Ryan Naraine (00:02.541) It is Friday, August 30th at 8:08 a.m. here in Phoenix, Arizona. We have made it to episode 10 of the Three Body Problem podcast. Congratulate yourselves, guys. Shout out to Juan, my buddy Juan, and my buddy Costin. Juan checking in here from the U.S. Costin is in Romania. We're on three different time zones. Shout out to Juan for setting up a very, very special keyboard here, so we don't hear his clickety clickety clack. What kind of keyboard is that?

JAGS (00:12.579) Beyond all belief.

JAGS (00:28.708) Dude, I built this. It's a 34-key keyboard, and I like it, it has the most silent switches I could find, just so you wouldn't complain about me typing during the podcast. So I hope you're happy. That's all I'm telling you.

Ryan Naraine (00:41.633) Commitment to the cause. it, my friend. Costin, I noticed the NSA announced yesterday that they're launching a podcast. I think this might be in direct response to you demanding success stories. Congratulations on that. How are you, my friend?

COSTIN (00:53.818) Thank you. It was exactly what I was thinking, that we were demanding success stories, and the truth is that it doesn't matter what you are doing if nobody knows about it. Like, you may be doing the most important thing in the world, but if people don't know about it, then it doesn't matter that much.

Ryan Naraine (01:13.578) You have high expectations, though. I expect this podcast to be a dud. I mean, they promised an episode on some of the SIGINT stuff that went into capturing Bin Laden and so on. Usually these things turn into a dud. Do you have expectations that this could be something interesting?

JAGS (01:29.016) I mean, are they inviting us? Are they bringing us on board? Can... Cos...

Ryan Naraine (01:31.723) We'll do a collab, bro. Three Body Problem and No Such Podcast make a collab.

JAGS (01:37.293) No, No Such Buddies. I mean, there's, there's what I want to see, and then there's what the government can provide, right? Like, what I want to see is a semi-candid discussion about what they do, can do, won't do, et cetera, and where things have gone well. And I know that that can sound unrealistic, but part of the reason that I want, I want to believe, I would love to see it is...

Ryan Naraine (01:38.879) What are your expectations, though? Seriously.

JAGS (02:06.358) The USIC, the US intelligence community, has just a terrible track record of explaining itself and selling itself in the right light. And we're in a particularly dark time when it comes to trust of government, trust of the intelligence apparatus, which is something that is working very, very hard to keep us safe and free and to save the Swifties and all this shit. So, like, it would be nice to have Hayden and some of these other folks come out and say, yeah, this is the super cool shit that we do to protect everybody. And maybe that way people would actually feel that it's worth it to go spend three, four years working at the Fort as a mole person without seeing the sun, without smoking any weed, without doing all that, and without getting paid properly, et cetera, et cetera, just so that they can do some really cool shit for their government. So I do think there's good reasons why they should embrace PR. Is it in their wheelhouse? Are they able to do it? I don't know, man. Like, not historically, but who knows.

Ryan Naraine (03:10.283) But Costin makes a great point. It's important that we have these kinds of validations for some of the things we're hearing in the background. It's the question we asked of Dave Aitel. And this whole notion of success story, I noticed you threw out the Swifties there, but the CIA actually had an official go on, an official come out and say, listen, a lot of our work went into warning the, was it the Austrians? Is it in Austria? I don't even remember where. Say again.

JAGS (03:32.384) Australians. Australians.

Ryan Naraine (03:36.196) No, no, no. The, where, where, where the Taylor Swift concert was going to be held. No, no, no. It was going to be somewhere in Europe. Anyway, isn't that a big, isn't that a success story, Costin? Like, when these things, when these things get, when these things, when there are big incidents that get thwarted, you have to imagine there's a cyber component. You have to.

COSTIN (03:37.257) Austrian.

JAGS (03:38.741) I thought it was Australia.

COSTIN (03:43.501) European.

JAGS (03:47.177) Austria, you're right, you're right.

COSTIN (03:53.818) I would say yes. If there was a cyber component, you can't be sure. It may be pure HUMINT. Nevertheless, I think, well, NSA blogs, CIA going public, well, with this information, I think it kind of signals what we were saying, which is that we want to see more success stories. I mean, as Juan was saying, the intelligence community probably hasn't been very good at PR. If we, like, I mean, on the commercial side of things, in companies doing threat intelligence, whatever, if we were doing such a terrible job at PR, we'd probably have lost our jobs, like, a long time ago. I mean, nobody would keep you employed if what you're doing is just something that you do in a corner and essentially nobody knows about it. So I think it's very welcome.

JAGS (04:50.985) You gotta keep that in mind every time Ryan starts complaining about the marketing people, shaking his fist, telling them to get off his lawn. I mean, it's one of the few functions that will pay for what we're up to. It corrupts it, it can corrupt it, it creates all kinds of other problems. I think those have more to do with power imbalances, right? Like, are you...

Ryan Naraine (05:06.405) Fair, fair. It also drives the entire narrative, though, which is...

COSTIN (05:07.204) That's true.

JAGS (05:17.393) The biggest problem you have with these big companies is because they don't empower individuals. Who is supposed to fight back when some CMO or some idiot who thinks that it's okay to put lampshades on models and use them in commercial offerings, when that person tells you what to do with your blog, what to do with your CVEs, who is empowered within a big company to tell them that they're wrong and to fuck off? You don't have enough of that. But I still think that you don't want to throw the baby out with the bathwater, because frankly, I'm not sure which other functions are supposed to pay for the kind of thing that we enjoy in CTI, that we want to see more of, because it's not going to be detection engineering. It's not a pure CISO security thing. So you got to think about some of those dynamics.

Ryan Naraine (06:04.067) Alright, like and subscribe to this podcast, like and subscribe to that podcast. Hopefully we'll have a big collab soon with the No Such Podcast coming on the Three Body Problem and having, like, a big shootout. Let's pivot to the news quickly. The story this week obviously was Volt Typhoon caught by Lumen Technologies, Black Lotus Labs. Shout out to Danny Adamitis and his team there, Michael Horka, for research work into finding a zero-day exploitation of a...

Ryan Naraine (06:30.784) bug in Versa Director, a file upload thing. The interesting part here is this Versa Director is used by ISPs and MSSPs. So the blast radius, or the potential, is significant. And then Volt Typhoon again is this Chinese APT that the US government has been beating the drum about, saying, listen, these guys have been well embedded in infecting US and Western critical infrastructure as kind of, like, a pre-positioning-for-wartime thing, and it just feels like a lot of hyperbole. Sum it up for me, Juan. There's a lot of moving parts here. No surprise that, like, things like Versa Director are a target base for these guys.

JAGS (07:12.982) It's not a surprise. And frankly, look, Volt Typhoon is a, is a pretty interesting threat. And there's a lot of things that we could and should discuss about Volt and about the U.S. government's response. And all of this is coming from the original discussion about Volt Typhoon kind of popping Guam and how much that was considered sort of pre-positioning for, you know, some kind of warlike response, which really panicked a lot of people. However, in this particular case, I mean, look, always shout out credit to Danny Adamitis, Michael Horka, the Black Lotus team. They do amazing work, and they have visibility that I don't think anybody else does. Like, it's just, it's not that it's greater than other people's. It's just a different type of visibility that most people don't have. And it's one that we should be extremely appreciative of, as, like, they are an essential part of an ecosystem that otherwise cannot defend itself. But...

Ryan Naraine (08:08.819) Not many people know that this Lumen Technologies used to be the old CenturyLink backbone that really powered much of what networks were, dating back to the 90s, right?

JAGS (08:13.663) Right. Right. I'm just, I'm, yeah, and I'm so thrilled that they've seen it fit to invest into a proper research team and enable them. You have, like, Ryan English over there. There's a lot of great people, and they're doing God's work, sort of putting the stuff out there, particularly when you look at something like Versa and the way that they've responded to this thing. Because I, I'm sorry, like, I'm feeling super hot-takey today, and, like, I'm looking at the Versa disclosures and, you know when you read something and you know someone's, like, lying to you? Like, you know when someone's, like, just the way that they write something, they're just, they're trying to sideshow you away from, like, what actually happened? That's the entire fucking Versa disclosure.
Ryan Naraine (09:01.534) Are you talking about the, because I noticed there's a big line there, and there's an acknowledgement of the zero-day, that this is because of firewalls that were not properly configured based on 2015 and 2017 guidance from them. You laugh. No, wait, wait, wait, wait, wait, wait, wait, wait. Let me set up the question, because you laugh. There is a shared responsibility thing here if that's the truth, assuming that's the truth, and people have not configured firewalls properly based on guidance from 2015, 2017.

JAGS (09:12.436) You mean that's, that's, right.

JAGS (09:28.167) Nah, nah, yes, yes. Absolutely. Absolutely. So first of all, the fact that you start, that is the first bullet point in the entire disclosure. It's like you're literally saying, if these idiots had somehow followed our firewall guidance or hardening guidance from nine years ago, this would not have happened. And I ask you, sir, that is not a flex at all. Cause if you...

Ryan Naraine (09:29.245) Can you totally blame Versa here? Okay, so get into it.

Ryan Naraine (09:49.04) This would not have happened.

Ryan Naraine (09:54.16) That's a flex. Come on, I told you nine years ago to fix it properly. You're sitting in there.

JAGS (09:57.906) No, dude. No, because you didn't click on the fucking links. You go to a, you get hit with a fucking login, like, authentication page, which, I'm sorry, if you get a device from your ISP, if you get this from, you don't have those credentials. You're not a direct customer of Versa. Second of all, if those were your firewall and hardening guidance from 10 years...

Ryan Naraine (10:04.698) You can't. A support portal, you get to a login support portal page.

JAGS (10:25.637) Why the fuck isn't it the default settings on your devices? I'm sorry. Well, if...

Ryan Naraine (10:30.267) Well, maybe they're all 10-year-old devices that have just been left in a state that you, you, you, Mr. Victim, left in a state of disrepair.

JAGS (10:36.644) You, Mr. Victim, for whom I'm sorry. There's so many aspects of this that are fucked up. I don't understand. This is not the only vuln that's at play here. There's an issue here, right? Like, it's, is it local privilege escalation or is it remote code execution? Like, can I upload the file and run it fully and, like, get complete access? Or, like, if I happen to have a file on there, on this device, like, can I do whatever I want? Because those, they're not acknowledging the vuln in it. It's what is probably supposed to be two vulns. And they're just, like, obfuscating right past it. And then look, even if you, even if you give them all of that, even if none of that matters, where is the guidance and the insight as to what happens to these people that have been popped because of your devices since June, which is when you first get the disclosures, and no one's been able to do anything? And what you come out with is, like, victim-blaming bullshit, no guidance about how you can tell if you were a victim, what happened when you were a victim, what do you do now? Like, all of it is just, like, I tweeted out this, like, "this too shall pass," like, kitschy bullshit, because that's the approach to this. I think Versa is just sitting around hoping that, like, something blows up real quick so that everybody can forget that this happened, and that's not the right guidance for a situation like this.

Ryan Naraine (12:09.429) We got a lot to get to in this, but I want Costin to jump in here. When a vendor says, listen, you're not using my prescribed secure lockdown guidance, is that fair? I mean, should they, we talk about a shared fee, shared responsibility model in the cloud. The big cloud providers are having this. They ship you a cloud thing and they say, here's the prescribed rules for setting it up properly. And then you don't set it up properly, you get popped. And then whose fault is that? Juan is, Juan is... I mean, there's probably a lot of talk there about who's telling the truth or not, but you got a take on that?

COSTIN (12:42.906) When you say guidance, it means exactly that. It means it's not mandatory and it's not default. So you can set it up any way you want, and essentially it's your responsibility if you're not following the guidance. Now, I'll be honest here. I've been on that side of things before, when there were, let's say, problems, issues of all sorts, because people don't follow the guidance. And we discussed, we discussed this a lot of times, trying to understand why, let's say, 2FA is not default. Why is it not enabled by default? And that actually kind of mitigates the issue when a threat actor gets the login credentials, and with those login credentials essentially gets remote code execution and owns the entire infrastructure or deploys malware on all the machines through an administration console. And the answer from the developers was that actually more people would complain if you make those things default, compared to the number of people who complain that it's easy and very convenient. So if you force 2FA by default, they tried that in the past and they got, like, you know, thousands of complaints. So I think it's an issue of, yeah, usability versus security, like, the problem that is as old as the world, and... Yeah, it's, like, the most common excuse whenever this happens is, they didn't follow the guidance.

Ryan Naraine (14:16.397) Juan, what is the guidance if you've been popped here? Because that was one of your complaints a minute ago, is, listen, once you've been popped, there's no guidance on what to do. If you have customers coming to you and saying, hey, we suspect, based on some IOCs that Black Lotus Labs pushed out, which we'll talk a little bit about AV coverage as well, because there seems to be a big massive gap there. What are you telling folks who believe they've been popped?

JAGS (14:39.761) Good luck. Like, what the fuck? Yeah, look, it's the reality. It's the reality that this vendor is enabling, right? Because you look at everything they've put forth, and Versa has not said absolutely anything about post-exploitation activities. How do you verify? Like, moreover, like, how do I check my Versa device to see if this web shell is on there? If it is, like, have you guys cleaned it up? Like, if I...

Ryan Naraine (14:41.553) I mean, that's the reality.

JAGS (15:07.919) If I restart the device, is it gone? Right? Like, there's nothing, there's nothing meaningful there. And then what we're talking about is the larger issue with these, you know, appliances and all these, you know, sort of devices, where you look at it, go, yeah, you mentioned the EDR, right? Like, there's no devices on here that, there's no telemetry generation that's happening in these things in any meaningful way. There's no verification of, like, the integrity of the thing. So good luck, right? Like, the big question here being, if somebody exists on your appliance, they have a web shell, they have access, they have creds, they're in your network. We're getting, we're running into this all the time, especially with things like Volt Typhoon and all this sort of, like, new Chinese, like, covert networks, or, I think, what was the term, ORBs? It was a term that got dropped at PIVOTcon.

Ryan Naraine (16:11.66) ORBs.

JAGS (16:12.621) Or, God damn it. I can't remember. There you go. Operational relay boxes. Yeah. So, like, these, these sort of, like, covert networks, non-attrib networks that the Chinese are using extensively, like other people are, but the Chinese in particular. Right.

COSTIN (16:14.668) Operational relay box, I think.

Ryan Naraine (16:25.431) KV Botnet was, like, the previously discovered KV Botnet by Black Lotus Labs was one of those. It was, like, a Tor-like covert exfiltration channel, right?

JAGS (16:29.901) Exactly. Well, think about how we're finding out about all these things, right? You have Black Lotus as, like, defend... Dude, defenders of the fucking internet, right? Like, no one else is in a position to look at these stupid devices and say, look, actually all of these SOHO routers or all of these popped routers or all of these appliances are communicating with each other and allowing tunneling across, you know, halfway through the planet, coming out through all these different boxes, and...

Ryan Naraine (16:37.932) Shout out to marketing, man.

JAGS (17:00.12) You know, your IOCs don't mean shit, because I just gave you an IP that's actually someone's house down the block that they don't know that they have a popped device. And that's where all this Chinese activity is coming from. And, like, keep in mind why they're doing it, for all of the conspiracy bullshit against the IC. They're doing that because they know that our beloved bureaucrats at NSA and everywhere else can't lift a fucking finger when these things pop out of residential networks inside of the U.S. So it is a very key, smart thing that the Chinese are doing, and they're doing it everywhere. And I'm hearing this from, like, seven, eight different countries in the Western world. So it's not a small thing. Yeah, not just the Chinese, but the Chinese have made a network of it. Like, they've made a business out of this.

Ryan Naraine (17:38.175) Quickly.

COSTIN (17:38.636) Not just the Chinese. Not just the Chinese. VPNFilter.

Ryan Naraine (17:42.357) Quickly, what?

Ryan Naraine (17:46.505) You said the IC can't lift a finger. What would lifting a finger look like?

JAGS (17:48.459) Yeah. I mean, frankly, I think we in the pseudo-libertarian bullshit have really sold ourselves on this notion that, like, you know, the great defenders and the machinery that we've put in Fort Meade that is supposed to be helping us needs to, like, cut both of its eyes out to spite itself and rub gravel over its hair and never look at any networks within the US, which is horseshit. The internet is a global phenomenon. Everybody's abdicating their responsibility over fixing any of these fucking devices. And we're telling the IC that, yeah, yeah, you're super powerful everywhere, but just pretend the US doesn't exist. And then we can all sit around and cry about every time we get...

Ryan Naraine (18:30.887) What does lifting a finger look like? What are you proposing? I'm trying to get to, like, what are you proposing? You're proposing that the NSA has the power and is empowered to go cleaning up local boxes? Not just clean up, but infiltrate. Okay. So what are you proposing? Let's put it on.

JAGS (18:35.562) Take the...

JAGS (18:42.612) Yes. It's not just, dude, forget the, forget the cleanup. Forget, like, let's, we're not, I'm saying, like, we're not even talking about cleanup, disruption, or containment. We don't even know the nature of the threat. We don't know the extent of the threat. And frankly, look, CISA doesn't have the capability, doesn't have the technical know-how, doesn't have the expertise. The FBI doesn't have the capability, doesn't have the technical know-how, doesn't have the expertise, and also can't seem to do anything without breaking a bunch of shit. And then, you know, CIA doesn't play here. And NSA, which does have the capability, does have the expertise, you just told them to sit it out because it's uncouth. And, like, I just don't think it's fucking cute.

Ryan Naraine (19:32.56) Well, I don't know, uncouth is the reason. Costin, are you comfortable with what he's asking for?

COSTIN (19:39.392) Yeah, I don't know. Like, it's obviously not the first time, and I was just thinking that props again, props to Black Lotus Labs for discovering this. It's the kind of thing that you'd expect the NSA to find, or the FBI or whoever, and it seems they didn't, right? Also, they did discover other similar things in the past, which raises the question, of course, how it was done in the past. Nevertheless, I was just kind of thinking that these ORBs are kind of the answer from threat actors to the CTI industry's IOCs. That's exactly what it is. We came up with IOCs, so they imagined the ORBs as a response to the industry coming up with IOCs. So where's the solution? Like, where do you balance the privacy and the NSA tapping the fibers? I don't know. I don't know.

Ryan Naraine (20:33.87) What's the next chess move?

JAGS (20:36.419) Well, dude, there's another side to it, right? The only reason we're having this conversation about NSA, like, NSA is coming to play, is us saying, okay, call your dad, because everyone here has, like, not been doing what they're supposed to do. Like, the manufacturers are not taking care of these devices. The ISPs are not taking care of these devices. The customers are not taking, cannot take care of these devices. The CTI industry doesn't play on these devices. So yeah, we're getting to that point where you go, well, fuck it, call in the giants, because, you know, what else do we do?

COSTIN (21:15.13) Who's responsible, right? But I think if you're, like, strictly speaking about that, no, the FBI should be. I think it's within their attributions.

JAGS (21:18.073) No one.

Ryan Naraine (21:18.882) I don't know.

Ryan Naraine (21:23.82) Wait a second, you see?

JAGS (21:23.876) The FBI is a law enforcement body. It's not an intelligence body. That's really the problem here, is, like, there is no one doing local intelligence. Intelligence is nowhere near the FBI. And I mean that in every possible way. So, like, I really don't think they're the ones that we should be talking about. Like, what are they going to do? Go walk into every house and, like, unplug every device? Like, what are they going to do?

COSTIN (21:42.018) Investigations. Well, there was such a case, by the way. There were indictments in which the FBI did go to people's homes and they asked for access to their routers, and they dumped the routers and got them all out. So it happened.

JAGS (21:55.134) Knowing about VPNFilter, right?

Ryan Naraine (21:55.425) I'll remind you guys, I'll remind you guys that the KV Botnet that we were just talking about, the US government, with the FBI's help, did a massive takedown and neutralized that botnet. The problem, it's all end of life, so whole things that will be reinfected down the road. And this can, you'll allow me a bit of victim blaming. You said the customer can't do anything about it. The customer is sitting there on end-of-life old stuff that should have been replaced in a hardware refresh at some point down...

JAGS (22:06.338) But how did they find out about it?

Ryan Naraine (22:24.127) Shouldn't customers take some responsibility for refreshing their hardware and not having these, like, old Cisco routers sitting there that will never be patched? Where's the responsibility there?

JAGS (22:34.176) It depends. It depends on... So this is where we're going to need to really stratify what we mean by customers and what kind of devices we're talking about, right? Like, when you talk about home customers with shitty SOHO routers, that's a tough one. Like, that is a very tough one. Well, but that, but those are different, right? Like, and those are different types of devices, and everything on the SOHO side of the house. Like, personally, if, if...

Ryan Naraine (22:51.292) Businesses, enterprises.

JAGS (23:01.771) And I've had conversations with certain folks in the US about this, like, from the White House, Cyber Command, everywhere. It's like, look, I personally think we need to start embracing the notion of eminent domain on the internet. If your car breaks down in the middle of the highway and you leave it there, after a certain amount of time someone from the government, local government, is gonna come by and take that pile of junk and throw it away, because it's a hazard to everybody around. We don't have a similar concept when it comes to the internet. When you have 40 million cameras made by some garbage Chinese manufacturer, which, because they've turned into a botnet, takes down the internet in all of the East Coast for six hours or whatever. I don't, if you've talked to the manufacturer and you've talked to everybody else and no one's going to fix it, I don't see why we can't apply a notion of eminent domain where you go, well, we're just going to nix all of these devices off the internet. Goodbye. Right.

Ryan Naraine (23:57.349) I guarantee we had this conversation when Conficker came up, right, Costin? About, like, whose responsibility is this to just go clean up these boxes that people have left unattended for so long? Do we need friendly viruses? Do we need friendly cleanup worms? That kind of conversation dates back to the early 2000s, right?

JAGS (24:00.96) Off.

JAGS (24:11.103) BrickerBot? BrickerBot! It's happened!

COSTIN (24:12.728) We don't.

COSTIN (24:16.92) No, we don't need that. I don't think we need that. And to be honest, a lot of the people... Yeah.

Ryan Naraine (24:21.561) I think this eminent domain conversation, sorry, Costin, this eminent domain conversation is interesting and I want you to respond to that, Costin, because it feels like Juan is asking for some dangerous things.

COSTIN (24:28.975) Mm.

JAGS (24:33.868) You...

Ryan Naraine (24:37.018) No?

JAGS (24:37.97) Yeah, sure, sure, man, why not? Why not? Let's be dangerous today.

COSTIN (24:38.212) Cheers. Well, it depends what he's asking for. Like, what if he's asking, like, you know, more power to the NSA and give them authority to intercept traffic between US IP addresses? I mean, I'm fine with that, as long as you guys keep it in the US and you don't bring it to the rest of the world. I'm fine with that.

Ryan Naraine (24:58.798) You...

JAGS (25:00.764) Dude, you guys have no choice. The NSA can play ball over there however much it wants, right? Like, what we're talking about is bringing, you know, good old-fashioned, you know, door-knocking freedom back to America. No, but okay, look, the joking aside, right? Let me put it a different way, because BrickerBot is a thing that has happened before. If the hacker community...

Ryan Naraine (25:14.447) Door-knocking freedom. Would you stop?

JAGS (25:27.013) This is my, like, "Russia, if you're listening" moment from, like, the Trump campaign back in the day. If the hacker community had taken this Versa thing and instead of, you know, when they realized that they were taking three months and they were going to lie about, like, how they found it and they weren't going to help anybody, if they had taken that exploit and bricked every device on the internet, we'd be having a very different conversation. And I, and I wish, honestly, I kind of wish this would happen more. Like, all those Fortinet devices, Pulse Secure devices, where you're like, look, clearly the manufacturer isn't really giving a shit and this is being used for, like, a serious national security problem. Most of the war in Ukraine was enabled by these edge devices being garbage. What would happen if you CrowdStrike'd this shit? What would happen if somebody used that same exploit and just bricked all of them overnight? It would be a crisis. It would be a corporate problem, but we would be having a very different conversation about vendor responsibility. We would not be sitting around going, well, doesn't the victim also share some blame? You go, no, they had no fucking clue this was happening. They didn't. They thought they were protected by the manufacturer. It turns out the manufacturer doesn't care. And somebody else took it upon their hands. And yeah, maybe we'll spend some time trying to look for who that is. But in the meantime, hey, Fortinet, Versa, whomever, how about you fix your shit? Because every one of your customers is pissed. Like, that's what's missing here.
Ryan Naraine (26:58.805) Justin, I have a question for you, because you've been on the other side of this, and it's something you pointed out over on Twitter, is 48 hours after Black Losers Labs shipped IOCs, including this for some sample, antivirus EDR coverage for this was like one of 66, and then 48 hours later, I believe, last night I checked it was up to four of 66. What happens in an antivirus lab when something like this comes out and Like what's going on behind the scenes that it feels like a lot of AV vendors have largely ignored this. COSTIN (27:31.085) Mm -hmm. COSTIN (27:35.386) In many cases it depends a lot if the lab receives the samples directly or not. If they don't get the sample directly, you know, sent by a good soul out there, it's let's say up to their research teams digging that blog and just being aware of what's going on in the world and fetching the sample from Virus Total if they have a Virus Total subscription because the sample is not available anywhere else. and adding detection for it. Honestly speaking, what I think happened here is that that particular file, the one that we are talking about, which was one of the 66, is actually a zip archive. So it's like it's a Java archive. And it could be very well that one of the reasons for the low detection is that engines on VirusTotal do not unpack that to find the malware inside. They rely on the fact that Ryan Naraine (28:27.123) Can't read it. COSTIN (28:32.698) virus total unpacks the files so they would be seeing the unpacked class file and detect it so that could be one of the reasons I mean initially I thought it was shocking that it was just 1 of 66 but like 24 hours later it was still like 5 of 66 which is super strange super shocking JAGS (28:53.704) We're talking about theoretical detection, right? In a sense, because it's not like the AVs are going to be running on any of the devices themselves. 
So it's great for identifying, this looks ugly, but it's not like you're going to find it in situ and go, OK, here's all of the pod. COSTIN (28:59.79) Yeah, yeah, of course. Ryan Naraine (29:05.66) Right, right. JAGS (29:16.987) I ran with it the minute, you know, Black Lotus did a great job of reaching out to all the vendors and folks saying, hey, like, look, there's this big thing happening, like, see how you can defend your customers. I find it in every single time we've had these engagements with Black Lotus, they're super helpful. They're super proactive. And I find it some of the most frustrating experiences in my career because we'll run through all of S1's telemetry, looking and looking and looking. and you won't find a fucking thing because it's happening on a network device that produces next to no telemetry. And then what you were hoping for is that you magically find the lateral movement activity that comes from that device to the rest of the network. And in some cases we have found it. We've had incidents where our differ or MDR people realize like, Hey, there's a Cisco appliance. There's a whatever appliance that keeps moving laterally and then weird stuff starts to happen on endpoints. And that's the luckiest indication you have. Like that is a stroke of luck. And then the next thing you have is like, well, time to call these people and ask them if we can, if we might, if it's possible somehow to get to this appliance and try to figure out what's going on. But otherwise it's a permanent beachhead into that network. It just... Ryan Naraine (30:39.487) One, also heard previously you mentioned some vendors requiring NDAs to even look at that stuff. Can you dig in a little bit into what you meant? Because I wasn't clear on what you were saying. JAGS (30:48.955) to the extent that I can as like something that, well, no, no, no, no, no. I haven't signed any fucking NDAs. 
I can tell you that, and I wish someone would come at me with one of those, but frankly, like, I haven't had to sign them. And the people who've told me about them are people who clearly should not have told me about it because of that. Like, essentially what was happening in the earlier days, I don't know if this is still a practice, but what happened in the earlier days of, like, the vulns in Fortinet, Pulse Secure and so on.
Ryan Naraine (30:52.847) You can't even talk about it. You can talk about having decided. OK. Tell me what they're asking. What's, what's...
JAGS (31:17.186) is that when you wanted to have an engagement to say, okay, like, something has happened. I need you to check this device. I need to know what's in it. You know, what's going on. Whatever terms are engaged, involved in, like, you being able to inspect a Barracuda device or a Fortinet device or whatever, comes hand in hand with, and please sign this NDA. And then we will help you with the inspectability of your device, which is, I mean, definitely like you're holding someone bent over a barrel who has no other choice, but also it's actually quite terrifying, because what we're seeing with certain Chinese infections in some of these devices is they've wised up to that as well. So if you try to do certain types of commands, if you try to dump a certain kind of core, if you do things on that device to try to check to see if it's infected, in some cases they'll restart the device and the whole thing is gone. So this is a very delicate thing that requires, like, that could really use the expertise of the motherfuckers that built this thing. And they're the ones that are least interested in knowing what's happening.
Ryan Naraine (32:34.155) Costin, this status quo sounds crazy, though, that there's, there's no network telemetry that gives you any sort of hunting ability. The Chinese are using it to get into critical infrastructure, to preposition for physical combat. We can't defend ourselves.
The NSA has no, there's no eminent domain. The NSA has no authority to go down and clean up. What is this? I mean, in all seriousness, is this just kind of
COSTIN (32:53.242) Authority.
JAGS (32:56.502) Just a podcast.
Ryan Naraine (33:02.92) a lot of hyperbole, or you believe this is as serious as it sounds?
COSTIN (33:06.522) It's a state of things, I guess. It's just how things are nowadays. I guess that a lot of people listening to our podcast are now coming up with a lot of business ideas, how to create products that close these issues. I mean, I have a couple of ideas on how to deal with that. Just never had the time and the resources to implement them. I mean...
Ryan Naraine (33:30.068) So you think there's a product gap here?
COSTIN (33:32.418) There is for sure, there's a product gap. I mean, everyone's pushing EDRs, again, all sorts of agents that run on devices. XDR, YDR, XDR, ZDR, AI, AI, ER.
Ryan Naraine (33:39.184) XDR is the next thing. I'm told XDR is the extension of EDR that goes to the...
JAGS (33:46.178) Brought to you by... It's all powered by AI. Let me start there. I don't know if you guys went to RSA, but this problem is solved with acronyms.
Ryan Naraine (33:58.93) In all seriousness, we've given up. We've largely given up on this.
COSTIN (34:03.428) The thing we've given up, I mean, we just need, this is for sure a kind of a paradigm shift, and we need some new solutions to this new world, like solutions that allow you to remotely check these devices without running any kind of code on them, like remote attestation, if you want, integrity checks, collecting more telemetry, syslogs, putting more emphasis on analysis of network logs to spot anomalies. I think that this is probably where we need to move, like this is the direction that we need to invest in, and these are the kinds of products that are currently missing, that will solve, let's say, this generation of problems that we are having.
JAGS (34:52.393) Yeah, I think that there is definitely a part of this that is an innovation problem, where it's like you hope that some really brilliant folks out there can come up with a solution that still fits within this generally capitalist paradigm. You go, okay, it's just a money problem, like haves and have-nots, go buy the thing. Why don't you have this? It becomes a compliance thing. Awesome. Sure. But I think that there's another side of this that is regulatory, that is pointing us at the problems with, like, a lack of consumer protections, a lack of real regulatory agencies. Frankly, like, I think inspectability needs to become a purchasing requirement. Like, if you're telling me that as a company I'm about to invest and buy your $20,000 appliance and there is literally no...
Ryan Naraine (35:20.517) Amen.
JAGS (35:46.68) established mechanism by which I can inspect this device. Why? Like, the only reason to buy it is there's no better choice, but frankly, yeah. Yeah, but, but you know.
Ryan Naraine (35:56.326) The problem is that they're all the same. That's the problem, though. By which we need, which, which, which I, you mentioned regulation, I was going to go up the stack and say secure by default, secure by design, the pledge. No, exactly. You have to go back to the manufacturers to fix this. You can't be building point products and inspection products and band-aids and duct tape to continue making a mess of things.
JAGS (36:05.296) Secure by default is the biggest missing thing here.
Ryan Naraine (36:19.248) You gotta go right up the chain and have the vendors fix this. And unless the government has some sort of power, there's just like, eh, we'll sign a pledge and hope that.
JAGS (36:21.444) Well, cause you know...
JAGS (36:27.256) You know the conversation, you know the conversation we will have, we would have, if somebody comes up with, let's say, a virtual shim by which you shove an EDR into the memory of a Fortinet device.
What the next conversation we're gonna have is an Apple style, well, they sued them to death and then they closed the way that they could, like, get into, yeah.
Ryan Naraine (36:42.139) You
Ryan Naraine (36:46.65) You're adding attack surface, my friend.
JAGS (36:48.834) Yeah, you're adding attack surface. You're adding theoretical attack surface to the device that's currently being attacked and has already fallen. How fucking dare you, right? It's just like...
Ryan Naraine (36:53.552) To a place.
Ryan Naraine (36:59.286) And in fairness, gotta, something that crossed my mind through all of this, in fairness to AV engines, like, they've had a bad rap for being so deeply embedded and, you know, it can be the entry point for malicious attacks and the entry point for APT. It hasn't been as much as the Fortinet and all these other guys. So that's a takeaway.
JAGS (37:02.425) Come on.
JAGS (37:18.093) Yep. Yeah.
COSTIN (37:19.962) I tell you guys one thing, which is that what I learned, like, all these years is, like, stay away from appliances. Like, just stay away from any kind of appliance that you cannot inspect. In general, building your own hardware and running open source software is a lot more secure. But there is for sure this issue that you pay, as you're saying, you're paying like $20,000 for an appliance. You install it and you think, okay, now I have my security. And then somebody hacks that appliance with a zero-day. And from there, they move into your, like, whole network. They deploy ransomware. And then, you know, suddenly you have, like, a bigger problem, and there's no accountability. I mean, who's responsible for this thing happening to you? It was, like, a zero-day. You didn't do anything wrong. Who's responsible? You pay $20,000 for the privilege to be ransomed.
JAGS (38:05.197) What? What's?
JAGS (38:18.27) I mean, I think that's totally on point.
What I'll say is, what is the alternative, in the sense of, okay, you presumably need these high-end, high-throughput, high-bandwidth devices for, you know, all kinds of enterprise needs. And you would expect that if you're paying more money, you're going to get better service, which, to be fair, I get the sense that Cisco is a lot better about this, but you're paying the Cisco premium, right? Like, you're not. You're paying a little higher, but they are a more responsible vendor, that might be the only responsible vendor from what we've heard, as far as these appliances go. But if you, you know, if you take that off the table and you're saying don't buy appliances, like, is there some, like, Ubiquiti version? Is there, like, what is the, like, semi-open-source OpenWrt version of things? And can we shove a network detection and response thing into that stack? Because you have to give someone an alternative.
Ryan Naraine (39:17.801) Costin, this.
COSTIN (39:17.818) Sure, I can tell you what the cool kids are doing. You wanna be the cool kids. So what the cool kids are doing at the moment is, like, buy their own hardware or, like, build their own hardware, which is typically Intel, Intel hardware, but with some high-performance network ports in it. They deploy Proxmox, which is virtualization software, and they run pfSense, which is a FreeBSD firewall
JAGS (39:20.694) Please, I wanna be one of the cool kids, come on, man. Yeah.
COSTIN (39:46.686) management solution, on top of Proxmox. So this is what the cool kids are doing at the moment.
JAGS (39:52.884) And that's where you're going to put your agent, Costin-DR.
Ryan Naraine (39:55.6) Your in-band network tap.
COSTIN (39:55.918) You can put your agent inside Proxmox. You can run it. You can put it inside the pfSense box. The nice thing here is that because you control the virtualization, you have full access. You can inspect everything, everything you want in there.
You can essentially have VPN, like, you can have everything. So it's one of the solutions that I hear people using more and more.
JAGS (40:22.036) Time to start selling boxes, man. Come on, you're leaving money on the table.
Ryan Naraine (40:28.186) Last word on Volt Typhoon. Costin, you mentioned on the last episode this blurring of ransomware and APT lines. I got a banger of a quote from Joseph Menn in the Washington Post from Chinese embassy spokesman Liu Pengyu. Liu Pengyu says Volt Typhoon is actually a ransomware cyber criminal group who calls itself the Dark Power and is not sponsored by any state or region. So they're outright with basically saying, with the muddying of the waters.
COSTIN (40:32.9) Hmm.
JAGS (40:54.28) With the lies?
Ryan Naraine (40:57.692) You were ahead of that, Costin.
COSTIN (41:01.028) Yeah, we talked about it in the last episode, right?
Ryan Naraine (41:03.0) Yeah, exactly. We laugh this off. Just dismiss this and laugh it off.
COSTIN (41:08.568) Don't laugh, I mean, it's exactly what we were talking about, and I think earlier today there was a CISA advisory about Iranian threat actors essentially selling access to ransomware gangs. So again, this muddying, the same issue, yeah. And I think we also mentioned the Iranians during the last episode and their affiliation with ransomware gangs.
Ryan Naraine (41:23.34) Same exact thing we talked about last week.
COSTIN (41:36.314) I would say here that this is one of the kind of things, let's say, we were seeing for a long time. Deployment of ransomware by APT groups as a method to muddy the waters is super, super effective, because it gives you this kind of deniability.
Ryan Naraine (41:58.552) Is it something that becomes normal moving forward? You'll just see it as, like, okay, every campaign will have a rootkit, it'll have this, it'll have this, and it'll have a ransomware component.
COSTIN (42:01.923) Yeah.
COSTIN (42:07.418) I thought it was interesting to actually watch how this message gets propagated and how different people interpret the message. I saw, like, immediately a lot of pro-Russian and pro-Chinese websites were starting to replicate the messaging that it's not a CN APT. This is just some cyber criminal group, ransomware cyber criminal group. So immediately you see that disinformation, kind of fake news if you want, being replicated across the internet and copied by different sources which are pro-East, pro-Russia, pro-China and so on. So I think it works, and this probably suggests that there will be more and more cases like that in the future, because it just works.
JAGS (42:56.398) The Chinese are doing it on purpose now, though, like this is a shift in the way that they're approaching it, right? Because we're not actually talking about a threat actor that is deploying ransomware. We're talking about them just trying to fight back an attribution claim with nothing, right? Like, just saying, well, you know, somebody puts out a bullshit flimsy report saying, no, this is actually a ransomware group. Everybody else is wrong. And it becomes a he said, she said thing, even though, you know, there, there is no, there is no proof. There is literally no leg to stand on to say that that is the case. And it's not the first time they've done it. If you remember, there was a, some kind of bot inauthentic activity on Twitter where for a while you had all this bizarre, obviously bot-generated comments and content pushing to say that, I believe it was APT40 or APT41, is not Chinese. It's actually, I think, the US or something. Like, it was hilarious, because even, like, some of those comments ended up on my feed. They ended up under, like, Rob Joyce's, like, feed. So you're like, guys, I mean, you idiots are not even trying, but it goes to show what the tactic is, which is to say, you know, if in America, quote unquote, what you have are these government-affiliated
quote unquote defense companies that supposedly are in cahoots with the US government to get more budgets by beating down China, boohoo, then why not do the exact same thing in the US and just get Qihoo 360 or whatever other idiot to come out and say, no, it's actually just misattributed, this one group, whatever, we're done here. And for them, that's enough. That's enough for a narrative. And frankly, in the US, we've seen that bullshit like that works. We saw 2016, the entire threat intel community talking about Fancy Bear and whatnot, Cozy Bear, DNC stuff, starting with CrowdStrike, but everybody else corroborated this. And on the other hand, you had Jeffrey Carr. And that was enough, right? Like, CNN could say, well, there's dissension, and right, you get all the sort of, like, Trump MAGA bots that have, that have been bitching about CrowdStrike for, for, you know, God, how long has it been?
Ryan Naraine (45:01.66) You
Ryan Naraine (45:15.218) 8 years.
COSTIN (45:15.642) Years, eight years. Guccifer 2.0.
JAGS (45:15.877) Eight years? Jesus fucking Christ. Okay, sorry, for eight years. Right. But it's enough, right? Like, that's, that is still something that to this day, you will hear that, you know, there's, there's both sides to this argument, and there isn't.
Ryan Naraine (45:31.802) Is it easy to discern?
COSTIN (45:32.268) And listen, it works so much. The reality is it works so much better than the previous messaging, which was that China does not engage in any kind of illegal cyber espionage operations, unlike the United States, which is the biggest battery out there, which nobody believed or even covered as the other side of the coin. The fact that, yeah, now different state actors are saying that, well, this APT whatever or Storm or Typhoon or whatever is just a ransomware group, and there's, like, hundreds of them, is a much more powerful message.
Ryan Naraine (46:08.142) And that was gonna be my question.
My question to you, Costin, is: is it easy for you in the lab to discern what is ransomware and what is APT and what is mixing it? And how many, all of these nonstop daily 8-K SEC reports on ransomware might just be APT masquerading as ransomware?
COSTIN (46:24.79) I tell you something, it used to be easy, but it's definitely not easy anymore. I was actually planning to look a bit into this Dark Power, and I think, as far as I know, there is a Dark Power ransomware, which is some kind of ransomware that Volt Typhoon was deploying, like, again. But this reminds me, I think I mentioned it, StripedFly, a couple of...
Ryan Naraine (46:34.797) So there is a Dark Power.
Ryan Naraine (46:40.452) Oh yeah.
COSTIN (46:51.424) episodes ago, which was a very similar group, an APT group with some very advanced tools, zero-days, whatever; they were deploying a very unusual strain of ransomware. Like, in one particular case, they deployed it against a media institution in Taiwan. And then, like, as the story became public, they just offered the keys for free. They just, like, decrypted the data for free.
JAGS (47:18.298) Whoops.
COSTIN (47:18.756) which was, like, super, super weird. Like, typically when they decrypt, let's say, certain targets for free, that's not ransomware. Like, typically the ransomware is, like, financially driven; they negotiate to the blood, essentially. Like, they will drain every Satoshi, if you want, like, Bitcoin fraction, out of their victims and keep increasing, keep increasing the ransom until they get paid. So I think this is maybe one of the remaining giveaways, which is that if this financial component is missing, either, let's say, there's no decryption even if you pay the ransom, or they give the decryption keys for free, that raises some questions.
Ryan Naraine (48:12.329) Another topic in the news this week that's near and dear to this podcast's heart is Google TAG's discovery of APT29, Midnight Blizzard, Nobelium, caught using iOS and Chrome exploits that were previously deployed by NSO Group, Intellexa, these commercial spyware vendors. Is there any room here that this could be just pure coincidence, Costin, or this is
JAGS (48:22.328) Yeah.
Ryan Naraine (48:40.849) solid discovery of reuse?
COSTIN (48:43.732) I mean, the names of the variables, like, inside the exploits are just the same. Like, what we can have here, I think there's a possibility that maybe the same people sold both to APT29 and Intellexa, NSO, whatever. The other possibility, I guess, is that maybe APT29 just bought these products, reverse engineered or targeted themselves, and they just extracted the exploits. And yeah, I guess the last possibility is that they were targeted with these exploits, which they captured, reverse engineered and reused. But if you ask me, I suspect the most likely explanation here would be that they bought from the same source. Now, to me, it's interesting that APT29 is doing these kinds of things. It's not the first time they were doing this: LinkedIn targeting a couple of years ago with iOS and ACE, I think they were at the moment. It didn't install malware, but it was just stealing cookies. So people were being messaged over LinkedIn, and if they clicked the link, you know, their cookies are gone, and then the attackers could just reuse those cookies to steal their emails and so on. So it's kind of interesting that APT29 is poking at this subject, even if they don't have dedicated high-end malware for iOS.
Ryan Naraine (50:10.501) Before you go, Juan, I wanna ask you a quick question, because Costin didn't mention this possibility. Conspiracy Ryan is asking, is it possible that APT29 is living in NSO's and living in Intellexa's boxes?
I mean, you have to imagine, these guys broke into Microsoft and stole executive emails, source code, customer emails. You have to give them that. You have to put that on the list, no?
COSTIN (50:24.046) Mm.
JAGS (50:28.012) Yeah. They could, but I actually want to point out a different possibility that was brought to me by somebody much smarter than I yesterday, which is that, I'm going to paint a picture and it's going to sound kind of nuts, but think about this. Has Apple succeeded so greatly
Ryan Naraine (50:51.011) Conspiracy Juanito?
JAGS (50:57.701) in making certain parts of the iOS exploitation tool chain so hard? Because look, we're talking about, you talk about it as if, like, somebody bought an exploit, and that's not really what we're talking about. We're talking about somebody having a chain of exploits. And if you look very, if you, if you read very carefully into that Google blog, they don't, they're not necessarily talking about a whole shared exploit chain. They're saying that there are shared
Ryan Naraine (51:11.845) chains.
JAGS (51:26.909) And I wanted to just add another possibility into this, like, competing hypothesis space, which is: has Apple succeeded so greatly in making one portion of this so hard that the only available exploit to fit into these chains, for one portion of what needs to be accomplished, is the same one being sold across the board? Right? Like, is it, you know, whether it's a component of persistence or it's a component of breaking out of the sandbox or it's a component, like, whichever one it is. But that one part is so hard and so scarce that right now NSO, Intellexa and maybe some other Russian supplier or Russia-friendly supplier... It's, it's the kind of rumor that falls off the back of the truck that is very hard to believe, because we think, well, come on, there's no way that's the case.
Ryan Naraine (52:01.472) I see.
Ryan Naraine (52:10.849) Is this inside information?
JAGS (52:24.24) But I do want us to consider it.
We want to consider it, you know?
Ryan Naraine (52:25.089) It's believable, because Apple has made efforts to lock down things privately without saying anything. I mean, the BlastDoor mitigation was found by Google Project Zero, and Google mentioned in the TAG report that Lockdown Mode has been, it worked.
JAGS (52:36.602) Hey, Lockdown worked, apparently Lockdown worked, right? So I'll bitch and complain about Apple on inspectability all day long, but you do have to give them immense credit for what they're doing in just raising the bar, the difficulty of exploitation, across the software and hardware stack that they control. So I do think there's that element. Now there's another thing that I want to point out in this APT29 attack, which is the cookie stealing, which is the point of the attack. Personally, I have this belief that, and it's completely unsubstantiated, but I have this belief that there is no way that we're going to continue to see spyware mercenary vendors focusing so hard on trying to keep this iOS or mobile charade and back-and-forth cat-and-mouse game going when it's becoming so expensive, so brittle and so difficult to maintain, if you can get the same net information by virtue of hitting cloud services directly, which is, you know, our backups are on the cloud. Most of the stuff you do on your phone is connected to some cloud service that is holding a bunch of your data. The cloud providers are not putting any effort into inspectability, nor are they letting you know, you know, somebody tried to, you know, grab your whatever, iCloud backup, or, or get into your email and this and that. Well, in some ways they are, but they're not really giving you details. So if you tell me, I, I run the new NSO, right? I'm, I'm NSO two. And what I've learned is that it's going to cost me an arm and a leg to try to get iOS exploits and to try to persist on these devices,
and, and then at any given moment, Google TAG or, or Project Zero is going to come out and burn my chain and I'm screwed. And I need to go find the same component all over again. Or I can focus on stealing cookies, sessions, creds, et cetera. And I can provide my customers 85% of the same visibility they were getting by virtue of being on the device. You're telling me that I wouldn't pivot into that model, that no one is even
JAGS (54:57.144) bothering to check those cloud logs? In some cases, they don't even exist. In some cases, even if you get the stupid notification that, like, a nation state is targeting you, no info about the IP, about the infrastructure, about what they took, about what they did. I mean, it is a, that is where that market must be going, if not to say should be going, because it doesn't make sense to keep trying to beat your head against that brick wall.
Ryan Naraine (55:25.693) I'll see you
COSTIN (55:26.874) And I think there must be also quite a significant price difference between these exploits. I am maybe, I don't know, I, like, one, I'm confident that there are still zero-day chains, like full remote code execution with jailbreaking. I'm confident that they are available for purchase, maybe, like, $3 million, $5 million, $10 million. I am confident these are still available. But at the same time, something like this, these cookie-stealer-style exploits, which are not even zero-days, they're n-days, right? They probably sell for much less, 20,000, 30,000, so suddenly they are affordable, like, for APT groups like APT29, which maybe don't have billions or tens of millions to burn on zero-days. This can be, like, a very effective thing.
Ryan Naraine (56:16.953) They save that for the guys up the chain. These things are effective in watering hole attacks on Mongolian websites against iOS 16.6 kind of thing. I mean, that's where you use those, right?
COSTIN (56:24.474) True, I don't think that's true.
That's what people probably use in Mongolia and other countries. But also I'd like to point out that watering holes nowadays are very rare. This used to be super popular 10-15 years ago. Nowadays people are super careful not to burn their full chains on watering holes, because essentially there is a very high risk that any crawler or whatever just hitting that website will capture the full chain. So typically, yeah, this is a poor people's solution; these are poor people, poor, poor APT groups' solutions. But the funny thing is they are just as effective, as Juan was saying, and I think that one of the top characteristics of APT29 is that
JAGS (57:05.669) You
COSTIN (57:21.348) they've been able somehow to achieve the same as all the other top groups out there with a lot less resources, without using crazy exploits, without using super crazy sophisticated malware. What was that?
Ryan Naraine (57:33.251) It also shows you don't need them. Right? It shows you don't need some crazy sophisticated 0-day malware if you can just slide in with cookies and...
COSTIN (57:43.02) Yeah, yeah, I mean, with the SolarWinds.
JAGS (57:44.881) It depends on your tradecraft. It depends on your tradecraft and your goal. Like, one thing about 29 is they're being super crafty and resourceful and getting some badass, like, amazing ops going. They're not quiet. It's not happening without anybody noticing, right? Like, a lot of the 0-day hygiene that goes into Western ops is mostly about the need for covertness above all things, which is why, whatever the Chinese might claim about the US or really any of the Western govs, you are hard pressed to come up with examples of what you might call fishing with dynamite, right? Like, you're not seeing a CCleaner supply chain attack style thing or SolarWinds style or anything like that.
Even if they did get the access, I would expect the tradecraft of Western govs to essentially put them in a position to say, look, you're not going to indiscriminately pop every single person and then figure out where to go from there. That's not how we operate, because someone's going to notice, and we were never here. That's the ultimate priority: it's not the data. It's we were never here. After that, what can we accomplish? And it's just a completely different school of thought.
Ryan Naraine (59:11.914) We're running out of time and I wanna make sure we touch on this, because it's coming up soon. Microsoft is hosting a Windows Endpoint Security Ecosystem Summit in September, specifically around Windows kernel access and in response to the CrowdStrike thing. Costin, did you get an invite?
COSTIN (59:28.772) Not sure.
Ryan Naraine (59:29.43) No invite for you? Juan, did you get an invite?
JAGS (59:32.268) Not for me, there are some, yeah, yeah, CTO, CISO, engineering, everybody's going to be there to be a part of this. Well, so only because Dave Weston is in charge, and we believe in Dave and we trust Dave. Look, I would normally come out swinging thinking, you know, that this is, like, some cynical attempt to then take us into changing the access to the kernel.
Ryan Naraine (59:35.274) Your company will be represented.
Ryan Naraine (59:41.064) Important meeting.
Ryan Naraine (01:00:00.034) Ha! You remember my Ekoparty keynote, right?
JAGS (01:00:03.325) Of course. And I mean, I think that's a great keynote, and we should, you know, let's repost that, because it is really on point. But let me just say, I think Microsoft bringing in the companies to have a conversation under the auspices of somebody like Weston, who is genuinely interested in securing this thing rather than just, like, having regulatory change and capture, is an incredibly good sign. And I, I, I applaud it, and I hope that it turns into some new paradigm between the endpoint vendors and Microsoft. I want to believe it.
I refuse to be cynical ahead of time, right? Like, you got to give them that opportunity.
Ryan Naraine (01:00:44.326) Alright. Let's be... Okay.
Ryan Naraine (01:00:50.672) What's, Costin? So let me ask you this. What is a new paradigm that you think can emerge here that is practical, workable, answers all the questions? What are your expectations?
COSTIN (01:01:04.772) So having participated in a couple of these conferences, you want, not from Microsoft, I mean, but in general, what I learned is that there's never any kind of decisions that are taken there. Typically, people get together and someone just presents their vision, which in this case may be Microsoft's vision. They might, you know, ask for feedback. They might collect some kind of thoughts from the audience, but in reality, no decisions are typically taken at these events. The decision is made. Yeah.
Ryan Naraine (01:01:36.121) Well, actually the decision is already made. What you're saying is that they come into it and the decision is made, and it's basically a communication venue. I get a sense that in this case there's a genuine attempt to find a balance between the European Union stuff, Windows Defender stuff. There's a lot of equities at play, but I get the sense that there's a genuine attempt to avoid a repeat of the CrowdStrike incident.
COSTIN (01:01:44.793) Correct.
Ryan Naraine (01:02:00.344) There will be some sort of change, some sort of API thing, some sort of technological thing will come down the pike. You're saying they already know what they want to do, they're going to come and just kind of do this communication?
COSTIN (01:02:11.226) So yeah, the only thing probably they'll come and show, like, this is what we are gonna do, and we need you guys to support us. Like, that's, I think, what typically goes on behind closed doors at these meetings. And some people might say, yeah, it's actually good for us to support this. And actually we need to be on the same side.
Maybe other people will be upset, like, this cuts our access, it's bad. So what are we gonna do? But in the end, I think, as you were saying, probably the decision is already made.
Ryan Naraine (01:02:42.606) What are you hoping for, though? I mean, in keeping every bit of equity in place, what are you hoping for? No change? Some change? What kind of change would make you comfortable?
COSTIN (01:02:56.474) Do you remember what I said, like, when we were discussing this? Like, if I were the person who has the power at Microsoft, I would say, yeah, like, speed is not the most important thing. Like, if we can make things more reliable and more stable, and if what it takes is a bit of speed, I'm actually willing to trade the speed for that security. So if you ask me, if the goal here is to make a more reliable kernel, like one that is more stable
Ryan Naraine (01:03:01.763) Mm-hmm.
Ryan Naraine (01:03:16.568) You're willing to make that trade-off, okay?
COSTIN (01:03:26.208) and one that can survive crashes of company, like, third-party-provided drivers and code, I'm happy with that. But I think there has to be some kind of a trade-off. You cannot expect the same kind of reliability that other operating systems have and the speed at the same time. So you have to essentially trade speed for reliability.
Ryan Naraine (01:03:58.527) Nothing from Juan, no?
JAGS (01:04:00.501) I would like
Ryan Naraine (01:04:03.135) What are you hoping to get out of it? What do you think? Give me a feel heading into this meeting. Or you can say you don't want to comment on it because you're in.
JAGS (01:04:10.241) No, look, I would like to be surprised, in the sense that, like, for me, again, the paramount thing to protect is inspectability. That is the whole business of what XDRs are doing that is actually meaningful and valuable. And anybody who says otherwise is wrong. Inspectability is important, and it's what we're complaining about with all these other devices.
And we get to complain about it on appliances because the endpoint, at least the Windows endpoint, is one that is relatively well covered due to the efforts of a lot of different companies. I would like to be surprised by what brilliant people who control and understand the kernel as it currently exists and what is possible. What can they suggest would be the new paradigm of inspectability? Can they surprise us with some way we hadn't even considered, where if we're willing to, you know, cave on this thing and accept this other thing, then all of a sudden we have this wonderful new paradigm of inspectability wherein memory is more approachable, wherein stability is not a problem, wherein, you know, you can do X, Y, and Z and we can start spending less money and resources on anti-tampering, spend less money and resources on stability testing and can just focus on inspectability. That would be absolutely wonderful. And I think it would be Microsoft taking charge and leading the way in something that everyone else is failing at, particularly Apple and these appliance vendors we were discussing. That would be great. I don't want to discuss the disappointment version of what could happen in this, you know, many worlds interpretation of Microsoft's summit. I just.
Ryan Naraine (01:05:58.182) It's not a contentious summit though, right? They're not butting heads. You know, I don't expect it to be one of those.
JAGS (01:06:03.154) Well, I'll say this, even if they came up with the best possible version of things, that's not to say someone isn't going to bitch. Somebody is going to complain no matter what. But I think there's a very big difference between them saying, hey, we'll enable you to do things in this different way. And these are the benefits for you. And these are benefits for us versus them walking into the room and saying, well, the party's over, kids. We're going to go do this thing. And you guys.
Ryan Naraine (01:06:08.546) Someone's not going to be happy.
JAGS (01:06:30.616) just going to have to suck it up and take it and I don't want to hear anything about antitrust. It all comes down to what the proposal is and what their
Ryan Naraine (01:06:39.088) There's something concrete coming though, because they've kind of teased it in a previous blog entry and this blog post talks about concrete steps to improve security and resilience of joint customers. So there's something on the pike and there's something interesting. I'd like to be surprised myself. Final words, Costin, we're running out of time. What are you up to this week?
COSTIN (01:06:57.178) I can't believe that we're gonna close the episode and not talk about Pavel Durov's arrest in France.
JAGS (01:07:06.366) His exile is fake apparently. He's been going back and forth to Russia 50 times since 2014.
Ryan Naraine (01:07:10.847) That's the thing. That's the thing with this story. There's so much misinformation and disinformation depending on which side of the political divide, especially here in the U.S. There's a cyber angle though. There's a story today from the Wall Street Journal that his iPhone was hacked in the United Arab Emirates and in France. Interestingly, the two places that he just got citizenship. So I suppose like the iPhone access in exchange for citizenship, a passport.
COSTIN (01:07:11.971) I meant
COSTIN (01:07:21.146) There is.
JAGS (01:07:21.672) The whole thing is a cyber angle.
COSTIN (01:07:31.373) And he got sedation.
JAGS (01:07:36.35) The exploit was too expensive, give him a passport.
Ryan Naraine (01:07:41.24) Where do you land on this, Costin? I mean, there's a million things we can talk about here and I don't want to just belabor the podcast going too long, but there's this whole narrative in mainstream media that it's an encrypted messenger. I mean, the reality among people who know is that that's far from the truth. And there's all kinds of conversations around free speech and what it means.
Give me the cyber angle and your take on this since you brought it up.
COSTIN (01:07:55.226) Hmm.
COSTIN (01:08:04.474) Mm. I think it's a very important story from many points of view. At least let's say from the point of view that this is being turned into whatever versus whatever people turn this into, either Russia versus Ukraine or is it Trump versus Biden or Harris or whatever. It's a very, very polarizing story, I guess, simply because Pavel Durov is a Russian citizen. As far as I know, he never renounced his Russian citizenship. And it has kind of an interesting background here. I think not many people know that his brother is like an Olympic mathematician. He won the Mathematics Olympics. So I guess possibly some could say that his brother is the brains behind all that technology. And maybe he's the looks. I don't know. I mean, if you compare the photos.
Ryan Naraine (01:09:01.22) Yoi yoi, so many, and this is another new wrinkle here.
COSTIN (01:09:04.634) It's a new record. That's one thing. The other which looked very interesting to me was that he's being accused of some crazy things such as providing cryptology services without certified declaration, providing cryptology tool not sold, ensuring authentication or integrity monitoring without prior declaration. It's like... It's a bit crazy. There's one thing that we need to mention for sure is that our good friend, Ivan Kwiatkowski, wrote I think a good summary about it for the French newspaper Le Monde. So that will definitely require for some of you Google Translate or ChatGPT or whatever. But I think it's an important story because it shows several things: that one, people can be very easily confused about the technology they're using and they may simply trust something which is not trustworthy. Even now, after all these discussions that Telegram is not encrypted, I see people saying that, ha, now France has the keys to the Telegram encryption. So I'm sorry to bring it to you that there's no keys.
There are no keys that France might begin.
JAGS (01:10:17.76) I'm sorry to break it again.
Ryan Naraine (01:10:23.423) Everything sits in clear text on their servers, right? I mean, this is Telegram you should view as like Twitter.
JAGS (01:10:25.208) Thank
COSTIN (01:10:30.306) Yeah, it's semi-public. Everything you write there is semi-public and that was kind of always my assumption. Now why, like this is super weird. If you ask me, the fact that you can have these encrypted chats, but they're not default and actually they're making it more and more complicated to find how to actually turn on this encryption and the encrypted chats is like super, super weird.
Ryan Naraine (01:10:37.417) That's the design, yeah.
COSTIN (01:10:58.104) Makes me super suspicious. But at the same time, you can't ignore the fact that, I mean, it's a super, super popular tool. There's hundreds of millions, probably billions of people using Telegram, including in Ukraine. So it's being used, I don't know, to warn people about all sorts of attacks. So for sure, Telegram is an important people, if you want, technology at the moment. Super popular. I mean,
Ryan Naraine (01:11:24.093) Very popular in Europe, right?
COSTIN (01:11:27.642) All my friends use Telegram.
Ryan Naraine (01:11:28.297) I don't know anyone here in the US that uses it. And I don't know anyone in the US that uses it.
COSTIN (01:11:32.78) Interesting. I mean, just as popular or even more popular than WhatsApp, if you ask me.
Ryan Naraine (01:11:35.091) Never had someone try to have a conversation with me.
Ryan Naraine (01:11:40.755) Juan, are you following this story? Why?
JAGS (01:11:42.528) Yeah, to some extent. Well, look, the Telegram side of things is actually important. And it's not that people in the US don't use it. It is used for a lot of things that we're generally concerned with, like the com kids, for example. A lot of the cesspools of the internet are on there. A lot of the...
Ryan Naraine (01:12:01.914) Scattered Spider people.
JAGS (01:12:08.044) data leaks from threat actors and different hacking groups, quote unquote, end up on Telegram. Like there's a valuable aspect to keeping track of what's happening in Telegram groups. But other than that, like I became really interested in the story yesterday when Andrei, I want to say it was Andrei Sakharov, a reporter, claimed to have seen border crossing entries of Pavel Durov going back and forth into Russia, supposedly, allegedly 50 times since 2014 when he claims to have been exiled and not returned to Russia ever since, in an FSB leak of a border crossing database that is supposedly 500 gigabytes and was added to some aggregator, a leak aggregator somewhere. Honestly dude, Pavel Durov, whatever, where the fuck is this leak? I want this 500 gigabyte FSB border crossing leak somewhat, you know, hit me, slide into my DMs because like that's the fascinating part. And the reason I really care about the
Ryan Naraine (01:13:21.656) It's a Russian citizen though, right? There's nothing illegal about him crossing the border. The claim that he was in exile is what you're questioning here.
JAGS (01:13:27.761) Well, he's claiming he hasn't been back to Russia since 2014. So if that's not true, I'm curious. But also, this is a very conveniently timed story about a leak that no one else has seen that would be incredibly impactful on a variety of levels, counterintelligence efforts. There's so much we could get from that leak. So A, is the leak available? Is it actually there? What other magic could somebody like Kristin Del Rosso turn up if she got her hands on that? B,
COSTIN (01:13:27.862) Mm
Ryan Naraine (01:13:31.918) Okay.
COSTIN (01:13:46.116) Mm.
JAGS (01:13:58.209) Is he actually in there with those border crossings? Because otherwise, like this is perfectly timed disinformation about, you know, to try to discredit this guy when he happens to be in the limelight in Paris.
And
Ryan Naraine (01:14:12.054) And this is the reason I'm not following this story. There are just too many conspiracy threads to run down and it's just, even for me, my head just becomes complicated.
JAGS (01:14:18.907) That's why those conspiracy threads pop up, it's so that you will get tired and not follow the story. You know, like, that's all it is, man.
COSTIN (01:14:24.578) Mm-hmm. Yeah.
Ryan Naraine (01:14:25.887) Working.
COSTIN (01:14:28.218) I think it was a joke. If you ask me, that was a joke. The problem is that it's so difficult to know what is a joke and what is real and what is disinformation.
JAGS (01:14:54.498) They have that program. You can just go take that at St. Petersburg University. I mean, political technologists trained in St. Petersburg University.
COSTIN (01:14:58.746) I don't even want to take it.
COSTIN (01:15:04.415) And you need to do the summer job. You need to do it at the troll factory. IRA troll factory.
JAGS (01:15:10.069) at the IRA summer internship, summer intern.
Ryan Naraine (01:15:14.998) Costin, what is your gut feeling about what's happening? You think there's this real legit concern about Islamic State use of Telegram to recruit operatives and plan attacks and like not moderation. What do you think is happening here?
COSTIN (01:15:28.434) I think for sure that Pavel Durov probably refused access, refused the government's access to all these technologies. We have to say, we need to say probably that the way he got the French citizenship is like super rare. So that doesn't normally happen. Like if you wanted to get French citizenship, I don't think they will offer that particular type of citizenship which you wanted, right? So could it be, I don't know, just the question is that he was offered the French citizenship in exchange for maybe allowing access or, you know, like now that we help you, maybe you will help us, and he didn't help them. So.
Ryan Naraine (01:15:58.62) want but
Ryan Naraine (01:16:15.09) exchange for the iPhone password. Operation Purple Music is the name of the iPhone compromise of his phones.
COSTIN (01:16:23.692) I tell you that one thing always I found amazing and like I couldn't quite explain it, but we're talking possibly petabytes of leaks of essentially illegal data being distributed through Telegram servers and tons of people, researchers, cyber criminals, whatever, downloading all this data. So I always wondered how is it possible, what kind of servers do they have to store all that insane amount of data? And the fact that whoever is in control of that data has a huge access, has a huge visibility, like to all the leaks, to all the criminal data that is being stored on these servers. It's an incredible power and a sale level kind of power if you
Ryan Naraine (01:17:07.088) Enormous, yeah.
Ryan Naraine (01:17:16.676) And therein lies the reason he's been arrested,
COSTIN (01:17:19.918) That could be the reason, right? Like who are you to create your own NSA and start harvesting the world's stolen information, including, I don't know, secrets from politicians and compromising materials.
Ryan Naraine (01:17:27.6) No eminent domain for you.
Ryan Naraine (01:17:32.934) Juanito, you get the last word, any LabsCon related news to pass along?
JAGS (01:17:37.107) Well, last word on the topic we're just discussing is it reminds me of the admonition in this podcast from you guys about how this fight against encryption and whatnot is going to just continue in one form or another over and over and all these different forms. And we know, you know, encryption quote unquote under something like Telegram. But really what we're talking about is bringing these platform holders to heel and saying, hey, you really need to be playing ball with us in some form or fashion.
So I am really curious about what ends up happening with this one, particularly since it's in a legitimate country, right? With some legal process and whatnot. And I'm sure they have a reason for it, whether it's the right move or not, totally different. But it is speaking to the issue that we're dealing with in the US as well of just having no control, no input, not even reasonable discussions with Elon or Mark Zuckerberg or whomever else about how these platforms should be managed. There's something big there. And then you asked about LabsCon.
Ryan Naraine (01:18:44.841) LabsCon is two weeks away, three weeks away maybe, yeah.
JAGS (01:18:47.258) Yeah, we're, I mean, we're sold out. We're completely sold out. It's completely filled up. The agenda's locked in. So now it's mostly sort of the excitement period, except for those of us that are speaking, which means it's now crunch time and panic mode, but really looking forward to actually getting there.
Ryan Naraine (01:19:06.829) Enjoy your holiday weekend. It's a holiday weekend here in the US, Costin. Last word for you. What are you up to next week? Costin is on vacation.
COSTIN (01:19:11.258) It's always holiday here.
JAGS (01:19:12.965) It's always vacation.
COSTIN (01:19:15.866) Next week I'll be at the Underground Economy, which is a conference. It will be in Europe this time, I think. Unless it's always in Europe. So, more vacation for me if you want.
Ryan Naraine (01:19:31.457) Let's leave it right there. Take care, guys.
COSTIN (01:19:36.206) Ciao, bye bye.