情报机构频繁对我国防军工领域实施网络攻击窃密)
SharePoint Exploit: Microsoft Used China-Based Engineers to Maintain the Software — ProPublica
China fears Nvidia chips could track, trace and shut down its AIs - Asia Times
SonicWall urges customers to take VPN devices offline after ransomware incidents | The Record from Recorded Future News
Gen 7 SonicWall Firewalls – SSLVPN Recent Threat Activity
ReVault! When your SoC turns against you…
Nearly 100,000 ChatGPT Conversations Were Searchable on Google
Microsoft catches Russian hackers targeting foreign embassies - Ars Technica
The Kremlin's Most Devious Hacking Group Is Using Russian ISPs to Plant Spyware | WIRED
Frozen in transit: Secret Blizzard's AiTM campaign against diplomats | Microsoft Security Blog
Russia blocks popular US-made internet speed test tool over national security concerns | The Record from Recorded Future News
Transcript
Hey everyone and welcome to Risky Business.
My name's Patrick Gray.
We've got a great show for you this week.
We'll be hearing from Adam Boileau in this week's news segment.
We're going to talk all about the last week's cybersecurity news.
And in that segment, we'll also be hearing from Heather Adkins of Google.
She is a VP of security engineering at Google.
And our very own Amberleigh Jack will also be joining us in this week's news segment to have a talk about
Russia's answer to
WeChat. Let's just
put it that way.
This week's show is brought to you by
Devicie, and Devicie's
Sean Ollerton will be joining us
in this week's show to talk about how
enterprises out there just
generally aren't
prepared for Microsoft's
upcoming end of support for Windows 10.
So that's coming up, I think, October
sometime and yeah, that's
if you haven't done it already, you
probably not going to get it done. So he's joining us to talk through all of that. That is a
fun chat and it's coming up later but yeah it is time for the news now and Adam the first thing
we're going to talk about is Google's announcement that it's found a bunch of bugs in commonly
used open source software. Now I did an interview this morning with Heather Adkins of Google and
she's going to join you know we're going to play that in just a moment but I just wanted to get a
sense from you of what your gut reaction was when you saw this headline?
I mean, I think my reaction is, you know, AI bug hunting is a thing that's been coming for
a while and, you know, the natural feeling is skepticism, but that said, we are talking about
Google Project Zero who have, you know, some amazing bug hunters and an amazing track record,
and Google, who have all the computer in the world, and Google who have, you know, all of the
training data in the world. So, like, if anybody is going to do an amazing,
amazing job of this. This is probably the crew that's going to do it. So that definitely makes
you think, you know, take it a bit more seriously, right? And they're not going to come out
with a bunch of crummy bugs. And we haven't seen the specifics of the bugs yet because
they're still embargoed. But, I mean, it's probably pretty real. And yeah, it's a wild time.
I mean, it was trendy to kind of like crap on this stuff a year or two ago. And it's sort of
feeling like these days that's getting harder. So as I mentioned, Heather joined me for this
interview. We spoke just this morning, my time. She is, of course, in Las Vegas for the Black Hat
Conference. And here's what she had to say about Google's Big Sleep, AI-powered bug discovery stuff.
Enjoy. This is a project we call Big Sleep. It's a collaboration, a research collaboration
between Google, DeepMind, and Project Zero. And many of your listeners will remember Project Zero's
goal is to make zero day hard. And that's precisely what they want to do with big sleep,
is they want to start to apply large language models, modern AI, to the problem of finding
vulnerabilities. The actual vulnerabilities have been disclosed to the projects. And, you know,
per our disclosure policies, those details will become visible once the projects are fixed. So I
do not want to drop 0day today. I mean, why not? Come on. Let's go. That's the point. I mean,
Look, I understand you don't want to give us the intricate details of the bugs,
but maybe a sense of whether or not these things were, you know, big deal bugs or little deal bugs,
like as in nice to fix or, oh, my God.
Yeah, so these are big deal bugs.
And, you know, if you want to give a flavor of it,
the team blogged about a bug they found in SQLite in July,
alongside the Google threat intelligence group.
That was a big deal bug, being actively pursued by commercial surveillance vendor
in order to, you know, cause chaos and mayhem.
So, look, anytime you're doing vulnerability research, you know you find a little bit of not big deal bugs and some big deal bugs.
I think the team has wanted to make sure these were high quality reports and to make sure that, you know, the maintainers are understanding clearly sort of how the technology is being used, how the bugs are being found.
And so those details will come out as the maintainers fix them.
Now, we had a bit of a chat about this yesterday.
You were just like tipping me and say, hey, check this out.
You seem pretty jazzed about this.
You think that this AI stuff is going to really quite, you know,
change the game when it comes to finding bugs.
I mean, it's been a couple of years now since large language models have been out there.
I mean, why don't you give us your sense for where this is going?
Because I feel like we're still split into two camps, which is there's the skeptics and the, you know,
the boosters.
You seem like you're in the booster camp now.
I'm in the booster camp.
And, you know, I'm not optimistic about much technology on the security fronts.
in terms of what we have available to us.
And so, you know, to be able to see it applied in a real way that yields results
that will be helpful for maintainers who are not security experts.
And look, I think the thing that I'm really jazzed about is being able to defend
against the threats we're being warned about at the moment.
I'm here at Black Hat.
Saw a talk this morning about how the bad guys are going to use.
this technology to build a mountain of zero day. And they're going to sit on it and use it as they
want. And I think the thing that I'm really energetic about is making sure that the good guys
have the same technology to find those bugs and fix them. And you could imagine putting that
really early in the software development life cycle and actually reducing the amount of 0day
available in the code bases across the world just to begin with. And I think this is maybe the
first time I've been able to feel optimistic about technology actually working in that
way. It's funny, you know, chatting with a mutual friend of ours actually a couple of years ago
about this, you know, he said he came up with this hypothetical, which is what if these things
get really good at finding bugs? You know, isn't that like a disaster for defenders? And I said,
well, no, because it's going to be a symmetrical thing, right? Like it's going to make finding
bugs a lot easier for defenders too. So we're just going to have this really rapid acceleration
in patching and improving software.
I mean, hopefully, there's probably going to be
a bit of a messy period in the middle, right?
Which we're probably on the cusp of.
But is that about how you feel this will shake out as well?
I think so.
And, you know, the thing to emphasize here
is that it's still early research.
And so the pace at which we are going to find the bugs
is sort of unknown.
But we also know that large language models
are also good at writing code.
And so there's opportunities all along the way
to make this not only a different,
discovery phase, but also a fixing phase. And I think that if you're an open source
maintainer right now, that's primarily what we're using this on at the moment, as you can see from
the bug tracker, it's going to get easier and easier to maintain your code. And I think
anybody would tell you who's run an open source project, that will be super useful. Yeah, I mean,
I was going to ask actually how the FFmpeg people responded when you're like, here's a giant
bag of 0day, you know, and then they have to go and fix it, right? Like, were they, were they cursing?
Well, I'll leave the FFmpeg folks to comment on their own.
They've got a Twitter account.
You can follow them.
Yeah, yeah, nice.
Been commenting.
But I think, you know, we have also got a look at the long arc here, which is a lot of
open source maintainers have been doing this for 20, 30 years.
Like, they're going to want to retire at some point.
They're going to want it to be easier.
The next generation of maintainers are going to want it to be easier.
I think this is a really good leg up for them.
So the idea is this will be able to write the commits as well, something like this.
I mean, I think in an ideal state, again, research quite early and, you know, I don't want to preempt any announcements from the teams at DeepMind and Project Zero.
But, you know, I think it's fair to say you want to look at all aspects of the problem, not just the finding.
We get the real impact by the fixing.
Yeah, all right.
Heather Adkins, thank you so much for your time and enjoy the rest of your time in Vegas.
Great.
Thanks, Pat.
Okay, so that's Heather Adkins there talking about all of that.
I mean, I just have a feeling that the security industry is going to look quite different in five years from now, right?
I think you're probably right.
I mean, the thing that struck me about that particular conversation with Heather is,
like when Heather says, I'm optimistic for the first time in a long time, right?
Heather's been at Google a very long time.
She's seen a lot of stuff.
And that's a pretty big call because, I mean, people who work in security are inevitably
super jaded and super cynical and really skeptical of, you know,
anything that claims it's going to solve all of our problems because we know how hard those problems are.
So when Heather's saying that, it definitely made me feel a little bit like, oh yeah, like this is
worth paying attention to. Okay, so that's on the vulnerability discovery side. I want to talk now a
little bit about the so-called AI pen testing stuff. There's quite a few startups now trying to
AIify pen testing. And one of them has got a great marketing hook. XBOW, or crossbow, is a startup that's
doing AI pen testing. Their head of security is Nico Waisman, who I think you worked with like
a million years ago at Immunity. Is that right? Yeah, yeah. I worked with Nico. He's,
he knows what he's doing. And, you know, that's, uh, some of those Argentinian hacker cats.
Like that scene has produced some amazing work over the years. So yeah, Nico is very legit.
Yeah. So, uh, I mean, XBOW, they raised recently a series, I think it was a series B round of
like $75 million. Right. So this is not some like garage project. And I think the thing that
makes XBOW interesting, and it's something we might have mentioned on the show before,
is that by a few metrics, or by a few ways to rank it, it's actually leading the HackerOne
leaderboard, right, for bug bounties, which is I think very interesting. But also you sort of look at
the way that it's achieving that, and it seems to be what the AI in the pen testing space is best
at at the moment is going after fairly simple bugs at scale, which
shouldn't be a surprise, because if you talk to people who do really well in bug
bounties, that's their approach as well, which is they find some sort of bug, they figure out
how to, you know, sort of auto discover it the best they can, then they go out and they hit like
200 programs at once. So it shouldn't be a surprise that AI is doing this. But again, what's
your gut reaction when you start reading about stuff like XBOW, as someone who has like
decades of experience as a pen tester? When you read this, do you start seeing the possibilities
Or do you still say bah humbug?
I mean, there's always a little bit of bah humbug
because that's in our nature.
But like the reality is that most pen testing work
isn't glamorous, finding exciting novel,
curious, weird and wonderful wacky bugs.
Most of it is ultimately not very exciting.
It's things you've seen before,
things you're going to see again,
and yeah, finding them.
Like if you can get to the point where you can do it at scale,
right, because you've got a, here is a set of bugs,
here is a way to discover them and fingerprint them remotely or whatever else, you know,
and then go find them, report them at scale.
Like, as you said, that is how bug bounty kids that are very successful do it, right?
The other half of bug bounty kids steal source code using file read bugs and then do actual security
work to find the ones that they're then going to report and don't say how they got them.
Yeah, no, that was totally a black box test, man.
What are you talking about?
Those are your two options, basically.
Scale or, you know, a little bit of, you know, unsolicited.
research. And we're not, we're not, we're not talking about any specific incidents at all
that are coming to mind at all. No, no, not of that. No one would ever turn a file read into
stealing jars and then reversing source. No, never happened. Shut up. Never happen.
So like this, yeah, you're right. This absolutely makes sense, right? If you can do this at scale,
you're going to do it really well. The, you know, the specifics of the kinds of bugs you're
finding are, you know, that's really interesting to me. But the important thing,
is if you can do it at scale, you're going to find it and also fix a whole bunch of stuff.
And I think, you know, Heather in the previous bit, you know, talked about, you know,
it's one thing to be able to find this stuff, but then also being able to fix it,
being also able to, you know, contribute code or propose patches or review patches or even write
test cases, you know, test harnesses, test cases, because it's pretty similar kind of process
to find the stuff in the wild and then also be able to find it in the test environment,
tested against code that you're developing. So, yeah, I mean, I, there is a lot of,
real smart stuff here and although it feels scary to someone who grew up doing this by hand in the
mines, you know, the old-fashioned way, it is still really exciting. It is. I mean, on the vuln dev
side or vuln discovery side, I feel like that is going to be an arms race and it's going to get
messy for a bit as we just have you know competing engines uh competing models finding this stuff
and it's like i think we will generally outpace the malicious malign actors you know as you point out like
Google Project Zero doing this stuff at scale, you know, that's going to be pretty effective,
maybe more effective than some amateur or quote unquote amateur or some cybercriminal
trying to do it in their basement. So I think there's going to be some disruption there.
And then you look at this sort of more applied pen testing stuff. And you just sort of wonder
how long it's going to be before this stuff gets sort of glued together, right? And it can go
from start to end. I mean, what I find fascinating is, you know, we could be in a position one day
where you ask an AI agent to fingerprint a target,
figure out what software they're running,
go find 0day in it, and get some shells.
Like, that'd be cool.
I mean, that's what we did at work, right?
When I worked back at Insomnia, that was the process.
So, like, if you can do each one of those steps,
you know, even with some degree of automation,
even it's not completely automated, you know,
just reviewing a list of targets and then saying,
hey, this feels likely.
Like, that's still a significant force multiplier.
You don't have to have the AI do the whole thing.
Like, there's some room for a little bit of intuition maybe.
But, you know, having tools that do stuff computers are good at
and leaving humans to do the bits that humans are good at.
And if we reduce that, if that balance changes over time
as computers get better at human stuff, then, you know,
it's just going to be a force multiplier.
So, like, it's pretty cool.
Now, critically, no one is claiming
that these models, either the XBOW people or Google,
are claiming that the models just did it by themselves.
There was definitely some human involvement and expertise here.
But I think, you know, we've set up this conversation well
in that this is where it's kind of going, right?
Is it's going to be LLM-driven stuff
for, you know, various parts of pen testing
and various parts of vulnerability discovery?
Where I, where my skepticism hat comes on,
like, okay, so it's black hat at the moment, right?
In Vegas, and everyone's going to go off and present their research.
and then you've got James Kettle's upcoming talk, which is being hyped at Black Hat.
I don't think he's done the talk yet, but that's coming, I think, tomorrow or overnight for us, right?
How do you think, first of all, like what is, because we've seen a little bit about what James is going to present,
and it's usually got the goods, right?
So every year at Black Hat he will present something that's really sort of devastating and fun.
Devastating and fun, you know, we like that.
So first of all, what do we think he's presenting on?
And second of all, do we think that an AI model is going to get to a point
where it can do James Kettle-style creative research and then weaponise it?
Because that's the thing that I find interesting.
I honestly don't think that it will, but I've been wrong on this stuff before.
So I want to know what you think.
Yeah.
So to answer the first question, he's talking.
about something that feels like probably requests smuggling or whatever else against CDN networks.
So I'm thinking like some of the big global CDNs probably have some like request canonicalization,
request smuggling kind of flaws where you can bypass some of the controls or make requests to the back.
And that's probably what it feels like.
And in the past he has delivered like cache poisoning bugs, for example, against, I think he did one which was like Mozilla's Firefox
update, Mozilla's browser update services, so you could like patch everybody's Firefox
with malicious code in the world in one go. So usually he delivers the goods, and we'll wait
and see what the specifics are. Now, you know, he has such a track record of really interesting
and in many cases unique. I mean, some of it's derivative, but it tends to be derivative from
his own research. So he'll like refine his techniques. And one of the things that's great
about his work is that he works at PortSwigger, the company that makes Burp, you know, the sort of
web security Swiss Army knife tool, is that he then goes and implements it into their tooling.
And so all of a sudden everybody can find these kinds of bugs in the same way that he has
been working on. And that's, you know, that's really cool. And do I think that a, you know,
an AI collection of LLMs and a trench coat could replace him? Probably not. But I bet you
are there are pretty significant parts of his workflow that are amenable to being, you know,
automate and things like I came up with this idea, you know,
build me some proof of concept tools to go, you know, find this, you know,
how widely applicable is this particular thing?
Like if you can do that by tasking an LLM to go, go away and give me the data tomorrow
about, like, how many people are vulnerable to this type of cache confusion or whatever
it is, you know, that's the sort of thing that feels like a, you know, James Kettle
sidekick.
So I think, yeah, LLM sidekick, an AI sidekick for him, hell yeah.
You know, he feels pretty special.
Like, he's a national treasure in the UK,
so they should protect him and not let him be replaced by software.
Well, you know, I think we both agree that that ain't on the immediate horizon, right?
But where it does get interesting, okay, so you were talking about it being his sidekick.
What I find more interesting is the idea that instead of using a tool like Burp, right,
which is your sidekick as a pen tester, you could have a little AI James Kettle.
Do you know what I mean?
Like, James can teach the little AI agent how to do this like request smuggling exploitation.
And then you as a pen tester, you don't need to really know that technique.
You don't need to know the fingers on keyboards, the actual keystrokes to do that technique.
You could just get the model to do it for you.
And I feel like this is a better model to run a pen testing industry, right?
Which is get all of the dumb stuff automated.
You don't need to make every single tester an expert in every single technique.
they just have to be familiar with the basics of it
and then they can get something else
to actually do the thing.
I mean, I feel like this is where AI is going to push us.
You know, with testing.
I feel like it's going to be, you know, fewer people
doing high-quality research
that then gets, you know,
internalized by these models
and then they can go off and do the thing.
Yeah, I mean, the 15 years
of running a pentest company in me
still says, like, I want testers who are able to, if necessary, go down to the, you know,
as deep as needs to be to solve the problem or to understand the issue or to give good
recommendations. Now, is that actually necessary for 80% of the work that they did? Probably
not. Like, I still want it, but maybe that's old man and me, and maybe it doesn't, you know,
like, for example, those testers didn't need to be able to, you know, replicate Rowhammer
at the hardware level.
They didn't need to understand
how many electrons
are in the little memory cell bucket.
That wasn't necessary.
And maybe I'm saying the same things,
maybe I'm asking the same thing here
about details of cache poisoning
or whatever else.
Like that, maybe it isn't actually necessary.
But the traditionalist of me wants to say
it is important that we understand
as deep as we need to these issues
so that we can give good advice and explain it,
but maybe I'm old-fashioned.
But I mean, couldn't you get the models
to do that part of it?
I mean, I guess the point that I'm getting at
is the hard part is actually defining
these categories of things that you can exploit.
Yeah.
That's the hard part.
Actually doing it isn't the hard part.
Yeah.
And I think I agree with you.
And like if you were starting from scratch
with the security testing industry,
given modern tech,
then yeah, it would be ridiculous
to suggest that you would do all of this stuff
by hand and make humans do it, right?
You would absolutely build tools and automation.
I mean, Burp in itself automates so much web app testing, right,
and is already such a force multiplier for being a web app tester,
the idea of that, you know, an AI equivalent of Burp,
something that felt like Burp,
a Swiss army knife that just does everything that you need
and then leaves you to think about the problems
and lets it and does the actual implementation of it.
You know, that's, yeah, it's a pretty natural fit.
Well, I don't think you would have an AI equivalent of Burp,
you would have the AI driving Burp, right?
Yeah, they're built on top of it.
Yeah, this, but this came up in a conversation we had with Josh Kamdjou, which is in a recent Soapbox episode, Sublime Security, you know, whatnot.
They did, they did, they've built AI into their, into their product like everybody sort of has these days.
But Josh actually made a really interesting point, which is like, you know, I've been joking about how no one needs to learn these vendor-specific query languages anymore and thank God for that.
And Josh made the point of like, well, you still need the query languages.
You actually still need a well-architected product that can do the things.
the difference is you're just getting the AI to actually do the queries.
And I'd imagine it would be much the same with like an AI Burp.
You're not going to try to re-engineer Burp and it's going to be this unstructured, unarchitected
sort of mess where the LLM's just like yoloing it.
You're going to have an AI agent that knows how to use Burp.
Yeah, exactly, right?
It provides an interface on top of and abstracts out some of the complexity, but without,
you know, as you say, like it doesn't need to be one big pile of LLM that does everything.
and just needs to have defined interfaces into existing tools
that if you need to go in human introspect, you can.
If you need to go drive by hand, you can.
But that seems to be kind of where we're heading already
with all of the mechanisms for gluing, you know,
model context protocol, gluing stuff into AIs
and having AIs provide the kind of like human IO part of it
and then dealing with other bits of the computer ecosystem
that were designed for humans.
so ingesting unstructured data
or other computers
that you don't necessarily have the tools for
so ingesting data that's in other weird formats
so it's kind of you know
it's a pretty natural synergy
and it's uncomfortable
in the same way that I imagine
being a person that makes horseshoes
probably felt at the beginning
of the automotive industry
you know?
Yep, yep.
People who touch computers for a living
are probably going to have an interesting decade, I think.
Where are you coming from with that?
All right, well, that was very interesting, Adam.
Thank you for that.
Let's move on now because we've got other stuff to talk about this week.
And this week, I think this is my favorite headline ever to run in one of our newsletters.
And funnily enough, it was an accidental headline because I spoke to Catalin about this.
I'm like, that was a really good headline.
He said, that was a placeholder.
And I forgot to change it, but it's such a good headline, which is China with the accusations again.
So it turns out this, what is it?
The Cyberspace Administration of China
has issued a sternly worded letter, Adam,
accusing America of doing heaps of hack on it.
Now, what makes this extremely funny to me
is their very wordy post that we've linked through to.
It's in Chinese, but you can machine translate it,
basically accuses the United States government
of hacking their military R&D centers.
which I mean oh no isn't that exactly what they're supposed to be doing like this is like they
they are accusing the United States of doing very tightly scoped and well targeted legitimate
intelligence collection that has military relevance I just think this is and and the whole post
sort of drips with outrage and you just think you're doing them such a favor here do you not realize
that yeah but you could absolutely imagine this post being tabled at a Senate committee
about, you know, like, has to be an overreach in the intelligence agencies or whatever else,
or are they operating within their scope?
And it's like, actually, yes, the Chinese think that we are.
Yeah, so it's pretty funny.
And there's a few, you know, other fun details in there, like one of the campaigns they talk
about is compromising a military contractor, I think, using exchange vulnerabilities.
And it's like, do you remember when Joanna hacked every exchange on the planet in like this wild
frenzy of compromise without really tightly scoping any of that.
No, I mean, you've got to let the Americans use it to own one or two, you know, like, come on.
Exactly.
But yeah, they got domain admins, so good job Americans and had a rummage around, had some
nice backdoors, yeah, a few fun details.
And, yeah, basically it sounds like American intelligence agencies
are doing a good job, you know, two thumbs up.
How dare they target our military research.
It's just so funny.
Anyway, people can have a read of that.
It's linked through to in this week's show notes.
Now, staying with China, this journal, Renee Dudley over at ProPublica, just keeps scoring the greatest hits lately.
I think she's tapped into a rich vein of sourcing of someone either at the US government or someone either at Microsoft who just really has a dim view of Microsoft's business practices when it comes to doing stuff in China.
Because she's got a follow-up to a blockbuster story about, you know, Chinese support agents accessing DoD Cloud.
And this story is about, really, it's a very simple story.
It's about the fact that SharePoint on-prem is actually maintained by Microsoft China,
which is pretty funny when you think about it,
because now it's China going around and owning all of the sharepoints.
Yeah, by finding a bug in the code base maintained in their own country.
It's a crazy time.
But, yeah, like the fact that on-prem sharepoint maintained out of Microsoft China is just, yeah,
it's just funny.
Like, that's the whole story.
and like yes sharepoint's going to be end of life and they're going to move to the cloud
one but you really think there's no code shared between those sharepoints and do you really
think this is the only Microsoft product that's maintained in a country that isn't you know the good
old US of A so you know when you're trying to think about what your software supply chain looks
like it's you know it's it's very nice to stop at the corporate boundary like Microsoft is
an American company headquartered in the USA, but the reality is just a little
more messy than that. And, you know, Microsoft, certainly with that digital escorts thing,
like they, you know, letting the DoD and everybody else in that kind of side and their customers
forget about this that they probably had mentioned at some point, you know, very convenient
for them. And I think, you know, having to nationalize software development and kind of
separated across, you know, geopolitical boundaries is the reality that we live in, but it's not a
isn't process well and i bet you they're still using chinese support agents in other parts of
u.s government cloud right like it's just there there's no way that this is this is a practice
that's ended and we're going to keep hearing about it for the next couple of years i mean in the
end they do it because cost and skills right and if they could hire everybody they needed their
prices they were willing to pay in the u.s they probably would but that's not the world that
they operate in yeah i'd tell you too this whole thing reminded me of a conversation i had with an
executive at a defense contractor probably 10 or 15 years ago um where
we were talking about the fact that they were offering at that point defensive gateway services to
China and they were also because they're multinational they also did like I think exploit dev
services for the Brits and I said to him so you're trying to protect targets in China
with these gateways while you're simultaneously trying to help the Brits like own stuff
that is presumably behind those gateways and you know what this executive said to me
it's a funny old world
that stuck with me
it really is
now what's this
we've been seeing some coverage
you know Catalan's written about this as well
and we're seeing some independent coverage about this too
staying on China
is this idea that the US government
is trying to build like
sabotage trap doors in like
Nvidia chips or whatever they're trying to
they're trying to pass some legislation
that would mandate backdoors in the chips
where the US could kill
the chips if they popped up in the wrong geographic region in violation of sanctions or
whatever. Is this a real thing, or is this like some bill that's been proposed that's never
going to go anywhere? So it's a bill that's been introduced. It hasn't been passed yet, and
it's supported in the U.S. legislative process, but it's one of these ones where the high level
goal of the bill, which is to say, you know, if you're going to ship really high performance
compute into other countries, we are worried about those systems being, you know, ordered
through fronts in other countries and redirected to some different ultimate destination and
used against us. And we would like that to not happen. And Nvidia is the obvious target because
of the AI future, but this applies to other technological systems as well. And there's been plenty
of history of sanctions evasions and things using, you know, by ordering stuff through fronts
and so on. So what they want to do is to stop that. And how that translates is asking Nvidia and other manufacturers to have geolocation capabilities
so they know where their products are, and then the ability to, like, turn them off or restrict
them or whatever else when they are being used in a way that doesn't comply with U.S. export
requirements. And the technical reality of that is kind of what you end up
wondering about, like, how does a chip know where it is? Yeah, and how does America turn off a chip
if it is in a place where they don't like it?
And that starts to sound pretty messed up.
But, you know, much like...
I imagine at that point you stand up teams
that have to troll drivers, like, looking for the...
You know, is this thing getting system information?
Is it going to knock on me?
Like, you know...
So that was my initial thought as well,
which is like, oh, there's no sort of practical way
for them to do this.
But then you think about how alive every computer is these days
with automatic updating and this and that
and, like, how complicated
you know, some of these drivers are going to be. Like, I don't know that you would necessarily be able
to prevent someone from, you know, disabling your chips remotely and still get good value out of
those chips, right? Well, that's the thing, right? I mean, this, in my mind, it kind of compares to, say,
copy protection, where, you know, we are trying to stop people from, you know, running software
without a license or without a dongle, and that kind of arms race ultimately kind of failed
and we ended up with cloud-based licensing and so on.
And that's, you know, as this software becomes more and more complicated,
it does become difficult to go and ferret out these things from drivers or in hardware or in firmware.
And like even the line between hardware and software is so blurry now
because of embedded firmware and, you know, kind of, you know, Intel processes
that have a whole front end that looks like Intel instructions.
On the back end, it's a whole different thing with microcode and blah, blah, blah, blah.
Like, this stuff is complicated, and ferreting out this kind of stuff is pretty hard, and especially
with super tightly integrated, super complicated systems like AI, you know, inference and whatever
else.
So like it seems more practical to do than it probably ever has been.
Yeah.
And as you say, if you get this expensive hardware, then utilizing it in a way that we're
getting value for money and then also having to, you know, dig through and find these kinds of
It starts to become pretty complicated.
So it, you know, it actually seems like it might be doable.
Well, and this is why Beijing, apparently, not so happy.
Not so happy about this.
Beijing has asked Nvidia to explain whether its H20 artificial intelligence chips have backdoors
that could allow the United States to position and remotely shut them down, right?
So they are annoyed about this.
There is some delicious irony here after all of the drama we've been through with Huawei over the last 20 years.
and now the shoe is on the other foot now, isn't it, Beijing?
I mean, I think the shoe is currently on both feet,
given the previous story about SharePoint being maintained out of China.
We're also independent on everybody,
and the idea of separating our technological worlds along geopolitical lines
is fraught with complexity, but we're going to have to do it one way or the other.
It's a lot of feet.
We have to have world peace, which is more likely.
It's a lot of feet with a lot of shoes.
Turns out, um, OnlyFans up in here. All right, now Jonathan Greig over at The Record has reported on
just some bugs in SonicWalls, you know, SonicWall VPN, uh, you know, SSL VPN presumably, that are really bad.
They're so bad, in fact, that SonicWall's advice is like, yeah, maybe take these
things off the internet or IP restrict them. And it's, um, yeah, that's, that's not a, that's,
that's great when you're giving that sort of mitigation advice. Well, the problem
here is they don't know what the bugs are.
Yes. So somebody is ransomwaring
SonicWall customers. No one's seen the actual
bug on the wire, but there are people
who have fully patched SonicWalls, who've rolled all
their creds since the previous compromise, who are still
getting owned. And everybody
seems to feel like probably there is
some SonicWall zero day in the wild.
And if SonicWall doesn't know, what else can
they do other than turn off our product?
Well, I like one of the recommended mitigations.
Step 4. Enforce multi-factor
authentication. Enable MFA for all remote
access to reduce the risk of credential abuse.
Note, some reports suggest MFA enforcement alone may not protect against the activity under
investigation.
So it's like, I don't know, they're just throwing ideas out there, man.
You know?
Yeah.
Yeah.
The best idea: not having a SonicWall in the first place.
Yeah.
Now, some more serious research.
This is, comes to us via Cisco Talos.
This is a write-up from Philippe Laulheret.
I don't know.
I massacred his name.
I'm sorry.
I'm sorry, Philipp.
But yeah, there's a Talos write-up.
here about some research into like, you know, computer on a chip stuff in Dell, right?
So like the Dell secure enclave stuff is not so great.
Walk us through this one, Adam.
Yeah, so this is looking at the hardware and supporting software for Dell's kind of secure
enclave, kind of like security coprocessor kind of thing that they use to handle things like
biometrical authentication, fingerprint scanners, card readers.
So any type of, you know, more advanced auth stuff.
The research has looked at the driver software on the Windows side
and then also the way that you talk to these things.
And they found a number of bugs kind of going in both directions,
so you can exploit, you know, API calls into this embedded system
to gain control of it.
And then you can also exploit from the embedded system back into Windows.
They found like a deserialization flaw, for example,
where they can then turn that back into code execution in Windows.
So this has a number of interesting
options. One is for
bypassing auth and privesc, so you gain
access to a Windows system, and you can,
for example, make the fingerprint reader
allow anyone in. And the demo
video they have is very funny. It's a plastic figure with a
spring onion on it, which they use
to bypass auth.
I was hoping they'd use a hot dog, you know?
The conductivity on a hot dog
may be not exactly what they need, so
maybe hence the spring onion.
And then it also has a
long-term persistence vector, so once you've got
on there, hang out in the corporate system, you'll
survive a Windows reinstall.
There is also an interesting aspect where physical access to devices, like if you pop the lid
on a Dell laptop and you've got physical access to the thing, you can kind of plug into it
and modify its firmware and then use that to gain access to the underlying Windows, which
would bypass things like disk crypto, like BitLocker, TPM-backed BitLocker disk crypto, which, you know,
I know when, in my, you know, Insomnia days, we did a bunch of jobs that were: given physical
access to a corporate laptop, can you steal the data? So is it safe to lose this in a cab or
whatever? So that's a pretty realistic attack vector for this kind of thing. And it seems easier
than sniffing it off the TPM bus off the traces on the motherboard like, you know,
we did on some occasions. So all of these things combined, and the fact that Dell is one of the big
US manufacturers that's very popular with US government and US corporations, like these things
combined, maybe this is actually quite impactful. So yeah, good work. Yeah, I mean, it just
drives home too that, like, you don't, you don't see this sort of stuff in Apple products.
I mean, no, right? You just don't. Like, the Apple Secure Enclave is a little bit rarer than this.
Well, and I think it's because you've got just such a center of excellence in Apple, because you've got
the software people and the hardware people working for the same company, and you've just got this
incredible core of security expertise at that company. But, and that's what it takes, that's not...
Everybody is expecting Dell to be able to do this, right?
I mean, except the US government that buys it.
Yeah, but what do they know, right?
Oh, man.
All right, so just a quick story here.
Joe Cox over at 404 has written up this story that I saw circulating on social media
before he wrote it up, which is that some ChatGPT conversations that were marked to be
publicly accessible, like shareable or whatever, somehow got indexed by Google and, yeah,
100,000 of them, and some pretty embarrassing stuff in there that I'm sure the people who
generated those transcripts were not expecting to get out there. This is the sort of thing you
expect to happen with any sort of new tech, right? Yeah, yeah, pretty much. And I think, like,
the interesting angle here was that we had seen reports that this feature existed and
been indexed by Google, and Google was delisting it at OpenAI's request. But somebody has
already scraped out, you know, 100,000 conversations or so. So that data is already out there.
The fact that it's being deleted from Google now is great, but it's kind of too late.
So it sucks to be the people whose conversations were scraped.
Okay, so now it is time to get into our last sort of discussion this week, Adam,
and we're talking about Russia.
And in particular, we're talking about how Russia has just, over the last few years,
been gradually ratcheting down, like, control of its local ISPs and networks with, we've
reported, you know, particularly Catalin has done some really good work just reporting on these
developments over there. You know, things like the SORM surveillance system and whatnot. We've talked
about how they're cracking down on various CDNs that allow encrypted client hello, which can be used
as a censorship bypass and whatnot. And now we see that they're actually weaponising the local
ISPs and using their position upstream to drop malware onto foreign embassies based in Russia. And this
is actually a pretty interesting little campaign, because what the malware does is it
installs some, like, malicious root certificates into the user's computer, into their browser presumably,
and then that's it. And I think, you know, this is the sort of thing that when you first hear it, you
think, well, that's a bit silly, and then you realize it's actually pretty smart, because most EDR software
is not going to be looking for rogue certificates, right? So if you can get some malware to do the
thing and then just disappear from the box, you then have a persistent ability to
monitor traffic on the wire for select, you know, websites and whatnot if you control the
upstream ISP. So walk us through this one, because it is interesting. It is like, if you control
the network, this is a good way to turn that control into surveillance. So this is the Russian
group, Turla, which I think is generally believed to be the FSB. And they've been doing this type
of thing with ISPs, you know, upstream ISPs, to redirect traffic in the past and some other
campaigns. But this one's kind of interesting because they were, so they're in the ISPs
upstream of embassies in Moscow, and in the initial connection process on a Windows machine there's
a captive portal detection thing, where Windows will go out to microsoft.com through a particular
clear text URL. If it gets a redirect to MSN then it knows it's talking to the real Microsoft; if it gets
some other behavior it's probably behind a portal. So they're hijacking this request, sending you off to a thing that
drops an EXE file that pretends to be a Kaspersky certificate updater.
So it says, hi, certificate update.exe.
And if you click through, and if you're privileged, it will install it into your system-wide
root certificate store.
If you're not privileged, then it will kind of go off and get a second stage script
that tries to use UAC to elevate access so that you can install that certificate.
And then, as you say, disappears.
And that's, if you're, you know, the naive thing is, well, like,
if I run an EXE on that host, clearly I've already won. But it's not that simple anymore, right? Because
EDR, because all sorts of monitoring systems. But having a thing that's, like, one shot, and if you win
you've got a root certificate in place, that plus the fact that they're in the network, and now
you can man-in-the-middle any network traffic silently, is a super powerful position, both for
access now into communications but also in the future. You can get in the middle of any other
software update of any other process, any login, you know, you can steal credentials,
that gives you so many great things, you know, great options in the future, given that you're
already in the network. And as you say, very few EDRs are going to be looking for that. It's not
a thing that, you know, threat hunters are going to immediately go. It's not the first thing a threat
hunter is going to look for. So, yeah, pretty smart. I mean, what about, I mean, certificate pinning
might kind of help in these situations, right? So it's not going to be like, you know, Microsoft.com
services, for example, aren't going to be man-in-the-middled at all.
No, no, but I mean, it gets you a very long way, right?
And there's not much, like, cert pinning is very common in the mobile world,
but much less common in the desktop computer world, right, and in the Windows world, right?
Because people do deploy enterprise certificates, right?
There is plenty of cases where, you know, break and inspect, you know, is a thing you might do
in a corporate environment.
So, yeah, it's not like mobile.
Yeah, so you turned all of that stuff off, right?
So, I mean, one of the, one of the mitigations that I thought about for this and then kind of ruled out is, well, you could just tunnel all traffic through to a gateway in another country, right?
And that might seem like a good solution until you realize if the Russians own the network, they're going to see that you're doing that.
And they can just degrade your connection and make you not do it because they can make your life too hard.
And you will have to revert, right?
So I think this is actually a pretty tricky one.
You're going to need some tooling to check for rogue certs, like to get around this.
Yeah.
And that's a, you know, that tooling does exist, right?
I mean, it's a thing that enterprises already have to deal with.
But as you say, the...
But it's work, I think, is my point.
And people haven't been doing it until now.
And it's just one more thing they've got to do.
And they've got to now operate under the assumption that the network that they're transiting is, you know...
I mean, I guess we always have to operate under the assumption that upstream is malicious,
but now, like, that's confirmed, right?
Yes, yeah, yeah.
There's a difference between, like, in theory, and they are actively redirecting us and dropping EXEs on us, right?
a different kind of vibe.
And, you know, it's pretty similar, I guess, with any type of censorship circumvention,
like all of those technologies and all of the approaches for dealing with censorship circumvention
also apply to, you know, this kind of thing.
So like Russia's very experienced that, as you say, degrading the connections of pushing
people around and kind of making it hard to do anything other than, you know, the Russian way.
Yes.
You know, if you want to order a pizza or pay your taxes or, you know, buy a parking ticket to go,
you know, whatever, park your car, you know, they're not going to, like, if you're in a VPN going
outside of the country and then trying to come back in, that's not going to work.
There's all this pressure pushing you towards the way that Russia can intercept you and mess with
your stuff.
Yes.
Now, they have also just banned Speedtest, right?
Because this gives the company that runs Speedtest a lot of insight from the inside out
into what Russia's internet looks like.
And we also had a story today in the Risky Bulletin about
how Russia is banning the use of foreign ERP software,
that's been now being designated critical software.
So if you're a critical infrastructure operator,
you can't use it anymore.
And it just seems that what they're doing
is this gradual russification of their own internet, right?
So they're controlling the networks,
they're doing more censorship,
and they're doing this other thing,
which is they're building an app called Max Messenger,
or just Max, which is kind of looks a little bit
like a Russia's answer to WeChat.
So joining us now, and I'm very pleased
to be making this introduction to the audience
is Amberleigh Jack, who is a producer who works here
at Risky Business, who's been with us for
about six months now, I think, Amberleigh.
Yeah, pretty close to six months.
Yeah, so Amberleigh works behind the scenes here,
working on the main show,
and working on the bulletin and doing all sorts
of wonderful stuff.
And this week, you've been looking into this app,
that the Russian government is, is, you know, putting together.
What can you tell us about the Max app?
Like, you know, where did it come from?
Is everybody using it?
Like, what is it designed to do?
Like, what do we know about this app?
Yeah, for sure.
So essentially, it's a government-backed national messaging service,
which has been released by VK,
which is the social media network in Russia.
And back in 2021, through a string of deals, wound up with Gazprom essentially having majority
shares of VK, which of course is state-owned.
At the moment, it's pretty much a WhatsApp clone.
But the plan is for it to become a super app where you can pay your taxes, you can sign
government documents, you can talk to your kids' schools, you can do kind of everything on
this app, not unlike WeChat.
So I had a little bit of a look into the timeline of this app.
And VK actually released a messaging app back in May 2022.
And it really didn't take off.
It didn't go anywhere.
No one was all that keen.
But in March this year, they came out and said, hey, we've got this messaging app.
It's also got built-in payment systems.
You can create chatbots and you can create mini-apps and it's going to be great.
And the next day, a beta version of it was made available.
And then in June, a law passes in Russia.
called the National Messenger Bill
and the law was basically
made to formally create this national messaging app
which will have messaging services
but also let citizens have access
to public and commercial services
confirm their proof of age
again not unlike WeChat
so that was in June
in the past month
schools have started testing it out
the St Petersburg State University is now using it
for all its internal corporate comms
VTB Bank is, like,
allowing payments and banking services through this app.
And from September, every phone sold in Russia will have to have this pre-installed.
And it's not super popular at the moment by the looks of things.
End of June, VK came out and said, we've got one million registered users.
And less than two weeks later, they came out and said,
now we've got more than two million registered users.
And 100% they're all real people.
WhatsApp, however, has about 100 million monthly users in Russia.
There's a ways to go.
There's a little ways to go.
Yeah, yeah.
But I mean, so one thing that you were telling me earlier,
like when you looked into this,
and you've already mentioned that, you know,
it's going to be the way to do business
with various banks and the Russian government and whatever.
It seems like it's one of those things
where if you don't have this app,
it's going to make life really hard, right?
Like that seems, do you think that's deliberate strategy here?
Because it feels like that's the strategy,
which is we're going to build this app
and you can't pay your taxes
or get a bloody bank account
unless you're using it.
It very much feels like it.
It's hard to say at this point
with these sort of government portals
that are migrating over
whether that's going to be the only way
that people can use their services.
But if you think about it,
you cannot communicate with your kids' schools,
you cannot communicate with your family,
you can't sign official documents
without this app.
Yeah, I think you're kind of
on the money there. It's not a big stretch to think that that's kind of aiming towards that
digital control of citizens, and then hiding behind influencer endorsements and paid reviews.
Yeah, yeah. So we saw a funny one, a funny post on social media recently where someone had
cut and pasted in their review instructions along with their actual review about how wonderful
the Max app is. Now, Adam, even with those paid reviews, though, on Google Play, it's still
sitting at about 2.6 stars.
Oh man, some project manager is going to get yelled out over that.
Yeah.
So, I mean, Adam, you would think surely that probably the next step here would be, you know,
to degrade those other apps, right?
You would think that eventually just degrading WhatsApp users' ability to reliably send messages
is what's going to drive adoption of this max thing.
I mean, do you think Russia could succeed here?
Because I do.
Yeah, I mean, I think that's, you know, it's the natural next move.
Like, once you've got a credible alternative, then you can start to push people
towards it. And I guess, like, WhatsApp is a pretty natural target, because, like,
American-backed technology, it's pretty easy for them, there's such a lot of
precedent for them pushing foreign technologies out. I guess where it becomes more
interesting is when we see something like Telegram, which is a bit more aligned with
Russian interests. But, you know, if they really want it to become universal in the way that
WeChat is, like, you really want there to be no other way to do things. And maybe
they've got enough access to Telegram already that that's fine. But, you know, if we start
to see moves against, you know, less easy targets than WhatsApp,
then I guess we'll know what's going on.
Yeah, Amberleigh, did you, during your research, you do all of this,
did you see any sort of stated policy objectives around this thing of, like,
well, it'd be good if Russians didn't use, you know, Telegram or WhatsApp
and use this instead?
Like, what's the policy rationale?
Like, how are they selling this to the public?
I have seen a few bits and pieces.
One senior lawmaker, I think the quote was something like WhatsApp should prepare
to leave Russia.
Okay, okay.
Okay, so they're being very subtle about it.
A little bit, yeah.
Very subtle, okay.
Very subtle, but yeah, they're definitely pushing this as, you know, the app to go to for everything.
And that definitely seems like the plan.
Yeah, right.
Yeah.
So there you go.
That is a brief summary on Max, which is going to be Russia's answer to WeChat.
And it seems like, I feel like if they can do this, that becomes then just the, you know,
if you're not in a democracy, if Russia's done it as well, that's going to be the playbook, right?
Which is that the government will sponsor or co-develop an everything app or, you know,
give it to one of their cronies, right?
In this case, like it's VK, which is now owned by Gazprom.
I had no idea that it happened.
But, yeah, wild times.
All right, Amberleigh Jack, thank you for joining us to walk us through that research that you did
this week into the Max app.
And Adam Boileau, a pleasure to chat to you as always, my friend, and we'll do it all again next week.
Thanks, Pat.
There we're sitting. I'll see you then, Pat.
That was Adam Boileau there with the check of the week's news,
and also featuring appearances from Heather Adkins at Google
and our very own Amberleigh Jack.
Big thanks to all of them for that.
It is time for this week's sponsor interview now with Sean Ollerton at Devicie.
And Devicie is a company that has built a platform
that makes Intune actually usable, right?
So the idea is, if you want to use Intune,
you can do it with Devicie,
and they can really help you with that,
and yeah, they've built a whole bunch of features on top of it.
And as I say, they're just using that Intune plumbing
and making it very, very usable.
Now, one thing that's been on their mind lately
is Windows 10 support is ending soon,
and enterprises out there are just not ready for the switch.
So it's going to be interesting later this year
when Microsoft actually turns off security patches for Windows 10.
So Sean Ollerton has been in the device management space for a very long time.
And he joined me to walk through what's happening with the switch to Win 11
and how Devicie's thinking all about that.
And here's what he had to say.
I think that a lot of people are underestimating the change, like, or overestimating, actually.
So they think that it's too different to Windows 10.
they think that the original use case was like,
oh, just moving the start menu, our users won't be able to take that.
Yet most of the users are using Windows 11 at home by now
and are well adjusted to a start menu in the centre.
And little things like that that are just holding people back,
they feel like it's too big a change.
And also the Windows 11 is too new.
Well, they feel like it's a change in terms of like what,
just UX, like or UI,
for the users? Is it like, or are they worried more about things under the hood and like
their configurations and networks breaking? I think it's both. I think they're worried about
the user impact of the change and what they're going to do when, if it looks and feels a little
different, which I feel is an overrated worry these days. Like users are used to things changing
without a lot of notification in their personal space. And so they're much more accepting of it
in a business sense, but also there's those fears, oh, none of our apps are going to work.
And I think Microsoft tout something like 99% compatibility between apps of Windows 10 and
Windows 11, and we'll publicly say that they'll help you to fix something if it's not
working, if it's in that 1%.
Yeah, I mean, it's kind of academic at this point anyway, right?
Because if you aren't upgraded by October, like, you're going to
have a bad time.
Yep, yep.
You're either going to be paying, like, a lot of money.
I think the extended support for Windows is $60 a year per user, and it doubles every year
after that.
And that just covers you for Windows support.
Your office isn't supported if it's running on Windows 10 under extended support.
So there's a lot of complications to just thinking, I will be right to just keep running
Windows 10, or we'll just pay for the extended support because it adds up very quickly.
and it doesn't really give you the coverage you need to stay protected.
So how much of a problem actually is this, right?
Because, okay, we're sitting here saying,
okay, there's people out there still running Win 10.
But are there a lot of organizations running Win 10?
Do they tend to be like disorganized sort of, you know,
smaller companies in cash strapped verticals?
Or is this like a problem in mainstream, big enterprise?
The stats out there say that over 50% of enterprise devices
are still running Windows 10.
My God, man.
And if you look at it, there's something like 80% of businesses haven't moved fully yet.
So some of them might be on the journey and not finished, but others haven't even started.
And I kind of think if you're an organisation of any sort of decent size, if you haven't started yet,
then you're likely too late to get it done.
by the deadline. You're not going to make it. So, I mean, what is the process, I guess,
for doing these massive upgrades through an organization? Obviously, we'll talk about the way
that you can do that via Intune, because Devicie is built on Intune. But what are some of the
other ways? Like, you know, because I'm not in Windows land. I mean, I haven't touched a Windows
computer in so long, except for helping an elderly neighbor with an issue, which I had to
fumble around. I actually managed to nail it, too. It worked in the end, thank
God. But, you know, what's the process if you've got an entire Win10 fleet out there? I mean,
I imagine it's not as hard as it was, you know, back in the day, right? Because Microsoft's
built all of these wonderful all singing, all dancing management tools. You know, say you're not
even an Intune shop. I imagine it's still quite a sort of, you know, it's something you can bite
off and chew. It's not, it's not the end of the world, right?
It's not. But there's also, there's some key pieces that you do need to get on top of early in the
piece. So one of the big changes with Windows 10 to Windows 11 is some security hardware
requirements. So Windows 11 has a hard requirement for a TPM chip in the device, which then
comes with some sort of flow-on effects of minimum processor levels and things like that. And so
there is some physical hardware there that is incapable of running Windows 11. So that's your first
step, is make sure you've actually got hardware that'll run it. Yeah.
And Microsoft has some tools for gathering that information, depending on the way you're managing those devices at the moment.
You can see at a glance, okay, am I even ready to upgrade to Windows 11?
And that's probably an even bigger concern because of how big a change it is and the fact that everyone needs to do it.
A lot of hardware vendors are sort of touting, if you didn't have your devices ordered at the beginning of the year, then you wouldn't have got them by the October deadline.
So if you're in a situation where you've got a lot of hardware that's not going to support Windows 11,
then you're really going to have to go down a path of mitigation while you work through that.
But look, you've got to be talking five plus year old hardware that's not going to support it, right?
Yeah.
Anything that's of any decent age is going to have the right elements to it.
So most organisations, I feel, are at least going to have capable hardware to upgrade.
Yeah.
So once you understand that you've got the correct hardware in place,
I imagine that it's a fairly easy process to roll out some sort of upgrade package, right?
Like, is it a nuke and rebuild,
or is it just like something you drop on Win 10 and it goes and does the thing in the background
while the user's at home, and then they're on Win 11?
I think in the best case scenario, you're starting fresh, you're doing a nuke and rebuild in a monitored and managed platform.
Again, from a timing perspective,
it is possible to just do some in-place upgrades
and get to that supported state
while you're now working on
what's your new way of building machines moving forward.
Yeah, right, okay.
Now, tell me about the Intune way of doing this
because I'd imagine like in Microsoft's dream world,
everyone's using Intune and fair enough too,
because it's actually quite a powerful and awesome platform.
Like, it's very, very good.
And of course, for those who aren't familiar, Devicie, the company you work for, you know, what you've done
is to take this plumbing of Intune and actually make it somewhat usable. I guess also a bit
of a hybrid service in that Devicie will help you if you're trying to do a project or, you know,
roll out a new app or make some configuration changes or whatever, like you're, you're there
to help people. But really the key thing is you've sort of made Intune something that's, that's much
more usable. So what does the process look like, you know, with Intune when you're just trying to
upgrade like a fleet of say 10,000 boxes that are all singing and swimming and dancing and
very, very happy and Intune enrolled. I imagine that is like exquisitely simple, really. But
then again, you know, you tell me. No, it is. And if you're in Intune in that state already,
then you're going to have access to that Windows Update readiness reporting that will tell
you, okay, we're good to go. And then it's as simple as just like rolling out a regular monthly
update. So enabling the feature upgrade to go from Windows 10 to Windows 11, you can pick the
release. A lot of people are still not quite happy with 24H2, although I thoroughly recommend
it. The next release is about to drop in a month or two. So if you don't go with that one now,
you're going to be one behind, almost straight away. And so create a feature update. Think about your
rings, right? You want to make sure you're rolling it out to a select group, a pilot group first
and getting it tested and vetted that there's no show stoppers in your environment. Then you want
to expand that to your user acceptance group. Is that all sort of built in via Intune or is that
more of a device you featured like the ringed rollout stuff? No, look, that's built into Intune.
So you can create your groups, you set your delay times, and Intune will
then handle the rollout in a staged approach based on the members of those groups.
Devicie obviously helps with getting that configuration to a best practice state,
but we're just using the Intune plumbing underneath, like you said.
Yeah, well, I mean, that's kind of the whole point of Devicie, right?
Which is what I was trying to explain, which is like, Intune'll do all of this stuff,
but like, good luck figuring it out, right, without some extra tooling.
Exactly.
So, like, you know, how bad is this going to get, right?
Because you seem like, you know, you're very calm person.
But you seem a little bit freaked out about what's going to happen in October, right?
Like, I think what you seem to be saying is, like, this is a bigger problem than people realize.
And there's a lot of companies that aren't going to be ready.
I mean, what are the odds that Microsoft says, okay, we'll give you another few months?
Because they have done that in the past, right?
They have.
I don't think they've done it at this level.
You look at, I mean, the last time this happened was Windows 7 to Windows 10.
Yeah.
and there was the same level of, not freak out, but the same level of Windows 10 isn't ready and
we can't move away from Windows 7, why are we ending it? And then now we're at the same boat again, right?
It's just history repeating. And I think that organizations are underestimating the impact
that it's going to have, right? Yep, come October. Nothing's going to stop working. Nothing's going to break.
but suddenly if something is, if there is a vulnerability or if there is something that needs
patching, Microsoft answer is going to be, we'll fix it in Windows 11.
And now if you're an org that is still on a fleet, if you've got 10,000 Windows 10 devices
out there and every single one of those is vulnerable to something that's now out there
in the wild and known and isn't getting a patch, yeah, you're either
stuck with forking out a whole lot of money and Microsoft might fix it, or suddenly rushing this
process that, if it's done in a controlled way, is quite a simple upgrade.
Hey, just one more question too on Intune. Like, what licensing tiers get it? Is it across all
licensing tiers? Is Intune just something that's like, well, because it's native, you know,
it's like a native Windows thing, like everyone gets it? Or do you have to be on some sort of E5 license
or something to get it at no extra cost? It's pretty broad. So,
like it's part of business premium, it's part of E3, E5.
Yeah, okay.
A lot of the frontline worker, the F SKUs, get it.
Like the F1s have Intune built into them.
So it's pretty broad.
It's not just a blanket.
The other part of it where you have advantage is if you're on something like an E3 or an E5
is having that Windows Enterprise license underneath as well that unlocks some additional
capabilities within Intune.
So really, what's your excuse, I guess, is the question?
Exactly, right?
Okay, well, you heard it here first.
Windows 10 users, repent, for judgment day is coming.
Sean Ollerton, thank you so much for joining us to have a chat about that.
Very interesting stuff.
Thanks, Sammy. Great to be here.
That was Sean Ollerton from Devicie there.
Big thanks to him for that.
And big thanks to Devicie, a fine Australian company, for being this week's sponsor.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back next week with more security news and analysis, but until then, I've been Patrick Gray.
Thanks for listening.