Risky Business #814 -- It's a bad time to be a scam compound operator
Episode Date: November 12, 2025

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

- The KK Park scam compound in Myanmar gets blasted with actual... dynamite
- China sentences more scammers TO DEATH
- While Singapore is opting to lash them with the cane
- Chinese security firm KnownSec leaks a bunch of documents
- Necromancy continues on NSO Group, with a Trump associate in charge
- OWASP freshens up the Top 10, you won’t believe what’s number three!

This week’s episode is sponsored by Thinkst Canary. Big bird Haroon Meer joins and, as usual, makes a good point. If you’re going to trust a vendor to do something risky like put a box on your network, they have an obligation to explain how they make that safe. Thinkst has a /security page that does exactly that. So why do we let Palo Alto and Fortinet get away with “trust me, bro”?

This episode is also available on YouTube.

Show notes

- Myanmar Junta Dynamites Scam Hub in PR Move as Global Pressure Grows
- China sentences 5 Myanmar scam kingpins to death | The Record from Recorded Future News
- Law passed for scammers, mules to be caned after victims in Singapore lose almost $4b since 2020 | The Straits Times
- KnownSec breach: What we know so far. - NetAskari
- Risky Bulletin: Another Chinese security firm has its data leaked
- Inside Congress Live
- The Government Shutdown Is a Ticking Cybersecurity Time Bomb | WIRED
- Former Trump official named NSO Group executive chairman | The Record from Recorded Future News
- Short-term renewal of cyber information sharing law appears in bill to end shutdown | The Record from Recorded Future News
- Jaguar Land Rover hack hurt the U.K.'s GDP, Bank of England says
- Monetary Policy Report - November 2025 | Bank of England
- SonicWall says state-linked actor behind attacks against cloud backup service | Cybersecurity Dive
- Japanese media giant Nikkei reports Slack breach exposing employee and partner records | The Record from Recorded Future News
- "Intel sues former employee for allegedly stealing confidential data" Post by @campuscodi.risky.biz — Bluesky
- Introduction - OWASP Top 10:2025 RC1
Transcript
Hi everyone and welcome to Risky Business.
My name's Patrick Gray.
We'll be chatting with Adam Boileau about all of the week's security news in just a moment
and then we'll be hearing from this week's sponsor.
And this week we are chatting with Haroon Meer in the sponsor segment.
He is of course the founder and head honcho over at Thinkst Canary.
And he'll be joining us to talk about, I guess,
Thinkst Canary's /security page, where they sort of spell out how they think about security
and the sort of security measures that they use
to ensure that their product is, you know, sensible.
And Haroon's along basically to ask other vendors,
where's yours?
You know, where's your equivalent to Thinkst's /security page,
which he thinks is kind of table stakes.
And I kind of agree with him.
So that's an interesting conversation coming up a little bit later on.
But Adam, let's get into the news now.
And look, it's a bad week to be someone who operates a scam compound in Myanmar.
Yeah, yes.
We've seen reports that the notorious KK Park scam compound in Myanmar,
at least some of the buildings there have been blown up with dynamite.
We have some pictures of, you know, like clouds of dust and smoke rising from the facility.
Local reporting is a little mixed.
KK Park and a number of the other scam compounds in the region
kind of operate either directly with or under the kind of protection of the local, you know, military
junta, and there's a reasonable kind of set of reporting which says, you know, this is just
performative and that the relevant people were escorted out of the building safely to be
established in other places whilst they blew up some, you know, buildings for the cameras.
But, you know, even if that's the case, there is definitely a lot of focus on these scam
compounds. They have gotten too big to really kind of continue as they were and there absolutely
is going to be pressure from the outside. But either way, it's kind of nice to see.
Yeah, so like, boom.
I went down a bit of a Wikipedia rabbit hole
trying to untangle bits and pieces.
It's right.
And it gets complicated because I don't think it was actually the junta itself
that was operating these scam compounds.
I think it was actually like a Buddhist militia,
a Buddhist militia, the Karen National Army or whatever,
and now it's the junta who's blowing bits and pieces of it up.
I mean, one thing that I predicted, like a couple of years ago
was eventually we would see various armed factions competing to control
this industry, given how valuable it is.
We don't know that that's what's happening here. But I don't know who's blowing it up,
who was controlling it, who was profiting, or why. But as you point out, the KK Park compound is a big
one. I think there's something like 250 buildings there and they've blown up 25 of them. So,
you know, what this means, who can say. But we can say that China has sentenced another
five Myanmar scam compound kingpins to be executed, which we have seen before from China.
We spoke about that a few weeks ago, about how I happened to be camping
when the first news of that was released. I was very surprised when I sort of stumbled on it later,
but it looks like this is China's approach to people who run scam compounds in Myanmar.
Yeah, and this is certainly a bit more meaningful than blowing up a few buildings, you know,
and some of the crime families that are, you know, the ones who were sentenced previously in
this round as well, like, you know, they are quite big organizations.
And also, like, their Chinese operations, like the Chinese crime families operating inside China or near China and the Chinese authorities cracking down on them.
So there's kind of a saying, I think, in China that, you know, when you're outside China, the people you can least trust are other Chinese because they're going to rip you off.
And that seems to be kind of the thing that the Chinese government are cracking down here is that their own people essentially ripping off Chinese people.
And the fact that they're doing it from outside China complicates it
a little bit, but we've seen, you know, the Chinese military and police cross the border
who had to go pick people up or assist with raids or whatever else.
Like, they seem pretty serious about cracking down on this.
And honestly, like, sentencing people to death does send a pretty clear message to the others, right?
Yeah, and I think there's that thing.
And it's, you know, it's an odd complex sort of political thing.
But, you know, because the Chinese do run an authoritarian state.
But they have this sort of historical communist thing about slavery.
You know what I mean?
About the exploitation of people for this sort of activity
is something that is so offensive to Chinese communist ideology
that I'm not surprised that these guys are getting lined up against the wall
and sort of taken care of, right?
Like, that is just...
Do you sort of see where I'm coming from with that?
Yeah, yeah, yeah.
Absolutely, yeah.
And, you know, the...
Like, the only thing that would make it worse
from a Chinese Communist Party perspective
is if there were religion involved.
You know, as if they were religious cults
that were also exploiting people for commercial gains.
Then it was like they'd kill them twice, you know.
Yes, they would.
Oh, dear, oh dear.
Well, I guess the good thing is the scale of the scam industry has gotten some attention.
And we've seen it, you know, in Myanmar, we've seen it in around Thailand and Cambodia and Lao, Vietnam.
Like that whole region, there is definitely this kind of feeling that, you know, this has gotten too big.
And they're each kind of exploring their own ways to deal with it.
Yeah.
Yeah.
Good job China for once.
I mean, the whole thing feels a little bit Trumpy, I think, in the way it's like, you know,
the way they're hitting, like, alleged drug boats and stuff in the Caribbean.
It's like, yeah, right, okay.
So we got to the point where there's dynamite involved in executions and stuff.
And right, okay.
2025 is not really the year of nuance, is it?
No, it's certainly not.
Speaking of, and staying with, you know, cyber scams: in Singapore,
scammers and mules, money mules, are going to be sentenced to between
six and 24 strokes each,
which sounds pleasant until you realize
they're talking about strokes from a cane.
They're not going to just gently stroke them.
They're going to lash them with a cane.
And these Singaporean like cane dudes
take it pretty seriously.
They do, yeah, they really like the cane in Singapore.
And, you know, one of the things that came out of this,
there's been existing laws around, you know,
caning as a punishment,
and they've kind of overhauled the levels and places where there's like mandatory caning,
discretionary caning, depending on the particular case or whatever else,
and the amount of lashes that you get.
One of the other stats that came out of this is that 60% of reported crimes in Singapore are scams,
which I thought was a really interesting number.
I mean, you know, Singapore is a famously quite safe place because of the strictness of their laws.
And, you know, it's a very small country, so they do have to kind of run a pretty tight ship to keep things civil.
But 60% was quite a big number.
Do you think it's because of the strict laws?
I don't know, man.
I think that Singapore's probably got some other things going for it
that make turning to a life of crime not such a, you know.
I mean, yes, I'm sure there are a number of factors,
but I mean, you know, you get on the train in Singapore
on the, you know, on the metro, the subway thing.
And there is no chewing gum on the seats of that train,
unlike every other country in the world,
because if you stick chewing gum on the train,
you're also going to get caned.
So, you know, it does provide some, you know,
compels people to behave themselves.
But yeah, there's a number of offenses, you know, things like running scams themselves, money muling.
There's also things like supporting them with like registering SIM cards or providing like other services to scammers,
which may also see you like discretionary caned if they decide if you're a bad person.
But again, I guess the moral story is Singapore, probably not the place to do it.
China is certainly not the place to do it.
And the other place is, you know, a little bit getting more dicey by the day.
Yeah, it's funny, you know, I knew a few of the Australian Federal Police guys who worked on the Bali bombing case.
Bali bombing, of course, happened back in 2002 and killed a bunch of Australians, so the Australian Federal Police offered support.
It was really interesting talking to them about the Southeast Asian approach to law enforcement,
especially when they're combating something that they take seriously.
So they had a number of laws that actually were very useful, according to the AFP,
because a lot of those guys, they wound up going from those sort of tasks,
and a bunch of them sort of wound up in the cyber part of AFP,
which is how I knew them.
And yeah, many an interesting conversation over beer, actually.
It was interesting because they said the laws that enabled them to detain people for,
you know, a few days and sort of sweat them a bit were actually quite helpful
in solving that crime quite quickly.
But other things they did, the Australians were like, whoa, hey, take it easy, you know.
I think during the search for one of the bomb makers,
a guy I know in the AFP was shown
a video of where they thought he was in this hut and they just lit the hut up.
And I mean like machine gun fire, mortars, everything, didn't even say, hey, come out,
like just lit it up.
And the AFP guys were like, yeah, that's not quite how we do things, but, you know, you do you.
So I feel like, you know, once the wheels of justice start moving in Asia, yeah,
they certainly do grind inexorably towards an outcome.
Let's put it that way.
Oh, dear.
All right, so staying with Asia,
and there has been a breach of a Chinese cybersecurity firm called KnownSec.
What do we know about this one?
Because it does not appear to be of the same stripe as the i-Soon leaks,
where they were doing a lot of hacking
and, you know, trying to sell stolen material to the Chinese government and whatnot.
This seems like a more professional and less Yahoo kind of outfit.
Like, what do we know here?
Yeah, so this is, they are some
subsidiary of Tencent, and they are a pretty kind of like full service, you know, cybersecurity company.
There's a tranche of documents that were leaked on GitHub.
They've subsequently been pulled, so I haven't seen the full set.
And a few people have started analyzing, obviously they're all in Chinese, so that makes it more
complicated for Western analysts.
But we've got a few write-ups of some of the documents that people have seen.
And it's, yeah, it's not quite i-Soon level, like this is a crowd that's, you know,
running an APT or anything.
Like this is more, you know, there's a bunch of infosec and cyber related services.
So things like they have a, I guess a thing like Shodan or Censys that provides internet
survey and you can query it for devices.
And of course, some of those are flagged with, you know, vulnerable to particular exploits.
Same kind of things you get with Shodan.
There's also some documents like describing some of the services that they can provide.
And you have to kind of read those with a bit of like marketing sales guy grain of salt,
like the Snowden PowerPoints that leaked from NSA.
Sometimes there's things that are aspirational capabilities
or things that they'd like to be able to do
or would like to sell but don't quite do.
Anyway, it's a little bit hard to read between those lines,
especially with the language challenges.
But there are documents about, you know, for example,
lists of systems in Taiwan and which of those are vulnerable
to particular like, you know, firewall bugs
or common, you know, exploits that have been around.
There's some information around like their capability
of collecting data from various email providers, which covered basically everything in China,
and then also Gmail, which was quite interesting.
And they don't specify how they get their data, whether it's a lawful process, whether it's a
technical process, like exactly what it is.
But there, some descriptions of capabilities there.
And, you know, just a few other bits and pieces that people are like, you know, it's not quite
clear.
Like, for example, there's like Windows trojans/backdoors/RATs, which could be legit
services, could be hacker tools, could be both,
kind of difficult to say.
Sorry, we don't really know.
It doesn't feel exactly like i-Soon,
but it's certainly an interesting insight,
you know,
into these Chinese companies and the ecosystem.
Generally, you know,
someone will have to get hold of the whole tranche
and really dig through before we know actually
whether it's interesting or just kind of like, you know,
workaday info leaks.
Yeah, yeah.
Is it a pentest company plus Shodan
or is it offering like RATs to the MSS?
Like we don't actually know yet.
It could be either of those, right?
We're just going to have to wait and see.
Good news here, though, I guess, is that the, well, not for them,
but the good news for us is that this data is apparently being sold on, like,
telegram or something.
So someone's going to get their hands on it, and when they do, they'll do that analysis,
and we should know a little bit more.
Now, talk to me about the apparent breach at the Congressional Budget Office,
because we started seeing reports of this last week that they'd had an incident.
And now, I guess where it got more interesting is that we've got some subsequent reporting from Politico that says that this is still a live incident and that people are being
told, like, don't click on links in your own emails and whatnot, because people are still, like, in there.
Not great, especially during a government shutdown.
Yeah, exactly. We haven't seen much in the way of specifics. Obviously the shutdown doesn't exactly help that process. It was being reported earlier in
the week as though it was like a thing happened and we're investigating and it's under control.
Politico today was saying that it's still considered ongoing and that some other
organizations... So for example, Politico saw an email in the Library of Congress where staff
there were told not to interact with the Congressional Budget Office, like not to go on
Teams calls with them, not to Zoom meet with them or click on links in their emails.
So there's definitely some feeling that it's still, you know, live and ongoing and maybe
they haven't actually contained it yet. And that's obviously not great. Details are just super
sketchy though. It's just, you know, bad stuff is currently happening as opposed to bad stuff did happen,
and we will, you know, wait and see exactly what that looks like. But, you know, I guess it's not a great
time to be a US government employee, full stop, at the moment.
No. And if you have to interact with that office...
Yeah. And Lily Hay Newman has a report for WIRED. Just sort of, I mean, there's not much here,
but, you know, basically the piece is asking what the result of this shutdown is going to be in terms of
security outcomes. You know, I think the vote to reopen has already happened or is about to happen.
I can't remember. It all gets a bit lost, but, you know, the government's going to reopen.
And the question's really going to be like, how much catch-up is there? So I believe that, like,
a lot of security personnel, they did still work through the shutdown. But, you know, you know what
it's like? You've worked security jobs. Quite often, as part of your job, you're going to be asking
other people to do things. And are those people there? You know, you need to meet with various people from
across the organization to actually do your job and a lot of them aren't going to be there.
So I don't think we really know how badly things have atrophied over the last five weeks of this
US government shutdown.
But yeah, look, one point the piece makes is that things have actually got better inside
the US government over time, like moving to more cloud-based systems and things like that
and actually some attention being put onto cybersecurity.
But, yeah, I mean, I think a whole bunch of
people are going to come back to work and then neglect will gradually reveal itself.
Yeah, I think it's hard to judge, but I think the combination of the shutdown and then the kind
of wider cuts across the government employee base, you know, over this year, you know, it's going
to be a pretty rough place because, as you say, you have to interact with other people to get
things done if those people are busy or don't exist anymore because they lost their jobs,
you know, getting anything done and getting it done comprehensively.
Because like you can make security changes, you can, you know, have initiatives, etc., etc.,
but you kind of have to be comprehensive about it.
You can't just do it in a little pocket.
You kind of have to do it everywhere.
And that kind of effective coverage is very difficult
when the organizations you're dealing with are compromised by, you know,
the availability of staff or resources or whatever else.
And yeah, we're not going to know for a while, you know,
what the cuts at CISA meant, what this, you know,
government shutdown has done.
It's going to be a mess and it's going to take a while to claw back,
you know, because everybody's going to be hyper busy when they get back to work.
And, you know, I'm sure the adversaries will make hay while the sun shines, you know.
Well, they're always trying, right?
Yes, exactly.
Now, look, staying with the US, and we've seen the appointment of Donald Trump's former bankruptcy lawyer,
also the former US ambassador to Israel, being appointed to, what is he,
is the president of the board at NSO, or something, and this comes after the NSO Group has been acquired
by a group of US investors, which included the movie producer Robert Simonds.
Look, it seems pretty obvious what's happening here, which is that, yeah, David Friedman,
who is the former ambassador.
Yeah, so he's the executive chairman.
Sorry, I'm just looking at it here.
We've got some good reporting from The Guardian that we've linked through to in this week's show notes.
It seems pretty clear what's happening here is US owners are taking over NSO,
and it is a matter of time before the...
they're going to move to have the sort of sanctions and entity listings against
NSO group dropped and they're going to be going after the US market.
Now, I think this is depressing in that NSO group sort of being resurrected from the dead
is not what we want to see.
I think seeing anyone involved in that enterprise sort of rewarded and legitimized is a bad thing.
And you do wonder who's driving this,
right? And what the plan is for NSO group's products under this current administration in the United States?
Yeah, I mean, it's a good question. I think the original founders are out as of the most recent kind of ownership change.
And you can definitely see the path that they're going there. As you say, like a pivot towards being a supplier into the US, you know, law enforcement and national security and other buyers there.
Well, Friedman says that that's his objective, right? He says he wants to take NSO and get at US government contracts.
Yeah, and given, you know, they bought it for really tuppence ha'penny, right?
There was very, very little compared to what NSO used to be worth.
And so I guess they feel like there is still a lot of, you know,
latent value that they can claw back and, you know, make bank on that particular purchase.
They've just got to navigate this process.
And, you know, there's a level of nepotism that we kind of expect in the US at the moment.
It makes sense that, you know, the guy's got the connections to Trump,
you know, there is a kind of a path for them to turn this into a real thing, which, as you say, is kind of depressing.
On the other hand, you know, the US as a steward of these, if we accept that these tools are going to be made somewhere and exist somewhere, the US is probably a better place for them to be beholden to, because the US, you know, modulo the recent unpleasantness, basically believes in the regular world order,
whereas, you know, we see what some of the players
that operate outside of those constraints
have been doing, like all the places that they've been selling.
And NSO in the past have sold to.
You know, it's not the worst place for them to land
versus, like, sell it to Russia or, you know, sell it to North Korea or something.
There are plenty of places where it could go that would be worse.
But it's still not great, as you say, to see people rewarded.
Well, I think, I think, you know,
given that the original founders and shareholders all sort of got hosed,
maybe that's not the worst part of it.
I just don't think this admin is going to do
particularly responsible things with NSO Group.
I did see, I don't know if you saw recently,
but the new president of Syria,
Ahmed al-Sharaa,
actually closed the office of his brother
who was trying to profit from the family name.
And I did see someone comment on social media
that, you know, it's kind of ironic
that the former al-Qaeda guy
seems to be, you know,
doing a better job on nepotism
than the United States president.
So, you know, strewth, we do live in fascinating times.
But yeah, look, I think broadly speaking, you're right.
And look, even in my conversation that I spoke about last week,
the conversation I had with John Scott-Railton at Citizen Lab,
you know, it really is my opinion that when it comes to spyware,
the thing that really matters is the legal controls around it,
the legal framework around how it's allowed to be used, you know,
what the courts do, what the courts are allowed to do.
You know, this is where the rubber meets the road when it comes to
spyware. So it's really important that the government of the day is going to be a responsible steward. Now,
whether or not that's this current government, I don't, I don't know. But the midterm elections are
happening in 12 months from now, so I, I think, you know, what, what unfurls from this is really going
to depend on who wins elections in the United States and who cares about this issue. And it has seemed
in the past that there has been some sort of bipartisan concern around this. I think the Biden White House
did a pretty good job on this.
So, you know, it's all going to come down to who gets elected.
Yeah.
One question I had reading this particular story is, what about the injunction by Meta against
NSO Group?
Like this whole process, like let's say they get to the point where they, you know,
are back in the US government's good books or whatever.
Are they still not allowed to target Facebook or WhatsApp or, you know,
anything meta owned because of that particular injunction,
which puts them in somewhat of a competitive disadvantage compared to their peers that
can sell WhatsApp exploits.
I don't know. I mean, I think there's ways around that, which is you can sell the
exploit and the customer could use it and they've got sovereign immunity. And like there's,
there's going to be ways to skin that cat. I don't see that as being the end of NSO. I just think,
yeah, I'm not on the team that I think that is some crushing blow against them. But they're appealing
it anyway. So again, comes down to the courts, comes down to the law, comes down to, you know,
to what's allowed. So we'll just have to see. Now, look, staying with the US. And, you know,
CISA 2015, not to be confused with the agency, but the Cybersecurity Information Sharing Act,
that lapsed after 10 years. So that lapsed on September 30. Been freakouts from various
quarters. Now, this is the law and the framework that allows companies to share data with the
government for that data not to be used against them in various ways. So it's been a, you know,
it's been a big deal. There wasn't, there hasn't been an immediate cessation
of that sharing, right? So that's the good news. But it's also not a tenable situation where
people are sharing this information without cover. I think most organizations have been in a sort of
wait and see holding pattern with it, which is all well and good until it drags on a little bit
too long or something bad happens or there's some government action or, you know, so now it looks
like that law is going to be, it's going to go through with the reopening of the government.
It's going to get kicked down the road until about January 30. And there's a lot. And there's
a bit of an argument between the Dems and the Republicans as to whether or not they just do a
clean reauthorization of that bill or whether they actually whack some additional stuff in there.
One thing that some people want to go in there is immunity for people who've shared this
information while the bill has lapsed.
But it looks like it's going to get worked out.
And thank God for that because I've had a lot of people in my ear about this over the last
month or two saying that really if this thing goes away, it's a very big problem.
Yeah, yeah, it's been a lot of kind of conversation about it and quite how important it has been.
And, you know, it's funny how these things end up kind of casualties of the wider, you know, political situation, right?
I mean, this will end up being temporarily reauthorized, we presume, you know, with the government restart.
But it shouldn't have to be tied to that.
Like, they should have to have a functional democratic process that results in this being reauthorized in the normal way instead of lurching through with everything else.
But it is, you know, it does seem to have been a particularly important thing, and, you know,
I think at the moment there is some kind of somewhat bipartisan support for extending it properly.
Like, there's a few people holding out because, you know, there's been, you know, lots of concerns
around kind of weaponising these relationships, you know, with the private sector by the government,
in, you know, one way or the other. But this is, you know, it was a dumb thing to throw out with the
bathwater, and I'm glad that even if it's temporary it's going to be moving onwards and
presumably they will get it right eventually.
Yeah, that's it. Now we've got a report from
Kevin Collier here who has, it's a good report actually, because he's noticed that in the Bank of
England's, you know, economic update it even mentions the ransomware attack against
Jaguar Land Rover. You know, it says, what do we got here? Headline GDP growth has remained
slightly higher than estimates of underlying growth over recent quarters, you know, blah blah blah blah blah,
blah, blah, blah.
Headline GDP is projected to have grown by 0.2% in Q3, a little less than expected in the August report.
That reflects weaker than expected growth in exports to the US, as well as disruption linked to the Jaguar Land Rover cyber attack.
So that's really interesting when you've got a central bank in a major economy saying, you know, this ransomware attack actually weighed on growth.
I mean, that means that that ransomware attack has measurably impacted the economy and thus measurably impacted the quality of life of Britons,
which is nuts.
Yeah, and there's one comparison that Collier makes,
which was that it's more impact than WannaCry had.
We remember what WannaCry was like at the time.
It was wild watching that bug go crazy across the internet
and knock all sorts of stuff offline.
And so this particular, you know,
ransomware attack making a bigger impact,
like, what was it,
$2.5 billion worth of impact
with the UK economy,
at Jaguar Land Rover,
like that's significant.
And it does kind of also, you know, makes me think about the kids that did this, like,
are mostly, you know, British or at least English speaking, you know, like, I wouldn't want to be
them.
Like, they may well have caught the, you know, being the dog that, you know, catches the car kind
of thing because they're, you know, it's going to take law enforcement a while to untangle
all of that comms mess, but they're going to get there.
And these guys are going to be, you know, looking at, you know, taking the rap for the Bank
of England saying the GDP is down because of, because of
him. That's not going to be good for your prosecution. That doesn't look good when you're in court
getting sentenced when you've got the, you know, the head of the Bank of England saying
this guy just hurt the economy. It's not good. It's not going to reflect well. What else have we got
here? We've got SonicWall saying that those attacks against their sort of cloud config backup thing.
This is when they were getting brute forced and didn't notice because they weren't doing any
brute force detection, which is, you know, malpractice,
if I'm, you know, expressing my true opinion on that.
They've now said that that was a state-backed actor who did that.
I don't think they've said who it was, but yeah, I mean, no surprise there, really.
I mean, look, smells like China.
Let's be honest.
It does smell that way.
I mean, it could be North Korea, I suppose, but it does kind of smell like China.
North Korea going after SonicWalls?
I mean, how many crypto exchanges are using them?
It doesn't, no.
It doesn't, yeah.
I'm just thinking, like, who would be behind it and do a good job, right?
It's kind of a short list.
Yeah.
The interesting thing about this SonicWall thing, right?
So they've said that it was probably a nation state actor.
When they originally reported it,
they mentioned brute forcing as a vector.
And it did seem, and they said like, oh, 5% of our customers.
And that felt like plausibly brute forcing.
But I think that they've kind of,
they don't seem to be doubling down on the brute forcing angle.
I think that there is another avenue
because the fact that it went to 100% of customers,
they got all of the backups does not feel like account brute force.
That feels like there was a bug in the platform
and that they originally spotted,
they were looking for something that was explaining these things getting
nicked,
saw brute force attempts in their logs,
pulled that particular thread that led to the 5% number.
That's kind of how it feels to me.
There isn't anything that substantiates this except that brute force of 100% of customers
does not ring true.
Other than vibes.
I mean, you know, maybe they brute forced a privileged account.
Or a privileged or something.
You know, it's possible.
But like it feels like there was a
bug in the platform and that resulted in all of the backups getting stolen, and then of course
credential material from there, and onwards to great victory. But yeah, either way, nation state behind it
totally makes sense, China makes sense. And yeah, if you have a SonicWall, they've actually
provided some better guidance on, like, how to deal with this, where you put in, like, the serial numbers
of your SonicWalls and they will tell you whether or not those configs have been stolen
and what you should do about it based on the exposure of various services on the firewall. So they've
done, you know, as good a job as they could in dealing with this
after the fact, but it would be better if they hadn't had all of their configs
stolen in the first place.
Now let's talk about Japan and Nikkei, the media giant Nikkei.
I'm guessing, do they operate the exchange?
I don't know. I don't even know.
But yeah, it owns the Financial Times and publishes a bunch of financial newspapers,
employs a bunch of people.
Their Slack got owned and it exposed data on 17,000 people.
This is a piece from Daryna Antoniuk over at The Record.
And I guess the thing that makes this interesting is,
I still feel like a lot of organizations,
they don't really think enough about what an exposure
of something like Slack actually means for them.
And this is just a good example of like, wow, okay, you know, that's bad.
Yeah, because this particular breach got into their Slack,
having started with them logging credentials, I assume, like, infostealer, you know, almost from there,
includes chat histories for 17,000 users.
Like, it's one thing to get names and email addresses.
like that's not a great data breach.
Chat histories at a news organization,
like I feel like that's probably a thing
that is not ideal.
And I guess the benefit is
that stuff ages relatively quickly.
So like in terms of profiting off,
you know, financial reporting
ahead of the market or something like that.
That stuff doesn't last particularly long.
But I'm sure there is a great many juicy
and interesting things in all those chat logs.
And there are really some memes, right?
Because, I mean, if someone's got all of your,
If someone sold our Slack history, for example,
there would at least be some funny, you know,
some funny japes and stuff.
So that would be nice.
Well, there'd be some scuttlebutt.
You know, we do talk about stuff.
You know, we talk about stuff in Slack where it's like,
you know, high-quality rumint that you can't really report,
or stuff sources have said and they've asked you not to talk about it publicly.
And like, there's stuff there.
I mean, media is always a great target for intelligence collection
because they are at the front line meeting with sources
and collecting a lot of stuff,
and often they don't publish it.
You know, we don't know that that's what this is, who knows.
But, you know, it's just that exposure.
Like, you know, the number of secrets as well
that you can pull out of Slack.
Like we've seen that a million times,
like API keys, cred pairs, all sorts of stuff in Slack.
It's just, you know, and it's one of those typical SaaS services
where you don't control it.
You don't control it.
And people are using it to do sensitive stuff.
And I just think this is a good example.
I don't think this Nikkei company,
which owns the Financial Times and a bunch of financial newspapers.
I don't know that they operate the exchange.
Probably not.
Anyway, someone will yell at me.
They always do.
Tell me what I got wrong.
We'll talk about that in a minute, too.
What else have we got here?
Now, we've got a story that Catalin found,
where Intel has sued a former employee for stealing a bunch of confidential data.
It is the means of theft, Adam, that you think is particularly lol-worthy.
So walk us through it.
Yeah, so this guy had worked at Intel in like a design engineering role in Seattle, I think, for 14 years.
He found out he was going to be terminated.
He decided that maybe he would loot some confidential documents from Intel to help him out the door,
whether a future employer, whether he was planning on selling them, who knows.
He decided to do the obvious thing, which is you plug a USB stick into your computer and you copy all the files over to it.
Now, Intel being a sensible, security-conscious organization had put controls in place, presumably at great cost, on desktop use of USB storage devices, maybe some DLP, whatever it was, whatever the technology was.
It snapped this guy attempting to copy the data.
And so good job security controls. Everything worked as intended.
So to get around that, he just brought a NAS in and plugged into the network and copied that instead.
So like good lateral thinking.
Yeah.
Got the job done.
Unfortunately, you know, he's, you know, they found out what was going on overall.
But, you know, I just feel bad for the people that had to work such a long time getting USB controls in place.
And it's circumvented by plug-in NAS copy data to there instead.
Womp, womp, womp.
Yeah, I mean, that's just, that's just how it goes, right?
Which is, you know, insider threat is hard.
And, you know, it doesn't take much to sidestep a lot of controls.
in practice. Although, I mean, he did get caught, right? And I'm guessing there's a nice,
juicy network logs there to help with the prosecution. Now, OWASP has updated its top 10. And by and
large, I feel like this update, and it's not the first time we've said this when they've updated
it in the past. This update feels like progress, because when you see what's on the top 10 now,
it's less and less dumb stuff. Like, it's still dumb stuff, but it's like not the dumb stuff
that we were used to dealing with. I kind of feel it's good that we're dealing with
different dumb stuff now. I don't know.
Less ubiquitous dumb stuff,
which is cool. But walk us through
OWASP's new top 10.
Yeah, so this is the release
candidate, so they may still tweak
it before the final, but I feel like at this point
it's pretty locked in. So number one
is still broken access control, and that's a category
that covers all manner of
logic flaws around access control,
things like direct object reference, etc.
And that remains number one, which
is, I think, entirely reasonable
thing, like reasonable thing to be number one.
Would something like a PHP file include fall under broken access control?
Probably not, although like these categories are a little bit, you know, kind of flexible.
And I think quite a lot of the OWASP top 10, like when they arrange, you know, the numbers
and the categories stuff, there is quite a bit of massaging because they want a top 10 that
covers most of the things that need to be covered because many project managers and business
owners and whatever aren't going to fix things that aren't, you know, like top 10 bugs because
it doesn't seem like, you know, if you're doing, if you're not fixing things in the top 10,
then you're negligent. So there's quite a bit of sort of massaging to make things fit the way we need
them to. And, you know, the list is, you know, there's a bit of wiggle room, I guess, in how they
categorise. Well, I mean, I'm just thinking, the reason I ask that is because when I think about
a PHP file include, I can see like four categories or something here on the top 10 that it fits into, right?
Yeah, so there's, you know, they try and map these onto CWE, common weakness enumeration,
kind of categories.
And there's sort of a bit of fuzziness about whether some things are, like, symptoms and some things
are, like, root causes.
But the main thing is to give developers and security people some ammunition to use to say,
we actually need to fix this because it's a top 10 bug.
And so how they finagle the list to support that is indeed part of the process.
Although this is not just, it's not just finger in the air.
They do collect a bunch of data, you know, from application security firms,
from developers and whatever code review places to kind of.
to substantiate this, but there's a little bit of working backwards from what we want.
Well, it's impossible to build a simple taxonomy, as evidenced by the fact that
server-side request forgery is now a part of broken access control. So, you know, they've folded
that into that category. But look, I guess it's just like you used to look at the top 10 and it was
all real face palm dumb stuff. And it's like, it's more nuanced now. It's a little bit more
sophisticated. So I feel like that's good. Yeah. So broken access control number one,
security misconfigurations is up in number two, which kind of makes sense. It was a bit lower in the
previous one, there is a new one which kind of subsumes the previous category, which is software
supply chain failures. And that's one of the big changes here, because we have seen so much
focus on compromise of upstream packages of very complex dependency trees of software backdoors and
supply chain attacks, you know, pivoting through credentials and things, that this is a thing that
absolutely deserve to be higher up. I'm kind of more highlighted in the list. And I think of all of the
changes this year, that's probably the big one, is focus.
on supply chain and how people are going to address that because, you know,
especially in ecosystems that pull packages in very, you know, rapidly, you know,
things like the JavaScript ecosystem, you know, whether it's dynamically, whether it's
dynamic composure of software very close to runtime, as opposed to kind of build time or
earlier on in the kind of life cycle of software development.
So it makes sense for this to be a thing that people are focusing on.
So that's great.
They've collapsed down some other categories.
as well kind of rearrange them.
Cryptographic failures have gone down a little bit,
which I think is probably reflective of the fact
that the slightly less
crypto junk
with block shuffling
of AES ciphers and things
because that kind of bug class has been pretty
hammered out by Microsoft
and .NET and by bug bounty kids and so on.
So there's a little bit of wiggling, but that's
software supply chain is I think the big change
for me. There is one other new entry
which is mishandling of exceptional
conditions, which, you know, error handling is a thing that we should get right.
I guess it wasn't explicitly in the top 10 before.
Now it is, and that's good.
But, you know, everything else pretty much kind of how it was, have good logging.
So you're saying, what's this luxury doing in the top 10?
Well, but I think that's, to your point, I think that is also kind of progress, right?
The fact that we have, you know, logging and alerting and mishandling of exceptional conditions
have made them into the top 10 is a recognition.
that we are overall getting better, but also that, you know, previously we would have had separate
entries in this list for cross-site scripting, for SQL injection, for server-side request forgery,
for, you know, local file include, whatever, like, those were broken out.
Previously, the list is better organized now, and we've made room for more, you know, more important
things because we've kind of collapsed the categories of it.
And I think, you know, overall, I'm really here for this.
I think the OWASP, like the team that manages the top 10, do a really good job
of massaging it into exactly kind of what it needs to be,
even if it means a little bit of weaseling about, you know,
server-side request forgery.
You can just kind of, like, go up into, you know, access control or wherever, whatever it is.
Because like the outcome we need, they get there one way or the other and, you know, good work and good job to them.
All right.
Now, that's actually mostly it for the week's news.
But we're going to do a bit of a follow-up conversation just quickly.
Last week, of course, we spoke about the FFmpeg/Google spat.
Funnily enough, both you and I have been chatting to people from Google. We're not going to name names, but
you know, you've spoken to someone at Google, I've spoken to someone at Google. I had a pretty negative,
our comments got a bit of a negative reception with the person that I spoke to, who was like, look,
we spend a lot of money with FFmpeg Labs, which is sort of the commercial arm of FFmpeg,
we've contributed through Summer of Code, like we've helped them a lot. I think all of that's true.
I don't think that changes really my position on this, which is it's time to have a conversation about the norms involved in reporting software bugs, particularly to open source projects.
And, you know, this 90s era codec where the bug was that we were talking about.
Like, that's not really part that's being commercially maintained based on contracts with Google.
Like, it's just, I just think I still maintain that it's time to have a conversation about this.
Yeah.
I've even seen a bug finder on social media saying,
well, I just submitted a pull request with my bug after everything that's happened this week.
And, you know, I think that turning that into a bit of a norm is not the worst.
But, you know, you had a conversation with someone who's quite senior at Google as well,
and they seemed more receptive to our position on that.
So I think opinion seems to be split everywhere on this.
Yeah, I mean, I think all of these things can be true.
like Google absolutely can contribute and has contributed to the wider FFmpeg and obviously, you know,
have a lot of people that write good code and contribute code to open source projects.
But at the same time, you know, disclosure has always been a real kind of like,
it's a thing that always kind of riles up the community because, you know,
it's such a nuanced, kind of complicated set of, you know, tradeoffs that we have to all make.
And there are different answers to all of these questions depending on your perspectives and so on.
And so I think, you know, it is nuance.
And I think, you know, if anything, Google understands that nuance.
Like, Google has a depth of engineering knowledge and relationships with these communities.
And all the people involved do understand all of these complexities.
You know, sometimes, you know, there are kind of blunt, you know, reporting bugs that came out of your AI.
It's kind of a blunt process.
And as you say, like, we're heading towards the point where they'll be able to submit code fixes in that kind of scaled way that we're talking about.
But, you know, overall, it's, you know, this stuff is complicated.
And I think, you know, getting to the point where at least showing up with a, you know,
like here's a bug I found and here's at least an attempt at a, like how we could fix it or
or something.
I mean, that's literally about what was, was what I was about to say, which is you don't, you know,
it's not going to be possible for a bug hunters to submit a patch every time because they might
not entirely understand how the software works, right?
Like they've, they've figured out a bug, however they've done it.
And they don't know, they don't understand the context in that code.
to be able to make a fix without breaking something or whatever,
but at least trying to be more constructive about it,
which is like, here's how far I got, you know, here's what I think,
but like who's the developer?
Like, let's have a call.
You know, I just think we need to move to a more collaborative model, basically.
But at least trying is a demonstration of good faith.
And like, if I'm reporting a bug to Oracle,
I don't feel like I need to demonstrate good faith in
because probably I don't have good faith with Oracle.
There's a difference between, hey, look,
I think I've found a security bug here,
and I'd like to work with you on fixing.
it, let's have a chat, versus here's a bug, here's a PoC, you've got 90 days, or I'm
going to full-disclose it and screw you.
You know, like, that's the difference.
Yeah, yeah.
And like, there are plenty of people in the hacker community that are kind of from that, you
know, screw software developers, you know.
Yeah, but that was born of an era where Microsoft wouldn't fix really severe bugs in like
IIS or Internet Explorer, right, unless you put the screws on them.
They would just sit on bugs for a year.
They would never fix them.
So, like, that came from somewhere, and it makes sense,
and I still think it makes sense to turn the screws on a bunch of these, like, large
companies that need to be doing better.
But we just need to be a little bit more intelligent about it.
Anyway, we've spent enough time on that.
The other thing I wanted to quickly mention as well,
just, you know, a little bit of subsequent reporting on the Peter Williams/Trenchant
leak situation is I have
it from two sources now that one of the bugs that he stole and sold to a Russian
exploit broker was used by North Koreans which is you know it's it's not been
reported anywhere I figure it's probably going to come out you know more
officially than just people telling me and just you know it really puts this
thing into into context which is like how bad it is what he did like how
appalling his actions were and why I find it just insane
that he's not even going to do as much time as a ransomware affiliate.
Although, you know, let's see if his sentence is surprising to the upside in January
when it gets handed down.
Yeah.
I mean, when we started to see that kind of scuttlebutt, it does make you think,
what did you think was going to happen when you sold these bugs?
Where did you think they were going to go?
And the fact that would end up, not just in Russian hands, but like in North Korea's,
like, what did you?
I mean, I guess that's a number of people that have talked to were like,
what did you think was going to happen?
And how did you think this?
Why did you think this was a, you know, a plan that was going to work for you?
And let's really hope that it does not work well for him.
Because, you know, we'll see what the sentencing looks like, hey.
Yeah, I mean, the only thing I can think of is he hit, like, acute money trouble.
And when you look at when his activity started, it was when interest rates went up.
The crypto economy, like, collapsed.
Equities did badly as well.
Like, you know, 2022 was a time when a lot of people got into money problems.
You know, there's a married guy with kids.
You know, he's probably worried about his family situation.
and whatever, but, you know, out of the frying pan and into the fire is what this guy did.
Just epically, epically dumb.
He might even be listening to this from what I understand he was actually a risky business
listener.
So, Peter, you're a knob.
You're an idiot.
And you deserve everything you get, I'm afraid.
Adam, that is it for this week's news.
Big thanks to you for joining me and we'll do it all again next week.
Yeah, thanks so much, Pat.
I will talk to you then.
Hello, I'm Tom Uren, the policy and
intelligence editor at Risky Business Media. You can join the Grugq and I every Tuesday for the
Between Two Nerds podcast, which is all about cyber intelligence and cyber war. Deny, degrade,
discombobulate. You can find the Between Two Nerds podcast and more in the Risky Bulletin
podcast feed. Subscribe today by searching for Risky Bulletin in your podcatcher.
That was Adam Boileau there with the check of the week's security news. Big thanks to him for that.
It is time for this week's sponsor interview now with Haroon Meer, who is the founder and Big Cheese over at Thinkst Canary.
Thinkst Canary obviously makes hardware honeypots that you can just plug into your network and they can mimic whatever you want them to be.
So if someone is on your network poking around, you're going to get a very high fidelity signal that tells you someone's poking around on your network.
As you'll hear, they've got a bunch of cloud-based canaries these days as well because it is 2025.
But Harun joined me for this conversation really about how we should be.
demanding better from security vendors, companies that make security products. And it isn't the usual
just ranting about how we deserve better. He's talking specifically about how Thinkst Canary has a
slash security page, which you can go visit right now, canary.tools/security, go have a look at the
slash security page. And you'll see that it's a very simple list, really, of the security measures
that Thinkst puts in place, how they think about their product, you know, what can happen
if there are breaches, I guess, at Thinkst and like what they've done to wall people off
and prevent things turning into a disaster.
Just really simple stuff.
And Harun's point here is, shouldn't everybody do that?
And I think he's absolutely right.
So here's Haroon Meer.
Like part of the reason we have this page, like we have canary.tools/security,
is a, hey listen, here's how we think about this product.
Like, we're going to do some dangerous things.
You're going to trust this box on your network.
What security questions should you have about this device?
And let us try to assuage you that actually this is not a terrible idea.
And I think that all security vendors should be putting forward some of that.
Like, customers should be demanding some of that.
hey, you're going to be doing this dangerous in-kernel thing.
Show us that you're considering eBPF instead of just raw-dogging the kernel.
You're going to be doing this stuff on our network.
Show us that when you get owned, you're not going to also end up owning us just because of splash damage.
And I think all of the answers are going to be different.
I think, and one of the things that frustrate me is that you don't see.
see signs of this sort of thinking or innovation coming out in the security space, in part because
people don't demand it. What you should be seeing is someone with deep pockets, like someone like
Fortinet, someone like Palo Alto, coming out and saying, we've got a bajillionty lines of code
to audit, and that's why this is our code scanning solution. This is our SAST solution. This is our SAST...
But you don't see innovation in those spaces being talked about because they don't have to.
It's like, yes, there is this risk that they know they're carrying,
but they can just ignore it because instead they're going to talk about the next thing that the market cares about.
So they're going to buy the next agentic thing, and before that they bought the next SOAR thing,
and before that they bought the next.
But fundamentally, people need to be saying, hey, you've got a lot of code.
how are you auditing this code?
Take anyone who runs modern SAST, modern code scanners,
they've got the same problems that code scanners had since forever.
And so Cisco and Palo Alto and all of these guys
should be putting out white papers saying,
you know, when you have as much code as we have,
this is what we're doing.
This is how we're getting there.
And you'll notice for our stuff, it's very us-related.
It's we're going to run 3,000 nginx instances.
How have we customized nginx to not surprise us?
We've got to do stuff.
I've noticed actually that on your slash security page,
like you look at a lot of this and some of it's like,
okay, we're using memory-safe languages and whatever,
but a lot of it is just sort of architectural.
You know what I mean?
It's like we've chosen to deploy this way for this reason.
And, you know, it all makes sense.
But it is very specific to you.
No, no, absolutely.
And I'm saying everyone should have stuff that's specific to them for exactly this reason.
And what you see is...
But how does that work when it's like a domain-joined remote access appliance?
You know what I mean?
You can't re-architect that such that it's no longer a domain-joined edge device, right?
Like, that's always going to be an architectural problem.
Yeah, so there are some things that can't be done safely.
And then those people need to be saying, for you to trust me to do this,
safely, here's my duty of care. And what we slip into without that is, trust me, bro. And instead,
like, you take any, take Adam. And Adam will tell you, of course we were going to pop that thing.
And Adam knows it. And every attacker knows it. And everyone else is just acting like that's not the case.
And that's just insane for places where it matters. And instead, the company should
feel under pressure to say, if we're going to do this domain joined edge thing, then we need to show
that we've had it audited by the absolute best, because otherwise you shouldn't trust us with this
thing. And so, like our slash security really comes from the place that says, why would you trust us
with this thing? Look, it's because we're thinking about this. And what I want to see more from other
vendors and what I want to see customers demanding is exactly that sort of accountability.
And way back, you know what's crazy Harun, right?
Is, you know, I work with a bunch of startups now and all of them get security testing.
And it's because often people procuring newer technologies, they demand a pen test.
You know what I mean?
They want to know that you've been through like a rigorous audit.
Like, you know, Knocknoc is a great example, where they commissioned a test from a
really good tester, actually, an Australia-based testing company.
They found a couple of things too, which were definitely worth fixing,
but then you get to package up the report and like customers can look at it.
What's amazing is how much this type of material is demanded from startups.
But meanwhile, they'll throw a couple of million dollars at a few, you know,
PAN devices that are like, you know, Linux on MIPS with no, like, memory corruption
mitigations or controls, and like no pen tests or...
No pen test report needed, that's fine.
You know, you guys have been around for a while.
It seems a bit backwards.
Yeah, it's exactly the reverse assumption, right?
You think that they're big enough and they must be okay.
And also, like, can you really ask them for that sort of stuff?
But it's absolutely what we should be doing.
And I must say, also for the smaller startups, you'll see them slip in two ways.
They'll do the pen tests.
But when you're a young startup, you're going to have this problem of, it's a normal
technical death thing, right? You're racing for income, you're racing for features, and you start to
choose, make your architecture choices then. And my thing is, we've always known that we genuinely
have to be accountable for our choices. So today, we don't heavily play in active directory
deception because we don't know how to do it safely. Like the times we've done it, we ended up with,
Yes, we can own this.
And there's no way we can not own this.
And so we don't release that because we're not going to get people's networks on that way.
And what you see is the reverse.
Like I've spoken to other people, other vendors, and I go like, how are you doing that securely?
And there's a shrug.
Well, it's like, you know, it's like when I talk to HD Moore about how runZero is, you know, a terrific scanner that is unauthenticated, right?
And he's figured out how to make unauthenticated scanning work really well.
And the reason for that is like anyone who's done pen testing knows that a great way to collect privileged credentials is to just pop up on the network and wait for the vulnerability scanner to pass off a bunch of highly privileged credentials to you thinking that you are a device to be scanned.
You know, and it's like you can't fix that.
You just can't fix that.
And it's dumb and we shouldn't be using that shit anymore.
Yeah.
And I'll take it a step further.
we shouldn't be introducing those things. And you will still see a ton of security products,
still introducing security badness. And my thing is, because they get to get away by having their
SOC 2 report. And a SOC 2 report, like we all know, is... Hey, but they're FedRAMP. It's fine. It's fine.
Exactly. And so I'm saying what people should have is a slash security page like this,
that at least says, here's the things we think.
you should be thinking about. Here's the things we thought about. Here's why you should listen to us.
And like this stuff keeps changing. We write about some of them pretty currently. But yeah, I think
it's a mistake for people not to. Increasingly, I push back to people to say, let's go read their blog.
You can read the runZero blog and you can see HD's thoughts on the industry. You can come see our
blog and other than our new features, you'll see here's the stuff we're doing to keep
our infrastructure safe, so that when we get popped like F5 did, you'll hopefully hear about it
before the two years are up and all our source code is gone. And mostly, that just doesn't exist
for people because the market's not demanding it. And when we did the products we deserve talk,
I said that good customers need to push back because lots of times good customers know that they
hearing vendor BS and they ignore it. But the problem is bad, like younger customers don't know that
stuff. And so it's the responsibility of smart customers with well-funded teams to push back and say,
actually this is garbage and you guys shouldn't be doing it. And then hopefully that stuff will get better.
I mean, like, it's funny talking about this because it's been my approach for years that the stuff that I'm
interested in from a, you know, security products point of view. And these days kind of as a, you know,
part-time, you know, venture investor, which is part of my job now, the stuff that I'm really
interested in is what I would describe as enduring controls, right? And the great thing about
enduring controls is they tend to be a lot simpler than the stuff that is getting owned sideways
these days. So I think about stuff like Airlock Digital, which is allow listing and, you know,
very simply constructed, but, you know, makes allow list.
listing simple, you know, scales up to, I think they've got clients with like 150,000 endpoints in
one console, like pretty amazing stuff. But it's simple stuff. There's no heaps of parsers and they
don't have a team of researchers who are playing whack-a-mole with different classes of attacks.
It's just this enduring control that is going to work as well in 10 years from now as it does
today. And the attack surface is not really there. Then you've got other stuff like Knocknoc
is a good example, very similar approach. It's allow listing, but it's for network connections.
you know, again, an enduring control.
Your stuff, you know,
honeypot-based detection and sort of incident alerts, you know,
again, it's an enduring control.
And in fact, more enduring now,
because you've launched a bunch of new stuff
that we're going to talk about in just a second.
But you see what I'm saying, right,
where I feel like when you're dealing with the stuff
that's not an enduring control,
when it's like stuff that just,
it's never going to be good.
I don't know.
I just, I'm not at all hopeful that it's going to be good.
No, it's, so, I think we've quoted it before in the show. Like, you know the thing that says, I didn't have time to write you a short letter, so I wrote you a long one? Like, that also applies to, like, good product design, right? Like, if you can whittle it down to, here's the thing that it does, we do this one thing, then it doesn't become, let me throw the kitchen sink at it. It's, here's what we do, we're going to make sure we can do it cleanly, and we're going to make sure we can do it well. And the alternative to that is, let me grab every buzzword that we can, let me shove it down because maybe this ticks some of your boxes when you're trying to do your acquisition or your purchase.
And, and, and, what is, what is, what is F5? It's a load balancer firewall WAF.
Okay.
It's a, it's an SSL termination load balancing firewall WAF.
And, and, and that stuff happens a lot. And I'll tell you to a bigger, to a bigger thing that you mentioned, like, for the last while, like, like, we went through this 15-year hysteria of everybody's starting a company and everyone's getting acquired and everyone's selling their company. And you end up with this horrible place where people are, like the intention is to make a company and then sell the company. And like what you'll see, if you speak to the Airlock guys, if you speak to HD, if you speak to KnocKnoc, fundamentally there's, I want to build a meaningful thing. And like if you're building a useful thing, you get a bunch of people who feel they're doing like great work in building that thing. And then you actually care about can I do it securely, can this thing not own my customer network.
Well, but I think it's those two are kind of related. Like the reason it is an enduring thing, it's a fundamental control. And the thing about fundamental controls is they tend to be quite simple. So they are easier to build securely, which again is why I like them, you know?
Yeah. It's, I think, I think you'll bump into
Like when we gave the talk, I spoke about why people stay away from building simple things.
And there's a bunch of things, a bunch of reasons that simple is hard.
But I think that's maybe a soapbox issue for us to get into one day.
That's a longer conversation.
Speaking of, we're kind of running out of time here.
So you've also put out a platform update for Thinkst Canary.
What have you shipped?
Yeah.
So this month we shipped two new platforms.
So for us, Canaries, you'll remember the original versions were just the hardware devices, still by far our biggest seller, so literally thousands of them. Famously, we always talk about hardware devices in Antarctica, so sitting in the snow. But soon after that, we released VMware versions, Hyper-V versions, AWS versions, GCP versions, but all of them logically are the same. So if you've got this environment, you boot them up, a Canary is now in that environment, and we've got them on Docker, we've got them in Tailscale. For people who like Tailscale, you can just click a button and a Canary shows up in your Tailscale network. And this month, we released them for Oracle Cloud Infrastructure and Nutanix. So again, people who've got those sort of setups, you now have the option where you can drop a bird in. Again, just works, shows up in your console, and you're good to go.
Excellent.
Now, the Antarctica one.
Is that the Australia-based guy from the Antarctic Authority or whatever, the Antarctic Division?
I'm not sure I can say that.
Oh, that's right, because I met that guy. I met the security guy for the Antarctic Division or whatever it's called at like AusCERT like 15 years ago, and he gave me a pin, and he was a really cool guy, so hello to you if you're listening. I've still got the pin around somewhere.
I have to say we now have two customers in Antarctica, so one of them might have been that, and we now have two. But it is one of the things I love most in my life. Like if you tell me that you take something away from me and I'd be very sad, being able to save you on all seven continents is one of them. I love our Antarctica customers.
Got to look after those penguins.
All right.
Haroon Meer, thank you so much for joining me for that conversation. Great stuff as always.
Always cool, Pat.
That was Haroon Meer from Thinkst Canary there with this week's sponsor interview.
Big thanks to him for that.
And that is it for this week's show.
I do hope you enjoyed it.
I'll be back next week with more news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Hello, I'm Claire Aird, and three times a week, I deliver the biggest and best
cybersecurity news from around the world in one snappy bulletin. The Risky Bulletin podcast
runs every Monday, Wednesday and Friday in the Risky Bulletin podcast feed. You can subscribe
by searching for Risky Bulletin in your podcatcher, and stay one step ahead. Catch you there.
