Risky Business - Risky Business #805 -- On the Salesloft Drift breach and "OAuth soup"

Episode Date: September 3, 2025

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

- The Salesloft breach and why OAuth soup is a problem
- The Salt Typhoon telco hackers turn out to be Chinese private sector, but state-directed
- Google says it will stand up a “disruption unit”
- Microsoft writes up a ransomware gang that’s all-in on the cloud future
- Aussie firm hot-mics its work-from-home employees’ laptops
- Youtube scam baiters help the feds take down a fraud ring

This episode is sponsored by Dropzone.AI. Founder and CEO Edward Wu joins the show to talk about how AI driven SOC tools can help smaller organisations claw their way above the “security poverty line”. A dedicated monitoring team, threat hunting and alert triage, in a company that only has a couple of part time infosec people? Yes please!

This episode is also available on Youtube.

Show notes

- The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft – Krebs on Security
- Salesloft: The Leading AI Revenue Orchestration Platform
- Palo Alto Networks, Zscaler customers impacted by supply chain attacks | Cybersecurity Dive
- The impact of the Salesloft Drift breach on Cloudflare and our customers
- China used three private companies to hack global telecoms, U.S. says
- CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF
- Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense | CyberScoop
- Ransomware gang takedowns causing explosion of new, smaller groups | The Record from Recorded Future News
- Hundreds of Swedish municipalities impacted by suspected ransomware attack on IT supplier | The Record from Recorded Future News
- Storm-0501’s evolving techniques lead to cloud-based ransomware | Microsoft Security Blog
- The Era of AI-Generated Ransomware Has Arrived | WIRED
- Between Two Nerds: How threat actors are using AI to run wild - YouTube
- Affiliates Flock to ‘Soulless’ Scam Gambling Machine – Krebs on Security
- UK sought broad access to Apple customers’ data, court filing suggests
- ICE reactivates contract with spyware maker Paragon | TechCrunch
- WhatsApp fixes 'zero-click' bug used to hack Apple users with spyware | TechCrunch
- Safetrac turned staff laptops into covert recording devices to monitor WFH
- Risky Bulletin: YouTubers unmask and help dismantle giant Chinese scam ring - Risky Business Media

Transcript
Starting point is 00:00:00 Hi everyone and welcome to Risky Business. My name's Patrick Gray. We've got a great show for you this week. Plenty of interesting stuff going on, and we'll be talking about all of that with Adam Boileau in just a moment, and then we'll be hearing from this week's sponsor. And this week's show is brought to you by Dropzone. Dropzone is a company, I'm an advisor to Dropzone. They make an AI-powered Tier 1 SOC analyst, basically, that can do a lot of the grunt work in a SOC.
Starting point is 00:00:28 And Ed Wu, who is the founder over there, super smart guy, he's a real thinker, and I always enjoy talking to him. And this week's sponsor interview is all about how AI might finally actually do something to move the security poverty line, right? So it's Ed's position that AI might actually start, you know, allowing small to medium enterprises to have security controls and detections and all of those nice things that are normally reserved for the 1%. He puts forward a pretty compelling case, and he also talks about the blurring of the lines in the AI and sort of cloud and SaaS age. All of those things are sort of merging into this weird situation where the lines between what is a service
Starting point is 00:01:10 and what is a product are getting somewhat blurry. So that is a really interesting conversation with Ed coming up after the week's news. I do hope you will stick around for it. But yeah, it's time to get into the news now with Adam Boileau. And Adam, the first thing we're going to talk about today is this breach at a company called Salesloft. They make an
Starting point is 00:01:34 AI chatbot that customers can put on their websites to, like, you know, fill their sales funnel and all of that good corporate-y sort of stuff. And there's been some sort of breach where the OAuth tokens that are used by that sales bot, by that AI bot, to interface with their customers' Salesforce instances all went missing. We don't know how. And this has resulted in a bunch of Salesforce data belonging to various customers of Salesforce going missing. How's that for a summary? Yeah, that's a reasonable roundup. There's quite a lot of moving cloud parts in this story.
Starting point is 00:02:10 So it can be a little hard to wrap your head around. But yeah, the attackers stole, you know, OAuth authentication tokens, bearer tokens, that Salesloft were holding on behalf of its customers so that its, you know, AI systems could interface with their Salesforce, but also in many cases Google Workspace, Amazon, other bits and pieces that store customer data that is relevant for making those AI, you know, sales systems work well. So the attackers, which I think are some kind of like Com-affiliated kids, I think there's no suggestion that it is exactly ShinyHunters, but it's sort of, I think Brian Krebs had some ideas that it's probably related to that crew, if not, you know, just kind of like similar methods. Anyway, they broke into Salesloft, stole these credentials, these tokens for access to other cloud services, and then started rummaging around to see where that would get them. And that's turned into a breach in a number of Salesloft's customers. Yeah.
Starting point is 00:03:13 Well, I mean, not a breach in the customers, a breach of the accounts that they use, right? So we've got to be kind of clear. In the case of Salesforce data, but as you pointed out, I didn't even mention this, it looks like, yeah, there were tokens for other services as well, including Workspace, S3, Azure and OpenAI. I mean, I don't know why you'd be integrating your website AI chatbot with these things, but I don't know, I'm not an enterprise guy, I guess. I mean, cloud OAuth is difficult, and I think, you know, that's, you know, sort of big picture, that's one of the interesting points of this, you know, kind of this whole episode is, you know,
Starting point is 00:03:51 doing authentication between third-party cloud systems and scoping that authentication properly, storing it robustly, handling it safely. Like there is something for kind of everybody in the story. Like there's something for Salesloft as a cloud company holding sensitive OAuth tokens for their customers. There's something for those customers, you know, choosing who they integrate with and what the impact of a breach at that, you know, vendor is. And then there's the downstream customers' customers, you know, the people who are, you know,
Starting point is 00:04:19 using services from, say, Cloudflare, which is one of the organizations that was involved in this, you know, customers of Cloudflare who are interacting with support ticketing systems at Cloudflare that are integrated with Salesloft, which have now been stolen, and that in some cases includes tokens for access onwards into people's Cloudflare services. So it's a pretty, you know, it's a twisty, turny maze of cloud OAuth. And this is a thing that we have, you know, kind of expressed some concern, dismay, you know, head scratching about, you know, over the last couple of years as we talk about the cloud future. Now I know, you know, BloodHound, they have like the OpenGraph now. I sort of wonder what it looks like when you start throwing in all of these
Starting point is 00:05:02 OAuth relationships into something like, you know, a BloodHound graph and what it looks like, because I have a feeling that if you were able to automagically run like a BloodHound-but-OAuth against all of the relationships, the OAuth relationships that touch your company, and every account in your company, that's going to be a horror show, right? I think this is just a great example of that. Yeah, and I think that, you know, if anything was good for those guys to go sell their, you know, cloud version of BloodHound, like, this is probably a great example of understanding what your exposure looks like and modeling these relationships, because it is complicated.
Starting point is 00:05:37 And, you know, kind of, I think, guys, so Cloudflare was one of the companies that ultimately had data breached in this process, and they had a blog post where they've written up their experience of it. And one of the things I really liked about Cloudflare's write-up of this is, like, up front they say, we chose a supplier, that supplier had a security issue, that has issues for our customers. This is ultimately on us because we chose the supplier, we own the data, we take responsibility for it. And, you know, there's lots of places that are very quick to say, well, this was a third party, something, something, it wasn't our fault. And I think Cloudflare, you know, for once doing a good thing and actually, you know, taking ownership of it.
Starting point is 00:06:17 In their write-up, they went through and looked at the attackers interacting with Cloudflare systems after they had got access to data, and doing things like finding tokens in the support history and then seeing whether those had been used
Starting point is 00:06:35 against Cloudflare's infrastructure, rotating them, all that kind of thing. So, like, pulling that thread. So yeah, I mean, kind of good work there too. Well, yeah, there's one funny thing they said, though, which is they're going to do weekly rotation of these sort of things, and I don't really know what that would have got you in this case, if I'm honest. You know what I mean? Like, and we still don't know how these Salesloft
Starting point is 00:06:55 tokens went missing, whether or not it was some social engineering thing or a different token that got into the token store or, you know what I mean, like there's a lot we don't know here. But as you point out, like, it looks like it was some sort of Com-affiliated, ShinyHunters, you know, something in that whole mix, and probably they're just going to try to ransom these companies to delete the data. But it doesn't look like it's super sensitive data. Named companies affected include Palo Alto Networks and Zscaler and whatnot. But yeah, it's certainly a big story this week. And as you point out, it's an interesting one just for the OAuth soupiness of it all.
Starting point is 00:07:31 Yeah, yeah, exactly. And we were actually, we were chatting about this in our Slack earlier on today. And Brett Winterford, used to work at Risky Biz, now at Okta, popped up to say, well, maybe they should be using this particular, like, obscure OAuth extension that lets you bind key usage so that they can only be used from certain places. And we got quite a good conversation about that, because there absolutely are some controls you can use to try and prevent this kind of token sprawl and so on. But, you know, OAuth and federated authentication and this kind of, like, inter-cloud authentication, there's so many nuanced moving parts, and as a customer
Starting point is 00:08:12 you have very little control over how your vendors implement these, you know, these technologies as well. So, like, trying to do it right might be possible. But, you know, from a technical point of view, there might be, you know, you can, like, cryptographically bind these things so that you can't just steal the tokens. You have to also have, you know, access to the key store that's blah blah blah blah blah. There's a bunch of stuff. But making this actually happen in the real world, you know, it's, there's a lot of complexity here. I mean, Okta has done minor sponsorships here and there of Risky Biz over the years. And I remember once having their chief architect on the show. And, you know, this architect was begging CISOs to include in
Starting point is 00:08:55 procurement documents that the SaaS vendors that they were using had to have, like, the, you know, the logout features included in their apps, because they built all of these wonderful features where, you know, you've got universal sign-in, you know, like one-touch sign-in, but no one-touch sign-out, right? And he's like, we've built it, please. The only way that the SaaS companies are going to do this is if you start putting it in your procurement documents. So I think there's, you know, you've got limited options in terms of what the IdP can do here.
Starting point is 00:09:26 And then you've got some sort of old world controls that we were talking about, like IP restricting the ranges where these things can be used from. But, you know, as you point out, everything's so dynamic now with machine to machine, even with machine to machine, right, in the cloud, that, like, the IPs where these tokens are going to be coming from, like, it would not be unusual if they change. Like one of the reasons we use these tokens is so we don't have to have that old school type of machine to machine trust, right? So this is not an easy thing to fix. And, you know, it's something that I've been, you know, frankly, crapping on about quite a lot over the last,
Starting point is 00:10:01 you know, five years, which is just, like, this OAuth stuff is hard. Like it's not that observable. Do you know what I mean? It's not really, there's only so much you can do as a customer because there's only so much of it in your control, which is what we're talking about now. And yeah, anyway, it's an interesting story. Yeah, it really is. And to change it, like, to improve this kind of ecosystem, all sorts of people kind of need to be able to move in lockstep, right? IdPs have to implement new features, the things that consume, applications that rely on an IdP, have to update how they, you know, for example, handle controlled sign-out. And then people who are giving out tokens, like the actual end users, like, okay, we need to constrain these tokens to have only these behaviors or only to be usable in this context.
Starting point is 00:10:46 So everybody needs to improve, you know, kind of in lockstep. But at the same time, these are all different organizations, different companies. Like, it's a real, you know, it's a real soup. And changing your soup after you've made it, it's kind of difficult, right? Yeah, I mean, people would normally say unmaking the omelette, but unmaking the soup, sure, let's go with that. Unmaking the soup. All right, so the other big news that happened over the last week
Starting point is 00:11:12 is there's been a massive advisory released by a whole bunch of different agencies. Let's see, we've got NSA, CISA, FBI, the Department of Defense Cyber Crime Center, ASD, the Canadian Centre for Cyber Security, the Canadian Security... anyway, you get the idea. But it's NCSC as well, like, everybody, the BND. And it's an attribution
Starting point is 00:11:33 document around Salt Typhoon and a roundup of a bunch of the stuff that Salt Typhoon have been doing. The most notable and interesting thing here is the advisory names a bunch of Chinese contractors. So the Sichuan Juxinhe Network Technology Company, uh, the Beijing Huanyu Tianqiong Information Technology Company, and the Sichuan Zhixin, I don't even, I can't even guess at the pronunciation of that one, Ruijie maybe, Network Technology Company. The point is these are these contractors that we're increasingly seeing talked about that are doing a whole bunch of APT-like activity, right?
Starting point is 00:12:15 So we saw Sophos go after one of them, for example, and they just keep popping up. And it looks like Salt Typhoon is a contractor operation. I did reach out to a few people, and my big question was, well, we know contractors are doing this. Is it on spec? And that's a journalism term, actually. On spec is when, like, a freelance journalist will write a story before having an editor who's agreed to buy it. So in this case it would involve collecting a bunch of intelligence and then trying to sell it. And we know that some Chinese contractors do that. So I asked around, I'm like, you know, do we
Starting point is 00:12:47 think this is on spec or is this state-directed? And I'm told that, um, you know, in this case this is state-directed activity. So the contractor is being asked by the government to go and get it. But this is interesting for a number of reasons. But, uh, before we get into what I think about it, what do you think about this? I think it's good to have some clarity, because this is the set of intrusions that was breaking into telcos all over the place. And, you know, that, you know,
Starting point is 00:13:15 telcos have access to some things. There's many reasons why you want to break into a telco. So seeing, you know, getting some understanding of who was behind it. And I think, you know, the fact that it was private companies, you know, A, speaks to the range of expertise you can buy in the, you know, in the commercial market in China. Like, they're pretty good at this whole capitalism game.
Starting point is 00:13:33 But also, you know, they're, what you can do once you're in a telco is just, it's less useful to private companies and more useful to governments, because you can use it for tracking people, you can use it for identifying, you know, how your other operations are being looked at, you know, by looking at traffic flows and monitoring. And we saw, like, you know, intrusions into lawful intercept, you know, systems for understanding, like, counterintelligence. Like there's lots of reasons that governments love breaking into telcos. So farming out to the private sector is quite interesting in that respect. So that's fun. There's also the, like, there's a bunch of technical details here about how they were doing it, how they were hiding their activity inside the telco routing environments. And frankly doing some stuff that, you know, I like telco networks. I've broken into telco networks. There's some bits and pieces in here. They're like, I don't know that I would feel comfortable doing that live on a telco's network. Like there's a little bit more config-changey, you know, plumbing stuff around, you know, turning on packet sniffing and network spanning and then pumping it up and down tunnels around the place. Like, there's a little more, you know, they're a little bit YOLO, I think is what you're saying. And I would feel comfortable.
Starting point is 00:14:40 Yeah, they're not being careful. Although don't forget that when Syria lost internet access at one point, everybody thought it was because Bashar al-Assad, you know, shut down their big internet gateways. This is a long time ago now. But it turned out, as far as I know, like I think this leaked eventually, but it turned out it was like a misfired implant that someone at Cyber Command... Like they rebooted it, it just didn't come back.
Starting point is 00:15:01 And that was a bit awks. I heard that was a fun day in the office. But that's the exception, I guess, because generally the Western services are much more careful not to do things like that. It doesn't always work out, but they are more careful. But you know, what's interesting here to me is, you know, I talked about how some of these contractors, like i-Soon was the big one where there was a data breach. And we learned a lot about these Chinese contractors thanks to that. Oh, i-Soon, sorry, i-Soon, not to be confused with iSense, the reputable, uh, security company, which, uh, was that Alex Stamos's one? No, that was iSEC.
Starting point is 00:15:34 anyway yeah yeah yeah yeah so I sec partners um but look when when something's on spec and I believe that these contractors may actually do on spec work as well when it's on spec it's not an exercise of state authority when it's a contractor it's not an exercise of state authority it's just cybercrime right which is which is an you know something that we really need to think about here now I remember having a conversation with a couple of contractors in the United States who'd worked at Fort Meade, I'll just say it, right? They'd work there. And they'd express frustration to me that every time that they were going to do certain
Starting point is 00:16:09 things like run a command or, you know, whatever, they had to stick their hand up and get the guy with Camo to come over to their workstation and hit enter, right? And they did not like this. And they said, well, you know, contractors should be able to do more. And I'm like, no, the reason the guy in the camo needs to hit enter is because he or she is exercising state authority and you actually need to be working for the state to exercise state authority
Starting point is 00:16:33 and what was interesting about that conversation is I wound up turning these guys around which was it's rare when you can convince someone because they were like contractors need to be able to do more and ultimately the way I turned them around I said say you've got a contractor you know working for NSA say right doing ops say there's an OPSX slip up right is the boss going to report that if it's a minor op-sex slip-up or are they going to bury it
Starting point is 00:17:01 because it risks their bonus and this is the thing this is you know this is just one of the many many problems with outsourcing these sorts of operations right and China no doubt is bumping into these issues already but there is a reason that captain camo needs to hit enter when you're trying to like run metasploit right so there's good reasons for that now the other interesting idea here is what do you think should be the Western response to these Chinese contracting firms who are doing this sort of stuff, Adam? Well, that's a great question. I mean, the traditional would be, well, I mean, if there were cybercrime groups,
Starting point is 00:17:36 we would, you know, try and arrest them through multilateral law enforcement, you know, which clearly is not a thing when it's in China. Then you've got sanctions and other kind of, like, financial mechanisms to try and make doing business, you know, like, let's not sell them Nvidia GPUs, you know, there's things like that you can do. But when it's, you know, kind of half state-directed but also, you know, private sale, like, it gets a little bit complicated. At the very least they probably can't go to Disney World. So, like, this is that at least. Okay, what about torching their networks? Now I'm going to give you the, I'm going to give you the case for
Starting point is 00:18:11 and the case against. The case for is you're going to make their life a lot harder, you're going to slow them down, right? If they all of a sudden understand that they're operating in an environment where if they get detected, they get shelled and rm -rf'd and everything gets burned down and they have to rebuild and it takes them offline for a week, right? That's going to slow them down. Now, it's not going to stop them, but it will slow it down. Now, an argument against it is this could be escalatory, because currently, once they're getting into a telco, getting what they need, they're not burning it down on the way out.
Starting point is 00:18:43 So would they... Other than all of those, the, what was the, Barracuda? Other than all the Barracudas, where they did, well, they didn't burn them down, they just, they just went deeper, right? Like, I see what you mean. They made a mess, right? Yeah, yeah, yeah, yeah, they made a mess.
Starting point is 00:19:03 So could it be escalatory, right? And the answer is yes. But here's why I think it doesn't matter. Because if you burn one of these contractors, say you just, you detect them doing Salt Typhoon stuff, you go in, you rm -rf everything, you make their lives miserable, steal a bunch of data, put it out there as torrents, right? Just really make their life hard. I don't think the Chinese government would view it favorably if they then responded by going
Starting point is 00:19:31 and doing the same thing to a US government agency. I think that's the escalation risk. It would be entirely up to them whether or not this escalated into a proper, like, I'm going to say it, cyber war. But what do you think? I mean, yeah, I mean, we burn their tools, right? So if we, you know, we went through this, like, a few years ago when the US started, like, dropping attacker tooling on, you know, on GitHub or whatever,
Starting point is 00:20:00 so that they would have, be forced to have, you know, their tooling ripped out from underneath them and they'd have to go reinvest in tooling. And that's kind of like a similar sort of thing, but without quite as much aggro, you know, into their networks. But I mean, you can totally see it would make sense to go back to delete their stuff, try and make their lives as difficult as possible, pull that thread as far as you can to maximize the costs that you're imposing. You know, then you've got to ask, like, well, why don't we get access to building
Starting point is 00:20:27 control systems and torch that and lock them all in their buildings so they can't go to the bathroom anymore? You know, or we go, you know, I mean, I've been, I've gone back to playing Cyberpunk the video game lately. It's like, maybe we need some bad ICE. It'll burn their brains out, you know, while they're trying to hack us. So, you know, you've got a range of options. And, you know, I know that I've broken into building access control systems and been in a position to lock people in their incident response room. And it is kind of tempting to say, well, what are you going to do now when you can't leave?
Starting point is 00:20:58 But, you know, health and safety and liability insurance means we probably can't do that. But, you know, maybe the US gov could, in fact, do that. And, yeah, as you say, I think the escalatoriness of it is overcorrected for, because we're already, you know, things are already pretty escalatory around here. And, like, you know, they're already hacking all the telcos. You know, China's already hacking US telcos and in prepositioning for everything else. Like, you know, how much further can they escalate without it actually, you know, getting real? Yeah, I mean, it's, yeah, that's what I wonder as well. I'm like, on one, you know, on one level it's like, it seems like an escalation risk. But then
Starting point is 00:21:37 you game it out and it's like, I don't actually think so. I don't think so. And we've got a White House at the moment that is getting serious about being much more aggressive. They're talking about how they want to be much more offensive. You know, Tom Uren, our colleague, has written about how, like, look, that's good, do that, but that's not going to solve problems like, you know, the court system getting hacked. Like, you know, you can't offsec your way out of everything. But it doesn't mean you shouldn't do it. And I think certainly in this case, I reckon a little bit of hand release might, um, might make sense, you know, if they're looking to adopt a more offensive posture. I think these contractors would be a great place to start. Now, speaking of
Starting point is 00:22:14 getting a little bit more offensive, Google is talking about launching what they're calling, I guess, a disruption unit, which is interesting. It's a little bit unclear exactly what they mean by this, whether or not it's about, you know, lawful takedowns or whatever, or whether they're just going to YOLO it. But we've got a piece here from CyberScoop that quotes Sandra Joyce, who's the VP of Google's Threat Intelligence Group. I've met Sandra. Honestly, I think we could probably solve the ransomware issue by giving her a parachute and a pistol
Starting point is 00:22:49 and, like, kicking her out of a plane over Russia. She's a hard charger, a very smart woman. And yeah, anyway, what did you make of this? What exactly do we know about what Google's trying to do here? So they're a little bit vague about it. And, you know, there is absolutely a kind of a continuum between, you know, taking down, you know, stopping ongoing operations that you detect in flight, you know, by burning their tools or burning their intermediate boxes, through to, like, you know,
Starting point is 00:23:18 kind of disrupting infrastructure proactively. So when you see domains getting set up, maybe you can go take those domains. And if you see C2 systems, you know, standing up, you could maybe go get those shut down somewhere to try and interfere with operations that are in the process of standing up. And then there's the kind of, like, the sort of thing that some of the threat intel companies like to do, where you actually, you know, go hack into those C2s and you pull the threads to identify victims, you head back towards their workstations, towards their, you know, ORB networks, whatever other infrastructure you can get through
Starting point is 00:23:46 behind that, once you're starting, once you are willing to start doing crimes, right, breaking the law and hacking stuff. And so, like, we don't know exactly where on that spectrum Google's talking about. And, you know, certainly when you've read, we read some of Google's other attributions over the years, you do get a sense that there's probably a bit of shell-popping going on somewhere. Like, they'll of course deny it. But that's crazy talk. What do you mean? No threat intelligence people popping shells. It never, that doesn't happen. Yeah. But it does feel like, with the US administration being a little more willing to consider this, and, you know, Tom's conversation about, you know, cyber letters of marque, um, where, you know, private organizations would
Starting point is 00:24:28 get a license to be able to go do, you know, what would otherwise be crimes, or, you know, kind of offensive hacking. And, you know, and I think if anyone was going to be doing it, Google is pretty well equipped, both in terms of people and reach and whatever else, to be out there on the, you know, the pointy end of the, you know, the letter of marque's, uh, spear. So we don't know exactly what they're up to. But, you know, the fact they're saying anything at all about it is a change from, you know, some years in the past. Yeah, it's an interesting note, because we were just talking about the disadvantage of contractors for state work. Yeah, yeah, right. But I guess, you know, letter of marque to target, like, ransomware people,
Starting point is 00:25:04 it feels a little bit different, doesn't it? You know, like that's, is that a, is that a sort of... A little bit. Yeah, is that a state authority that it's okay to farm out? Like, maybe. I don't know. I mean, in the era of piracy, I guess we decided that it was. And then, you know, maybe now in the era of computers, we can decide that as well.
Starting point is 00:25:23 But it certainly is very interesting, the contrast, the, you know, the centrally managed kind of, like, almost, you know, command economy approach that the U.S. has to doing cyber versus the very free market, you know, capitalist approach that the Chinese have, which is kind of, you know, ironic in a way. But, you know, I think everybody's got a little bit to learn from everybody else in this about, you know, how to approach these things. Yeah, I mean, we've long joked that it's free market communism, right? Yes. It's a joke in China.
Starting point is 00:25:53 But anyway, now let's have a bit of a chat about ransomware, because Jonathan Greig over at Recorded Future's, what is it, The Record masthead, has written an absolutely cracking feature, actually. I think this is a terrific write-up. And really, it's talking about the way that the ransomware ecosystem has splintered, and just the number of groups out there is just really proliferating. And there's a great quote in here from Allan Liska from Recorded Future, who said that it's now incredibly dangerous to be a large ransomware-as-a-service group. And that was really the point of these takedowns and various actions of, you know, law enforcement with assistance from, you know, SIGINT agencies and whatnot. So you
Starting point is 00:26:37 know, it's, look, it's just a great write-up about where we are. The story is quite balanced on, I guess, what this means, you know, because it's saying that ransomware is kind of up, and that's the number of new groups that are proliferating, that's sort of responsible for that. I read this, though, and I feel like this is a positive development. I think once you've knocked out the ability for these groups to kind of scale, and they're splintered off into these little different groups, and they're using sort of recycled old ransomware source and whatnot,
Starting point is 00:27:08 I feel like that's actually progress. Even if the numbers might be bad at the moment, I do feel like this is progress. Yeah, I'm inclined to agree with you here. I mean, the, you know, it's very easy to kind of choose the numbers to support the story you want to tell, and, like, number of ransomware groups is a great example of a metric that's, you know, maybe looks like it's going up. But, you know, the amount of money being brought in, the number of people involved, there's lots of ways that you can kind of look at this. Well, you can't even measure impact on money or a headcount of organization.
Starting point is 00:27:38 And, you know, criticality is like such a rubbery thing, right? Yeah, yeah. No, it is, it's difficult to kind of come up with sensible metrics. And so there's quite a lot of vibe in here. And that's, you know, the vibes feel good. Because we've been, you know, we've long talked about disrupting the kind of like trust in the marketplaces of just in time crime pipelines that these kind of groups use where they're buying initial access
Starting point is 00:28:00 from one person and using ransomware and farming out the money laundering to someone else, and all those kinds of things. Like, introducing friction, that was part of the whole point of this, and that feels like it's been successful,
Starting point is 00:28:11 and one of the points that this piece makes is that, you know, ransomware groups that are big are now having to much more tightly control who they're willing to work with as affiliates or as suppliers or whatever else, because they're being infiltrated by threat intel groups
Starting point is 00:28:27 and law enforcement and whoever else. So they have to be much more restricted, which means there's a whole swathe of actors that want to be in the game but can't get into one of the premium groups, and then have to go use recycled code, lower quality stuff, more vulnerable stuff, you know, things that have, you know, bad crypto or whatever else. So all of this cost imposing, you know, feels like it's kind of working, which is great. Yeah, it is.
Starting point is 00:28:49 And I'm guessing there's still a few vulnerable points that they can press on, right, like in the money laundering supply chain. I'm guessing a lot of these people, they're not getting paid, right? They might even be collecting around. but good luck turning that into cash, right? So I just think, you know, you've heard me describe it as mowing the lawn, right? It's not going to be a one-time thing. I feel like the lawn is still a bit woolly,
Starting point is 00:29:10 but it's, you know, getting a little bit more under control. The giant weeds have been removed. Man, I'm really stretching that metaphor a little bit too far. But, look, speaking of ransomware, Alexander Martin, also at The Record, has reported that something like 70% of the municipal governments in Sweden have been ransomwared, and that's causing some drama there.
Starting point is 00:29:32 Yeah, this is a shared service provider that provided, like, some kind of HR function, like managing sick leave, I think, was one of the examples. So they got compromised with ransomware, and that has impacted employee data from Swedish municipalities and also availability of these services at Swedish municipalities all over the country.
Starting point is 00:29:51 And it's a great example of a pretty niche vendor but one that is dominant in its niche being a great target for this type of ransomware because you have big impact for, you know, relatively, I'm assuming one kind of one relatively straightforward hack but you've got, you know, big impact across the whole country like Sweden and lots of people to go and shake down for money. Yeah, yeah, that's it.
Starting point is 00:30:11 Now, staying with ransomware, and this is a fantastic write-up from Microsoft about a group they call Storm-0501, which is the cloud ransomware stuff they're doing. And this is just a top-tier write-up here. I think if there's one thing you would want to read that we've spoken about this week, this would be it. And I mean, it's a tragedy too, because you get the impression that the target in this instance
Starting point is 00:30:38 was actually doing some stuff right. Like, there's a great section where they talked about how they had some creds, but they couldn't get into the Entra tenant because there were conditional access policies in place, right? So then they wound up finding another, like, linked tenant, which didn't have conditional access policies in, and then away they went, and they were able to federate in their own malicious tenant, and onwards and onwards. And it's just a really great write-up of what this sort of, like, hybrid on-prem up into the cloud, you know, lateral, and then federating in your own IDP basically looks like. And yeah, what they're doing is they're copying out all of the cloud data
Starting point is 00:31:21 and then burning the actual cloud instances, including the backups, and then ransoming that data back so that they can do the recovery, which seems a good way to do it. But you sort of wonder why or how an attacker is able to permanently delete backups, right? Like, there should be a way to structure your cloud backups in such a way that attackers can't do this. But then, of course, you think, well, you know, what's the dwell time of the attacker? And if they're in there for, like, three months, you know, can they just gradually corrupt backups or whatnot? But either way, what were your thoughts on this write-up, Adam? Yeah, no, it's a really good write-up and absolutely worth reading. So this is a group that I think in the past has done more traditional on-prem
Starting point is 00:32:00 ransomware, and they clearly have updated their, you know, their goals in life, and they are doing this, you know, kind of exclusively in the cloud. In this case, they pivoted through all of the on-prem infrastructure to get there. And I think that's quite interesting. So they attacked their on-prem AD, got in through all the normal kind of mechanisms there, and then leveraged some of the synchronization between on-prem and Entra ID to then eventually take over a global admin account. As you mentioned, there was, you know, some good configuration. But like many big organizations, this victim had, you know, a bunch of different divisions that had different infrastructure managed by different teams with, you know, slightly varying levels of security
Starting point is 00:32:38 across them. And they were able to, you know, find the weakest link and then use that to pivot up into the cloud, where it is much more shared and connected together. And then enumerate virtual machines, enumerate data stores, run around, steal the data. To your question about the backups, Microsoft writes that they were able to enumerate some of the storage policies around these things. So you can set, like, some data storage bits to be immutable so they can't be deleted, or virtual machines to have, you know, snapshots and other backup mechanisms. And they were actually able to enumerate all those and then, wherever possible, disable them so that they could then actually delete the data. And then when they couldn't delete the data, they resorted to encrypting it in place. So they're making that difficult.
Starting point is 00:33:25 So the overall process of recovering from this was still really quite complicated. And I guess, I don't know if Microsoft said whether they actually managed to get a ransom for all of this work or not. But they certainly gave it a good go. Well, it's the sort of thing that you read and you think, oh man, like, that is such a bad day. And you also think this is a type of attack that could play out pretty much anywhere. Oh, yeah. Yeah, absolutely.
Starting point is 00:33:50 You know, and it's, and like, as you said about the different teams and whatever, like, they were doing a lot of the right stuff. And as you point out, man, like, you kind of got to be perfect everywhere. That's the problem, right? Once you glue everything together like this. And this was an organization that had multiple, you know, standalone Windows domains that had some degree of trust, but were, I assume this is like a merger, like a merger and acquisition kind of thing, where a company has been built from lots of different, uh, smaller acquisitions that have different kind of setups and policies and things. So you can certainly see how you end up
Starting point is 00:34:25 with that kind of variability in a real-world environment. But once you glue them all together in one Entra, or one set of Entra tenants that are connected together such that you can navigate between them, then you end up inheriting the weakest link. Man, you know, Brad Arkin, who's a friend of the show, he's actually the CSO over at Salesforce. I remember when he was CSO at Adobe back in the day,
Starting point is 00:34:49 like, the number of acquisitions they were doing, it was like one every two months or something, right? Yeah. But, like, smaller things, right? Like, they were an acquisition-hungry company at the time. I don't know if they still are. But yeah, I mean, the horror stories he would tell me about, like, you know, they come in and they're like, hey, we just bought this company, you go take a look, and you're like, oh my god, how have you not been completely owned and destroyed already? And then, you know, what do you do with that when the pace of the acquisitions is like that? I mean, his response in the end was to come up with, like, four or five different architectures that they would have to move to, that were diverse enough that everyone would fall into a category where they were closest to at least one of them. And that was kind of how he solved that problem. But it was like, I mean, solve is a strong word. I'd just something. That's how he sort of tackled that problem. And, you know, you would imagine, too, that at a bunch of companies that are doing these sorts of acquisitions, you know, they don't even have someone even thinking about it. I think one of those big healthcare data breaches in the US was, you know, this is going back, a historical one, that was via a merger
Starting point is 00:35:55 and acquisition and some temporary link they put between the two networks and whatever. We actually had the person on the show talking about that, you know, some years after it had happened. But yeah, anyway, we've also got a great piece here from Wired, written by Lily Hay Newman and Matt Burgess, looking at, you know, the way AI is impacting ransomware. I mean, ransomware is software. AI is impacting ransomware development. So no surprises there. I guess what's interesting, though, is, you know, Tom and the Grugq had a good chat about this on the Between Two Nerds podcast.
Starting point is 00:36:24 We've linked through to the YouTube version of that if people want to take a look. But really, I think the thinking is, if you're doing crime, vibe coding is even better than if you're, like, doing normal software, because it doesn't have to be resilient. It doesn't have to be beautifully documented. You know, you could just get something working that works once, and then you get your, you know, you get your payment. Yeah, yeah, exactly. And that conversation that the Grugq and Tom have is pretty funny. They talk through, this is all based on a report from Anthropic, looking at how their AIs are being used by various actors, including criminals,
Starting point is 00:37:01 to go and do cybercrime. And, yeah, the conclusion seems to be that actually it's a better fit for crime than it is many other, you know, more traditional software development kind of sets of problems you have to solve because, yeah, it doesn't need to be quite as repeatable, It doesn't need to be as well integrated. And, you know, that's kind of funny, actually, in a way. That, you know, some people are really struggling to find the value in these AI systems
Starting point is 00:37:25 because the amount of work that it causes versus what it saves you. But yeah, criminals apparently seems to work well for them. So, yeah. AI is great for criming, as it turns out. Speaking of criming, Brian Krebs over at Krebs on security has a fun write-up. I mean, I don't know. Is this cybersecurity? It's like it's cybercrime, I guess.
Starting point is 00:37:44 yes, online crime, but he's taken a look at some of these like fake casinos as a service programs where you can basically just spin up a fake casino and get people to register for it by promising them free credits. And then of course they're, you know, you want to recover all of your winnings, your $10,000. Oh, you need to pay a $100 verification fee through Bitcoin or whatever. And, you know, that's how you can cash out. And of course, they just run away with the money. Just a nice write-up of this, of this, you know, little crime ecosystem here. Yeah, I like it because it's one of those sort of innovation in cybercrime. That's, you know, sort of a regular segment on the show. It's interesting innovations in
Starting point is 00:38:26 cybercrime. And making a, like, legitimately good online casino that has good quality games and, like, looks slick, works well. And then just kind of like selling that as a service to other criminals to scam people with. It's, you know, I guess ransomware doesn't pay so well, when this kind of quality innovation is coming up, but maybe it's because, you know, if everyone was making hell of money out of ransomware, then you wouldn't see this. And so this is kind of a good example of, like,
Starting point is 00:38:52 you know, we've trimmed the lawn over here, and so now someone's selling flowers over there. So, you know, it's good, making the metaphor even worse. Meanwhile, we got a little bit more information around what actually was going on in England when it came to Apple and, like, apparently the, you know, the UK government issued a technical capability notice to Apple,
Starting point is 00:39:11 which resulted in them nuking the Advanced Data Protection feature set for British customers. And now we've got a write-up from the Financial Times, who got their hands on some legal filing, presumably leaked to them by Apple, which doesn't contain the technical capability notice, because that has to remain confidential, but there's a bunch of assumed facts in there which kind of spell out the rough shape of what Apple was after, which includes, yeah, a bunch of data, not just data covered under ADP. But it looks like this whole thing where the Americans and, you know, Tulsi Gabbard were claiming there was some huge backdown, it looks like that hasn't actually happened.
Starting point is 00:39:51 No surprises there. I mean, we kind of said that at the time, that we didn't think anything had actually changed. And this reporting would seem to suggest that we were right. Yeah, and it also seems to suggest that the British were seeking kind of broader access to iCloud than what was protected by ADP. Because in some of the conversations we had, I think, earlier on, we were saying, like, there's a bunch of stuff on iCloud that is end-to-end encrypted but isn't covered under the ADP program, you know, and some things, like, like our backups, for example, have their own sort of unique properties. And so it sounds like the UK was seeking pretty broad access to that. So, yeah, the TCN included
Starting point is 00:40:27 obligations to provide and maintain a capability to disclose categories of data stored within a cloud-based backup service, which I don't think is particularly, I don't know, controversial, is it? No, it's what you'd expect them to be asking for, because, I mean, we've certainly seen how useful iPhone backups are for forensic purposes and for investigating things. So that, you know, kind of makes sense they would ask for it. But as to exactly what, because, like, ADP is a thing Apple could turn off to make a point. But, you know, backups of your phone into iCloud, like, that's not a thing they can just turn off so easily. So, yeah, it'll be interesting to see how this kind of unfurls. Yeah, that's right. I think Tom's going to take a look at this
Starting point is 00:41:09 one tomorrow as well. In other news, Immigrations and Customs Enforcement in the United States, they had a contract with Paragon, the Israeli spyware maker, worth about two million bucks. I think they suspended that contract after there was some controversy involving Paragon's dealings with the Italian government. Sorry? Italian government, maybe it was Greek government, one of the Europeans. There was the Italians, I think. But yeah, there was also a, yeah, they did a stop work order to make sure that the contract complied with an executive order on commercial spyware, which was a great executive order. We spoke about it at the time. But it looks like that contract
Starting point is 00:41:48 is now back up and running. Two million dollar contract, not really a big one in the context of this sort of stuff, if I'm honest. Yeah, yeah, not a huge contract. I think part of the reason that's getting coverage is it was specifically the Immigration and Customs Enforcement, ICE, part of DHS that was doing this. So, you know, that's a thing that's rather a hot button topic in the US at the moment. So them hacking your stuff with Paragon would be of concern to a few people, I'm sure. Yeah, yeah, that's right. And look, staying on the spyware theme, I guess, Zack Whittaker over at TechCrunch reports that WhatsApp has patched a 0-day in its iOS and Mac apps that was being used in the wild, zero-click. So the good stuff. Yeah, this was the... So we talked,
Starting point is 00:42:32 maybe it was last week, I don't remember if we mentioned it, that Apple had patched a bug in ImageIO. So it looks like that bug in ImageIO, it was being used with images sent through WhatsApp, through, like, device synchronization messages. There was some bug in WhatsApp where you could send, like, unauthed device sync messages. So basically you could deliver an image to an iPhone in a way that it wasn't clear that that's what had happened,
Starting point is 00:42:56 and without the end user seeing it, and without having to interact with it, and then exploit the Apple bug and onwards to compromise. So yeah, it's a pretty expensive bug that someone got burnt. Now, a quick report on some different spyware here. We've got this amazing report out of Australia's Financial Review, where a company here in Australia was using some software called Safetrac. And is it, was Safetrac the customer or the software?
Starting point is 00:43:22 I can't remember. But anyway. Safetrac is the customer, and the software was called something else. Okay, okay. So a company called Safetrac was using software to listen to its employees through their microphones on their laptops when they were working from home. Now, they're being investigated by the police for this
Starting point is 00:43:38 because as far as I understand it, this is really illegal in Australia. Like, you know, look, the laws may have changed, but I remember writing about this workplace surveillance stuff like 20 years ago, and you have to make it really explicit to people in their workplace that you are surveilling them. Like, if you want to put cameras up and stuff,
Starting point is 00:43:59 you need big signs saying this area is being surveilled and whatnot. And I cannot imagine this did not run afoul of that. So that's an interesting write-up and a really good and interesting report from David Marin-Guzman over at the Fin Review. So anyone who's interested in that can go have a read of it. But not only is that very likely illegal, but if it's found that this was not illegal, it very likely will be illegal soon. Let's just put it that way, because that is a type of practice that is massively out of step with what Australians expect their privacy in the workplace to be. And finally, Adam, we got a report from our very own newsletter from Catalin Cimpanu where a couple of, like, YouTube, like, scam baiters helped bring down a fairly substantial scam
Starting point is 00:44:48 operation. So this is a good news story to end the week on. Yeah, I'm sure many of us have seen, you know, the scam baiters on YouTube that will, you know, kind of engage with the scammers to either, you know, kind of lead them on and waste their time, or in some cases will, you know, go and, you know, hack back into some of the call centres and other organisations that are running these types of scams and dox them and out them and whatever else. Watch them over CCTV, which is always fun. Yes, yeah, that's always kind of fun. So this was Scammer Payback and Trilogy Media, who both have
Starting point is 00:45:19 YouTube channels that do this kind of thing. They were looking into money mules in the US who were receiving payments, you know, receiving goods that have been purchased, you know, with gift cards or whatever else, at the behest of scammers and they would actually go and confront them in person and some of this video footage in some cases the people
Starting point is 00:45:39 receiving these stolen goods or gift cards or whatever else admitted their role in this, like, say, yes, I got paid by so-and-so and we're doing it, blah blah blah. So some of that footage ended up being, I think the Department of Justice said, critical in this big wave of arrests.
Starting point is 00:45:56 they arrested I think 25 people across the US over the last few days So, yeah, interesting to see those scam baiters actually, you know, cooperating with law enforcement and delivering a pretty good takedown. Yeah, yeah, you love to see it. All right, mate, that is actually it for the week's news. Yeah, great discussion this week, heaps of fun,
Starting point is 00:46:16 and I'll look forward to doing it again next week. Yeah, thanks very much, Pat. I will talk to you then. That was Adam Boileau there with a check of the week's security news. Big thanks to him for that. It is time for this week's sponsor interview now, and we're chatting with Ed Wu, who is the founder at Dropzone. And Dropzone is a company that makes, offers, an AI tool that really acts like a tier 1 SOC analyst, right? So it sits there, hooks into your SIEM, looks at what's going on, and can tell you when something's actually going on, right?
Starting point is 00:46:51 So a lot of people are using this for, like, out-of-hours SOC monitoring. That's one use case that's really popular. A lot of people are just using it because tier 1 SOC operations are, like, really boring, and just having this thing in there doing that first line of work and triage just actually makes life more bearable. Either way, Dropzone's doing really well. It's an interesting product. We published a demo to the YouTube channel, which you should be able to find. And yeah, very cool stuff. Ed Wu, he's been in infosec for a long time. Like, he was the guy at ExtraHop Networks who developed the sort of security part of that product, and then he wound up founding Dropzone. Indeed, one of the investors in Dropzone is action,
Starting point is 00:47:31 the former founder and CTO of ExtraHop, right? So that's a vote of confidence right there. Anyway, so I spoke to Ed about, I guess, a couple of things in this interview. And one of them is his opinion, and I happen to agree with it, that AI is actually going to change where the security poverty line sits, right? Because for so long, unless you're a company that can afford good people and good tooling, you are under that security poverty line and you are at risk, right? He thinks that AI is really going to democratize a lot of sort of security stuff like monitoring and whatnot,
Starting point is 00:48:08 and his case there is compelling. He also puts forward the case that, you know, in a SaaS and AI world, what is a service and what is a product, that line's getting a little bit blurry. So here is Ed Wu talking about all of that, and I do hope you enjoy it. For the 80% of the organizations on the planet, where they have less than 5,000 employees, Gen AI, and technologies such as the ones we're building, should really allow them to, you know, essentially kind of up-level and get to a place above the poverty line. They should be able to achieve, like, an organization with 200 employees or 50 employees should still be able to get 24-7 alert coverage, you know, EDR alerts or their VPN or, you know, identity alerts, right?
Starting point is 00:48:57 Maybe organizations that's below 1,000 employees can now have some sort of automated threat hunting or vulnerability management. And this is where, like for us in addition to working with enterprises, we have been working with a number of security service providers. And what we have seen with those security service providers is the additional augmentation of software and AI really allows them to provide, you know, better service at, a lot of times, you know, lower cost. And that I think will really help, again, more organizations to be able to get more security within the same budget. I mean, sometimes it's ironic, right? You look at a 500 people organization, and realistically, most of these companies only have
Starting point is 00:49:52 like one or two security people. But it's also a little bit scary, because the amount of data, the value of data that a 500-person organization can gather is monumental, and yet they only have maybe a fractional CISO, right? And maybe one compliance person that's part-time, or an infrastructure person that's part-time looking at alerts for them. And I'm not aware of there being, like, any formal study, but I do wonder, yes, you know, seeing Fortune 500 enterprises of the world getting breached will cause a lot of societal damage, right?
Starting point is 00:50:33 But at the same time, I wonder how much of the damage caused by cyber attacks are actually occurring in smaller organizations, like organizations with 500 people or local hospital with 1,000 workers.
Starting point is 00:50:50 And that's kind of where, yeah, I think it will be really interesting to see when the cybersecurity poverty line is reduced, like how much it helps, not only the haves, but also the have-nots. Yeah, I mean, the whole concept of security tooling for small to medium businesses, and particularly for small businesses, it's always been the white whale, I guess, for a bunch of
Starting point is 00:51:15 people out there, which is, like, if you can crack that problem, like, the small business market is actually massive, because there's so many participants in it. But it's always been that expense issue, right? Which is, no one is going to spend the money. I mean, I even remember, like, 20-plus years ago going to, like, Symantec events, and, you know, Check Point did this as well, where they would launch these tiny little gateways, secure gateways, like, for your small business. And they were a couple of thousand bucks, so they're very cheap. I don't really think they delivered all that much benefit. But the point is, they put all of their marketing behind these things, and they didn't actually do that well. Yeah. Even at that price point.
Starting point is 00:51:54 Right. So I guess I'm understanding what you're saying here, which is that this is actually a very different sort of thing, because you can start to deliver a real benefit for very small amounts of money. It does make me wonder what this means for those managed security providers that you were talking about, though, because I imagine at the moment it's a case that their margins are expanding as they find efficiencies with Gen AI. But as their competitors all start to do the same thing, eventually there's going to be margin compression, and it's going to be a very difficult time for them. So I don't know where all this leads up. I mean, first of all, do you think that's maybe how this is going to play out for some of the MSSPs? Yeah, as we all know, MSPs or MDRs is a very fragmented market, right? There's no CrowdStrike of MSPs. There's no, you know, Wiz of MSSPs or MDRs.
Starting point is 00:52:42 It's very fragmented for a variety of different reasons. And, like, for us... I mean, I see what you mean, because even the big ones don't have all that much market share, right? Like Red Canary and whatever. Yeah, I think, yeah, a lot of them have less than, you know, close to just single-digit percentage, right, in terms of market share. So, and this is where, like, obviously for us, we are leveraging Gen AI to build, like,
Starting point is 00:53:07 software. But I have noticed recently, just around Black Hat, there are a number of startups coming out that are solely focused on, you know, Gen AI-powered MDR, right? And I think those, a couple of them even, you know, kind of boasted, hey, we replaced, you know, Expel, we replaced Arctic Wolf in a number of deals already, in their investor conversations. And I think this is where, like, these AI-native MDRs will start to apply pressure to, you know, the existing MSPs and MDRs, which for the longest time have been very labor-intensive, right? It's a service business. And I do think, and we have
Starting point is 00:53:51 already seen that, because we have partnered with a number of MSSPs who are, you know, technology-progressive, and they're realizing that, hey, the new generation of software-enabled service providers or startups are coming for us, and we really need to up-level and change how we deliver the service from a labor- or human-intensive kind of model to a software-augmented model. Well, I mean, it always has been a labor cost plus margin business, right? I guess the argument you're making now is that those days are numbered. Yeah, yeah, absolutely. And this is where both the expectations of customers will start to increase. There will be a downward, you know, pressure on pricing, right? We have seen cases where some of our service providers
Starting point is 00:54:45 leveraging our technology are able to reduce their SLA down to like 20 minutes. And there's no way, regardless what kind of humans you have and regardless which continents they're living for a 100% human service to get to a 20-minute SLA. So this is where we start to see, you know, technology forward service providers starting to, you can say, disrupt the market. And in addition to that,
Starting point is 00:55:13 what I have also been seeing is, like, a lot of us have been playing with ChatGPT, right. And we have seen the breadth of its capabilities. So I am definitely hearing stories about, even for clients, you know, whether it's a local hospital or legacy manufacturers that have no security expertise and have been outsourcing, you know, for two decades, they have higher expectations of their service providers as well. Because nowadays they themselves have been, you know, playing with ChatGPT, right? They can see, hey, this thing is a lot more efficient. And they are, kind of, the expectation of service providers, you know, frankly, it is increasing across the board,
Starting point is 00:55:56 not only on cybersecurity, but, you know, if you look at SDR service providers or accounting service providers, right, like, I think the expectation on all service providers has been increasing, and a lot of that is also happening within security. Well, there's also this thing, right? We were talking about this before we got recording, which is there's this sort of blurring of the lines between what is a product and what is a service. And I can really understand that when you look at something like Dropzone, right, which is a product. But I mean, is there really a difference between offering Dropzone as a product for people who've got SIEMs versus selling it as a service? Because it almost is kind of like an MDR in a box already, right?
Starting point is 00:56:38 I mean, do you, is it a product? Is it a service? Is it both? Yeah. I've definitely seen, you know, a number of startups kind of trying to resolve in different spaces within this spectrum. I think product and service at this point, it's not binary. It is a spectrum.
Starting point is 00:56:57 We have seen service companies having a lot of automation, right? So they have a product, but they don't call that a product. It's just internal tools to help the service. And then we have seen product companies, you know, having an army of humans
Starting point is 00:57:12 offshore to help you maybe plug some of the gaps within the product, right? And then there's like pure-play product companies like us. In my mind, a big difference between product and service at this particular moment boils down to, is there somebody you can call in the middle of the night if your CEO has clicked on an email that he or she shouldn't have? Like, if yes, then I will say that's a service, right? If no, then to some extent it's still a product. That's a good... that's a nice
Starting point is 00:57:48 simple definition. I like it. I mean, are you tempted, like, so the interesting thing is for you though, right? Like, you know, you're actually selling your technology to MDRs, right? Yep. Which would make it a little bit difficult for you to say, hey, congratulations, like, now we're an MDR company, right? So, like, have you excluded yourself from that end of the market? Correct. Yeah, for us, we do not work with small, medium-sized businesses directly at all. So we sell our technology to MSSPs and MDRs and help them up-level their capabilities, up-level their efficiency as well as effectiveness.
Starting point is 00:58:25 We ourselves do not have a service arm. There's nobody at Dropzone you can call in the middle of the night if you ended up clicking on a ransomware executable. And also keep in mind, the product we are building is only automating tier one. Maybe, you know, if you squinted a little bit, maybe it's automating a little bit of tier 1.5. But it's nowhere close to automating tier two or tier three. So at this moment,
Starting point is 00:58:54 you know, maybe another quick test on whether it's a product or service is like, if I get breached, like, will you help me undo all the damages and rewind the clock, essentially? Yeah, or will your... will your model pick up the phone and call in Mandiant? Probably not. Yeah. Or write up a report to our board explaining kind of what happened. And again, make all the remediation, the corrective actions, as well as sometimes, unfortunately, rebuilding of the systems.
Starting point is 00:59:30 I'm not aware of any AI security agents that are capable of determining here are the five workstations we need to nuke, here are the eight user accounts we need to nuke and rebuild from scratch. Yeah, but presumably that's coming in the next few years, you would think? I think we will see because some might say, hey, look at the growth trajectory of models.
Starting point is 00:59:56 They are getting smarter and smarter. I think OpenAI just mentioned they have an internal model that just won the International Math Olympiad or something like that, right? And you might think, okay, if the large language models can win the International Math Olympiad, then they surely can do, you know, IR work or Tier 3 work.
Starting point is 01:00:18 But the reality is when you look at this, what makes IR and Tier 2 and Tier 3 work difficult is actually not about raw intelligence. In fact, I mean, if you take an IQ test, take the average IQ of Tier 2 and Tier 3 analysts, I don't think that's like meaningfully higher or statistically higher than tier one analysts. What's actually the difference is experience
Starting point is 01:00:41 and organizational context. And this is where, regardless of how smart the model is, if the model does not have access to all the organizational context, it's not going to be able to make the right decision. And the fortunate or unfortunate reality is that a lot of the organizational context is gathered through experience.
Starting point is 01:01:03 Yeah, they're in people's heads. Yeah, and there's no API keys, you know, there's no APIs to people's heads. Maybe, you know, your link will help solve that. Maybe, maybe in the future, in this dystopian hellscape. Ed Wu,
Starting point is 01:01:17 we're kind of going over time at this point, mate, so we're going to have to say goodbye. But thank you very much for joining me for that conversation. Fascinating as always. Thank you. That was Edward Wu of Dropzone there, and you can find them at dropzone.ai. Big thanks to them for being this week's
Starting point is 01:01:33 podcast sponsor. And that is it for this week's show. I do hope you enjoyed it. I'll be back next week with more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.