Risky Business - Risky Business #821 -- Wiz researchers could have owned every AWS customer

Episode Date: January 21, 2026

In this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, joined by a special guest. BBC World Cyber Correspondent Joe Tidy is a long-time listener and he pops in for a ride-along in the news segment plus a chat about his new book.

This week’s news includes:

- Did the US cyber Venezuela’s power grid, or do they just want us to think they coulda?
- US govt might boycott the RSAC Conference ‘cause Jen Easterly being CEO makes them mad
- MS Patch Tuesday fixes CVSS 5.5 bug and … stops you shutting down
- Wiz pulls off cloud stunt hack that ends with control of everyone’s AWS console
- Millions of Bluetooth devices that use Google’s Fast Pairing will pair with anyone, any time
- GNU inet-tools’ telnetd parties like it’s 2007, and brings -f root unauthed remote login back

Thinkst is this week’s sponsor, and long-time friend of the show Haroon Meer joins. As always they’re polishing their Canary tokens - adding breadcrumbs to lead you to them - but they’re also a bunch of giant nerds who now run South Africa’s Computer Olympiad.

This episode is also available on YouTube.

Show notes

- Cyberattack in Venezuela Demonstrated Precision of U.S. Capabilities - The New York Times
- Why I’m withholding certainty that “precise” US cyber-op disrupted Venezuelan electricity - Ars Technica
- Layered Ambiguity: US Cyber Capabilities in the Raid to Extract Maduro from Venezuela | Royal United Services Institute
- Former CISA Director Jen Easterly Will Lead RSAC Conference | WIRED
- Trump officials consider skipping premier cyber conference after Biden-era cyber leader named CEO - Nextgov/FCW
- Federal agencies ordered to patch Microsoft Desktop Windows Manager bug | The Record from Recorded Future News
- Windows 11 shutdown bug forces Microsoft into damage control • The Register
- CodeBreach: Supply Chain Vuln & AWS CodeBuild Misconfig | Wiz Blog
- Critical flaw in AWS Console risked compromise of build environment | Cybersecurity Dive
- Never-before-seen Linux malware is “far more advanced than typical” - Ars Technica
- VoidLink: Evidence That the Era of Advanced AI-Generated Malware Has Begun - Check Point Research
- Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking | WIRED
- Critical flaw in Fortinet FortiSIEM targeted in exploitation threat | Cybersecurity Dive
- CVE-2025-64155: 3 Years of Remotely Rooting the FortiSIEM
- A single click mounted a covert, multistage attack against Copilot - Ars Technica
- Police raid homes of alleged Black Basta hackers, hunt suspected Russian ringleader | The Record from Recorded Future News
- Jordanian initial access broker pleads guilty to helping target 50 companies | The Record from Recorded Future News
- Supreme Court hacker posted stolen government data on Instagram | TechCrunch
- oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
- How crypto criminals stole $700 million from people - often using age-old tricks
- Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet

Transcript
Starting point is 00:00:03 Hey everyone and welcome to Risky Business. My name's Patrick Gray. We've got a great show for you this week. We will be joined by Adam Boileau and a special guest for this week's news. Joe Tidy, the cybersecurity correspondent for the BBC World Service, is joining us to talk through all of the week's security news. So that'll be fun. And yeah, in this week's sponsor interview, we're going to be chatting with Haroon Meer. And he's talking to us about something interesting. The idea of, I mean, we've all heard about honey tokens. There's a similar concept called breadcrumbs. They're not exactly new, but Thinkst Canary is starting to support various types of breadcrumbs in its product.
Starting point is 00:00:42 And he'll be joining us to talk about what they are, like what is an SSH breadcrumb. And he's also chatting about how Thinkst has actually acquired a very small, I guess, would you call them a competitor or complementary business? So that's pretty cool. And they've also taken over South Africa's Computer Olympiad, proving that they are in fact giant nerds. So we'll be chatting with Haroon about all of that a little bit later on.
Starting point is 00:01:07 But first up, it is time for this week's news. And first of all, Joe, thank you so much for joining us. This is your first time on Risky Business, and we're stoked to have you here. Oh, thank you very much for having me. I have listened to you guys for, I think, just about eight years now every single week. You are my Friday gym session podcast. So thanks for having me. to be here. Man, that's fantastic that we can help you in your goal of getting swole. That's awesome.
Starting point is 00:01:37 And, you know, we hear you a fair bit here in Australia as well, because we've got all sorts of radio stations and syndication agreements. So sometimes I'll be driving along, you know, after dinner on my way home or something. And then there's Joe Tidy talking about the cybers on my car radio. So yeah, it is great to have you here. And Adam's here as well. And mate, the first thing we're going to be talking about this week, I am freshly back from six weeks in Latin America. So I was in Brazil the last six weeks from early December until like 48 hours ago, just got back. And there was a bit of news, you know, in Latin America while I was there. Of course, the sort of abduction of the president of Venezuela, Nicolás Maduro, was big news.
Starting point is 00:02:16 And now we're still seeing weeks later, we're still seeing news reports about, oh, there was cyber in this, according to officials who were briefed. And then counterclaims saying, well, was there, you know, was there cyber? Would that even matter? On and on and on. I think the key thing here, the reason we're talking about this, of course, is because the New York Times just did a very big and vague piece. I think my takeaway here is it is impossible to know what the US government may have done here in terms of cyber, and it would not have really been definitive anyway. So the whole conversation seems like a bit of a waste of time, which is why we didn't have it last week. First of all, Joe, what are your
Starting point is 00:02:53 thoughts here, mate? Because it just seems like a bit of a waste of oxygen, this whole news cycle. Yes, but I also find it really intriguing and I want to know. And I remember when he came out Trump and did the press conference about it. And he said it was dark and dangerous in Caracas. No, dark and deadly is what he said, because we have got some special, I can't remember the phrasing, but something like special skills in order to turn the lights out. And I just thought, well, my cyber senses are tingling. You know, that sounds like cyber to me.
Starting point is 00:03:29 And then I assumed that we would get more information and that it would just become a part of this, this, what was, you know, shock and awe military campaign. That would have been a significant, but obviously not, you know, not everything. It was about cyber, but it would have been a significant part of it. But there's just been nothing since. The New York Times article, as you say, doesn't give much detail. It doesn't really sort of progress the knowledge in any way in either direction, really. I'd love to know, but I think part of the appeal of why Trump said that and why they're now not saying anything else is because part of the strategy is don't let them know what capability we have, don't let them know how we did anything, keep them guessing.
Starting point is 00:04:12 Yeah, yeah. I mean, one of the craziest things about all of this is I'm now seeing some of the Venezuelan propaganda that's being pumped out after this event actually being repeated by Americans. So, of course, one of the Venezuelan guards apparently came out and spoke to the media and said, oh, the Americans, they were super soldiers, genetically engineered. They had sonic weapons that turned people into paste. They basically had alien technology. You know, so this, of course, is a way to save face after the loss, but of course a whole bunch of Americans saw this and they're like, cool, retweet, retweet,
Starting point is 00:04:44 retweet, retweet, look at us, we have alien technology, when really, to me, it just looks like the Venezuelans are trying to save some face. What's your feeling on all of this, Adam? Because, you know, we saw the material, the gear that the Americans brought in, like if I want to go and get around some S-300 air defense batteries, I'm bringing myself an EA-18G Growler. I'm not bringing some Cyber Command nerds, right, to keep me safe on that mission. Yeah, nerds with cmd.exe,
Starting point is 00:05:12 slightly less threatening. I mean, I think the thing that we, that this said to me is that, like, cyber is a key part of US, you know, of the tools they have in their chest, And they're very good at combined ops, or like putting intelligence together with special operations, with, you know, air support and all of the other bits and pieces. And cyber is, you know, a piece of that puzzle, even if the extent to which they are using in any particular case,
Starting point is 00:05:39 we're never going to know until years after when someone writes a tell-all book. And that will be very interesting when it happens. I mean, Venezuela's power system has, you know, had a whole bunch of issues in the past. You know, it's already pretty flimsy. So I can't imagine it would take much to push it over, be it cyber, be it, you know, electronic warfare, be it, you know, what was the other thing? We saw, like, bits of carbon thread dropped over transformers to make them stop work and short
Starting point is 00:06:04 them out, you know, whatever it happens to be. I guess, you know, the thing they are trying to signal is we have techniques and, you know, if you're somebody else that's trying to mess with the US, then you'll get some combination of those and we're just not going to, you know, know what that combination actually is until we are the victims or, you know, it's 10 years down the track. So I'm as curious as Joe is, but we're not going to find out in a while unless, you know, Trump decides to just screenshot it all and post it on Truth Social. You'd never know. You know, he might well do.
Starting point is 00:06:34 You never know. My favourite part of the kind of like mystery of it all was when someone tweeted a picture of, you know, this meme of someone on a podium celebrating with champagne, exploding everywhere, and it was cyber Venezuela. And then it zoomed out. And he was at the bottom of a much larger podium with people above them. And it was like military soldiers, Air Force, OSINT, human intelligence, and then there's just a cyber guy pretending he was doing it all himself.
Starting point is 00:06:59 Delta Force are going to be in position number one on that podium, right? Like it is pretty funny. But, you know, look, the whole thing, though, you would have to say, and I guess, you know, just one comment, not really related to the cyber component of it, but, you know, I was talking about this with our colleague Tom Uren the other day, which is, look, this is just one of the most remarkable raids. It is the most remarkable raid in my lifetime, right? The fact that it went off so swimmingly is just extraordinary. It is absolutely, it's almost unbelievable. And you think, well, perhaps they were able to get, you know, through intelligence operations, perhaps they were able to get a lot of the military to stand down while this happened. That doesn't make it any less
Starting point is 00:07:40 amazing. And Tom agrees with me on that. Like whether or not it was pure military or pure intelligence or combinations of absolutely incredible stuff. And I'd imagine, too, that there would have been a lot of useful intelligence collected via cyber means. You know, if you have to choose, right, when putting together a caper like this, whether or not you wanted cyber effects on the day or you wanted cyber to do intelligence collection leading up to the day, it's always going to be the intelligence collection. That's something I've always said for years and years and years, which is that's where it's
Starting point is 00:08:10 useful, right? You want to take out the power, do cyber, figure out which transformer to blow up, then you know which transformer to blow up, blow it up. You know, that's just my feeling, Adam. Yeah, yeah, no, I'm with you. Like, there are things cyber is good at, and actually having effects is not really top of the list. There's many better uses of that capability,
Starting point is 00:08:30 but it is good for the US, from their perspective, to have everybody else being a little bit scared just in case they do have amazing cyber that can turn off the power. Yeah, yeah, well, apparently, you know, Venezuela alleged that they did that in 2019, in a pretty big way when the previous Trump administration was trying to destabilize there. And then, of course, late last year, you know, something that looked a bit like a ransomware attack
Starting point is 00:08:52 happened to the state-owned oil company and the government there was blaming the Americans. And we said that that was actually credible. So, yeah, who knows? Anyway, let's move on. And, you know, some more political drama in the United States as Jen Easterly, who was the former CISA director. She, of course, was the second director at CISA after Chris Krebs. She got Loomered at some point and is apparently an undesirable in the eyes of the White House. Well, she was appointed to lead the RSAC conference in San Francisco,
Starting point is 00:09:24 so she's going to be the CEO of the RSAC conference, and that has caused, according to NextGov, it has caused some officials to consider skipping the conference. The information I have is that it's essentially a blanket ban on federal government employees attending RSAC this year because Easterly is running it. This I don't think should come to anyone as any great surprise. You know, we've got an extremely vindictive cadre of right-wing activists who are constantly looking for ways to do things like this and this is just the latest one.
Starting point is 00:09:59 So I don't think there's going to be much of a government presence at RSAC this year. Joe, what are your thoughts on this? Well, as a BBC reporter, I'm not really allowed to have an opinion on the politics of it all. But, you know, politics aside, if you look at this, if you look, I liked Jen Easterly as head of CISA. I think she was great. I think she was, some people were sort of wound up a little bit by her shields up thing that she kept going on about. But, you know, for me, it was a message that did resonate and it made a difference and it made people, you know, start taking cyber seriously. I like her Rubik's Cube stuff and her
Starting point is 00:10:36 music. I think that's all, you know, part of the appeal of her for me. And I think her being appointed to run the conference is great. I think it's frankly bizarre that a government would not want to have officials there. It seems, I've never been, but I hear it's, you know, one of the most corporate, one of the most government of all these cyber conferences. So it strikes me that you do surely want to have people there. But, you know, it's their decision, isn't it? Yeah. Yeah, that's right. Adam. Yeah, it just seems, you know, it's kind of petulant and vindictive and, you know, exactly what we expect, unfortunately, from the Trump administration.
Starting point is 00:11:12 And, you know, the desire is to make it clear that anyone who is against them, you know, is going to feel these kinds of effects wherever they go. And so, much like SentinelOne and Chris Krebs, right, there'll be fallout from employing people, you know, that the administration doesn't like. And it's just, you know, it's just not how things should be. It's not how we should behave, you know, generally as a society. And I think it's just embarrassing for everybody concerned and sucks for Jen Easterly and sucks for RSAC.
Starting point is 00:11:41 So the black banning of former public servants continues. Now, there's also news out of CISA at the moment. We're not going into detail about it, about something about how the acting current head was trying to force out the CISO and there's all sorts of weird political stuff going on there at the moment as well. But we do have this story in front of us, Adam,
Starting point is 00:12:00 where federal agencies have been ordered by CISA to roll out a patch for a bug that you found kind of interesting and you think it's interesting that they have ordered this one to be patched. But we've also got a piece to pair with this, which is that the patch itself is actually bad and is stopping people from being able to shut down their Windows 11 systems, which is kind of funny, I think a less critical problem. But let's start at the beginning. What's the actual bug here that CISA is making US federal government agencies patch? So this is a bug in the Windows Desktop Window Manager and it's like a local information leak.
Starting point is 00:12:34 and it's like a CVSS 5.5, so not particularly exciting. It's like the reason you would be using it is it lets you leak memory from the other end of an ALPC connection. ALPC is like Windows inter-process communication. So between processes you can kind of communicate, there's a way to leak some memory, and that lets you kind of leak information about where that remote process or the other end of the connection is located in memory. So you can get to un-ASLR. You can defeat ASLR controls. And somebody's using them in the wild for that.
Starting point is 00:13:06 And that's Microsoft, really, those things, 113 bugs got patched in this month's Patch Tuesday. This was the only one I think we saw that was being actively used in the wild. So the fact that someone's using it is part of CISA's choice. But part of the reason CISA is specifically telling people to patch it. But I just thought it was interesting seeing a CVSS 5.5 info leak being a thing that people were being ordered to patch.
Starting point is 00:13:30 Because most people would look at Patch Tuesday, start at the criticals, ignore anything below that as a thing that they're actually going to push. So it's good that CISA is calling out one that is actually being used in the wild and has some real utility for attackers because many people might otherwise miss it. So I thought that was, you know, it's not often we get to give CISA an attaboy, you know, in the recent time. So I felt like it was good to call them out for doing something, doing something nice. But then, yes, we get to the Microsoft giveth, the Microsoft taketh away part of this,
Starting point is 00:13:58 which is that Patch Tuesday also introduced some behavior with interaction with like, the Secure Boot process where after you'd apply the patch, you can't shut down anymore. So that's not great. No, no, but I mean you can turn it off at the wall. It's not the end of the world, right? Fortunately, yes. We're still fortunate we can still control the actual flow of electrons into computers, but not for long.
Starting point is 00:14:22 I'm sure that'll be taken away from us, you know, by the AI future or something one day. Now let's talk about this research out of Wiz, Adam. This is the good stuff. This is absolutely amazing. The reporting around this I'm going to say has not been particularly good because I think there's some nuance here that's been lost. But let me have a crack at explaining what the problem is here. So, Wiz discovered that there was a flaw in the AWS CodeBuild continuous integration process for the GitHub repos where the AWS console like source code lived, which would enable them to change that source code,
Starting point is 00:15:03 which would mean they could do all sorts of absolutely horrible things to the AWS like console, like front page, which would be, I mean, amazing. I mean, how did I go explaining that there? Yeah, that's pretty much the nuts and bolts of it. Like someone at Wiz was sitting around the office one day and said, hey, guys, did you know that I now have admin access to every AWS
Starting point is 00:15:31 environment on the planet, right? That's the like, that would have been a rough day around the office when they're all sitting there like, you know, and no one's getting any work done because everyone's high-fiving each other and backslaps or, you know, exactly, having to have it a great up time. This is some just like, it's just chef's kiss beautiful cloud hack and research and like the team that was that pulled this together or whoever it was, so good. The specific details here. So Amazon has their JavaScript SDK, which they develop and publish on GitHub. That SDK is used in a bunch of applications, including the console, but also many other things, you know, use the official Amazon SDK.
Starting point is 00:16:10 This particular Git repo was configured to use AWS CodeBuild. Normally when you, when there's like a pull request, the continuous integration will build and integrate, you know, build and test the code that you've submitted. Obviously, you don't want every pull request from every, you know, person on the internet to result in the code environment, you know, in the environment spinning up and running, the continuous integration because control of that lets you, you know, leak tokens or do whatever else. In this particular case, they had an access list which configured which user identifiers on GitHub were allowed to trigger code builds. And this particular list was implemented as
Starting point is 00:16:51 what turned out to be a regular expression. So a set of numbers joined by pipe characters so any one of these particular values can match the regex. And if you, you know, match the regex, you're allowed to trigger a build. The key insight that Wiz had was that this regex is not anchored. So at the start or the end, it can have other content. So if you can get a user identifier, which is a superset of one of the ones that's allowed, so it contains that substring, then you're able to pass this check. And so then they sat down and built a bunch of tooling that would sit there watching GitHub registrations, looking at the numbers being allocated, because these user identifiers are sequentially allocated.
Starting point is 00:17:31 And so if they wait long enough, there'll be a time window where a user will get allocated an ID that's going to pass this check. And so they sat, they built some tooling to kind of predict when this was going to happen, register a whole bunch of them in bulk. They figured out a path through GitHub that didn't require them to go through a captcha or any other kind of like, you know, non-robot check. And then they won that race. They actually built this infrastructure, got to the point that they could register an account
Starting point is 00:17:55 that met the prerequisites. And then they exploited this bug, granted themselves admin access to the AWS repos, and at that point they stopped and reported it to Amazon instead of hacking the entire planet. But if China or Russia or anyone else had done this, like North Koreans, oh my lord, everybody's Amazon environments, boom.
Starting point is 00:18:16 I'm going to guess. I'm just going to go out on a limb here and guess, though, that AWS does do some monitoring of its console code, right? Like after the build gets crapped out, it goes live, they're going to be looking at that. And they're going to be looking at that in case there's some, I don't know, DNS, people mess with the DNS or whatever. It starts serving different content. Like you always want to be looking on anything that critical at what is actually appearing in front of users, surely.
Starting point is 00:18:44 I mean, yes, but we are talking about, you know, one of many JavaScript dependencies of an application that's probably built in an automated fashion, right? So you might detect it after the fact when weird stuff starts to happen. But, you know, with an attacker that's smooth, like those North Koreans with that huge one, you know, a gazillion dollar. Bybit hack. Bybit, yeah, the Bybit one. Yeah, yeah.
Starting point is 00:19:09 Yeah. But I mean, the thing with, like, you know, Bybit style, like, you steal the billion dollars, even if Amazon catches that 30 seconds later, right, the billion dollars has already walked, right? Because North Koreans are good at getting out. Anyway, point is, like, this is, like, internet scale, amazing, beautiful hacking and, like, hats off to Wiz
Starting point is 00:19:26 for pulling this one together. And actually going through and doing it, like not just stopping at: we found the regex in this situation. We might be able to do this, reporting. No, no. Actually went ahead and did it. They should have dropped the comment into the repo, like for sure.
Starting point is 00:19:38 Like, Wiz was here. You know, like just something like that would have been cool. But I wonder if it would be kind of like the time that someone actually managed to successfully backdoor SSH, right? When nothing happened because it got snapped so quickly, right? And, you know, that is the sort of thing where you would think, wow, that's the end of the world. But, you know, that's all.
Starting point is 00:19:58 It's just impossible to know. Yeah, I know you want to believe, you know, I want to believe, you. I want to believe, and Adam, I was going to ask, so I get these kind of reports through and people message me, you know, individual hackers about things I found and they tell me all the access they could have got. But I always ask the same question, what could you have done with this? So you've said that you've got, you know, this is internet ending. But what, if you put your cybercrime hat on, what would you have done if you'd have had
Starting point is 00:20:24 that kind of access? I mean, that's the, like, you know, you are the dog that caught the truck at this point, right? I mean, you know, because, you know, if you have everybody's Amazon console in the world, right? What are you going to do? Well, I mean, I mean, you could just mine Bitcoin on people's, you know, mine cryptocurrency, Monero on people's CPUs. But, you know, the data theft options, the access into people's environments, I mean, you know, what would, like, if you were China, what would you do from here? Like, you would have to figure out how to.
Starting point is 00:20:53 You could see what's happening is Adam's brain is actually spinning out right now because of the possibilities. This is like my four-year-old when he runs into a room and he says, I'm looking for the, the, the, the, the, the, the, the, the, the, right? Like, that's what's happening to Adam right now. You broke Adam. Are you happy, Joe? You broke Adam. I'm so sorry. Yeah, I would just yell, hack the planet at the window of the car. That's what I would do. Right, pretty much. The possibilities are too much. Don't break my co-host. All right. Let's move on. And look, this is, this is cool. I like, I like this next piece because I feel like to a degree, Adam, you've been a little bit too skeptical on the AI stuff. I think you're coming around to it a little bit. And it's because of stories like this, which is there's this Linux-based malware called VoidLink that's popped up that actually looks pretty good. And we've got some other reporting out of Check Point that's
Starting point is 00:21:53 says, it's written quite breathlessly, but says, oh my God, this was thrown together by AI and very little human involvement and whatnot. Now, look, even though the Check Point stuff is a little breathlessly written, that's still a bit of a milestone when you've got competently put together malware as a sort of end-to-end platform that is being developed by like, you know, jailbroken Claude or whatever. What are you, first of all, tell us about this malware and then second of all, tell us about the role of AI in it and what you make of that. Yeah, so the piece of malware is like Linux malware. It's kind of modular and pluggable like you'd expect,
Starting point is 00:22:30 has modules for doing root kitty type things, for command and control, for, you know, all the things that you would expect an implant to be able to do. It's also particularly well tuned to modern containerized and cloud environments, so it's kind of set up to run not on bare hardware. Like it's got the necessary kind of specializations for operating in cloud environments and interacting with, you know, the services and things that you would expect to find in cloud
Starting point is 00:22:54 environments. So in that respect, you know, quite a modern framework. And then a bunch of like anti-discovery, anti-reverse engineering, all that, you know, sorts of stealth and hiding stuff that you would expect. So like a well put together competent modern rootkit using modern features and so on. It's also written in, you know, some kind of modern pretty hip language. Uses Zig, which is kind of like a portable C-style, you know, compiler slash runtime environment that reminded me a lot of like MOSDEF from back in the Immunity CANVAS days, which I used to,
Starting point is 00:23:31 you know, work on. So like quite cool tech. And then the, uh, the AI side of it, it seems like, um, so Check Point found a bunch of OPSEC fails in the infrastructure around the deployment of the stuff. And they found, you know, some build artifacts and things, like internal design documentation and stuff lying around, all written in Chinese, and it appeared to be generated by an AI, and they looked through this, and they found, like, a bunch of tells that said that this, the person behind this was using, I think, Trae, the Trae AI coding platform to do it, and they actually took a bunch of the documents that they had found that the AI had generated to then guide the various subagents
Starting point is 00:24:12 and writing things, and tried to rebuild the malware themselves to see how effective that process was. So the AI side of it is interesting because Check Point started tracking this, saw, you know, interesting new malware, and then they found this documentation, which is structured like it's being written by a team of actual people, you know, describing the sprints and then features and documentation, standards, and so on. And then they said, the actual progress of the malware in terms of time is faster than these documents suggest, and perhaps faster than the humans involved, you know, would be doing. Perhaps it's not actually humans doing it.
Starting point is 00:24:50 And that's kind of the conclusions they've ended up arriving at that this is AI driven. And that's, you know, to the skeptic in me, it's kind of cool that I guess the methodology for building this stuff, you know, if it's one guy behind this, building stuff at the scale of a team, actually, I guess, yeah, maybe they've arrived at something that's actually useful. Yeah, I mean, I know a guy around here who is a, you know, CIA type who went to, you know, last year sometime, went down to the Microsoft Experience Center in Sydney or whatever, and they were doing those sort of coding demos where they're like, this agent's the boss and this one's this and this one manages these two and like breaking it up like that and then telling it to go and build a game. This is one of the demos they have for their enterprise customers and it is pretty amazing and getting a lot better. Joe, I wanted to ask, though, how you go about covering stuff like this for the BBC? Because what you just heard from Adam was some, you know, was a subject matter expert talking about this topic with a lot of nuance. For an audience who can understand that nuance, what's it like being the BBC cybersecurity guy and say you were tasked with covering something like this? How on earth do you begin to do that?
Starting point is 00:26:01 I mean, I know how I would have done that because I used to write for newspapers, like 20 plus years ago, but how do you skin that cat and what's that like in the year 2026, you know? Yeah, but you have an advantage, Pat, because I think you do have a technical background, don't you, whereas I don't. So it takes me a long time to get my head around these things. But I think that helps in a sense as well because I think my stupidity helps my reporting because it takes me a long time to understand, which makes me a bit more easy to boil it down
Starting point is 00:26:27 for people. But it reminds me of that Claude story. Do you remember that story from Anthropic, the, the AI company that makes the Claude bot. And they said that China, they discovered that Chinese hackers had used Claude, agentic systems in Claude, to create a sort of end-to-end spying espionage hacking tool. And it was, they were putting it out like it was fact and everyone was getting very excited. And it was, you know, being looked at as a bit of a landmark.
Starting point is 00:26:56 But then what I did was I went and I read some people's analysis that I sort of know and trust and sort of admire. And actually there's a bit more of a, it's a bit more complicated, you know. So, for example, all the, all the evidence isn't quite there that it was all completely automated. And actually, we've heard from Google that in previous reports about agentic AI cyber, you know, attacks, that they're not really that effective. So I think you've got to, you've got to factor in that these companies want to make out that their bots are super duper incredible because then they can sell the idea that their AI needs to be protected by other AI in defense as well as attack. And that's obviously a massive driver, not only in the AI world, but in the cybersecurity world as well, because cybersecurity companies, as a kind of BBC sort of public servant journalist,
Starting point is 00:27:49 I always remind myself that these companies are selling fear. They're selling, you know, this is what these incredible tools can do, this is what the hackers are doing. You need to buy our tool to protect yourself from that. So that always runs through my head as well. But I think in general, my cynicism about AI becoming a major part of cyber, that is ebbing away, perhaps the same as you, Adam, because I was cynical at first, because I've been hearing it for a long time, that AI is doing this, that and the other. But I do feel that we've had enough cases now where it does feel like, okay, this is now a real thing. And what I like about this particular report from Check Point is that they have managed to find, because of OPSEC failures on the hackers' part, pretty decent evidence of the kind of development trail, which you don't often get.
Starting point is 00:28:37 Quite often you'll get a cybersecurity company saying, this was AI with zero evidence, whereas this time we do have a little bit of evidence that actually was. It's so funny that you mentioned that Anthropic report because I actually came down on the side of, oh my God, this is amazing, because even though there was some, you know, human elements involved, like occasionally the AI rig would ask the person, oh, are you trying to do this, or what do you want me to do here? Or, you know, prompt me to do the next thing. I still thought that was incredible because it was such a force multiplier.
Starting point is 00:29:05 But again, I understand from a BBC perspective, why you don't want to freak out your audience by saying that the AI hackers are coming to get you, which I guess is why I thought that would be an interesting question for you. But I've definitely found myself becoming less skeptical about this stuff in general. I guess first working with some of the cybersecurity companies who are using these models to do some fairly primitive things, but, you know, they're incredibly valuable models, even in doing those fairly primitive things
Starting point is 00:29:32 that until recently we've just been getting people to do, which is a terrible waste of their time. But I think in the field of software development and malware development and running campaigns, it's just, it is absolutely the future. Now, moving on, and Adam, we've got one here from Andy Greenberg and Lily Hay Newman about, this is a Google Bluetooth pairing protocol.
Starting point is 00:29:53 It's called the Fast Pair Bluetooth Protocol. There's a problem with it. I mean, we're always seeing problems with, you know, various bits of Bluetooth. But in essence, what the problem is here is that anyone can fast pair to these devices, right, without having to have any special codes or whatever, which means, you know, you could turn them into listening devices or you could track people who own these devices. I'm guessing only for as long as they notice that their devices are no longer paired to their stuff. I don't know.
Starting point is 00:30:22 You tell me you're the one who worked through this story. Yeah. So I guess there's two aspects here. The Fast Pair process, which is a Google written kind of standard on top of Bluetooth for making, you know, pairing headphones to your Android phones move. And then Google wrote the spec and then certifies the manufacturers in their implementation to make sure that it works well. So the first problem is that some of the implementations fail to check if a device is already paired when starting the pairing process. So over the radio, over the Bluetooth, you can connect to a pair of
Starting point is 00:30:53 headphones that's already paired to somebody else and just kind of pair with them as well, at that point, hot mic them, play audio, do whatever else. So that's the first part. And that's not ideal, obviously. And it's an implementation issue with quite a lot, like Sony, for example, is one of the big vendors. They actually get to submit their devices to Google to have them tested. And throughout this whole process,
Starting point is 00:31:17 no one involved actually checked to see if the pairing didn't work if you already paired. So that's the kind of overall failing there. The second half is location tracking. So devices in the Android ecosystem on first pairing with a device that's logged into Google's ecosystem will basically add them to Google's device tracking API platform thingy wants it. So whoever is first paired with them. So in some cases you're able to take over and then receive tracking information from these devices like you were the first user. And the users who are moving, whose device they are,
Starting point is 00:31:56 may not be using that feature, may never have noticed. You can now track them even, you know, when you're outside of Bluetooth range, you know, independent of the Bluetooth thing. So sit on the train
Starting point is 00:32:04 and now you can track people that you're on the train with via this thing. So that's also not great, but that's a subset of the devices have that extra problem because not everything has location tracking support as well. So not great. You know, there's a lot of devices shipped
Starting point is 00:32:18 are going to need a firmware update. Many people are not in the habit of firmware updating their headphones. So that's kind of a problem, like fixing it in the wider ecosystem. It'll be a long tail. And, you know, it's the sort of just dumb bug that you would expect. An ecosystem that has a specification, reference implementation, and device, you know, kind of review process by the manufacturer ought to have caught something this dumb.
Starting point is 00:32:43 Yeah. Moving on. And there is a critical bug in FortiSIEM, which I'm guessing is Fortinet's SIEM. This bug was actually disclosed in August 2025, but someone dropped a PoC recently, like a few days ago, and now there's an exploit for it now and people are using it, and then everyone's getting owned and, you know, it's business as usual. Yeah, I mean, FortiSIEM is two words that just should not belong together. Like, to start with, if you've got a FortiSIEM, you've already made some poor life choices.
Starting point is 00:33:12 The main reason I shove this one in is not because, you know, bugs in Fortinet devices, because if we did that, we would have this in every show we've ever published. This one I was real mad about because the bugs in FortiSIEM have all been basically the same bug but just like one function over or like they had a command injection bug. And then the next one is a second order command injection bug because they fixed the first order one and then someone found the way past and so on. So this is a command injection flaw, unauthed. So over the network to your FortiSIEM and then command exec as root.
Starting point is 00:33:45 And the bug is literally in the same function as the previous round of this bug, just the next parameter is different inside the function, and then they command exec it through, like, I guess it's second order command injection because of the filtering, and it's just so dumb that Fortinet have done such a poor job of fixing the bugs, holistically, you know, just point fixing the one thing that someone actually was. Yeah, yeah, they're not going in there and QAing the rest of the thing, right? And that's clear, and that is making Beardy Man mad. Okay, got it. We've also got a multi-stage attack against Copilot.
Starting point is 00:34:19 This one's actually kind of interesting. Give it to us quick, Adam. So this is an attack that's been seen in the wild against Copilot where you give a user a link to a legitimate Microsoft copilot.com website that embeds a prompt. And it's prompt injection, so not exciting. But it bypasses the existing controls Microsoft has against prompt injection by asking the same question twice.
Starting point is 00:34:41 And it turns out the guardrails that are in place, to stop Copilot leaking people's personal information out via outbound web requests through an attacker only apply on the first web request and not the second one. So the prompt just asks the AI to do it twice to check that they match. So that's kind of point number one that's dumb. The second thing that's kind of cool about this is that the attacker injects a prompt into Copilot. Copilot in the cloud goes off, connects to the attacker's infrastructure and gets the prompt
Starting point is 00:35:12 that they've been directed to get. And then even if the user has by this point long since closed the tab, Copilot is continuing to interact with the attacker, you know, multiple back and forwards prompts and responses using the user's context. And that's kind of a thing that I think many people didn't really think about. You know, they imagine like you click on a bad link, oh my God, I closed the tab, now nothing bad can continue to happen. Not the case because, yay, cloud future, woo.
Starting point is 00:35:40 Well, cloud future and AI agent not really caring about your tab. Exactly, right? Because it's operating up in the cloud. It's not running on your computer. Yeah. We've got some law and order stuff here where we've had some Black Basta hackers arrested by Ukrainian and German law enforcement. And apparently the main dude, the alleged ringleader, is apparently Oleg, has been identified as Oleg Nefedov, who is a 36-year-old Russian national. He's wanted on suspicion of forming a criminal organization
Starting point is 00:36:15 abroad, large-scale extortion and related cyber offences. Let me ask you, Joe, because, you know, the UK has seen a lot of very high-impact ransomware cases lately. Does this sort of news rate in England at the moment? No, not really. We don't, I don't cover these kind of cases. We see these arrests and they are quite frequent, but it doesn't seem to move the dial that much on what happens, you know, that these gangs are still there. And I thought it was interesting reading this because as far as I was concerned, Black Basta had gone. You know, they were, I haven't heard about them for a while. I thought, I assume that that sort of brand had evaporated and given way to something else. I don't know what it is now, Dragon Force, whatever
Starting point is 00:37:00 it will be, Qilin, who knows. So yeah, I'm afraid, you know, it's good news. We all, I always treat it with, you know, like this is a good news story. But we would never, I would never cover that on the BBC because they are quite frequent and without much impact. Yeah. And Jonathan Greig over at The Record has a report up about a Jordanian fellow
Starting point is 00:37:21 who is pleading guilty to breaking access into 50 companies at him. I suppose one notable thing here is he was extradited to the United States from Georgia. Yes, yeah, from the country of Georgia. And yeah, that's good work. Getting someone out of that, you know, Soviet bloc world into the West for prosecution.
Starting point is 00:37:42 So yeah, he's probably going to have a bad time. And this kind of initial access brokers have been such an important part of the ecosystem. So it's good to see them getting law enforcement attention too. Yeah. We've also got a couple of skateboarding dogs this week. We've got Nicholas Moore, 24, resident of Springfield, Tennessee, has pleaded guilty to repeatedly hacking
Starting point is 00:38:01 into the US Supreme Court's electronic document filing system. I think he was just using a cred pair he got somewhere. But he was posting some of these documents. He posted the personal data of several of his victims on his Instagram account, "I Hack the Government". So a little bit difficult for him to argue innocence there, you would think. So that's a nice one from TechCrunch. And finally, this week's absolutely wild bug, which honestly, like, you're not going to find this in too many places, but it's such a bad bug. And people are messaging me about it.
Starting point is 00:38:35 And it's very, very funny. But yeah, if you're using GNU InetUtils telnetd, you've got more problems than you would have even assumed that already that you had. You already had, yes. Yeah, this is a bug that's been in InetUtils' telnetd, you know, since 2015, I think the code got committed. And the impact here is that you can pass a username in the telnet environment, which gets passed to /bin/login.
Starting point is 00:39:06 You can log in as any user with a username of -f root, because the -f parameter of /bin/login tells it that, hey, I'm just root, don't worry about authenticating me. And this is funny for many reasons, one, because telnetting in as root with no creds is hilarious. Two, Solaris had this bug in its telnetd / /bin/login, you know, kind of embedded login combination in the early 2000s, I want to say. And then that bug was a recreation of the same bug in rlogin on Unices from the 90s.
Starting point is 00:39:42 So like AIX or whatever else back then, you could rlogin as -f root or some other user without auth. So there's a perennial Unix bug. I guess the root cause is the contract between /bin/login and the rest of the system is terrible. But mostly it's just made old Unix beards everywhere chuckle with delight at seeing this wonderful treat of a bug turn up on Bugtraq, well, on the oss-sec mailing list like it was Bugtraq in the 90s. So, yeah, it's a good day to be an old Unix nerd right here.
Starting point is 00:40:15 Now, we are also going to link through to a wonderful feature on crypto crime and theft from Joe Tidy, which is going into this week's show notes. But really, Joe, you know, thank you for joining us for the news. But the big reason we wanted to get you here into the show to talk to us was to talk a little bit about your book. I have read a few chapters. I've not read the whole thing.
Starting point is 00:40:37 But you've written a book, and it's an interesting idea because you've basically written a book about Zeekill. Now, this was the guy who hacked Vastaamo in... Oh, my God, I've forgotten the country. Was it Norway? Finland. Finland.
Starting point is 00:40:50 Finland. I'm very sorry to the Norwegians, and the Finnish. But, yes, hacked Vastaamo, which was like the sort of state psychotherapy clinics and whatnot, and, you know, stole all of those patient files, you know, tried to blackmail the company, then was blackmailing individual people, caused some people to kill themselves.
Starting point is 00:41:10 I mean, this guy is like a horrible, disgusting sociopath, and you thought, hey, I'm going to write a book about the dude. And it's called, what is it, Control Alt Chaos. I can't remember the back half of the title there, but it's an excellent read. I just haven't finished it because it's like reading about this stuff in my time off is very, very hard for me these days. But Joe, I'm just really curious. Why did you decide to write a book about someone who is widely regarded, I guess, as just an amoral sociopathic monster?
Starting point is 00:41:43 Well, I knew that there was a story there with Vastaamo. Vastaamo for me is the cruelest cyber attack ever. You just described it brilliantly. You know, there was not only did he and either him on his own or with others hack and break into the psychotherapy chain, Vastaamo, but also it's the direct blackmailing of the individuals, which we don't see very often. We are unfortunately, obviously, now seeing a bit more. There was a case in the UK last year of, you know, some parents being phoned up by a nursery chain, after a nursery chain was hacked, for example.
Starting point is 00:42:18 But it was that direct appeal to the victims. I've got your notes. I know your deepest, darkest secrets. Because it sort of blows away that idea where a lot of these people sort of fool themselves, don't they? They like, they ransomware a hospital and say, oh, there's no effect on patients or whatever, right? So they, they like to keep themselves, they like to give themselves the illusion of, of like, what I'm doing is not immoral. Whereas this guy's like, no, I know that you had an affair on your husband and I've got the
Starting point is 00:42:49 notes and everything proving it. You're going to give me money, you know, or I'm going to ruin your life. Yeah, and that was it. And I spoke to lots of victims for the book. And, you know, these people are still suffering. You've got to think as well, you know, these people are already vulnerable. Some of them children as well. You don't go to the therapist if everything's rosy usually. I mean, it's quite a healthy thing to do anyway, obviously. But, you know, these people had a lot of problems in their lives. And then suddenly you get this horrible email from, for my money, the most hated hacker in history, because the thing about Kivimäki, when it came out, he's called Julius Kivimäki, Zeekill, when it came out that he was in the frame for this, he was,
Starting point is 00:43:28 there was an Interpol Red Notice out for his arrest when the Finnish decided that he was the guy. He has got a storied history in cyber. And actually, it all comes back to my first ever day of doing my first ever cyber story in 2014 when he was part of a gang called Lizard Squad, which hacked Sony PlayStation Network and Xbox Live, the two biggest gaming platforms in the world at Christmas, and him and these other teenagers took it all down with a very, very successful DDoS attack. And I interviewed him on Sky News, that was 2014,
Starting point is 00:44:04 and I was just completely blown away by this baby-faced hacker who didn't give a damn. The nihilism, the arrogance, you know, love the attention, love the chaos. And then I just sort of thought, I've always thought to myself, what's going on with those kids,
Starting point is 00:44:22 what's going on with him? And then, of course, I've tried to follow his career and they disappeared for a few years and they came back in the frame for Vastaamo. I thought, my goodness me, there's a, there's a sort of villainous arc that I think we should explore to find out how does someone go from what I now know was, you know, a gaming-obsessed teenager to fall down a kind of delinquency online path and then to get into very serious cybercrime and then become, you know, one of Europol's most wanted criminals for the cruelest cyber attack. So that was what led me to write the book.
Starting point is 00:44:57 I just thought, let's use him as a way through to talk about the bigger problem, which is teenage hacking cybercrime culture, which has gone through an extremely dark transition around the 2010s and has never come out of it. Oh, and it just seems to be getting worse as well. But I mean, you've spoken clearly to other teenage hackers, right, as well as Zeekill. Is he different?
Starting point is 00:45:26 Is he missing a piece, so to speak? You know what I mean, though? You know exactly what I mean. Well, I think the way that Alison, so Alison Nixon is, I don't know if you've come across her, she's like the authority on this, and I will always defer to her expertise on this, and I interviewed her a lot for the book.
Starting point is 00:45:44 And she describes people like Kivimäki as the centers of gravity in these communities, and they are not necessarily the most technically proficient. They're not necessarily the most articulate, but they're normally the ones who don't give a shit. So they're the hackers, they're the teenagers in the groups who are the most anarchic. They don't care. They'll go after, you know, they'll do things that other people just won't do. So it's a community that pushes the sociopaths to the top.
Starting point is 00:46:14 Absolutely. And if you look at some of the attacks that Kivimäki did in 2014, sort of as part of Lizard Squad, he was, he brought down a, he forced an emergency landing of an airline because he was annoyed with the, the CEO of Sony Online Entertainment. So he called in a bomb hoax without disguising his voice. You know, it's that kind of, that kind of activity where it's a step away from hacking, really. These kids don't care what the, what the, how they cause chaos, you know, as long as they can do it. And then what we see now with Scattered Spider, you know, it's a whole other, whole other thing entirely. They're now combining their forces with them, with well-run, organized ransomware gangs like Dragon Force. You know, it's a potent mix. I mean, I sort of contrast this with the teenage hackers that were causing a lot of drama. Like, I think back to like LulzSec, right? And I think back to people like Topiary, who I got to know, actually, he actually wound up doing some comedy.
Starting point is 00:47:15 Jake Davies, Davis, yeah. So he actually did some comedy sketches for us on Risky Biz, where he did, It was like, that was so funny. He was like he would put on his John McAfee voice and talk. He'd do sketches about playing board games for John McAfee. Like real surreal stuff. And, you know, I used to set them to like the Twin Peaks, like weird music. And like, it was really cool.
Starting point is 00:47:36 So I actually got to know Jake a bit. And like I got to say, Jake is one of the loveliest young men I've ever met. You know what I mean? Like here was a guy who was at the center of this chaos all around the world. But he was a lovely guy, and clearly had no sort of moral failings, really. Like, he was not a person that you would think has problems with morality. And to go from that to this, I just, I'm like, wow, how did that happen so quickly, you know?
Starting point is 00:48:05 Well, I actually, it's interesting you bring up LulzSec, because my, so I did the kind of the draft of the book. And it's my first book, so, you know, I don't know what I was doing. And the publisher said, yeah, this is great. You've told us, you know, the story of Vastaamo and teenage hacking, but they actually challenged me at one point. They said, take off your boring BBC hat and your boring Sky News hat and put your neck on the line a little bit and tell us, you've told us how the transition happened and when it happened,
Starting point is 00:48:33 but can you tell us why it happened? And I sort of went back to LulzSec as being one of the groups that really did change things. They brought teenage hacking onto Twitter, and it was all about getting likes and retweets, and they had a logo and they went after big organizations. But they were funny. That's how they got the attention.
Starting point is 00:48:54 They were funny. Yeah, yeah. And that's because of Topiary. You know, that was his role, wasn't it? It was. Yeah.
Starting point is 00:49:00 It was funny on, and take the mick. Yeah. But then also, I don't drop him a text, man, see if I can get him to do some more comedy for us. You know,
Starting point is 00:49:06 I need to, I need to look this up. But then if you, I sort of like, not just, I think LulzSec kind of, they nudged the teenage hacking culture in a direction with which it just has snowballed since.
Starting point is 00:49:18 So before then, you know, people would say it's a simplistic view perhaps, but because teenagers have always been hacking. But if you look at the kind of 80s, 90s, early 2000s, Legion of Doom, Cult of the Dead Cow, Chaos Computer Club, L0pht, different culture, different vibe to what you get. Well, okay, so here's the question, Joe. Adam and I, when we've had discussions about this, you know, both in the show and just amongst ourselves, we wonder if perhaps cryptocurrency monetizing these communities, right, is where the dramas come from. Because that would seem to be a pretty clean explanation for the culture change. Cryptocurrency is number two on my three theories as to how it happened, as to why it happened.
Starting point is 00:50:01 So number one is Twitter. I think that Twitter had a massive part in the change of this culture because if you talk to the guys like Jake and if you listen to, you know, some of these panels that they do now as grown men, they loved the attention. They absolutely did. They talk about being more popular than One Direction, you know, that it's all about that online clout. And Twitter changed social media because before Twitter, being on social media, being on a social
Starting point is 00:50:28 network was being social with your network, whereas Twitter said, you don't need friends, you need followers, and you can get followers by being infamous, not even famous. You can just, you know, cause mayhem. And then the number two, Bitcoin, I would say, you know, that really changed things because before that it was quite hard to make money from your breaches and your hacks. And the third one, I think, is the rise of live video, voice and text chats, IRC, Skype. Now we've got Telegram and Discord. Cybercrime is a team sport, as we know.
Starting point is 00:51:01 You know, it's not a loner in his room in a hoodie. They're joining up all over the world and they're coming together to carry out attacks. And if you've got instant, you know, tools like that, then you can quickly spin up an idea for a hack and go after it. Well, I think this is why Nazis are making a comeback as well. I liked it better when they had to hang out in weird little bookstores and industrial estates that would occasionally get burned down. Whoops. And now they're all over the internet. And that's just how it is.
Starting point is 00:51:29 But, you know, in all seriousness, you've got to think about as a serious possibility for the fourth reason why this change might have happened, Joe, microplastics. It's all about the microplastics. You know, it's microfiber sponges. It's, you know, that's what it's about. I haven't considered that. I've really missed a trick. All right, Joe Tidy, thank you so much for joining us to talk. Thanks, Adam.
Starting point is 00:51:52 To talk through the news and also to talk a bit about your book. And I did actually look up the correct and full name of the book, which is Control Alt, Chaos, How Teenage Hackers Hijack the Internet. As I say, I got maybe a third of the way into it. It's a very good book. I will finish it eventually. And yeah, so thanks for joining us. And Adam, thank you, as always as well.
Starting point is 00:52:11 And I'll catch you both real soon. Yeah, thanks. I will see you next week, Pat. See ya. That was Adam Boileau and a special guest co-host Joe Tidy, the Cyber Security correspondent at the BBC World Service. And yeah, it is time for this week's sponsor interview now with Haroon Meer, who is the founder of Thinkst Canary,
Starting point is 00:52:43 which makes, of course, little honeypots and whatnot. You all know who they are. They also operate, you know, honey token services. But what about breadcrumbs? This is a concept that is new to me, but it has apparently been around for quite a while. Thinkst has introduced these things called breadcrumbs, which enable you to figure out when a bad person has got access to a box where you have SSH, basically. So here's Haroon talking about that.
Starting point is 00:53:08 We're also going to talk about a small acquisition they made of another company that does deception related stuff and how Thinkst wound up being the owner of the South African Computer Olympiad. But first, of course, here is Haroon Meer talking about SSH breadcrumbs. Enjoy. So interestingly, we've had breadcrumbs for a few years, but we've been really quiet about them. So to take a full step back, we've got the Canaries, dead simple, they act like entire operating systems. So drop a Windows Canary on your network, drop one that looks like an IBM mainframe, drops in seconds, forget about it, attackers hit it. And then we've had tokens, which are, here's an AWS API key. So you put those everywhere you want to, attacker finds them and you get an alert. Breadcrumbs, we kind of snuck in a few years ago because we were kind of feeling our way around it.
Starting point is 00:54:05 So the simplest version is breadcrumbs lead people to your Canaries. So if you've got Canaries deployed, you get to say, give me crumbs for this Canary. And if your Canary was running an FTP server, we now give you a config file that points to it, or if your Canary is running RDP, we'll now give you RDP files, or you get a Windows shortcut pointing to file shares and that sort of thing. But we were not great believers in breadcrumbs, in part because lots of other deception players when they first started focused really heavily on it. And we always felt that people find Canaries while they're doing their attacking business anyway, and the act of deploying crumbs ends up being heavy and painful.
Starting point is 00:54:54 But what we've deployed recently, or what we've built recently, are nicer SSH breadcrumbs. And the reason I say nicer, we've had in the past, like if you had SSHDs, so if you dropped a Canary that looked like a LAMP server, MySQL, SSH, Apache, you could get a breadcrumb that had an SSH host entry that pointed people to that Canary.
Starting point is 00:55:20 And so now you get to deploy those on your boxes, people find them, people find your canary. What we're doing now is generating SSH key pairs also for those SSHDs. So the way to look at it is you, an organization and you've dropped two canaries, you now get to create SSH key pairs for a zillion of your internal hosts that then point to those two canaries. So now it increases the odds that if any one of your hosts get compromised, attackers find that SSH key pair and end up connecting to the host.
Starting point is 00:55:57 Yeah. So, I mean, it's kind of like what you're doing is you're kind of funneling them towards a canary, right? And let me guess. The nice thing is you can generate unique key pairs. Exactly. For these SSH things. And then you get the attribution. Now, I mean, is that really much of a game changer?
Starting point is 00:56:13 I'm going to say probably not because you already get the attribution based on the IP and whatever, but I'm guessing from your point of view, it's easier to do the attribution in your software. You don't have to worry about the network at that point. You could just take the attribution based on the key pair and say, this box over here got owned and someone tried to, you know, log into the SSH using this key, so go and turn off that machine. Exactly right. And we don't see it as a game changer at all. Like exactly the way you say it, it's not something we've pushed forever, even though it's been in there for years. But like the way we like doing things, we like taking a thing and then making sure we get it nicer and righter.
Starting point is 00:56:52 And so what happens now is effectively someone pays 10K because they've got six canaries on their network, but they get an entry on every host on their network. And so they're funneling to us, but they're increasing the odds of catching an attacker trivially. And that's what we're actually interested in. Let me just ask though, like, the process of deploying these things, I'm guessing it's mostly manual, right? Because you're not going to want to give your Canary console, like, highly privileged access to go out there and mess with all of your SSH configs. So,
Starting point is 00:57:28 I mean, does that get a bit unruly, though, Harun? Are you meant, you know, how do you tackle that? Because I'm thinking, like, you're like, oh, you can put it on, you know, 100 machines. It's like, how do you keep track of them all? No, so that's exactly the right question to ask, and exactly why it takes us, took us a while to get here. So, so, of course, everything we do is API driveable. and so deploying tokens, deploying birds, all of it can be done via the API. But if we can make the API endpoint for this nice enough, now we can start saying, well, you've got an AWS cloud and you've got cloud automation. As part of your Init script, fetch an SSH key and deploy it on your host.
Starting point is 00:58:08 So now every time a Kubernetes instance comes up or every time a host comes up, it can reach out, collect an SSH key that then gets applied to it. Yeah, every time you deploy anything with SSH, it's just like, Bing, Bing, Bing, done. Exactly right. And this is how that stuff comes up. And so this is exactly how it works. Single API request to us.
Starting point is 00:58:30 And then we also do the coolness behind that to make sure that the API key being used for this can only be used to fetch an SSH key. So you can't use, if an attacker happens to find that, happens to find that API key, They can't use it to do more stuff on the console. So again, in the way we typically do things, it should be dead easy for people.
Starting point is 00:58:51 It should just slip into their work stream, and it should increase their coverage by a whole bunch. And of course, the way Canary works, it's completely free. So even if they've got five birds, they can now have five million SSH entries. Coverage is better free, just works. Nice. Very nice.
Starting point is 00:59:11 So what, I mean, I know they're focused. is on SSH, but where else can you use this? Yeah, so we've got a bunch of different entries. Like I say, even things like RDP. So, so Canadi's have custom RDP that we can do it with. We can do it with all types of shortcuts. So, so in part, it just can you do, sorry for, sorry for my ignorant question, but can you actually do key based auth for IDP?
Starting point is 00:59:33 Um, so you actually could do certificate based auth for RDP. Um, so currently we do it for username password, but cert based off and because- it's like key based off, but. windows and very complicated and hard to do. Exactly. And part of our thing is, yep, we'll eat that complication to make it easy for users and that's what we do. So we'll add a whole bunch of that stuff down the line because you can see it works and you can see its value. But right now we'll start with SSH. Now, the other thing we've got to talk about today is the fact that Harun, you've now graduated, you are fancy because you are acquiring things. Let's talk about two things that you
Starting point is 01:00:12 have acquired. One is a company called Deceptic. And the other is the South African Computer Olympiad, but we'll get to that next. First of all, tell us what Deceptic is. Another Deception play, I'm guessing, but is it small? Is it like, you know, what happened here? Yeah, so Deceptic, so we've seen other deception companies come up like over, over the different runs, different times of the last 10 years. And Deceptic was a really small player in the but almost the same makeup as us. So ex-pen testers from Praetorian Labs, deep pen test skills, deep desire to make attackers bleed, and accidentally made almost exactly some of our tokens, lots of our thinking, and we started bumping into them in places and really liked what they were doing, and reached out to them and said, hey listen, like, you're building something,
Starting point is 01:01:12 that's going to hopefully someday be like us, why don't you come join forces with us and do coolness? It's hard to find good people. It becomes an easy way to grab good people. And we'll start off just with some cool tokens of theirs that we'll integrate. So yeah, we're excited. We get to find mini-meas that we think can become good and it should be interesting. Okay, so that's like an aqua-hire, like micro-acquisition, I'm guessing, is that that's the know what it sounds like here. Yeah, we don't think the acquisition is going to get anyone buying islands or anything like that, but we think great people are worth grabbing whenever we find them. Yeah, fantastic. Now, tell us about the South African Computer Olympiad and how it wound up in
Starting point is 01:02:00 your possession, because I'm guessing there's a story there. This is mostly just geekery and a little bit because we can. Look, we like doing things in South Africa. The computer Olympiad's been running here since like 1984. And we've got people on our team who are previous Olympiad gold medal winners, but the Olympiad ran out of money, which is really an odd thing considering they's propped up by sponsors and we know a bunch of their sponsors. But we got an email saying Olympiad's being shut down for financial reasons. So we reached out, found out if we could buy them. It means a commitment from us to keep them supported for the next few years, which is a little bit of money. But mainly what we're saying is we've created a non-profit,
Starting point is 01:02:49 we'll commit to sponsoring it for the next few years, and hopefully get it on its feet again. Give it a fresh coat of paint, like there's a few things about it that we don't like as much. But we think it's important for Z-A, and we can. So we'll keep it going until we can make it nice enough to attract more schools, attract more sponsors, and then usher it on its way.
Starting point is 01:03:12 I mean, it's nice to have these sort of things, right? Because they effectively operate as talent pipelines for the local technology industry. And I'm guessing, like, you know, just putting on your cynical hat, that's going to benefit you because you could use all the talent you can get locally. I know you hire outside of South Africa as well,
Starting point is 01:03:27 but, you know, one of the challenges in South Africa is actually finding those people, right? And this is a good way to do that. It absolutely should down the line. Like, you see the quality of people who come out of it, like strong comcise, strong algorithmic skills. And yeah, totally. Our take is, look, it probably will be good for companies like us down the line.
Starting point is 01:03:47 If it doesn't, it's okay. It should stand on its own. But more than likely, we'll get the benefit. Genuinely, deeply, one of those rising tide lifts all boats, things that works for us. All right, Harun Mia, terrific to see you as always. Thank you for joining us for another year of Risky Business. sponsorship and yeah we'll be chatting to you throughout 2026. Always fooled that, but.
Starting point is 01:04:14 That was Harun Mia there. Rounding up this week's edition of the Risky Business podcast, I do hope you enjoyed it. I will be back next week with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.