Risky Business - Risky Business #828 -- The Coruna exploits are truly exquisite

Episode Date: March 11, 2026

On this week’s show, Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover:

The Coruna exploits were L3 Harris, but it seems Triangulation… was not!
Iran’s cyber HQ hit by Israeli (kinetic) strikes
Trump’s cyber “strategy” is … well, all we’ve got is jokes cause there’s no serious content
NSA and CyberCom finally get a leader after Lt Gen Joshua Rudd gets Senate nod
DOGE (remember them?!) employee walked a social security database out on a USB stick

This episode is sponsored by open source cloud security scanner Prowler. Creator and CEO Toni de la Fuente talks to Pat about some of the enterprise features Prowler is growing, while remaining true to its open source roots.

This episode is also available on Youtube.

Show notes
Inside Coruna: Reverse Engineering a Nation-State iOS Exploit Kit From JavaScript
GitHub - matteyeux/coruna: deobfuscated JS and blobs
US military contractor likely built iPhone hacking tools used by Russian spies in Ukraine
APT36: A Nightmare of Vibeware
State-linked actors targeted US networks in lead-up to Iran war
Iranian cyber warfare HQ allegedly hit by Israel
Last 2 names of 6 US soldiers who died in Kuwait attack identified by the Pentagon
Signal, WhatsApp users face Russian phishing push, Dutch warn
Samuel Bendett on X: "Russian military told it couldn't use Telegram messaging app"
FBI investigating ‘suspicious’ cyber activities on critical surveillance network
Risky Bulletin: New White House EO prioritizes fight against scams and cybercrime
President Trump’s CYBER STRATEGY for America
Fact Sheet: President Donald J. Trump Combats Cybercrime, Fraud, and Predatory Schemes Against American Citizens
UK plans to shift fraud fight onto telecoms, tech companies
Trump to hit Anthropic with executive order to remove "woke" AI Claude
Anthropic launches code review tool to check flood of AI-generated code
CrowdStrike reports record quarter amid investor concerns about AI impact
Critical defect in Java security engine poses serious downstream security risks
Gen. Joshua Rudd confirmed as NSA, Cyber Command head
Plankey’s nomination as CISA director now in jeopardy
DOGE employee stole Social Security data and put it on a thumb drive, report says
Taming Agentic Browsers: Vulnerability in Chrome Allowed Extensions to Hijack New Gemini Panel
Romania's largest meat exporter, owner of the Cocorico brand, has entered restructuring, alongside Casa de Insolvență Transilvania

Transcript
Starting point is 00:00:00 Hi everyone and welcome to Risky Business. My name's Patrick Gray. Fantastic show for you this week, an excellent selection of news to get through with Adam Boileau and James Wilson, and we'll be doing that in just a moment. And then we'll be hearing from this week's sponsor, Prowler. So Prowler is an open source project that does cloud security checks and remediation. And its founder, Toni de la Fuente, will be joining me later on in this week's sponsor interview. So, of course, there is the open source project.
Starting point is 00:00:34 but they're kind of at the point where they're starting to add some enterprise features into the commercial version. It's much as you would sort of expect, pointy-clicky SSO integration and, you know, compliance features and stuff that really doesn't belong in a community slash open source version of software like that. So Toni will be joining us to have a bit of a chat about that later on in this week's episode. But first up, let's get into the news. And we've got to start this week by kind of correcting some stuff I said last week. So last week I said it was my very firmly held belief that Trenchant, L3 Harris Trenchant, was the vendor behind what became known as the Triangulation campaign, right?
Starting point is 00:01:18 Which was targeting Russia. It was disclosed by Kaspersky in late 2023. So last week I said a few things. I said, I thought that the newly unveiled Coruna exploit toolkit was linked to Triangulation. And I said this for a few reasons, basically because it seemed to be implied a little bit in Google's write-up of it. iVerify came out and sort of made that link. And I'd already sort of long suspected that Triangulation was an L3 Harris Trenchant thing. Turns out it's not, right?
Starting point is 00:01:50 So it turns out it's actually not. But interestingly enough, the bit that I did get right last week is that the Coruna stuff is the Trenchant stuff, presumably leaked by Peter Williams. Now, we don't know that that's the stuff that he leaked, but we do know that these were a series of exploit chains that were being used at L3 Harris, or developed by L3 Harris, around about that time. So you would think, logically speaking, that these are the exploits that were leaked. There's some dead giveaways there. I think the fact that they've got, like, bits of this are named like Cassowary, which is a dangerous, flightless Australian bird, would tend to indicate that maybe this is a Trenchant product. I should also mention, too, that I do have some sourcing on this. I'm not just, this isn't just vibes at this point.
Starting point is 00:02:35 Last week was a little bit too much vibes maybe, but this week not so much vibes. So, you know, TLDR, Triangulation and Coruna, not from the same vendor, did use one of the same bugs though. And I'm really unclear on whether or not that was parallel discovery or someone licensed the bug to someone else to use or, you know, maybe someone used to work at place A and moved to place B and sort of took the bug with them. I don't even know how that happened, but we can say they were using some of the same exploits,
Starting point is 00:03:05 could have been parallel discovery, not sure. Triangulation was not Trenchant, Coruna was. That's about as cleared up as it's going to get. Adam, let's bring you in on this one for starters. The other thing that's happened here, of course, is that we actually have the Coruna samples on GitHub, thanks to the team at iVerify. Thanks for that.
Starting point is 00:03:22 Which meant we've all got to look at them. Yeah, it's been a really interesting, you know, seeing the inside of that particular kit. I mean, we've seen bits and pieces. The bug that you mentioned that's shared between Coruna and Triangulation was that undocumented Apple hardware feature that basically turns into unconstrained DMA. Like that was a super juicy bug. And so seeing the insides of the rest of the tool chain that was kind of around that.
Starting point is 00:03:50 Because when we saw, I think it was Kaspersky wrote up that particular one, like, we were like, you know, there was some eyeball face going on there because it was so interesting. And so seeing the rest of the tool chain, you know, it's kind of gratifying to see what the high end of the market looks like. And, you know, many people have seen little bits and pieces, but seeing the whole chain laid out and just how, you know, like, I guess there's a reason that, you know, Trenchant and, you know, Azimuth and LPL before them, you know, were very well regarded in the industry because they produced some good stuff, it turns out. And yeah, it's nice to see. It's good to see the write-ups. You know, James has been digging through it and some
Starting point is 00:04:26 intelligent as background at Apple as well. And so yeah, it's just been a fun week around the office, you know, seeing these beautiful, exquisitely crafted Fabergé egg, you know, exploits. Yeah, I mean, this explains why Trenchant guys had the good parties in Vegas, I guess. Like this is why they get the big bucks, right? It turns out they're pretty good at this.
Starting point is 00:04:46 So, yeah, let's bring in James at this because, you know, because the obvious thing is, geez, if only we knew someone who used to work at Apple on iOS, who might be able to have some insights here into what these exploits looked at. You know, James, you have spent some time actually over your weekend too, because this is such a rare event. Really having a look through these samples and you have been, I mean, to say you're impressed is a bit of an understatement. Yeah, that is an understatement of the century. Like, it's such a weird feeling to be looking at exploit code that is exploiting code that you know was written by folks that used to work in the building next to you at Infinite Loop.
Starting point is 00:05:21 And then when you see the way this has been strung together, just using the most seemingly unrelated parts of even just the JavaScript frameworks, like the number format object in the internationalization framework being combined with an offline audio context that had a buffer overflow in it being then combined with vector graphics. It's like no one would have ever thought to put these three things together. But the sheer depth of knowledge of the internals of how this works is just, you know, I was looking at it from the lens of, okay, people are saying this is nation state and sophisticated, but what does that actually mean? And gosh, you really do see what that means when you're looking at the code. You're probably, you're probably piling into this thing saying, yeah, sure, buddy, whatever. Yeah, okay, come on, click, click. And then you're like, oh my God, yes. Yeah. Now, I should mention, too, for those who are really, really interested in James's opinion on this toolkit, you have recorded an 80-minute solo podcast just talking through your analysis of this exploit toolkit, and we're going to publish that, I think, either today or tomorrow. But it's going out real soon, so if anyone out there listening
Starting point is 00:06:26 to this is interested. And like, God help me, I never thought it would, something like that would be interesting. But I've listened to about half of an hour of it as of yesterday. And it's really good, so well done. But those who are interested in listening to that, you can find it at the Risky Business Features podcast. So just search for Risky Business Features in your podcatcher or head to risky.com. Scroll, scroll, you'll find it with all of the right subscriber links there. But look, I think it's safe to say that this stuff is, yeah, very well done. And look, staying on that topic, we had a guy, Daniel Wade, publish an analysis of the JavaScript components of this, which was really interesting because everybody was focused on the sort of payloads and whatever.
Starting point is 00:07:08 And it looks clear, too, that these toolkits went from being used, presumably by the US. You know, Google say this, and they're a bit cagey about where they saw it pop up. Then all of a sudden, it's being used by the Russians to target Ukrainians, and now it's being used to try to steal cryptocurrency from Chinese-speaking users, which is just like, what a, what a waste of some exquisite exploits. But where was I going with that? Oh, yes, the JavaScript. So everyone's been looking at the samples and the, you know, the actual exploit components of this. This guy sat down, really had a look at the JS components. James, what did you think of that part of all of this? Yeah, he's, it's an incredibly in-depth analysis. And I think the thing to really
Starting point is 00:07:51 call out here is that the analysis that Wade did, he was the only one, I think, between Google and iVerify, with the other sources, to actually call out the use of, or explain how, the PAC bypass works, right? So in all Apple A-series silicon since, I think, the A12 onwards, there's a built-in hardware feature that looks at the pages in memory before code is run, and it checks that there is actually a cryptographic hash and signature there before it'll run code, for obviously ensuring the integrity of the code. Google and iVerify called out that this had obviously been bypassed, but just called, I think they referred to it as like an undocumented or not public bypass. But yeah, he went through and figured out how it works.
Starting point is 00:08:34 And the way it works is, again, just it's beautiful. It's signed code being used to sign other unsigned code. And it's magic. Adam, you got some thoughts there. Yeah, it is. It's just beautiful work. And, you know, you can listen to James's podcast,
Starting point is 00:08:52 you hear the specifics of all the details, but really it's just like, you know, I've met some of the guys that work in places, you know, like Trenchant, and, you know, some days you see them at the end of the day and they're at the pub having a beer or whatever, and they've got that, just like, there's a certain look,
Starting point is 00:09:07 like glassy look in your eye when you've spent your entire day inside the gubbins of, you know, symbol linking in the middle of someone else's operating system. And it's just, you know, I have a lot of sympathy for what that does to your brain. So like, I salute you, sirs, for your very fine work, but god damn, it's cool. And it's just, yeah, it's great to see it torn down and written up
Starting point is 00:09:29 so that we can all enjoy it. Now, I will just say too further on the Triangulation, you know, misattribution there. I'm not the only one who thought this, right? So as evidenced by iVerify, you know, who had the samples and looked at it getting feelings in their waters that these things were connected. I mean, you had L3 Harris Trenchant guys passing around stickers at conferences that were triangles saying, caught in the wild. You know what I mean? And also, I've heard from some people that certain elements of Trenchant management weren't really keen to shut down the rumor because it was kind of like a positive rumor to have that you were behind this like really badass set of exploits or whatever. So look, I'm not the only one
Starting point is 00:10:09 who's made, who's made that mistake and formed that opinion in error. But I think it's really cool that like we're kind of at the point where we've, I feel like this mystery is largely solved. You know, Lorenzo over at TechCrunch too, overnight. He posted a piece too that linked the Coruna stuff to Trenchant. So I think, you know, I think we can kind of put that to bed. Who was behind Triangulation? I don't know. It's another Five Eyes actor. Was it a contractor that wrote it? Was it NSA? I don't know. I don't know. But I still think Kaspersky's story that a Five Eyes threat actor was exploiting the telephones of people who worked at Kaspersky's threat research seems like a pretty unlikely one.
Starting point is 00:10:52 I think if I had some closely guarded exploits, I'm not going to throw them against threat researchers. That's just me. You know, I'm like, hey, I've got tens of millions of dollars of 0day here. Let's go exploit some people who work at Mandiant. Like, that just doesn't track. You know what I mean, Adam? Yeah, like it feels like a poor choice.
Starting point is 00:11:08 Unless you have some very specific tasking or reason that you need specifically them, but like that just feels very niche and it seems like a poor life choice. Well, and they were hacking ambassadors and stuff, and people in the government, oh, and a handful of Kaspersky researchers, like, give me a break. No, that's not what happened. Now, anyway, we're going from the exquisite end of the exploit and, you know, malware industry, down to the kind of like run-down crappy RATs everywhere. And we've got this great post here from Bitdefender talking about APT36,
Starting point is 00:11:44 which is apparently a Pakistan-based threat actor, which is now just vibe, they're doing vibe-coded malware, which Bitdefender is calling vibeware. I love it, personally. James, you've had a bit of a look at this, and, you know, you also think Iran might be doing some stuff around, you know, vibeware and whatnot. But I mean, this is how it's done. It's kind of depressing. What do you make of all of this? What do you make of this APT36 and how they're rolling? Yeah, there was two funny callouts in that article. The first one was, you know, a Go binary that they observed that still had a template address in there for the C2. And so it got deployed and it couldn't actually reach back to its C2.
Starting point is 00:12:25 And I think that only could have been better if the C2 address was actually still localhost. So the developer could have legitimately said, but it worked on my machine. So that. But the other interesting thing here is, you know, they're adopting novel languages or niche languages like Zig and Crystal and Nim and like that's real new hotness stuff. And some of the articles say, oh, you know, that's going to help evade detection. And I'm not really sure that's the case.
Starting point is 00:12:50 But I would have bet that it's just because, you know, given free rein, an LLM is probably more inclined to go and churn out a new language that it has a fresh and pretty deep set of knowledge around to create these exploits. I mean, this is a trend. But, yeah, this is a bit of a trend because we saw something where there was like Go malware for some like ancient platform recently when we're both scratching our heads going, uh? But, you know, probably LLMs being everywhere and doing so much code is a part of that. But you were going to jump in there, Adam, with something. Yeah, I mean, part of the write-up is suggesting that maybe they're doing this for detection evasion, right? Like, you build custom malware. That way you don't have to worry about signatures existing for your malware.
Starting point is 00:13:30 You can avoid AV and other things. But the idea that you would need to go to the extent of, you know, like writing a malware in one place and then having LLMs translate it into other implementations so that they can avoid detection. It's like avoiding AV really isn't that difficult. Like there's like the state of the art for avoiding AV is already, you know, good enough to get past most people's AV. It seems unnecessary. So, you know, maybe there's some other explanation.
Starting point is 00:13:55 Like maybe it's just fun. Maybe it's different. I don't know. But like the detection evasion angle just didn't seem, didn't, you know, track exactly like what's going on to me. But hey, who knows? Now we've also got this other story here about some state-linked actors, Iranian state-linked actors targeting US networks and whatnot in the lead-up to the Iran war.
Starting point is 00:14:18 James, you felt this one dovetails actually previously quite nicely with the APT36 one. Why is that? Yeah, I didn't make that connection at all until I read the write-up, and they talked about they're using Deno, which is a very new, again, with the theme of the new hotness, a very new Node.js replacement, like a JavaScript runtime. And then it's like, you know, if you know what Deno is, you know that it's basically a runtime that was designed for security built in. And it explicitly does not allow access to network and disk and all the things that you would want a backdoor to have. So it's like, it's just these weird technology choices.
Starting point is 00:14:54 Like, as Adam said, if you're just trying to get a different hash for your malware, why are you bothering? But then we're seeing like LLMs choose brand new languages and brand new runtimes. And those runtimes don't even fit the model of what you would want. your implant to be doing. Right. So you see this one as a bizarre technology choice on behalf of the Iranian APT operators, which would suggest that maybe they're using LLMs
Starting point is 00:15:18 to do some of their dirty work. I'd scratch my head, but the lack of hair just makes that dangerous. Now, look, staying on all things, Iran, we have a story here. It's been repeated in a bunch of outlets, but we've linked through to the SC media version of this story, that Iran's like cyber warfare HQ on a base somewhere
Starting point is 00:15:39 was actually hit with an airstrike or a missile. Like it has been blown up by the Israelis. No surprises there. I think I remember reporting on when the Israelis hit a Hamas cyber facility in Gaza, actually many years ago before all of this, before the war in Gaza. It was just so massively controversial. In that case, the building had been evacuated prior because there had been prior notice given, so no one was actually killed in the strike.
Starting point is 00:16:07 But, you know, I think a lot of people in this field sort of forget that people who are doing state-backed cyber operations, I mean, quite often they're gathering intelligence that is going to be used to harm their enemies. So they are legitimate targets. And I just sort of, I haven't seen as much of that discourse this time around. So I think maybe people have adjusted to that. But, I mean, did you reflect on that a bit as well, Adam? Yeah, yeah, exactly. I mean, the increasing, I guess the utility of, we talked, was it last week, week before, about like where there are places that cyber is actually legitimately useful.
Starting point is 00:16:41 And battle damage assessment, reconnaissance, things that are like legitimately military functions, you know, if you start doing those, then you, you know, you do end up being kind of legitimate targets. And, you know, I think that, I remember that one against Hamas. And we talked at the time about how this is also a deterrent for wanting to go and use your cyber skills, you know, in that kind of capacity, maybe think twice, go do some other business. Like same kind of thing here where, you know, even if the effect of blowing this up is not, you know, in terms of ongoing operations and those particular staff, you know, even if that wasn't a big impact, it just has that kind of reminder, you are a legitimate kinetic target if you're doing this, you know, in an adversarial context, you know, in a war and, you know, think about what you're doing. Yes. You're a part of it, I think, is the message there if you're gathering intel.
Starting point is 00:17:32 I mean, I think that's what makes OPSEC so important. I think it was really funny, actually, when the United States started to sort of dox some of these Chinese operators, right, whether that was DOJ or whoever is like, well, you know, all of the attribution stuff. And then the Chinese are like, yeah, we're going to do the same thing. And they do stuff by like saying, Rob Joyce is NSA. And it's like, yeah, man, he's been on my podcast as NSA. Great collection there. So I think, you know, this is where OPSEC as well becomes pretty important to the whole enterprise. And I think that's something Five Eyes certainly does better than the rest of them.
Starting point is 00:18:03 Anyway, moving on. And, you know, two of these, at the time of the, this article was written, six US service members had been killed in this Iran war. I think that's risen to seven now. Two of them were actually cybersecurity people. There was a guy who was studying cybersecurity at a university, and a guy who was actually doing cyber stuff, defensive cyber stuff in the US military. They were both killed in a strike in,
Starting point is 00:18:31 Kuwait. So there you go. It's very sad. I mean, I don't think these guys chose to engage in a missile war with Iran that didn't have clear aims, you know, and they've paid the ultimate price for that. Yeah. And these are reservists. So these are people that had, you know, regular civilian lives and had been deployed, you know, as reservists. And that's, you know, it's a pretty long road from Iowa to, you know, where they were in some, you know, a place in Kuwait. And yet, expecting to be on the end of a missile strike, not really probably what they expected when they signed up for the reserves, you know? Yeah, I mean, I just don't, I don't quite understand what all of this is for. You know, I understand that Iran's missile launch capabilities will be temporarily
Starting point is 00:19:09 degraded. Maybe they drone manufacturing temporarily degraded. We haven't seen really a change of regime or, you know, if anything, we're going to wind up with a war hardline regime. I just, I don't know what this is for. And tragically, those dead schoolgirls, mate, that's just, you know, I've got a daughter that age and seeing that something like 170 kids were killed. And, you know, the reporting suggests that one of the reasons that strike may have happened is because Claude was used for target selection and to accelerate target selection. You just think, wow. If that is the case, if there were insufficient checks done, I mean, what a, you know,
Starting point is 00:19:45 just what a tragedy. The whole thing. The whole thing is just tragic. Anyway, moving on and, you know, sort of staying with cyber and conflict, the Russians are doing a big Signal and WhatsApp phishing push. Is this just more QR code linking, James, or is there something interesting happening here? No, I didn't see anything particularly novel other than just the sheer volume of it and the brashness of who it's targeting. It's just same old, same old. And even
Starting point is 00:20:15 sort of Signal's advice reads, it almost reads like tired advice of like, okay, come on. You know this is happening. You know what you've got to do, but you're still falling for it. So just the same, same. Yeah, I mean, this is, you know, a pretty well-known problem. But on the other hand, like, there is not that much attack surface here, right? I mean, your options for phishing Signal users to get some useful effect are pretty limited. And, you know, I don't know what the Signal Foundation should do through, you know, kind of make that pairing, device pairing process more robust. But I think, you know, there is somewhat heartening that there is so little attack surface here. And, you know, all they have to do is figure out, hey, is there a more robust way we can do this?
Starting point is 00:20:56 And they're going to shut off, you know, one of the only significant avenues people have for doing this kind of thing. So, you know, whilst the, we don't have a support bot on Signal that's going to message you advice does, you know, you can just, you can feel the like exasperation, like them rubbing their temples at the Signal Foundation. But, you know, they have an opportunity to figure out, you know, really answer one question, how do we do this better? And they'll make a big difference. So that's good. All right. Oh, now, this next story. This next story. Now, this is completely unverified. It's been pulled off like some Russian Telegram. I reckon there's a 50% chance that this is just completely made up by some Russian milblogger.
Starting point is 00:21:36 But I want to talk about it anyway because it's one of those things that like, is, I don't know, it's probably, it could be true. I don't know. It vibes right for us. It vibes right, right, right, which is that the Russians have been trying, initially we're trying to tell troops and trying to tell Russians generally not to use Telegram because it's not safe. after a while and that's where this
Starting point is 00:21:58 from what I heard like this kind of feels like it's probably wrong but after a while they said look people on the front can keep using Telegram because it turned out
Starting point is 00:22:08 Telegram was being used a lot by Russians who were involved in the war in Ukraine in Ukraine I'm sorry so there's that part of it but now this report
Starting point is 00:22:18 from Russian Telegram says that they told them to stop using Telegram and to start using Max and this is their everything app This is the Russian WeChat, basically. So they're like, start using Max. And now the latest info is, and that's what this thing is claiming, is that the Russian government is now saying,
Starting point is 00:22:34 oh my God, don't use Max. It's completely insecure. People are dying because they're using Max. Go back to using Telegram. So, look, I don't know that this is true. But what I do know is that it's extremely highly plausible, because if I'm Ukrainian SIGINT, this is absolutely what I'm doing is I'm trying to figure out Max, right? Yeah.
Starting point is 00:22:54 And Max is a pretty natural target with them. And of course, this is one of the challenges of building your own sovereign technology stack, whatever else. Like, this is hard work. Like, it takes a while to get right. And even if Max turns out to be as good as Signal or as good as, you know, other alternatives, it's going to take time. Like the first versions, first couple of years, you know, much like when you roll your own crypto, everyone who tries to implement their own X.509 parsing is going to, you know, screw it up the first 11 times they do it. The same thing here, right? If you're trying to implement your own messenger and trying to do so in like in wartime conditions against an adversary
Starting point is 00:23:30 that is in an existential fight against you, yeah, that's not the place that you want to be yoloing your first, you know, your first take at a national messenger. So yeah, it's a, it's gonna be a fun ride. For, I imagine, the Ukrainians must be having a hell of a time discovering it, figuring out all the ways to break it and then abuse it. And then, yeah, if this report of Russian troops being told to just go back to Telegram is true, then. Yeah, it doesn't look great for the rest of the Russians who are stuck having to use Max. Well, it is kind of funny because it is the app that the Russian government has made to make it easier to surveil their own people, which ironically makes it easier for their enemies to surveil their people if they find the bugs in the thing. So, you know, anyway, I don't
Starting point is 00:24:09 know, as I say, that's completely unverified, but a fun one to talk about anyway. Now, speaking of technology engineered to surveil people, the FBI is investigating another breach on its so-called critical surveillance network. That's what CNN has called it in this instance. Now, we have seen a breach of these surveillance-associated systems in the past. You know, recently in the last couple of years, this happened, and it was the Chinese, but they didn't actually get to the wiretap systems. What they did get to were the systems that were like processing the warrants. And this is extremely valuable intelligence, because it would tell them like, oh, okay, the Americans are on to this guy, who we've been using to do
Starting point is 00:24:47 X, Y, Z. So we're going to just have to like walk away from that asset. And, and that sort of stuff, right? So this is very valuable. But in this case, we don't really know exactly what data the attackers have got. It's all very cagey. I mean, usually in America, like, eventually they're pretty forthcoming about stuff like this that's gone wrong. But James, you've looked into this as well as us. And there's like not really much on this out there. No, there is hardly anything. So it's a lot of speculation. I sort of broke it down into like an input process output framework and maybe it is the input. It's the tasking. It could be. It doesn't feel like it's the process of actually wiretapping that that would not be in these networks that are supposedly seeing suspicious activity that I
Starting point is 00:25:28 believe would be in the telcos. Adam, correct me if I'm wrong. But there is also the angle of what if it is like the repository of the recordings or the transcripts or something like that. We just, we don't know. It's so, so short on anything substantial. Yeah, but they seem freaked out, which is not, never good, right, when you're dealing with news like this. Right. And we're also not clear what the link, if any, with Salt Typhoon is, right? How does this fit into that? Because, you know, we saw reporting of the Chinese intruding into telco LI systems there,
Starting point is 00:25:57 but we also didn't really have any details. And part of this, as you say, is that people are just kind of cagey around Lawful Intercept and the actual mechanics of it, you know, there is quite a lot of moving parts. I mean, it could even be as something as like, you know, you've got recordings, but you need a linguist to process them. So maybe there's, you know, because it's not necessary in English, there's lots of places where the downstream products are processed. And yeah, so we don't even really know, as you say,
Starting point is 00:26:20 eventually maybe the US, you know, will explain it. It's funny seeing, you know, the other countries in the world that have also been Salt Typhoon, how much slower they are at getting out details of what happened to them than the US. And so we complain about the lack of transparency here and how long, you know, how imprecise the languages. But, you know, we don't hear this coming out of, you know, other countries that were Salt Typhooned, you know, in anything, even this little bit of detail, you know?
Starting point is 00:26:44 Yeah, I mean, it is funny, like for all we say about the Americans, they are pretty transparent when it comes to this stuff in a way that he's like, like, we just would never happen here, right? So, like, if this were happening in Australia, it would be buried. Like, we ain't hearing about it unless somebody blows the whistle and tips off a member of the opposition who brings it up in some Senate committee or something. Like, that's how it would get out. And it would be a scandal, right?
Starting point is 00:27:06 Whereas this is just, you know, normal day of the week sort of stuff in America. Now, look, speak in a normal. novel stuff in America. The Trump White House has released its cybersecurity strategy. Now, if you remove the logo pages and the preamble and the last page, which is just a blue sheet with the White House logo on it, you get a total of four pages for this cybersecurity strategy,
Starting point is 00:27:32 and it reads, like, this is the most bizarre thing I've seen in what's supposed to be a serious public policy document. because it reads like cyber security fan fiction. We are going to like secure our networks and upgrade them and they'll be the best in the world. We're going to do this. We're going to go after the adversaries and, you know, completely render them helpless, flailing children. You know, it's bizarre. Our colleague, Katelynipan, did a write-up of this in the Risky Bulletin newsletter,
Starting point is 00:28:03 which is hilarious. It's quite long. It's funny because he actually cut it back. He could have. He couldn't, right? And I spoke to him about it. He's like, yeah, originally it was longer and he cut it back. And it's like, it's still actually pretty beefy for a lead item in a risky business newsletter story.
Starting point is 00:28:17 But it's like the whole thing is just bizarre. It's so weird. Like Tom Uren, our colleague, he's writing up a more serious analysis of this tomorrow for the Seriously Risky Business newsletter. Again, go to risky.biz to subscribe to that. And it's his feeling that some of the parts of it where they're like they're going to go offensive and take more offensive actions against adversaries. You know, he thinks that is a part of the strategy that actually has some hope of
Starting point is 00:28:47 going somewhere. The rest of it just seems pretty meaningless. And my question is, given the other actions of the United States right now when it comes to, you know, like offensive actions, whether we're talking about Venezuela or what's happening in Iran, you sort of wonder if they're about to go on like the cyber equivalent of a kill streak with no sort of deeper strategy beyond that, right? And I just don't know what's going to happen. Like, let's start with you, James. What are your, I mean, first of all, what did you think of the strategy, which we'll put in quotes?
Starting point is 00:29:19 And second of all, like, you know, what? What? As you guys know, I've had the pleasure of working in some very large enterprises over the last couple of years, places that have like entire departments that are called strategy and transformation. And they churn out just the most dry, hard to read things. And, like, I spent years training myself how to read those. I couldn't get through this document.
Starting point is 00:29:40 I just, I couldn't. I kept putting it down. I kept coming back to it. I kept going to read this thing. But, you know, it does, ironically coming back to AI here, it almost, you know, in a super cynical sense, feels like someone said, okay, what's the real executive order? We just want to go and wreck a bunch of stuff in cyberspace. Okay, but we can't just say that? So can you please create me a doc that looks really balanced and talks about all these other things we're going to do?
Starting point is 00:30:03 But what we're really going to do is go and break a bunch of stuff in cyberspace, because it's such waffle. It's so, so meaningless. Yeah, I mean, it's like the whole thing's bizarre. Let me just quote a bit of it. President Trump's actions, however, send a clear message. We will act to defend our interests in cyberspace, whether destroying online scammers' networks and seizing $15 billion of their stolen money,
Starting point is 00:30:23 supporting a globe-spanning operation to obliterate Iran's nuclear infrastructure. Huh? It's a cyber strategy. Or leaving our adversaries blind and uncomprehending during a flawless military operation to bring international narco-terrorist Nicolás Maduro to justice. Adversaries are on notice
Starting point is 00:30:41 that America's cyber operators and tools are the best in the world and can be swiftly and effectively deployed to defend America's interests. I mean, that's a hell of a strategy right there, don't you think, Adam? I mean, I guess what I took away from this was, like, at least, like, the Five Eyes
Starting point is 00:31:01 and the US in particular, like, they know how to do offensive cyber, right? They're good at the technical part of that, their opsec's great, we were just talking about their ones, beautiful, you know, beautiful exploits. Obviously, those were Australian exports. They bought off the shelf.
Starting point is 00:31:12 But anyway, no. Yeah, yeah, enough of the media talking about how these were American exploits. They were Australian exploits. Thank you very much. So, like, the US absolutely has amazing offensive capability. Defensive cyber, and especially doing defensive, you know, at a country scale, like trying to solve municipal water, SCADA, you know, vulnerabilities or whatever, that's hard. Just hacking stuff is easy.
Starting point is 00:31:38 and the US knows how to do that. And this is just the case of we've got a hammer. Let's go find things to hit with it. Because in the end, all of the other problems are really hard. And the Trump administration is not there for hard problems, right? It's there for quick wins and easy and, you know, things that they can make a splashy show of doing something about. And that's what offensive cyber is. Like, is it going to work?
Starting point is 00:32:00 Maybe a little. Maybe it can, some people, who knows. And we haven't really tried it. I mean, like letting NSA, you know, uncaging that particular shark and letting it just go nom nom over the internet. It might work. It's possible. Yeah, I mean, I think that's always the case with these Trump initiatives, right?
Starting point is 00:32:18 Like even this Iran thing, it might work. But I would say there's a reason other people haven't tried it, right? Like, now, have previous administrations been too cautious with offensive action? I think they have, right? So you're right. We're going to get to see. We're going to get to see what happens here. And I do think that the offensive actions against ransomware,
Starting point is 00:32:38 crews and ransomware-as-a-service. I mean, that's gone. It doesn't exist anymore. And I think that's largely because Five Eyes took their gloves off and just beat the crap out of them, right? So I think you can achieve certain aims. Like data extortion is huge. Ransomware still exists, but doesn't feel like an existential crisis for us all anymore. And it did there for a while. So I think, you know, you can, you can certainly achieve things with offensive action. But like, let me just quote one more line from the cybersecurity strategy, which is our resolve, this is the moving forward section. Our resolve is absolute. We will act swiftly, deliberately and proactively to disable cyber threats to America.
Starting point is 00:33:13 We will not confine our responses to the cyber realm. So, you know, gloves well and truly coming off. Now it looks like the White House has announced a thing where they're going to go after cyber scam compounds and look at actually setting up like a victims' restitution fund. I don't know that that's the way to go, but I think it beats doing nothing. And you contrast this with the cybersecurity strategy. I mean, this seems like it actually had a lot more thought gone into it. James, what did you think of this one? Yeah, real thought gone into it. You know, I think I raised the question of like, where's this funding going to come from and to what scale? How is it going to be meted out?
Starting point is 00:33:51 It'll come from all the DOGE savings, man. Well, yeah, hopefully the plan for this is on the thumb drive that we'll get to. But it's like, yes, great. I mean, if I was a victim and this fund was being set up, I would be appreciative of it. But I don't think the government stepping in here and making a pool of money available to victims actually shifts the needle on fixing the problem in the platforms and the systems that are enabling it. So good, but wrong spot, maybe. Yeah, Adam?
Starting point is 00:34:18 Yeah, I mean, I guess the article said that the money looks like it's going to come from stuff they've seized, so it's like proceeds of crime. And I guess in that respect, that seems like a better use for it than just putting it in the general government pot. But you know, I also wonder with like, is there any weird incentives here? Like if people can give their money to scammers and there's a chance they're going to get it back again, like does that
Starting point is 00:34:42 make them more prone to falling for scams? Like kind of how cyber insurance makes people target people that have cyber insurance. So, and if it's money seized from these scammers, is that all money seized from Americans, or are they taking money that was lost by Australians and giving it to America? Like it's just strange. Like I get it, right? Like I think though the Brits, there's a piece in Recorded Future where the Brits are thinking about this a little bit differently, which is like more about shifting the liabilities onto telcos and banks. And you might think, well, why telcos? And it's because a lot of this stuff happens over the phone.
Starting point is 00:35:15 And the telcos should do a better job of blocking some of these scam call centers where they know where they are. You know what I mean? They're getting reports of this stuff. And they're just operating on such thin margins that they don't want to spend the money to actually deal with it. You know, I would say, too, that I did some Googling today. And the, you know, the total amount of money lost by Australians in these sorts of scams in an annual period is something like two billion Australian dollars, and the Commonwealth Bank, which is just one of our big four banks,
Starting point is 00:35:42 posted a profit of 10 billion. So I think, you know, I think if you want to get this stuff to stop, you do make the banks liable and it stops. Basically is what I think. I mean, James, you actually worked at the Commonwealth Bank, but probably not on stuff like this, but, you know, that sort of statement, like even that idea would be considered just the most unholy, satanic idea by Commonwealth Bank management, surely. Yes. Yeah, there's various people there that I'm sort of picturing their reactions now if I showed up and suggested this, that we do this.
Starting point is 00:36:16 I think you and I were talking about this offline and the bank aspect came up. I think if I remember right, the UK article actually pitched it more at, like, get the telcos and the platforms involved. And I said to you, well, but what about the banks, right? Because I think we both agree. The buck stops with the payment processors. We know this model works. You know, when credit card companies take on the burden of all things fraud-related and
Starting point is 00:36:38 protect the customer, that's a proven model that works really well. Well, there is a reason, which is the banks in the UK are already on the hook to a degree, right? So I think this is just an extension out to other players. That's right. It's taking that same model and taking it to the next couple of layers up. But again, you know, I think the right sort of incentive structures happen when you put this closest to where the money moves around. but we'll see.
Starting point is 00:37:03 It's better than what we're seeing in other places. So all these things are like, okay, let's watch and see what works and extrapolate that out into other regions. Moving on. And, man, so many executive orders to talk about this week. And apparently, according to Axios, this is a bit of a scoop.
Starting point is 00:37:19 The White House is readying an executive order to get Anthropic pulled out of every corner of the US government. I mean, this is just like, you know, they're shooting themselves in the foot with this. It's insane. It's petty. I don't get it.
Starting point is 00:37:34 James, let's start with you on that one. Yeah, I don't get it either. And, you know, with those quotes you were reading out of the strategy, like, Grok wrote that. And if you don't think that it did, like, convince me otherwise, right? It's straight out of an LLM, that sort of language. But the thing that irks me about this is it's this notion of, and I hate the term woke, but it keeps coming up around, oh, we're getting rid of Anthropic because it's too woke. I'm sorry, go fire up OpenAI, go fire
Starting point is 00:38:01 up Llama or any other model, pitch them the same sort of question and watch which one of them is the most sycophantic and woke. And it's OpenAI every time in the current set of models. And it's largely anecdotal, but when you use these things day by day and you interact with them, Anthropic's the one that actually just gives you straight answers and doesn't sort of, you know, fluff around and give you the, you know, you're absolutely right sort of things. And so it's dumb on every level and it's extra dumb because it's the best model out there. They're hell-bent on getting rid of it. I mean, Adam, I've got to ask you, like, I mean, if you're China watching this, you know, there's that meme of, like, America saying, take that China and, like,
Starting point is 00:38:41 blowing its head off with a rifle and China just standing there looking horrified. You know the meme? Like, this strikes me as one of those, right? Yeah. It's just, it's dumb and it's petty and it's poorly thought out. And unfortunately, that's a pattern that the Trump administration, you know, leads us to expect, like this sort of, you know, child has built this incredible, incredible edge
Starting point is 00:39:02 It's such a wonderful story of American innovation, right? And they're good at innovation, right? And they've built this wonderful thing and now the government's like, ah, can't have that, you know? Like, what? Yeah, it makes no sense
Starting point is 00:39:14 that's such a self-own and, like, and the thing is, Anthropic knows that they're good, right? They know that they've got the best stuff. They're doing, you know, their numbers are all looking great. Corporates taking them up.
Starting point is 00:39:27 Like, it's, you know, they're doing well and they just don't care. Like if anything, the burden of not having to do business with the US government, I mean, think how much simpler your regulatory and, like, legal approvals department is going to be without having to do government contract approval? Like, I bet those guys are just laughing. Like, going off to the, you know, have a beer to celebrate and not having to deal with Pentagon procurement.
Starting point is 00:39:49 I mean, well, the problem is, though, like, being designated as supply chain risk, I mean, I think there's a bit of a legal argument back and forth, but I think, you know, a lot of companies that might do business with the US government can no longer use it as well. Like, well, that is what the government is claiming. So, you know, it remains to be seen how badly this is going to harm Anthropic. But, you know, all of these companies are basically just cash incinerators, right? So, like, bottom line difference, I don't really know if it makes much of a difference.
Starting point is 00:40:17 It's just they're all in a race to see who can sell the most tokens. It's pretty funny. I saw some numbers going around on socials the other day. I don't know if they're true. But it's saying that like a $200 Claude Code subscription can burn up to $5
Starting point is 00:40:35 I mean, this stuff is just subsidized to a degree that is like kind of crazy. And look, staying with Anthropic, they are launching a code review tool to check, funnily enough, to be able to review AI generated code. So I love this.
Starting point is 00:40:49 You know, you create the problem. You create the solution. James, I mean, you're the guy who spends the most time with AI among the three of us. Yeah, I think this is probably quite a positive development,
Starting point is 00:40:59 actually. Yeah, it's a positive development, but is it a standalone product that we should be sending a press release out about? No. Like, if anything, it sort of harks back beautifully to the Microsoft Playbook of, we've created this product and it's got a whole bunch of security problems in it. But that's okay. This product over here fixes all those security problems and we'll sell you both. And it's two different licenses. Like, just bundle this into the way the thing works.
Starting point is 00:41:23 It's generating the code. Make sure it checks its work. Make sure it's doing the code review itself. And the result is better anyway. So, yeah. I mean, you know, Claude Code subscriptions eventually have to head to like five grand a month anyway, right? So you'd expect some bundling there. Well, I don't know.
Starting point is 00:41:39 I don't know. That's probably the upper bound. I don't know if everybody's generating that much, you know, using that many tokens. But anyway, this whole thing, what a, what a wild world. And I should mention, too, that we had a bit of a laugh about the fact that CrowdStrike's share price plunged because Anthropic, like, you know, code security or whatever got released, and investors don't know much about cybersecurity, so they started selling CrowdStrike. They just posted a record quarter, okay?
Starting point is 00:42:06 And it's like, what is it? Their total revenue grew 23% on a year-on-year basis to $1.31 billion in the quarter ending Jan 31. So congratulations to all of you CrowdStrikers on that. Just a funny thing. Now, Adam, you're our Java guy, man. You're our Java guy, and we've got a Java story here. He gets me the AI guy, and I'm stuck with being the Java guy.
Starting point is 00:42:26 Like, do I look like I'm from the 90s? Wait. I mean, you do. Yeah, fair call. You are from the 90s. And you do love a bit of Java. I don't. I love it because it's so easy to break. And people who write Java code, for whatever reason, seem to write security critical
Starting point is 00:42:42 trash. And this is a great example of security critical trash. This is an authentication library called pac4j that amongst other things implements like JWT tokens for web authentication. So we do web app as, you know, all thing requests is what it uses. JWTs are usually like a little JSON blob that are then signed with a signature.
Starting point is 00:43:04 This particular piece of code, if the signature was null, it would just go, you know what, that's fine, we'll just trust the contents anyway. So you can make a token that says, yes, I'm totally admin, just not sign it, and it lets you in as admin. So good job, Java devs. I mean, you know,
Starting point is 00:43:22 it's a decent, I mean, you know, we talk about comedy bugs, but that's like, you know, comedy masterclass bug. I laughed. Pretty good. So, definitely comment. Pretty good. All right, so we're on the home stretch now, and we have seen a bunch of reports that General Joshua Rudd,
Starting point is 00:43:40 Lieutenant General, or whatever it is, he's been confirmed as the head of NSA and Cyber Command. So finally, after about a year or whatever it's been, there is now a new head of NSA and Cyber Command, so that's pretty good. Meanwhile, over at CISA, dude, I think I called it right when I said that this is CISA's century of humiliation, because, you know, we talked about their CIO going. We actually had this
Starting point is 00:44:02 bizarre moment in our prep call between the three of us, plus Amberleigh was on the call as well this morning, where I'm like, oh, hang on, we've got an item here about CISA's CISO and deputy CISO leaving. We talked about that last week. It's like, no, last week it was the CIO, this week it's the CISO and deputy CISO. And now Sean Plankey, who was going to be Trump's nominee to lead CISA, I mean, he got walked from his job at DHS. And like, there's reporting that I think he only came back as a nominee for a second time due to like a clerical error and stuff. And there's this whole background about how he's on the nose because of some DHS decision to not buy boats from some congressman's district. I mean, the whole thing is like the ultimate.
Starting point is 00:44:47 It's not even a sandwich. It's so layered. It's more like a lasagna of American political dysfunction. Just sort of squeezed into one. And here it is. But it doesn't look like he's going to be the guy. I think is the TLDR here. Yeah, no, we don't really know much about the guy, but yeah, the bit with the Coast Guard part of it.
Starting point is 00:45:03 And I think there was some reports that he'd been kind of in, when he was in the DHS, he was also rummaging around in CISA, like, kind of on the assumption that he was going to end up in the role. And it did not seem that people there were enjoying that process. I did see, I did see those reports where he was like apparently annoying people, basically. Yeah, so I imagine it would be some degree of celebration at CISA over this. But, you know, they haven't got a lot of good news to go around. So I guess even a little thing probably feels pretty big there. Yeah, it's going to be a small party too because there's not many people. Well, everyone's still furloughed, I think.
Starting point is 00:45:35 I mean, I don't know. Maybe that's changed. But like, as I say, like CISA is unfortunately just, you know, you wouldn't really describe it as a functioning agency at the moment. Speaking of which, though, I did have dinner with Chris Krebs last week in Sydney. He was down at the same event that I was at, that Sphere event. That was fun too. There's a lot of cool people around, got to catch
Starting point is 00:45:54 up with some listeners, met some cool listeners. So thanks to all of you for saying hello. I did really enjoy that. But yeah, wow, what a world. Now, we did mention a DOGE thumb drive, James. You brought that one up. We got a story here, another one from Lorenzo, that says that a DOGE employee apparently walked out
Starting point is 00:46:14 two very tightly restricted databases from government systems and said, oh, these will be great at my next job. Now, whether or not this guy was just trolling, or whether or not this actually happened, it kind of supports our argument at the time that all of this DOGE stuff that was happening, that perhaps there might be some data governance concerns, to say the least. Yeah, that was a prediction that you made and it seemed pretty, pretty accurate. Um, you know, it never felt particularly good letting 4chan kids rummage around with root access to all of government things. And of course
Starting point is 00:46:45 this is, you know, how it's, you know, how it ends up shaking out. And the thing that I found reading this story was, you know, I saw the headline about DOGE and I'm like, man, I'm going to DOGE in ages. That seems like ancient history. And it was only last year. Yeah. But yet, like, so much has happened. And DOGE just seems like a quaint sort of after, you know, footnote at this point.
Starting point is 00:47:07 So, good on Lorenzo for digging up a story that, you know, I had already forgotten about. So, yeah. But exactly as we would expect, of course. Yeah. I just, I mean. You have to laugh because otherwise you would weep. Yeah, you really would. All right.
Starting point is 00:47:23 So we're on, we're very much on the home stretch now. James, you out of this one. This is a link from Palo Alto Unit 42. Looking at a vulnerability in Chrome that allowed extensions to do unholy things to Gemini. Yeah, look, contrast this to me spending 80 minutes doing a solid podcast talking about the intricacies of what it takes to escape a sandbox from a browser. And then this is basically the browser sandboxed, but we jammed an agent that has full file system access right next to the DOM and the rendering engine. And it's like, well, why do you even bother sandboxing anymore? And it's just, it's such an inversion of the security paradigm where it's like decades of work went into securing the browser.
Starting point is 00:48:07 And then we just throw an agent in there that has full access to everything. And of course, all the extensions can access that agent and give it prompts to do. It's just like, you know, did no one walk down the hall and talk to the crafty security guy and say, hey, should we be, should we be worried about this? Is there anything going on here? I mean, this reminds me of like the, I saw a funny post somewhere of saying, you know, all these people are throwing like Claudebot into VMs. And they're like, yeah, that's great.
Starting point is 00:48:31 Then they give it its credit card number. They give it access to the internet. They give it all its password, all their passwords. And they're like, oh, no, something bad happened. But I'm running it in a VM. You know, it's just, what? Yeah, yeah. Yeah, it's like you run it in a VM.
Starting point is 00:48:47 Good job. Okay, what's the first thing I'd ask you for? All the tokens that you've got on your local desktop machine and you paste them in. It's like, okay, so the VM is giving you a different IP address at that point. That's good, good job, pal. Well done. Yeah. All right. So we're going to wrap it up now and just mention this story.
Starting point is 00:49:03 This is one for the slide decks, right? It's unusual. Well, I guess through my career, it has been unusual previously to hear of entire businesses disappearing as a result of cyber attacks. But there's an extremely large Romanian meat processor called Aleks 1, which, and Catalysis, And Catalan obviously dug this one up and put it in our Monday newsletter. They had a ransomware attack and the costs for recovering from this have essentially driven them into insolvency. So they're going through some sort of restructure now. Just a good one for the slide decks, right?
Starting point is 00:49:38 Because I know people are always looking for these sorts of things and this one happened in Romania. So it's probably going to go a little bit under the radar. But this is a real big deal company. And yeah, people can take a look at that one in this week's show notes. But that is it for this week's show. Adam Bualo, James Wilson, thank you so much, both of you for joining me to walk through all of that. Yeah, thanks for much, Pat. We will see you next week. Yep, thanks, Pat. Looking forward to it.
Starting point is 00:50:09 That was Adam Bualo and James Wilson there with a check of the week's security news. And it is time for this week's sponsor interview now. And for this week's sponsor interview, I chatted with Tony De La Fuente, who is the founder of Proula. And Proula started off as purely just an open source cloud security scanner, I guess. You could use it to find misconfigurations. You can use it to actually do remediations as well. And you don't need to use the SaaS tool to do that. You can do that through the command line.
Starting point is 00:50:36 It's just cool. It's very good. And the open source version being free, you know, a lot of people use it. Like it's an extremely popular project. But obviously, Proula, now there's a pro version, which previously, like, you know, it's just like a SaaS version of Prouler, I guess. You could actually spin it up yourself and kind of run the same thing as, as, SaaS, you know, so you can run it in a container or whatever, spin up a web server and you've essentially got the SaaS version there yourself.
Starting point is 00:51:04 Tony's finally at the point where there's going to be some features splitting off that are just paid, you know, and an example here, and I'll drop you in here where he starts talking about this, but an example is SSO, right? So you can actually get SSO to work with open source prowler, but it's a bit fiddly and you've got to go configure it yourself and whatnot, whereas with the Praula Pro, with the SaaS version, that's just, you know, pointy-clicky. done. So I'll drop you in here where we talk about that and that leads to a deeper conversation of, you know, what the dev team at Praweller have been up to. Enjoy. Actually, in Preruner
Starting point is 00:51:37 open source, you can configure that, but you have to configure it. In Prerruder Cloud, it comes everything done. Yeah, yeah, yeah, yeah, right? So it's more pointy-clicky. So that is the basic thing that everybody puts like paid only, but it's beyond that. So everything in a complex platform, you need to configure a lot of things. We have now, for example, attack path that requires more infrastructure like GraphDB, etc. So we maintain everything all that for our customers. That is probably not enough value for somebody that can do everything with their hands. But most of the organizations, any size, they don't care about what is underneath, right?
Starting point is 00:52:16 You just want cloud security in place. Yeah, you just want it to work. You want to put the credit card number in a make-up work, right? Exactly, exactly. So you can go through your favorite marketplace, or the credit card and that's all, you get it. Yeah, but I think importantly, right, like the checks in Proula, they are remaining open source, right?
Starting point is 00:52:36 Like, that is not, it's not like you're charging for checks with these changes. No, no. So our plan and the reality is that Prouler is the facto tool for cloud security, and that is going to keep being exactly the same because it's our value, right? Creating new controls, new detections, remediations for cloud infrastructure, for infrastructure as code, for Kubernetes, SaaS providers as well, the most common SaaS providers for infrastructure.
Starting point is 00:53:07 Let's say the Microsoft 365, Google workspace, even GitHub, etc., GitLab that we are adding now. All that stuff, the Prallery Universe is accessible for everybody, including the AI, right? Or third party is AI. Well, funnily enough, funnily enough, because you and I were chatting before we got recording, and funnily enough, you told me,
Starting point is 00:53:27 that when the people are asking Claude Code, hey, like, can you check my cloud infrastructure and make sure, like, nothing's accidentally exposed or misconfigured? And basically, Claude goes around and tries to take a stab at it itself, and eventually it downloads, it downloads Prowler, spins it up in a container and off it goes, and it just, like, uses Prowler and gives you the results, right? Yeah, when it goes to that end, he says, okay, let me use Prowler. Yeah, that's awesome. But, I mean, I guess, you know, I guess that's handy, right, to be able to
Starting point is 00:53:57 get Claude Code to use Prowler. But when you ask it to do something like compliance reporting, I'm not gonna trust a non-deterministic large language model to do my compliance reporting based on using an open source tool in an unsanctioned way. Like, so I'm guessing you've still got like a bit of a moat, right,
Starting point is 00:54:17 with some of these enterprise features that you're baking into the products. I mean, that must be part of the thinking here. So part of our mapping, the mapping between controls and requirements of an integration platform, that is totally accessible. It's part of Prowler Hub, for example. But we want to offer the part of the infrastructure,
Starting point is 00:54:38 like SOC 2 Type 2 support, the multi-tenancy, backup, all that stuff that you need to have. If you want to go into compliance, that is going to be part of the paid only, of course. Yeah. But our Prowler Cloud Pro or Prowler Cloud Enterprise. Now, I should mention, too, that, you know, people who want to actually use Prowler, like, it is not difficult.
Starting point is 00:55:05 If you just grab a credit card, you can actually just head over to, you know, Prowler's website and, you know, click on pricing, and then off you go, you could get going with this extremely easily. Or if you are really stingy, you can just go to GitHub and grab the free version and do what you need to do. But one thing that's been interesting for you, right, is with the AI stuff, it's not so much that you guys are like squeezing heaps.
Starting point is 00:55:30 I mean, there's a bit of AI. You've sprinkled some AI on Prowler, right? But it's not like an AI-first kind of product. But what is interesting is people are building an awful lot of AI-related infrastructure, right? You've had to build checks for that stuff. Like, what sort of infrastructure are we talking about there? I mean, you know, I'm not super au fait with the AI infrastructure, but I know that model context servers are a thing,
Starting point is 00:55:56 MCP servers are a thing, but like what else is involved? And how easy is it to configure this stuff in a way that's not dangerous? Well, so not using AI in a world of open source is nonsense, right? So of course we use it. With Prowler Studio, you can create new detections, remediations,
Starting point is 00:56:15 and new providers. Actually, we have customers that create their own providers to scan new providers with Prowler. Their own providers, like whatever they want to use as providers. So all that stuff is doable in a matter of hours. Well, yeah, you've got rid of that part of these sort of products where you have to be proficient in some indecipherable query language and scripting language for writing the tools.
Starting point is 00:56:43 You can do that with AI now. Exactly. So, for example, we added Vercel support in two hours. For example. So now you can, because Vercel is a key part of, you know, cloud infrastructure at the end of the day, right? So and also adding a chatbot, adding an MCP as a part of our set of tools when it comes to using findings or using priority in many different ways is key. So all that stuff is available around your findings, around your remediation plans, etc. I guess my question was more about like what sort of infrastructure people are spinning up, you know, to host their own agents and whatnot.
Starting point is 00:57:25 And, you know, is that turning into a popular thing for people to use Prowler to check, right? That sort of infrastructure. You mean in AWS Bedrock or Vertex, etc.? So, yeah. So we see that happening every day when it comes to building their own models or their own AI in their workloads. So, but sometimes it's like, you know, everybody goes very, very fast, building everything.
Starting point is 00:57:56 So people are missing the security part of those services as well. Like, well, like, I guess that was, yeah, that was part of the question, right? Which is like, how are people doing with that, right? Because we've got this entirely new type of cloud computing environment that people are not experienced in setting up. Are they making mistakes? And is Prowler finding, like, a lot of misconfigurations and stuff in that area?
Starting point is 00:58:18 Yeah, 100%. The good thing is that Prowler always finds a lot of misconfigurations. So the new software development lifecycle is you build something and you put something somewhere, right? And that word is cloud. And that cloud can be infrastructure as a service, like major cloud providers, or even places like Cloudflare or like Vercel or like many others that need security as well. They need compliance as well. They need to make sure you are using the best practices to prevent everything from DDoS attacks to, you know, SQL injection. So because of course now Claude Code security is going to take care of the security of your
Starting point is 00:59:04 things. But can you 100% trust everything that is being given in a prompt, from a prompt? We will see. I think rule-based security is still a thing. At the end of the day, AI goes through checklists in order to give you a response. Yeah, I mean, I think at the end of the day, you know, having stuff like Claude Code actually use existing tools like Prowler is what's going to make a lot of sense. You know, and when you hear people, the buzzword at the moment is, you know, systems of record. They're going to need to use systems of record and whatever.
Starting point is 00:59:39 It's like, yeah, it's pretty funny. As in, we're just going to need the same old products, but just with agents doing more to interact with them. What's the plan in terms of timing? Because this hasn't happened yet, right? So these versions are upcoming. Is it a gradual rollout of different versions, or are you just going to bang, do an update real soon?
Starting point is 01:00:00 We are releasing this week before RSA. A couple of features, like the provisioning, bulk provisioning with Prowler Cloud, and also the import findings from the CLI. So we are making the CLI. Of course, it's the scanner, but also the CLI is also a client of Prowler Cloud, in order to make the integration easier from CI/CD pipelines into Cloud for compliance, A.I., etc.
Starting point is 01:00:35 So that is coming before RSA, and during RSA and after, we are rolling over more features that are going to enhance the experience of our customers. Yeah, and I'll just say for the umpteenth time, I love it that you have a command line, you know, version of Prowler. It makes a lot of sense, especially for people who want to give Prowler the sort of privileges that it needs to do remediation.
Starting point is 01:01:00 Like, I totally understand why people don't want to cut and paste that into a web service, into SaaS. Like, that seems insane to me. So yeah, being able to do that in a CLI, and then also being able to do scans from the CLI and then import that into the SaaS so that you can do things like generate compliance reports and whatever, you know, that makes a lot of sense.
Starting point is 01:01:16 And it's also the sort of thing that absolutely does not belong in a free and open source repository. So it makes a lot of sense to me. Toni de la Fuente, thank you so much for joining me, as always, to talk all things Prowler. It's always very interesting. Thank you. Thank you, bye. That was Toni de la Fuente from Prowler there.
Starting point is 01:01:35 And, yeah, you know, Prowler is a good thing. It's a wonderful thing. And you can just go to their website and drop in a credit card and, you know, use it, pretty straightforward, or you can go to GitHub, grab the free version and just off you go. Important thing that he noted there too, which is Prowler's checks. All of that's open source. That's not going to go behind any sort of payment system or payment plan or anything like that. But yeah, it's good stuff.
Starting point is 01:02:01 Prowler's cool. That's it for this week's show though, and I do hope you enjoyed it. I'll be back soon with more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.
