Episode Transcript
So this just in.
A truck carrying a full load of ramen noodle packs was involved in a multi-vehicle accident on the Mass Pike.
Estimated loss to the company: forty bucks.
Speaker 2: Flavor packs were all the flavor I...
Speaker 1: Flavor packs worth more than the noodles.
Speaker 2: Such.
Speaker 1: All right, well, welcome to Security This Week.
I'm Carl Franklin.
That's Patrick Hynes and Dwayne Laflotte, and we got some stories here for you.
A few of them involve Google.
So the first one is from Tom's Hardware.
Google is getting ready to hack back as US considers shifting from cyber defense to offense, and new Scam Farms bill opens up new retaliatory hacking actions.
Speaker 2: I'm waiting with bated breath.
This is very interesting.
We've talked about this, not on this podcast, I don't think, but Dwayne and I have definitely talked about what would happen if they allowed us, because there was some talk about this a number of years ago.
The biggest problem is knowing you're hitting the right target.
Attribution is really hard, and false flags are a thing.
I can try to say, oh, you know, Singapore is the source of the hack, and then you go and take out a hospital in Singapore if you don't know what IP address you're going up against.
Speaker 1: Well, you wouldn't take out a hospital.
Speaker 2: You might, if it looked like it was coming from North Korea and they, you know, fake you out.
Again, it can be done.
It just has to be done carefully and methodically.
And again, it's always been illegal, so up till now it's been a moot point.
Speaker 3: So, question. If you read through this article, it's the Scam Farms Marque and Reprisal Act, is what it's called.
And this would authorize the President of the United States to issue letters of marque and reprisal with respect to acts of aggression
against the United States from a member of a criminal enterprise, or any conspirator associated with an enterprise involved in cyber crimes.
What is a letter of marque?
Speaker 2: So this is privateering.
Oh, oh, this is what the English crown did to Spanish ships, where they said... That's where I've heard it before, right? Yes, yes, yep, that's where it comes from.
Speaker 1: Yeah, so they got citizens to sign up to it.
Sounds like pirate, but it's not.
Put me on the list; signed up to go hunt down the bad guys.
Speaker 2: Yeah, yeah, push it on the...
Speaker 3: List, right. Are we like bounty hunters now?
Speaker 2: So basically this is like, we've talked about a cyber reserve, if you will.
When the war in Ukraine came, one of the things that Ukraine did is they tried to recruit people who were technical so that they could start attacking, so they could raise the stakes against the Russians, because the Russians were actively using cyber against them. And for people they didn't know or trust,
they said, here's some websites, if you can take them down, that'd be great. For those that they knew and trusted,
they gave them intel that they could act upon, to go after specific records, specific targets.
This is that kind of thing.
Speaker 3: But the thing I don't understand is the president has to sign this letter, but the president also has control over probably one of the best offensive cyber commands ever, right, US Cyber Command.
I don't know if you guys remember TrickBot, the massive ransomware.
Speaker 1: I'm sorry, Dwayne, that's yesterday's news.
Today he fired them all.
Speaker 3: Never mind, sorry, my bad. Go ahead and continue.
Speaker 1: That's a joke.
Speaker 3: Tend to see here.
But, like, TrickBot was compromising all sorts of different companies with initial access and then ransomwaring and that sort of stuff.
And at one point, I can't remember what the target was, whether it was a water treatment plant or something like that that was hit, or whether it might have been actually the gas pipeline.
Think it was a gas pipeline? Okay, yeah, and US Cyber Command stepped in the next day and said, hold my beer.
Yeah.
The next day, TrickBot: offline.
We're offline.
Now we don't have access to any of our servers.
So whoever did this knows what they're doing.
Yeah.
So yeah.
US Cyber Command was like, oh, you know, to stop that.
Speaker 2: That's quality, this is scale.
Speaker 3: Yeah.
Speaker 2: So, you know, if we're at war, if, let's say, things break down with Russia and, you know, we finally have had enough of what's going on and we decide the gloves have to come off...
Speaker 3: Haven't broken down yet.
Speaker 2: There's too many topics, there's too many targets.
I don't know.
Maybe it's just fodder for the grist mill, and, you know, yeah, we're going to hack back and they're never gonna even do it.
What I'd rather see is coordination through the FBI of saying, look, we've been attacked by, you know, external actors.
We believe we know how to go after them.
Here's our data.
We want permission to go and hack back, and then they do do it.
That's not what we're talking about here.
That's what I'd like to see.
Speaker 1: Yeah, well, apparently there's a lot of money earmarked for this, at least a billion dollars in the Big Beautiful Bill.
So, you know, they're not kidding around.
Speaker 3: I like it.
Yeah, we'll see what happens.
Speaker 1: See what happens. Film at eleven.
Speaker 3: Maybe wrong. Maybe we'll turn the Discord server into privateers, and all of you...
Speaker 1: Oh, that's a great idea.
Speaker 2: We'd have to move it off and get a boat.
Speaker 1: All right.
So, next story from BleepingComputer: Citrix fixes critical NetScaler remote code execution flaw exploited in zero-day attacks.
And this story is from August twenty-sixth.
Speaker 3: Yeah, and this is one of two of our go-patch stories.
Right. So how do you know you're affected if you're running a NetScaler from Citrix?
Yeah, 14.1 prior to 14.1-47.48.
You want to go patch, upgrade your NetScaler.
The vulnerability here is a memory overflow bug where, successfully exploited, it obviously gives you remote code execution.
That's an RCE, so pretty important.
Usually NetScalers are accessible to the Internet, especially the NetScaler Gateway, so you're absolutely gonna want to go fix this one.
I'd say this is probably topic one.
Speaker 2: So let's go a little deeper just for a second.
Sure. When you say RCE, what comes to mind for me is a reverse shell, the ability to, like, run commands.
It will, sure, but sometimes it's not that open.
What percentage of the time does an RCE, do you think, result in, like, I can just run any command I want and I have a shell, versus I can insert a command, command injection, and I can just get a little bit, like I can get, like, twelve characters to run?
Speaker 3: Right, because it's a big difference.
Yeah, there's a huge difference there.
You're absolutely right.
If I had to put a number on it, I would say that RCE is full control.
So it's reverse shell.
So when they say RCE, it's admin, you get to run...
Yeah, as many commands as you want.
Then maybe you're at the console.
Yeah, maybe not easy for you to run the commands, like you have to run them and batch them together and...
Speaker 2: Bundle them in a package or something.
Speaker 3: Yeah, I get twelve characters per, you know, post to a website, and I have to put it in a file and then tell that file to run.
But eventually you're going to get control.
You get control over the system.
Speaker 1: So you think RCE comes after privesc, right? You do privilege escalation and then you can...
Speaker 3: So that's a good point.
It depends.
It depends on if the system itself is running in escalated privileges or not.
So if I compromise a website and the website's running as a low-end user and I get remote code execution, I can run commands with the command prompt.
Well, I'm still running as that low-end user, so now I need to privesc afterwards.
But if I'm on, like, an elevated system, like usually the NetScalers aren't expecting people to do it, have backup systems, right, then privesc already happened the moment I hit the system, because I'm already running in your privileged context.
Speaker 1: All right, good to know.
Speaker 2: Yeah, you usually need privesc after you've got RCE, because you need privileges to run the commands you really want.
Speaker 3: Yeah, right.
And although far too often we find a lot of people we talk to and work with and whatnot, they have applications running with greater privileges than they need to.
Speaker 2: Yeah, least privilege not followed.
Speaker 3: Listen, I love developers, but a lot of that is the developers sometimes going, it works on my workstation. Exactly. So let's keep opening up privileges until it works.
Oh, it works now as an admin, leave it alone, and you...
Speaker 2: Probably fifty percent of the privileges you opened up weren't necessary.
Speaker 3: Right, right. Yeah, exactly, yep.
Speaker 1: All right.
So the next story, or the next two links anyway, go together.
The first one is Google, from First Alert 6, wowt dot com.
Speaker 2: Oh, from the First Alert team.
Speaker 1: Yeah, Google warns two point five billion Gmail users to update passwords after data breach of one of its databases.
And so what did we do?
We all went and we updated our passwords and all that stuff.
Even though I never got anything from Google.
Yeah, never got anything on my iPhone or whatever.
And then a couple of days later, Google comes out with, from their blog, Gmail's protections are strong and effective, and claims of a major Gmail security warning are false.
Yeah, so it's a BS story.
Speaker 2: Not a bad practice to change your password, though.
Speaker 3: No, agreed.
And so if you dig into, we're going to send out a link to this, and if you click on the "Google reports a breach"...
Yeah, if you go down that, the reported breach was if you're using Salesforce and you had enabled Salesloft Drift.
So, Salesloft Drift is an AI that can, well, connect into your Salesforce and pull information out and do all sorts of stuff.
Speaker 1: No, it's not.
It's a band from the nineties and you know it.
Speaker 3: I know, right, it's Salesloft Drift, the pain.
So if you had enabled it and connected it to your Salesforce, you were vulnerable.
Other than that, normal Salesforce users were not, so.
And what they saw was, when they went through and did the forensics, is they saw a bunch of select queries coming through from Salesloft Drift, the connector, for select count from account.
Right, so if you know SQL statements, this is trying to figure out how many accounts you have in your Salesforce.
Select count from opportunities, select count from users, select count from case, so on and so forth.
And they were enumerating the back-end database in Salesforce, pulling all the information out for your customers, and they could grab OAuth tokens and all sorts of other weird stuff.
But this was absolutely not a Google issue.
This was more, there was a connector that got compromised, and if you had it on, your accounts might have got compromised.
Speaker 1: All right, so the long and short of it is you should change your password on a regular basis, but not because of this story.
Speaker 2: Actually, we should talk about passkeys at this point.
Speaker 3: Yeah, I was going to say, honestly, I haven't changed my Google password in years.
Yeah, I'm throwing that out there.
Last I had my Google password, I had a password manager; it was a really, really long password.
But now I'm literally just using passkeys for everything.
Speaker 2: So passkeys, I think we've mentioned it before, is where the device does an exchange with the service or website and it's like a certificate.
It's not really a certificate, but it might as well be.
It's like a hundreds-of-characters password, and the device remembers it in its secure storage.
And so, like, if I have that on my phone, I've got to authenticate to my phone, and hopefully using, you know, a PIN code that has limited tries, and you've got security in the device.
But it means that you have to not only have your device, but be able to unlock it.
And that might be a desktop in your house, a browser, you know, on your work PC, your tablet, your phone, or other device.
And it's much more secure because no one, even a five-dollar wrench doesn't work, because you don't know that password.
The five-dollar wrench works if you have the device and they tell you to unlock it and then, you know, hand them the device.
That's different.
Speaker 1: But is this five-dollar wrench you speak of, is that a metaphor in your land?
Speaker 3: It breaks into anything. It breaks into most things.
Yeah, basically, yeah, it's this sophisticated piece of hardware where you go to Home Depot and you buy a wrench for five dollars.
I mean, it has to be a hefty wrench.
Speaker 1: So it's a metaphor.
Speaker 2: For compliance out of them.
Speaker 3: No, it's actually a legit thing.
It's actually a risk that we assess.
Although we find that rubber hoses will get answers fast. Water boards? Yeah, they hurt more.
Speaker 2: Who stole my Red Bull?
Who ate the cheesecake I had in the fridge?
So passkeys are the next generation.
The problem with passkeys right now is that every service that implements them is doing them differently.
Speaker 3: Right.
Speaker 2: We haven't gotten consistency...
Speaker 1: Yet, right. So you have fifty thousand different authenticator apps on your phone.
Speaker 2: The thing that's making it easier is most of the good key managers...
Yeah, key management and password management systems will save your passkeys as well.
Speaker 3: Yep, and provide them.
Speaker 1: Okay, look into it.
Okay, well that's where we break.
Right here is where we break.
We'll be back right after these very important messages.
So don't go anywhere, all right.
So in The Hacker News: Android security alert, Google patches one hundred and twenty flaws, including two zero-days.
Speaker 2: Didn't we just say, didn't Google just say, no, wait, we're really secure?
Speaker 1: Well, they said Gmail was secure.
Speaker 3: Yeah, Gmail's great.
Android's another story.
Speaker 1: Android's a whole different animal.
Speaker 3: Listen, I'm glad that somebody's looking at Android, because somebody needs to, all the time.
Speaker 2: Oh yeah, I'm going to say something similar to what I'm thinking it is: why don't they make the whole plane out of the black box stuff?
Why doesn't Google make it out of the Gmail stuff?
Speaker 1: That's great.
I can imagine Patrick in a board meeting, like at Boeing or something.
Hey, hey, I got an idea.
Why don't you make the plane out of the black box material?
And everybody's like, you're a genius.
Speaker 2: Puts a plane in the black box, and then it's recording.
Speaker 3: That makes sense. You know what, Patrick?
I think he solved it.
Speaker 2: Solved it, mic drop, follow me for more tips, I'll get Bellevue.
Speaker 3: Listen, folks, this is what I have to deal with every day.
You know.
Speaker 1: This is what it's like to work at a security company in New Hampshire.
Okay, so help me unpack this story, somebody.
Speaker 3: So this is not uncommon, you know. Android has been around a long, long, long time.
It's actually, if you look at the number of devices running Android, it's way more than running iOS.
Yeah, right, because there's all sorts of different Android-style devices, from refrigerators to set-top boxes to TVs to whatever.
Speaker 1: Even phones, right, even phones. Android phones far outweigh usage...
Speaker 3: Of iPhones, absolutely. So from that standpoint, it's a large target.
But the other thing about Android is it also was geared to be open originally, right, whereas iOS was completely closed off; nobody could see the source code, right.
Speaker 2: And got more closed off over time, and got...
Speaker 3: More closed off over time.
So we're going to see these things where, oh, there's this Linux kernel flaw here, or there's this, you know, buffer overrun there.
It's pretty common.
It's just good that you have someone like Google, who really does understand it very well, going through and saying, okay, yeah, found this, found this, found this.
We have one hundred and, it sounds staggering, oh my god, there's one hundred and twenty-seven patches. But if you go look at Microsoft patches this year, there are plenty of them that were deployed that were over one hundred.
Yeah, things they fixed, so not uncommon.
Speaker 2: Here's the problem.
Here's a big problem that nobody, no one's talked about lately.
The problem with Google and Android, as I understand it, is they build a version and then they come up with new features that they're going to add that they didn't tell their ecosystem about, and so the next version that comes out can't be installed on the hardware.
Speaker 3: Yeah.
Well, it's even worse than that, though, because not only do they do that, but they also then allow a provider to add core features as well.
So, like, if I'm an AT&T customer and using Android, AT&T gets a say as to what's on the phone, what apps, what preconfigurations, that sort of stuff.
Same thing with Verizon, the same thing with, you know, all of them.
So now you're making it flexible enough where all these providers can do their own branding and their own apps and their own whatever.
But you have no control over that ecosystem.
Right.
Whereas if I get my iPhone from AT&T or Verizon or whoever, it's the same iPhone, there's no, it's the difference.
Yeah, exactly, it's running the same OS.
There's no patching, there's no random apps on there.
If I want the Verizon app, I have to go download it, right.
Yeah. So, you know, I think, like I said, there's just two different mantras.
So it doesn't surprise me that they found issues like that.
Speaker 1: I got a story for you. Yeah, this was just yesterday.
My wife and I went to Best Buy to get her a new laptop.
Cool, and we literally walked out with a new laptop in the box, and I said, I'll set this up for you because it's probably got all sorts of bloatware and stuff.
Yeah, it didn't.
It had two HP apps and McAfee, wow, and that's it.
Speaker 2: Windows eleven has the crapware moved down to the root.
Speaker 3: That's what it is.
Yeah, they rekated it with with bloat with.
Speaker 1: Yeah, but I thought that was interesting, because it wasn't that long ago that you'd buy a new laptop and you've got all of this crap software.
Speaker 2: Maybe they realized it doesn't work.
Speaker 3: Yeah, you had to pave it.
Yeah, well, it could be.
I mean, I still am upset about McAfee, but whatever.
That's, it is what it is, like deploying McAfee.
I know you have contracts with McAfee, but really, they're better and cheaper.
McAfee is just one hair away from being spam.
Yeah, because when your contract, your free thirty days with McAfee, ends, they throw up the same style warning screens you would see if you were on...
Speaker 2: A, yeah, I'd rather have nothing, you know, a...
Speaker 3: Spyware site, where it's like, oh, you do realize you're not protected anymore?
Click here, right, yeah, type okay, whatever.
Speaker 1: But you are.
You have Windows Defender, right.
Speaker 2: Exactly, and you weren't protected before with them, right? It's all right?
Speaker 3: So I don't know.
I really don't like McAfee.
I would uninstall that and just allow Defender and whatnot, run with that.
Actually, I have Defender on my phone, works really well.
Speaker 1: Yeah, all right. So if you have an Android device, patch. Yep.
Speaker 3: Go patch, go patch, go patch, go patch.
Speaker 1: You're going to write a song?
Go patch?
Speaker 3: You should.
We should get T-shirts with, like, a dog with a software, like a disc in his mouth, he's panting.
Speaker 2: On the runtime or something like that.
Speaker 1: Met it to yourself.
Speaker 2: We need, you know what you need?
You need a band, Carl, with a cybersecurity theme and two tambourine players for me and Dwayne.
Speaker 3: I look fantastic in bell-bottoms.
Speaker 1: Okay, said no one, said. All right, so we told you Google is all over this week's show.
So this one is from cloud dot Google dot com: ViewState deserialization zero-day vulnerability in Sitecore products.
Speaker 3: This one's neat.
Speaker 2: Let me guess, they're written in .NET.
Speaker 3: Well, hence the ViewState.
So we'll unpack this a little bit.
So for those of you who don't program in .NET, where typically you're going to see, yeah, these are ASP.NET systems.
Speaker 1: Yeah, Sitecore.
Speaker 3: You have ViewState, and ViewState...
Think of it like a session key for you being logged into the server.
Speaker 1: But it's not a key.
It actually contains serialized data.
Speaker 3: It does, so if you could decrypt it, then you could see real data.
It's not just a key.
Speaker 2: So it might be a drop-down box, and it maintains which one you have selected.
Speaker 3: Yeah, right, but it's also ViewState data.
It's encrypted with the machine key, data that you typically don't have access to.
In this particular case, they actually were able to access the machine key remotely.
Speaker 1: Wow, that's no bueno.
Speaker 3: So accessing the machine key means obviously you can now modify ViewState, and if you can modify ViewState,
you can inject an object into the ViewState and then sign it as if the server would.
So when the server gets it, it goes, oh, okay, this is cool.
I must have had that object on the page because it looks like it's signed by me.
And when it deserializes it,
it would then run, and everything go boom.
Speaker 2: There's a technical thing most programmers won't know, and that is, it seems like when you talk to a web server it remembers you.
Speaker 3: It doesn't.
Speaker 2: It doesn't.
It's like if you go to a conference and the speaker says, oh, hey, Patrick, and they're like, here, remember my name?
It's on your chest.
So what happens is when you make a request, especially to, like, a web farm where there's fifteen web servers and they're load balancing, they might try to make you go to that same web server regularly with your conversation so that it doesn't have to put things in memory all the time.
Speaker 1: Yeah, it's called affinity. Affinity.
Once you log into one system, the idea with affinity or stickiness is that every request goes to that same service.
Speaker 2: That said, every time you talk to that web server, you have to remind it, where was I, what was I doing?
And ViewState and your session key and your token and all that stuff
is the way you remind the server, this is where we were in our last conversation.
And that happens every time you talk to the server.
Speaker 1: This is an older technology, this is ASP.NET Web Forms that we're talking about, which has been replaced by Blazor, which does not have this problem.
Speaker 3: Correct.
Speaker 2: So is Blazor connection-oriented or connectionless?
Speaker 1: Well, there's two types.
There's Blazor Server, which uses a SignalR connection on the back end just to transfer data that's changing, and comes back with data that's been updated using sockets, you know, requests.
Yeah, it uses WebSockets, SignalR's implementation of WebSockets, and then the server maintains the state of all the data right there.
It's never sent back down to the client.
And in WebAssembly it's just a standalone thing, so you're responsible for communicating with the server through an API or something else like that.
Speaker 2: HTTP protocol is connectionless; it doesn't, you have to bring it to you.
Everything from the previous conversation. So HTTP, ASP, PHP, all those things follow the rules that I just illuminated.
Speaker 3: Yeah, you have to have some session that you hold back.
Speaker 2: Carl's talking about a cheat where they set up a session so that they don't have to do that, which is great.
Speaker 1: Yeah, Blazor Server is wonderful, and it's...
Speaker 2: Very secure, but that wasn't possible back in the old days.
Speaker 3: No. So what's really neat about this?
Let's say we could grab the ViewState, and let's say we could modify that ViewState.
Now I'm an attacker on the website.
I'm viewing a Sitecore, so Sitecore, for people...
We didn't actually even talk about this.
It's a, uh, content resource management.
Yeah, it's, like, I think, like WordPress.
Speaker 2: Sitecore is going to sue you for comparing them.
Speaker 3: A WordPressy... They were exploitable, so they're exactly like WordPress.
No.
Anyways, I go to the website, I get this ViewState.
I can then, as I grab the machine keys, I can decrypt this ViewState.
I can add an object.
What object do we add?
In this particular case, what they did is they injected what's called WeepSteel, W-E-E-P-S-T-E-E-L, which is an object.
Speaker 1: It's a Baskin-Robbins ice cream flavor.
Speaker 3: Come on, load fifty razor.
You know, I expected, I'm gonna be honest, when my kids started trick-or-treating, I expected more razor blades in them.
Speaker 1: I know, I know, where are all the razor blades?
Speaker 3: A man's gotta get a shave, right? We all checked every piece of candy like there was going to be a razor blade in everything.
Speaker 1: It's like candy.
Speaker 3: Cut it off.
So what this would do is, when it deserialized on the server, then it would take over the server.
And from there they started doing reconnaissance with things like SharpHound and that sort of thing to enumerate the environment, gain access to, regain control over the web server, all sorts of crazy stuff.
Yeah, yep.
Speaker 1: So if you've got Sitecore, patch.
Speaker 3: Right, yeah, yeah, or switch to another, yeah, or upgrade to Blazor. Yeah, or upgrade to Blazor, call our buddy Carl.
Speaker 1: In which case, Carl at apphoenex dot com, we'll take care of you.
Speaker 3: Yeah, Carl can absolutely help you with that.
Speaker 2: This is an inherently risky thing to do, is give people the ability to edit over the Internet.
Speaker 3: Oh.
Absolutely.
Speaker 2: So it's nice to make fun of the companies, and I feel bad sometimes, but, you know, they picked it.
It's kind of like, you know, if you made fun of Siegfried and Roy because they got eaten by a lion.
It's an inherent job risk.
Speaker 3: Yeah, eaten by a lion, one of the... Wow, not too soon, it's years, it's okay.
Speaker 1: Too soon? Yeah, it's been years.
Most people listening to this don't even know who Siegfried and Roy are.
All right, so what do we want to say?
Are we done with the ViewState?
I think we are?
Speaker 2: Is there a patch?
Did they say that?
Speaker 3: Yeah?
I believe that Sitecore has actually fixed the issue.
So you should be good if you're using Sitecore.
The problem is, if you were using Sitecore, you may want to just go through logs and make sure that there's nobody doing weird stuff on your server that you don't expect.
Speaker 1: Okay, and speaking of logs: do security blogs enable vibe-coded cybercrime?
Security companies routinely publish detailed analysis of security incidents, making attacker tactics, techniques, and procedures widely known and visible.
These reports often provide comprehensive insights into specific vulnerabilities that are or could be exploited, malware delivery mechanisms, and evasion techniques.
Speaker 2: Yes, let's talk about a few aspects of this.
Speaker 3: So the first is, well, vibe coding. Before you start, this is not a new question right now. We've been answering this question for twenty-two years.
Speaker 2: Yeah, but continue. So in the question, and let's answer that first, the question is, are we safer by divulging this stuff or by keeping it secret?
And, I mean, honestly, the community that supports open source should be all over the, yeah, we're safer if we disclose this stuff.
By disclosing it, we can come up with better tools, we can do lessons learned.
Some people might say that we shouldn't be talking about this stuff on our podcast when we try to give people advice about how this stuff works, but understanding how...
Speaker 3: It works, the criminal career advice.
Speaker 2: Helps you, one, understand when it's safe, when it's secure. I think we should err on the side of information. That said, there's a big difference between explaining how an attack works and providing sample code.
What Microsoft did recently was cut off some companies in China's ability to get early warnings before there was a patch available, and it included how to recreate the problem, and as a result, some Chinese actors went and used that sample code to go hack a bunch of defense organizations and US companies.
That's too far.
We're not talking about that.
We're talking about, oh, there's enough information that I can vibe code a reproduction of that proof of concept. I would say that's possible, but it's narrow.
And the reason I say it's narrow is my, is our experience.
So if I have a group, if I have a team of six developers, if I take the best developer in that team and I give them vibe coding tools like Cursor, AI, Windsurf, those kinds of tools, I can get the productivity of that team of six typically out of that one if they're really good.
But I can't get rid of that one.
And so I can't take a thirteen-year-old who doesn't understand WebSockets and TCP/IP and ports and things like that and have them vibe code their way to an exploit because of the blogosphere.
If they're a technical hacker programmer, they may be able to vibe code their way to a point where they can write something they normally wouldn't be able to write themselves.
So it's a combat multiplier, it's not a gross enabler.
Speaker 3: Yeah, and I would go even a little bit further.
They may be able to write something that eventually they could write, but like you still have to have the technical knowledge to know if the thing that the AI is writing is in the right realm of possibility.
He is doing the right things and that sort.
So you still need to be an expert, but I think what happens is you're going to bring the time in right.
So like, if it's going to take me a month to build an exploit, I might be able to do it in a week if I'm vibe coding and understand everything.
But eventually I would have been able to write it by myself anyway.
Speaker 2Yeah, So let's talk about something that most people don't know about.
So there's a tool.
There's a tool called metasploit, and there's a tool called explore exploit dB yep, that most people are horrified to find out about.
Speaker 1Is this where we play the theme song Patrick.
Speaker 2Yes, you definitely would.
Speaker 3Yeah.
Exploit DB's awesome, all right.
Speaker 1Roll it, roll it yeah, Yeah, it's screamin.
Speaker 2So exploit dB is a database of exploits against known systems.
So if you find out after doing a scan that somebody's using qte FTP versions one, two, three, four, five, whatever it is, you can look up an exploitdb and you might be able to find an exploit that might work against it.
Also, if you're running metasploit.
You can go and look in their tables and find an exploit that they've built, so you can target that and it'll work sometimes but not always.
And the trick is it'll If you don't know what you're doing and it doesn't work, you're screwed.
Yeah, if it doesn't work and you know what you're doing, you can go in and look in question.
Maybe they installed it to a different path other than the default path.
Maybe they're on a different port than the default port.
Maybe there's a In other words, you can you can figure out why it didn't work and fix it.
That's not possible if you're not technically savvy enough, So you've got to be ninety percent of the way there or else you can't do what this what this article is talking about.
Okay, so it helps you with that last mile, it's not gonna help you with the first nine.
Speaker 3Yeah, agree, all right.
Speaker 1That brings us to our clickbait story, which you know it's kind of important.
This it's not us.
We're not just baiting you.
Like The Register: "FBI cyber cop: Salt Typhoon pwned nearly every American," yeah, plus millions of other people across eighty countries. Salt Typhoon.
Speaker 2: It's basically China.
China's hoovered up.
You gotta love that as a verb.
They hoovered up information.
Speaker 3: I know, right? Hoovered.
So this is like Jaeger, this is exposure.
They got phone logs too.
So yeah, if you, if you...
Speaker 2: Gave up on privacy a decade ago, this is no big deal.
If you're worried about China's hacking, it's a big deal.
But it also shows they did get caught.
Speaker 3: Yeah, but they got caught six years later.
Speaker 2: Yeah, that's true.
Speaker 3: The campaign started in twenty nineteen.
Wow. So in twenty nineteen hackers broke into telco companies, right, yeah, your Verizons and AT&Ts and that sort of stuff, and started pulling information like who you're calling, and recording calls, and seeing SMS messages, and watching what you're browsing for on your phone.
Yes, kids, someone can see what you're browsing for on your phone sometimes, so you know, this could be pretty damaging depending on what they pulled.
Speaker 2: That's true, although I'm pretty sure it's not ending up on the dark web, because China will keep it for themselves like they did the Marriott hack.
Speaker 3: Oh, absolutely right, and they'll use it to leverage assets in the United States, I'm sure.
Speaker 1: And yeah, I don't think China cares if, you know, every American is going to porn sites on their phones.
Speaker 3: Well, it depends, it depends, if you're a senator saying how those sites are terrible and you should never view them.
Speaker 1: Oh yeah, well, okay, yeah.
Speaker 3: Then China comes up and says, hey, here's a list of all the ones you go to.
How about you vote our way.
Speaker 2: When they find out Mike Johnson's browsing habits, he's in trouble, right? What did they tell his son?
Oh, I almost got Duane's spit take.
Speaker 3: Yeah, I almost, coffee almost came all over.
Speaker 2: Yeah, yeah, I timed it wrong.
Speaker 3: I didn't time it right.
Speaker 1: All right.
So the blackmail factor is high, is what you're saying?
Speaker 3: Or present?
Speaker 2: I don't know.
If it's high, it's present.
Speaker 1: Yeah, well, it's present for people who are doing things they shouldn't do.
Speaker 3: Are doing things they shouldn't. I mean, listen, I'm sure there's one or two Americans who are cheating on their spouse and it's in an SMS message somewhere.
So, dude.
Speaker 2: Here's the thing though, if China came and said Carl is doing this, who would believe them?
Well, there is that. And if they said, well, we know because we hacked your telcos. Okay, well, what the hell are you doing hacking my telco? It's...
Speaker 3: Right. And you did just plant that information, exactly.
Speaker 2: Yeah, you made that up.
You made that up because...
Speaker 1: Carl Franklin dyes his hair silver.
Speaker 2: I always wondered about that. Now you know.
So this is a big, far-ranging thing.
That said, it...
There's nothing here that I don't assume our government is doing, with warrants or without warrants.
Speaker 3: Oh, isn't doing? Yes, yeah, absolutely, or FISA court orders or whatever.
Yeah, absolutely, yep.
Speaker 1: Okay, well, there's no real call to action about this.
It's just, you know, the usual.
Speaker 2: Well, just accept the fact that there's no privacy.
Speaker 3: Well, or listen, if you're going to be taught... like we use communications platforms expecting that if it needs to be secret, we need to know that that data is being encrypted end to end.
We need to know that that data is being burnt at a particular time.
And that's one of the reasons for things like Signal, and even then, yeah, we're not putting anything super sensitive in those chat lines.
Speaker 2: We have code words for customers when we're talking in person.
Speaker 3: Right, yeah, just so that we're not, like, hey, there's this customer by name, right.
Speaker 2: Yeah, so we don't throw names around frivolously.
Speaker 3: Be paranoid, always paranoid.
Speaker 1: Well, just because you're paranoid doesn't mean they're not out to get you, right? Okay, well, on that happy note and notes, let's wrap it up, and we'll say thank you for listening, and we'll see you next week on Security This Week.
Thank you. Bye bye, guys.
