BTS #67 - BIOS Password Cracking, Secure Boot, and Stackwarp

In this episode, the hosts discuss various cybersecurity topics, including the challenges of BIOS password cracking, the implications of AMD’s Stack Warp vulnerability, and the importance of up-to-date secure boot certificates. They also explore the risks associated with network security appliances, the costs of cybersecurity, and the role of marketing in raising awareness. Additionally, they share insights from an X-ray analysis of USB cables, highlighting the differences between quality and counterfeit products.

Transcript

Paul Asadoorian (01:54.117)
This week, cracking BIOS passwords, Stack Warp, important secure boot updates, Fortinet’s patching the patch, and more. Stay tuned below the surface. Coming up next.

Paul Asadoorian (02:09.432)
Welcome to Below the Surface. It’s episode number 67 being recorded on Thursday, January 22nd, 2025. I’m Paul Asadoorian. Joined by a mixture of coworkers and podcast friends, Mr. Vlad Babkin is here. Vlad, welcome.

Mr. J. Snyder is here. And Ms. Mandy Logan is here. Mandy, welcome.

Chase Snyder (02:30.178)
Hello.

Mandy Logan (02:34.256)
Why thank you. It’s my first foray into this little world. So this is very nice. Very nice. Thank you.

Paul Asadoorian (02:38.594)
Yes, I’ve been doing a lot of crossovers. Just been dragging in all my podcast friends into this show because why not, right? Yeah, we get different perspectives. It’s nice, it’s nice. Good to have you, Mandy.

Chase Snyder (02:46.827)
Happy place.

Mandy Logan (02:51.912)
Thank you.

Paul Asadoorian (02:51.972)
Just before we get started though, below the surface listeners can learn more about Eclypsium by visiting eclypsium.com forward slash go. There you’ll find the ultimate guide to supply chain security and on demand webinar I presented called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with Digital Ocean. If you’re interested in seeing our product in action, you can sign up for a demo at eclypsium.com forward slash go.

Alrighty, now that we got that out of the way, I think the first order of business is to talk about BIOS password cracking, which I’m sure Vlad, you’ve done before, right? I know several on our research team, we’ve talked about BIOS password cracking in the past, and there’s easy ways and there’s hard ways. Vlad, have you done this recently or somewhat recently?

Vlad Babkin (03:49.165)
Yes and no. So usually for me BIOS password cracking was, hey, we just reset CMOS, like take out the small battery and done, the password is no longer in the BIOS. This is the case of when this doesn’t work, I guess.

Paul Asadoorian (03:56.782)
Right.

Paul Asadoorian (04:03.906)
Yeah, yeah. Does that clear, like, is the password stored in like an NVRAM that gets cleared when you take the battery out? Is that basically the tried and true method?

Vlad Babkin (04:15.876)
That’s normally the case, but yeah, the article you are trying to mention in this case tells that it’s not stored there, it’s stored in actual separate flash. So you can take out the battery all you want, password is not gonna go away.

Paul Asadoorian (04:25.219)
Right.

Paul Asadoorian (04:29.972)
Mm-hmm. And then they decided to go with a different approach and decided to start brute force cracking it with a Rust-based project on GitHub, but failed to even build. So then he asked Claude Code

to write a Python script to do the brute forcing via the Windows based HP BIOS utility, which is interesting. I’m assuming, I wonder if that’s a bootable, it must be like a bootable thing. So you boot it on your BIOS utility or if it was running directly in Windows, I’m not sure which.

Vlad Babkin (05:07.884)
It was running directly in Windows and it had the BIOS utility apparently.

Paul Asadoorian (05:13.42)
And the thing that is interesting, six months later of near continuous attempts at nine seconds per try, which is very slow, by the way, in terms of password brute force guessing, that is for listeners, that is slow. The method failed to produce a hit. And so he was unsuccessful. Which is interesting.

Mandy Logan (05:22.956)
Yes.

Vlad Babkin (05:23.552)
Very, very slow.

Vlad Babkin (05:36.417)
Yeah, so the most interesting part of the story is that he has hardware access, like it’s not a remote thing. So, or she, I’m not sure who is doing the cracking in this case, but regardless, you can get the flash contents and maybe extract the hash, which would maybe accelerate it just tiny little bit, you know, go from like, you know, seconds per attempt to at least attempts per second.

Paul Asadoorian (05:57.068)
Right.

Paul Asadoorian (06:05.676)
Right. Yeah, I’m curious now what’s on that flash chip. Like, what happens if you use an SPI controller and just zero out that flash?

Vlad Babkin (06:05.964)
So.

Vlad Babkin (06:15.946)
Yeah, or I don’t know, find the hash and just replace it with the hash you know. Like, what’s preventing this is the interesting part, because like at six months of attempts, just the electricity cost of running this might be more than getting yourself a flash programmer and just dumping the flash.

Paul Asadoorian (06:20.566)
Right, right.

Paul Asadoorian (06:33.656)
Right, right.

Mandy Logan (06:34.936)
That’s kind of what I was thinking too, along the same lines, because I feel like, yeah, BIOS, UEFI, firmware security, this is where people, brilliant people, should be spending time. They say these are critical things, these are critical infrastructure, and yet I’m kind of confused on this. You’re spending six freaking months to crack a $200 laptop, like, and it’s not even being done. Like, what I, on the outside, go is like, that’s not really efficient. So is this literally just

Paul Asadoorian (06:52.034)
Long time.

Mandy Logan (07:04.102)
doing it for S&Gs? Or are they doing it like, I’m curious on your guys’ side, like is there some other methodology here that is brilliantly working to push security forward? Or was this just an expenditure of electricity, time, money, because you can say you did it.

Paul Asadoorian (07:22.488)
Yeah, because now I’m also thinking, like, you could de-solder that SPI chip and put a new one in as well, potentially.

Vlad Babkin (07:29.526)
Yeah, like.

Chase Snyder (07:29.646)
I feel like it’s, it’s just like, it’s basically like, there’s a whole meme around using AI for various security things. Or someone thought of this one and it was like pretty easy for them to set up and do it. They’re like, okay, we tried out an AI thing for security research. It didn’t have to be super real.

Paul Asadoorian (07:44.396)
Yet more of an experiment, but just ’cause you can doesn’t

Vlad Babkin (07:49.066)
Yeah, yeah, yeah, yeah, yeah, yeah.

Chase Snyder (07:50.646)
It’s going to get a headline regardless of if it’s real, real cybersecurity research or useful cybersecurity research or not, because it’s like, ooh, AI, offensive AI, defensive AI use cases.

Vlad Babkin (07:56.192)
Yup. Yup.

Vlad Babkin (08:02.444)
Yeah.

Paul Asadoorian (08:02.948)
It is a testament to the BIOS password as some type of security control that does work to some level of efficiency. I do recommend a BIOS password, especially as I think about KVM systems, these IP-based KVMs that attach to your system. In a lot of them, you can install it as a card or they have connectors that go onto your motherboard. So through the KVM, you can manage

BIOS just like you would in a BMC, and I’m like, you know, some recommendations for people that are deploying either BMCs or IP-based KVMs is to set a BIOS password, so that if someone does connect to it, like basically have physical access, right, which is what those devices allow, there’s at least a password there that deters them.

Mandy Logan (08:57.976)
Okay, so you’re talking, so it deters, it’s not bulletproof.

Vlad Babkin (08:58.38)
Yeah.

Paul Asadoorian (09:01.132)
Right, yeah.

Vlad Babkin (09:01.9)
Yeah, it’s not always bulletproof. If you have hardware access, what you can do, you can grab yourself a programmer, dump the flash, analyze it, find where it stores password, extract the hash. Most normally, like in my experience with BIOS, BMCs and whatnot, most of the time, it’s either stored in plain text somewhere, or it’s a very basic hash like SHA-256, depending on what you’re just dumping. BIOS usually is hashed.

Paul Asadoorian (09:25.002)
Interesting.

Vlad Babkin (09:31.798)
BMCs usually are not, due to IPMI protocol limitations. And if you got something like a SHA-256 hash, that’s like billions per second on the GPU.

Paul Asadoorian (09:36.611)
Interesting.

Mandy Logan (09:38.052)
Wait, do you know more?

Paul Asadoorian (09:42.724)
Mm.

Mandy Logan (09:44.444)
Do you know anything on the reasoning why SHA-256 is used most commonly?

Vlad Babkin (09:49.994)
Performance.

Paul Asadoorian (09:53.144)
Yeah, either that or that. Is that what’s in the EDK2 specification?

Vlad Babkin (09:53.792)
So like…

Vlad Babkin (09:57.981)
I’m not sure, I didn’t check that much.

Paul Asadoorian (10:00.517)
Yeah, I mean the other thing you could do is you could reverse engineer the UEFI BIOS code and see where it’s accessing and storing the password and see how it hashes it.

Vlad Babkin (10:09.708)
And even then, if you have physical access, nothing is stopping you from overwriting the hash, even if it would be something much more secure. Let’s say some crazy soul would implement argon2id in BIOS and hash using that. Well, you can just make your own argon2id and just write it into the flash once you know where it is. So.

Paul Asadoorian (10:17.71)
Right.

Paul Asadoorian (10:28.866)
Yep. I would just call it code to decompile the bios and find where the code is that sets the password. Give me some, at least guide me in the right direction.

Vlad Babkin (10:40.364)
Yep. So it’s like, I question the existence of why the person would specifically go through the BIOS utility for this long at this low rate.

Paul Asadoorian (10:52.31)
Right, right. Yeah, it’s the BIOS utility that’s probably adding a lot of that latency, right? Because the way that it’s going to access those chips is a much longer technical discussion, right? But the way software in Windows interfaces with these subsystems jumps around a bit to, like, different protocols and stuff, which is probably what’s introducing that latency. But like Vlad’s saying,

Mandy Logan (11:15.654)
but how much latency?

Paul Asadoorian (11:17.444)
I mean, it depends on the system, but you know, typically it’s like memory-mapped IO, and there’s other protocols that I can’t recall off the top of my head that allow you to have access to the chips through, like, some other hardware operating system subsystem, and all that is going to add latency. Whereas like Vlad’s saying, just, you know, dump the chip directly,

then you can do an offline attack on it, which is much faster.

Paul Asadoorian (11:53.829)
It’s funny we’re still talking about password cracking. We were talking about how Mandiant released those full rainbow tables. And I started looking at how you generate your own rainbow tables and like just a quick glance and quick research, I was like, that’s really involved. Like it was asking me all kinds of questions that I didn’t know the answers to as to how I wanted to create the rainbow tables. And I was like,

Mandy Logan (12:03.994)
I was curious, yeah.

Mandy Logan (12:19.973)
Did you look at those notes they sent yesterday, the information from Lumo, when I was asking yet about generating?

Paul Asadoorian (12:26.046)
No, I looked at those. Yeah, yeah. So he had notes on it. Yeah.

Mandy Logan (12:29.532)
Because I, right, well was pretty, I thought it was interesting that on talking about like an average household connection that if I remember correctly, it was on a simpler hash taking one table as an example, just on six alphanumeric characters that to download it would take possibly seven, I think it was 7.3 or 7.7 hours.

Paul Asadoorian (12:56.696)
Yeah. Mmm, interesting.

Mandy Logan (12:57.146)
But to generate it would take like 1.1.

and it gave the methodology to be able to generate. So I’m just curious if you happen to look at that and if that was what gave you the issue. You’re like, I don’t know how to answer this stuff.

Paul Asadoorian (13:09.506)
Yeah, it’s much longer. Mandiant didn’t publish exactly how those tables were created. And so the AI that I asked to analyze it was like, Mandiant didn’t publish all the details, so it couldn’t tell exactly how those tables were created, like how big of a dictionary or whatever. And there were other parameters that I was like, I have to research those. It’s been a long time since I’ve done any serious password cracking.

Vlad Babkin (13:40.748)
So that makes sense.

Paul Asadoorian (13:46.723)
What else we got in the news? We got a new vulnerability from AMD, affecting Zen versions one through five processors. This affects their SEV-SNP, which is like the, what’s the Intel equivalent? Drawing a mental blank now. SGX.

Vlad Babkin (14:04.78)
Secure enclave, I think, something like this.

Paul Asadoorian (14:07.074)
Or secure enclaves, yeah. You know, in Intel it’s been a, basically it’s a hypervisor layer security control that,

Correct me if I’m wrong, prevents a host and guests from talking inappropriately to breaking out of, I should say breaking out of their assigned memory regions. And this vulnerability allows you to manipulate pointers to essentially step out of your memory controls. Did I get that right, Vlad? Have you looked at the stack warp vulnerability?

Vlad Babkin (14:42.668)
Not in great detail, but again, judging from what they describe, they can control pretty much execution flow. They can inject code pretty much into a confidential VM. Like, how bad is it? Yes, it’s bad. Mm-hmm. Yep.

Paul Asadoorian (14:59.042)
Right, but they need to be on the host operating system to inject into guest VMs, right? That was the attack flow. I gotcha.

Vlad Babkin (15:06.038)
Yep, and I presume they should have high privilege on the host machine. I presume, I didn’t read the paper in detail, but usually these attacks require pretty high privilege on the host VM or attacking, sorry, host machine or attacking wherever the attack is from. So again, confirming this, we would need to read the paper because if it is any user can do this attack, it’s much worse.

Paul Asadoorian (15:32.758)
It looks like in their demos they’re a regular user.

Vlad Babkin (15:37.224)
Wow, okay.

Paul Asadoorian (15:39.3)
Yeah, like I don’t see a root prompt.

Yeah, they have like a 36-second attack. That was like the first one on their site, Stack Warp Attack dot com. You know it’s serious when the attack gets its own website, its own logo. That means it’s pretty serious.

Vlad Babkin (15:44.809)
Wow.

Chase Snyder (15:59.894)
I’m glad, Paul, I’m glad to hear that these marketing activities are an indicator of seriousness to you. That warms my little heart. I’m trying to remember, it was like Heartbleed had tons of graphics. I was like, they hired a graphic designer for that one. There’s a whole marketing department if the volume gets big enough.

Paul Asadoorian (16:16.707)
Right?

Paul Asadoorian (16:25.956)
For sure.

Mandy Logan (16:28.11)
So I want more information here. And first off, do we say SEV SNP? Or no?

Paul Asadoorian (16:35.704)
Yeah, I’m not sure how you, yeah, it’s a weird, I guess you could just call it SEV, secure encrypted virtualization. It says a CPU extension enabling more secure separation between virtual machines and the underlying hypervisor.

Mandy Logan (16:41.54)
Oh, okay.

Paul Asadoorian (16:52.26)
So you can deploy VMs for a cloud. It’s for a cloud provider, right? You can deploy VMs in an untrusted hypervisor environment securely. So the cloud is a good use case for this, right? Because you don’t want tenants being able to see each other’s data across VMs on a hypervisor.

Mandy Logan (16:52.355)
So

Mandy Logan (17:10.742)
And I thought, isn’t this like AMD’s, you know, crown jewel of making sure there’s confidential computing? And I thought I saw in some of their documentation that their pitch was like, not even the hypervisor can touch your VM. But this seems to kind of fly in the face of that in every single way. So how was that missed? Like, how? What do you postulate? What is your? Was that the right word? We’re not gonna say purgatory.

That’s all I

Paul Asadoorian (17:40.943)
Well, I think it’s more for cloud environments, I think, unless you’re running your own kind of cloud environment. It’s more tuned towards,

I’m running VMs that need to be separated from each other. So like you may have, it even says in the FAQ, like if you have an AMD CPU that supports SEV, your machine is affected, but the attack is only gonna play out if you rely on that confidential in the controls that are provided by AMD SEV.

Mandy Logan (18:15.548)
So, I mean, then to me, that means like, I’m doing quick calculations, I would assume that that’s only like 20% of scenarios. Even lower.

Paul Asadoorian (18:25.092)
Yeah, it’s probably a much lower percent. That was my take on this one too, Mandy and company, right, was this is for a select portion of the market, not everyone. Cause like my AMD CPU probably supports SEV, but I’m not using it, right? I can use other virtualization technology, but I’m not doing the secure enclave implementation from the hypervisor built into the CPU.

Vlad Babkin (18:54.998)
Like, for this attack to actually be effective, you need to be using the SEV technology in the first place. And I would question in what environments it’s used, like obviously cloud, but besides clouds, I’m not sure we will meet this in many places. Like maybe some government agencies might be worried, maybe some self-hosted guys who are hosting VMs might be worried, but it’s like…

Paul Asadoorian (19:00.77)
Mm-hmm. Right.

Paul Asadoorian (19:06.99)
Cloud is the only, yeah, besides cloud, I don’t know, right.

Paul Asadoorian (19:19.78)
Mm-hmm.

Vlad Babkin (19:23.188)
More or less a fringe use case beyond cloud.

Paul Asadoorian (19:29.698)
They also have, Chase, your marketing point. The very last FAQ asks if you can use the logo, and they actually provide a whole bunch of different logos in different formats for you to use. They do. They do. They worked really hard on the marketing angle. I mean, the website looks nice. It’s got a nice theme and colors and everything. Yeah, for sure. For sure.

Chase Snyder (19:40.876)
Yeah, they want this to get covered. They want us to be talking about it.

Chase Snyder (19:52.214)
Yeah, there’s a marketing meta around these things for sure. Where similarly to the AI for password cracking, it’s like these are the kinds of things that get attention and attention is extremely valuable regardless of what it’s about.

Paul Asadoorian (20:07.758)
Yeah, actually, and to go back to what’s affected, in the AMD advisory that you can find, it is CVE-2025-29943. If you follow that along and get to the AMD advisory, it looks like EPYC processors are the ones that are affected. And those are the ones that are used by cloud providers, right? That’s the…

It’s not in like desktops and server, well maybe servers, but certainly not desktops.

Vlad Babkin (20:41.26)
Because desktops don’t usually come with all of those fancy features for virtualization anyway.

Paul Asadoorian (20:47.638)
Right, right, yeah, a description for EPYC is kind of where my brain was going too. High-performance multi-core server and data center microprocessor.

Paul Asadoorian (21:03.086)
So primarily affecting providers, which I’m sure are working diligently to apply the patch, because it hits them right where they want to put these controls to separate data in virtual machines. So that was kind of an interesting one. Hey, you know, any time it gets a logo on a website, I feel like we have to cover it.

Mandy Logan (21:20.495)
in

Mandy Logan (21:26.46)
And it looks, I’m curious, it always, you know it’s official whenever it has a black background, even when you’re not in dark mode. You know it’s super serious. Now this note is, I notice here it says also disabling SMT is an effective immediate stopgap. So if anybody is affected by this, I guess at least they can do that if they don’t get the patches.

Paul Asadoorian (21:33.688)
That’s right. Yes. For sure.

Paul Asadoorian (21:52.036)
Yeah, the patches are out and the paper will come out in USENIX Security 2026, which is what I was digging for on this website. When I first saw it, I was like, is there a GitHub? Like, can we test this? But then looking at what processors that affects, like, I don’t have access to one of those processors readily available. So we will get more information and hopefully some demo code as well. But at least now everyone understands the vulnerability. You can go patch it.

Vlad Babkin (22:18.176)
Well, there is a simple POC.

Paul Asadoorian (22:21.955)
Of that.

Vlad Babkin (22:23.392)
There is a simple POC somewhere in the SV artifact.

not sure what it contains.

Like, they actually, if you read their article, they post or where can I send you the link? Okay, let me just drop it here.

Vlad Babkin (22:44.236)
Here you go. Here is the link. So this is the file associated with the exploit. So they might already have published it in POC. I’m just now looking at what’s in there.

Paul Asadoorian (22:54.73)
Interesting.

Oh yes, we did publish, I think. I couldn’t find that easily on the website.

Vlad Babkin (23:02.73)
Yeah, it’s in the article. If you open the PDF for USENIX ’26, there is a read button on the website, and you can scroll down and you will see a link to this website, Zenodo. Yeah, it contains this nice artifact, and they described that it has a simple POC which would allow you to check if you’re vulnerable.

Paul Asadoorian (23:12.152)
Interesting.

Paul Asadoorian (23:21.047)
Nice.

Paul Asadoorian (23:28.065)
Nice.

Mandy Logan (23:29.18)
But this would be, I don’t know, I’m still weirded out by that. From what I’m understanding of it, this has made it through five generations of this chip, right? It’s been steadily vulnerable this entire time. I’m still weirded out by that not having been found in production at any point through the different generations. Like.

Paul Asadoorian (23:56.822)
It’s crazy. And it’s not the first time. I want to say there’s other vulnerabilities in AMD SEV, and there’s certainly vulnerabilities in Intel’s SGX or secure enclaves. And there’s been a series of research that basically breaks the security boundaries in all these technologies. I’m not aware of anyone exploiting it in the wild. And so this isn’t traditionally also like a transient

execution. This is an archi-, they say it right in there, right? It’s an architectural bug, not transient execution like Spectre or Meltdown. But even in all these classes, I’ve not seen it used in the wild, unless someone else remembers a reference, but I don’t see it exploited in the wild.

Vlad Babkin (24:47.297)
Yep.

Mandy Logan (24:47.868)
Okay, and then who would benefit the most from exploiting it?

Paul Asadoorian (24:53.539)
Well, it’s somewhat of, I class these as like when we’re talking about cloud, it’s kind of an opportunistic attack, right? So let’s say like as an attacker, I go create a cloud account, I spin up this technology and it’s vulnerable. I got to hope that whoever’s next door to me, right, my neighbors, are targets that I want to attack.

And I think that’s why we haven’t seen a lot of these attacks in the wild, because it’s very opportunistic. I don’t know who my neighbors are necessarily in the cloud environment. Maybe I could determine that using some of these exploits, but it’s very opportunistic.

Mandy Logan (25:36.54)
Well, that brings to mind I was talking to a dev at Dropbox and Dropbox just migrated everything from AWS to proprietary or to locally hosted. Of course, then they moved up. They also moved up to Poland. Interesting also. They also did that. And so in what you’re saying, is that a portion of application like it had been in AWS?

Paul Asadoorian (25:48.789)
Interesting.

Paul Asadoorian (25:52.705)
Yeah, well, yeah.

Mandy Logan (26:06.074)
It’s all in cloud. We’re talking about Dropbox. So it’s all right.

Paul Asadoorian (26:09.773)
Files, yeah, good juicy target, yep. It could have been one of the drivers for them to move to on-premises, but I think more so it’s cost

that drives people, I think security is probably second or somewhere down further on the list from cost. When, especially a larger company, there was another company that makes project management software that moved everything from the cloud to on premises and they had this big party in the office when I think the CEO and the founder hit the button to make the last final change that moved them from the cloud to on premises.

Again, and I remember reading it from that, who is the company that makes project management software? Basecamp? I think it’s Basecamp. I remember reading about Basecamp a few years ago in their move.

Mandy Logan (26:58.703)
Okay.

Paul Asadoorian (27:03.915)
And I remember security, like, being on the list, but not very high up. It was very much more about cost, operational costs, and the difference between running in the cloud and on-premises. And so we haven’t seen that continuing trend. Of course, whatever they’re hosting on-premises has to still, could still implement the same technology. They’re not, you know, they still are responsible, they’re more responsible for security hosting it on-premises in that model, but they have more control, right?

In a cloud provider, and you’re concerned about Stack Warp, you have to wait until the cloud provider deploys the patch before you benefit from it. Whereas on-premises you’re in a little more control. You can go, I can go apply that patch from AMD.

Mandy Logan (27:52.654)
I will say in their migration project, it does sound very likely that they’ve spent more than what was projected to be saved.

Paul Asadoorian (28:00.148)
Mm-hmm. Well, maybe in the short term, but they’ll probably recognize the longer-term gains.

But again, it’s more responsibility, right? Yes, now you can apply. I mean, we’re gonna talk about network security appliances, of course. That’s the same trade-off, right? It’s a very similar shared responsibility model. And I draw this line very distinctly for Eclypsium.

Mandy Logan (28:11.633)
Right.

Paul Asadoorian (28:31.583)
But in general, I like to classify devices because the terminology is all over the place. They call it a network edge device, a network security appliance. Like, what is it? But I’m saying that the appliances that you push responsibility back to the vendor on more so and are trying to benefit from shedding that responsibility are the vendors that provide you with an appliance, physical or virtual, and the vendor provides the operating system.

and maintains and controls the operating system.

Cisco has been in the news for their secure email gateway and their VoIP stuff, their unified communications. So when I do the research and I ask this question, I’m like, is this product from Cisco deployed as like, do they provide the operating system and the application in a physical or virtual appliance? Or is it software that I as the user can go install on an operating system that I install, maintain, control and monitor?

And that’s a big difference. So when I did that research, I basically prompted AI. I said like I did research, like I did this magic, I prompted AI. When I prompted AI, I’m like, so how is this deployed? And AI is like, well, this is deployed as an appliance and Cisco provides you with the operating system, right? Usually that’s Linux under the covers, right? We’ve seen usually CentOS is pretty popular, other Linux as well, and they’re maintaining the operating system. And the hope, I think, from IT teams is, I don’t have to maintain and

monitor and manage that operating system because it comes from the vendor. Very similar to the shared responsibility model in the cloud. If I’m hosting in the cloud, there’s security responsibilities that I’m passing off to the cloud provider, but as soon as I bring it on-prem, now I’m responsible for the operating system.

Paul Asadoorian (30:25.439)
It’s interesting how we thought that was the benefit to shed some of this responsibility. But now some of the benefit is if I control the operating system, I can put my stuff on it, right? I can put my EDR on it. I can put my vulnerability management on it. I can put Eclypsium’s agent on it because we support the operating systems that you manage maintaining control. And so you have better visibility and control, but more responsibility.

Mandy Logan (30:54.268)
That goes with most everything in life though.

Paul Asadoorian (30:56.359)
Right. But I think the hope is you have better security, right? You hope that whatever device you’re getting from the vendor is more secure than you could make it yourself. Right? I don’t know if that’s every IT team’s decision tree, but certainly

Mandy Logan (31:06.096)
then went right.

Paul Asadoorian (31:12.969)
as a cybersecurity professional, that’s when like these are the trade-offs that we have to weigh. Can we do it better ourselves or is the vendor going to do a better job? Now what we’ve seen in the past probably three years is an increasing continuing trend of these network security appliances having very poor security and couple that with attackers noticing that and going well that now that’s our target. Right? So we’ve got this perfect storm and Chase you’ve pulled all kinds of evidence that

this is happening, right? This has already happened, right? That network security appliances are almost open up more risk now, right? I don’t think we’ve ever had the frank discussion that it’s riskier now in a lot of circumstances, right? Wasn’t the insurance company, cyber insurance?

Chase Snyder (31:59.234)
Yeah, yeah, yeah. Yeah. You found that report that opened up the floodgates to me. I didn’t realize that cyber insurers were putting out these, like, state of the industry reports, but it was At-Bay Cyber Insurance Company that put out their report that said it. Companies with, I’m going to cite the source so that I don’t get in trouble for naming vendors, At-Bay Cyber Insurance said that among their customers that filed a cyber insurance claim,

Paul Asadoorian (32:20.663)
Yeah, yeah. It was a great report.

Chase Snyder (32:29.206)
Among their customers, you were 6.8 times more likely to be the victim of a ransomware attack if you had Cisco or Citrix VPNs. And then it was like 3-something times more likely if you had on-prem VPNs versus cloud or no VPN at all.

Paul Asadoorian (32:41.059)
It’s crazy.

Mandy Logan (32:43.351)
Yes.

Chase Snyder (32:50.99)
And then numerous of the big reports, like the Mandiant M-Trends report, the Verizon Data Breach Investigations Report from 2024 and 2025, indicated a big uptick in exploitation of vulnerabilities against network devices and the speed of those, where in the Verizon report, the 2025 one, which was mostly on 2024, the median time

to exploitation of a newly disclosed vulnerability in a network edge device was zero days. The median time was zero. So it’s like the most of them are being exploited on or before the CVE actually gets issued or they get disclosed. So it’s not only that they’re being targeted, but they can be exploited super quickly. And there just is, is no defending against that. There’s these layers of challenges where you can’t as the buyer,

Paul Asadoorian (33:34.413)
Yeah.

Chase Snyder (33:45.238)
of the firewall or the VPN or whatever, you can’t put your EDR agent on it. You don’t have the level of monitoring. So you’re not going to catch an exploit of something that hasn’t been discovered. You’re not going to see a weird anomaly. Yeah. You’re not doing anomalies actually in that box. Yeah.

Paul Asadoorian (33:56.012)
Right, and you can’t implement your own compensating controls, right? They’re limiting you from implementing those compensating controls. Not that you can’t bypass compensating controls, but they’re there for a reason, to make it more difficult and expensive for an attacker to compromise the system, right? That’s the goal of EDR, patch management, the whole thing. But it’s interesting too, I wanna go back to a point that you said, Chase, that…

the zero days, right, from the attackers were already exploiting it. That’s how the vendor found out about it and then released the patch to fix it after, like the indicator was it’s already being exploited in the wild.

Right? And this, this takes me back to like my early days working for a university where not just my university, but many universities from like 2001-ish on, uh, were in this unique situation where the, the, the bar, ’cause we were just building the security programs and a lot of those universities at that time, the bar was: can I find and discover the vulnerabilities and compromise systems myself at a faster rate than they’re being externally reported to me?

When I first started at the university, the primary indicator that we were compromised came from an external report. It came from another university or law enforcement or just independent third-party reporters. It was like, hey, I’m being attacked by your system, or hey, you’re hosting 247,000 movies that are being distributed on the internet from one of your systems, right? And it was the external reporters, and we had to work hard on our security programs to just reach that tipping point where we could discover stuff better on our own and reduce that number of external reports. Everything comes full circle. Now we’ve got these network appliance vendors that are fixing stuff after it’s exploited. When are we going to start to get ahead of the problem?

Vlad Babkin (36:04.428)
It gets, it only gets worse actually. Sorry for interrupting. They start, they are slowly starting to hide their firmware from downloads behind, behind some bars to like prevent researchers from actually digging in. It doesn’t stop attackers, but it stops guys like us from digging in instead, because like, if attackers are hell-bent on getting into some organization: oh, hey, these guys have this FortiGate, this FortiGate costs $20,000.

Chase Snyder (36:04.503)
It’s also the

No, you go ahead.

Paul Asadoorian (36:14.006)
Right.

Vlad Babkin (36:33.536)
Well, I don’t care, I’m gonna buy that FortiGate, but what do vendors like us do, because imagine that we have a hundred of those which we want to protect, all of them cost twenty thousand dollars. So they’re not doing a good job at defending from all of those attackers.

Paul Asadoorian (36:49.451)
Yeah, it sounds like their answer is more sweep it under the rug. Don’t let people find vulnerabilities in it so we don’t run into this situation, when the real answer is let’s secure our code and applications and make sure we’re not delivering vulnerabilities.

Mandy Logan (37:02.021)
Yeah.

Vlad Babkin (37:04.3)
It will only get worse with this approach because it’s not sweeping it under the rug from attackers, it’s only sweeping it under the rug from defenders like us. And eventually what we’re gonna get is exactly like the announcement that, hey, your patch is actually not patching anything.

Paul Asadoorian (37:09.697)
Yeah.

Mandy Logan (37:21.774)
It’s like the Emperor’s new clothes. Like they’re saying they’re all secure and everybody else is going, hey, you’re not actually wearing anything over there.

Paul Asadoorian (37:24.717)
Yeah.

Paul Asadoorian (37:28.119)
Right, right.

Mandy Logan (37:33.54)
Everybody else knows it.

Paul Asadoorian (37:35.364)
It does underscore the interesting point where honeypots are a way to catch what’s happening now, right? So like as a security research organization, a lot of companies do this, they set up honeypots and observe the behavior, right? It’s just so backwards. It’s so backwards. That’s where our intelligence is coming from. And we’re just sitting around waiting for threat actors to exploit something to figure out what’s vulnerable and what’s being compromised.

Chase Snyder (38:04.238)
Yeah, the new timeline. This happened a couple times in 2025. You see the like big wave of scans happening, like big internet activity that’s like, oh, it looks like a whole, any sort of Palo Alto, anything that’s exposed internet is getting scanned right now. I wonder what’s going to happen in like two weeks from now. And then there’s a big wave of attacks. Like who could have possibly foreseen this? But it’s like, you can, you can see there’s like, but to have the sort of…

Paul Asadoorian (38:16.821)
Yeah.

Paul Asadoorian (38:24.803)
group thought.

Chase Snyder (38:32.184)
threat research be happening by attackers, and then it’s like, okay, we’re going to watch out for as soon as they start trying to actually use that. And then that’s when the clock starts for us to start trying to do something about it. It’s like, we know they’re going to find the, find the vulnerabilities when they start looking for something to attack. It means we know they have some sort of attack to do. Let’s see how long it goes from when they start scanning for all the management interfaces on whatever box it is. And then, but

even still, like, what organization can move that quickly? Okay. More fun stats. I’m a stat machine from the, from the Data Breach Investigations Report. Those same devices, the, the median time for exploitation of a vulnerability on a network box was zero days. Right. The median time to patch that was 30 days. And that’s the median. Lots of them take way longer. So the, there’s a real imbalance in how quickly the different parties can act in these cases.

Paul Asadoorian (39:36.74)
I have an interesting data point on that, Chase. Then when we were looking at, I think you were on this meeting too, we were looking at,

basically putting ourselves in the shoes of an IT or security administrator that has to go update a network security appliance, right? So you have to know, and the way the data is presented by the vendors is often, well, there’s this vulnerability, it affects this operating system, and by the way, there’s 100 products that use this operating system.

And it’s these, like, even we’re looking at Fortinet, not to pick on Fortinet, but I mean, I kind of will. I’ll try not to, but

they list like six different ranges of FortiOS that need to be patched. And I think this was recent. At the bottom they have a link to a tool. It was like, hey, if you need help figuring out what you have, what version it’s on and what version it needs to be, they have a tool that can help you with that. So the fact that they need a tool to help their customers figure out, I don’t know, I’ve got all this stuff deployed. Like, what do I have? What operating system is running? And what

version do I need to be on to remediate the latest vulnerabilities is not an easy question to answer, right? So much so they have to have a tool. Cisco’s had tools like that for a long time, right? To go, well, I’ve got this model, you know, this specific model switch, and I need these features, like what IOS do I need, right? Which one do I need? They’ve all had tools to help you figure that out. So it’s not, and that’s part of the reason why my point is the remediation is

Paul Asadoorian (41:18.724)
much slower than the exploitation that’s happening.

Chase Snyder (41:23.426)
Yeah, a hundred percent. Also they don’t, even in a, even in a very mature enterprise that has a security team that has a process in place where they want to say, okay, we are at N minus one for our, you know, firmware versions across this fleet of whatever type of device, we have seen in the real world environments where

that just, it just isn’t the case. Like it’s so difficult. You have a per-vendor tool and you got a person or multiple people whose job it is to look at your tens or hundreds of different devices across all of several different vendors’ worth of stuff and make sure they’re all at N minus one for firmware. But updating the, you know, it’s non-trivial to update the firmware or the underlying OS or whatever on any of those things.

So it’s like, even if they find out that they’re not N minus one for some certain part of the fleet, it’s not like they can just click and do the update that they start to on. They just don’t have the bandwidth for this, especially with.

Paul Asadoorian (42:31.788)
No.

Well, one of the problems that I believe we ran into back in the day, I don’t know what this looks like now, but this is what Cisco device is.

And more so the driver, right? I think I’ve said this internally, but the driver for updating the primary one is if you have a bug that’s affecting production, if there’s some issue with the firmware or software that’s impacting production, then the network and security teams are like, or at least the network team is like, we need to upgrade. But part of that upgrade process is what version do I need to go to that fixes the bug that also has the features that I need that I’m using, right?

Some of the Cisco upgrades I remember were feature dependent. Like, you can go to this version, but make sure that version includes this feature because you’re using it, right? If you’re using a particular routing protocol. But then you have to go, if I go to that version and I’m using that routing protocol, am I introducing new bugs? And have those bugs been fixed? Because I’m using BGP on this one, but going to that version of IOS introduces this new bug in BGP, but fixes the bug in the underlying, you know, OS. I don’t say, like, I’m giving everyone a pass, but also it’s, like you said, Chase, non-trivial to upgrade and update these devices.

Vlad Babkin (43:56.044)
And yeah, security teams often face resistance from like, site reliability guys. Like, imagine that you have an engineer who is worried about product actually running. Suddenly a security guy comes and says, all our fleet of servers is pretty much in bad state because firmware is not fresh and it’s vulnerable. And he’s pushing this reliability guy to update all of them. And he goes like, okay, you want to update the entire fleet? Do you understand what will happen in production if all of them crash at once?

Paul Asadoorian (44:01.186)
Yeah.

Vlad Babkin (44:24.765)
And suddenly the process starts to drag on for maybe a year, depending on how big the fleet is.

Paul Asadoorian (44:28.234)
Right. Yep. Yep.

But now there’s also the scenario which makes things even worse for defenders. And this is the case. And look.

No one writes perfect software. No one creates perfect patches either. So Fortinet customers are now seeing the 2025, CVE-2025-59718. Chase, I think you and I wrote about this last December. This is the one that is essentially an authentication bypass when you’ve got the single sign-on feature enabled in FortiGate firewalls. And Fortinet patched that in December.

But, and so I have more data. So we covered this last night on my other podcast, Paul’s Security Weekly, but it was just, Bleeping Computer was like, attackers are exploiting patched versions of FortiGate. And I’m like, well, how do you know that? Like, they didn’t give me any sources to back that up.

But after last night, Arctic Wolf produced the evidence, including IOCs. So it is now an observable thing that attackers are exploiting patched Fortinet FortiGate firewalls for CVE-2025-59718, which again, if you’ve got single sign-on enabled, allows an attacker to bypass authentication.

Vlad Babkin (45:59.165)
Yeah, your FortiGates are now unpatched. You have to patch again soon.

Paul Asadoorian (46:03.052)
You have to patch the patch, right? And as we sit here today, I don’t think Fortinet’s released the patch for that. To patch the patch.

Vlad Babkin (46:14.889)
And the funniest part is that Fortinet is one of the OSes which tries to lock down your access to the underlying operating system. So, irony. So, in this case. But it’s not just them, it’s like an industry-wide problem. If it were just one company doing this, we probably could bash it, but it’s not just one company, it’s more than half of them.

Paul Asadoorian (46:22.774)
Yes.

Paul Asadoorian (46:30.572)
Yeah.

Paul Asadoorian (46:36.444)
All of them. Yeah, or half of them at least, right? Yeah, for sure.

Paul Asadoorian (46:44.194)
Cisco’s in the news as well. I think I talked about that. The article I have in the show notes actually talks about both of them. And again, I mentioned these before, right? These are issues in their… It was added to the KEV. This was for the Unified Communications Manager. So this is for like their VoIP deployment. So if you’re using Cisco’s Unified Communications Manager,

also Session Management Edition and a bunch of other things, Unity Connection. I believe that’s all part of what they call unified communications. It’s basically a VoIP system. There is a pretty gnarly vulnerability, improper validation of user-supplied input in HTTP requests to the web management interface. They can bypass authentication. This one’s being exploited in the wild and was added to the KEV. Comes on the heels of

CVE-2025-20393, Secure Email Gateway, which was the IronPort acquisition from back in the day. So yeah, I think that our audience would probably know, right? That Unified Communications Manager has a larger footprint in market share than Secure Email Gateway. But both have kind of similar vulnerabilities.

Mandy Logan (48:10.384)
Wait, so this is saying that they’re recommending they should patch their systems or upgrade to new versions on which the vulnerability has been fixed. Do you know if the upgrade costs money?

Paul Asadoorian (48:24.15)
That’s a good question. I’m not sure.

Paul Asadoorian (48:29.602)
that historically, sometimes.

Mandy Logan (48:33.104)
Right.

Paul Asadoorian (48:36.608)
But major upgrades could require hardware.

If you, so I was doing that with Fortinet. I was looking at.

So Fortinet, right, you can buy the physical appliances. Same thing with these Cisco products. You buy the physical appliance or virtual appliance. But if you buy the physical appliance, there’s like a matrix. So what version of the operating system you’re on only supports this version of the hardware. Once you want to go to a newer version of the operating system, you may have to upgrade your hardware. So remediating this problem, speaking to monetary costs, Mandy, it could mean if I want to be on the latest and greatest, I can upgrade my hardware. I could get a new appliance, and you know that that could take procurement, all that, deployment, it could take well over a year conceivably. The planning, testing, you know, the whole, the whole nine yards.

Mandy Logan (49:27.472)
Right.

Paul Asadoorian (49:36.013)
So we hope that the worst scenario is you’re on an unsupported version and you can’t upgrade and you’re vulnerable. I don’t believe that was the case with the Cisco ones. If there was a case where you couldn’t upgrade. Of course, again, figuring out what…

versions are affected and what your upgrade path is and the affected products. I, we were talking about that this week too, is sometimes really hard. It’s not in any structured data, right? Like it’s not something I can query for this set of vulnerabilities and go, hey look, if you’re worried about this Cisco vulnerability, it affects these products and here’s the versions you need to upgrade to and here’s the hardware you need to upgrade to. Like figuring that out is not easy.

Mandy Logan (50:29.436)
It seems complex, and it’s also just annoying if it’s a thing for, hey, let’s just make it where it breaks and you have to pay more.

Paul Asadoorian (50:38.73)
Right. And I mean, a lot of these products have been around for a while, right? Like the Unified Communications Manager has version, so that’s interesting. It says version 12.5, migrate to a fixed release. So this tracks, they’re not going all the way back to, so if you’re running 12.5, you’re not gonna get a patch. If you’re running 12.5, you gotta go to version 14,

Mandy Logan (50:43.045)
Yeah.

Paul Asadoorian (51:02.174)
and then there’s a patch for version 14. But if you’re a hardware, if you bought hardware from Cisco and it can’t run version 14, that means you need to upgrade hardware. I don’t know if that’s the case in this product line, but it could be.

Paul Asadoorian (51:18.966)
Now I really empathize with the IT teams.

Vlad Babkin (51:22.123)
And to be honest, it gets even worse when, hey, maybe we can just patch it ourselves. But no, they are preventing access to the underlying operating system. So you are not patching that yourselves. You cannot have any compensating control.

Mandy Logan (51:28.048)
No.

Paul Asadoorian (51:28.108)
Nope.

Paul Asadoorian (51:36.79)
Right.

Paul Asadoorian (51:40.771)
Yep, that’s a great point. The last topic we wanted to cover was, well, second to last one, because I want to talk about a recent blog post as well, was Microsoft issuing a CVE for out of date secure boot certificates. So there’s the 2011 secure boot certificates and there’s the 2023 secure boot certificates.

2011 secure boot certificates as of June of this year, I believe what Microsoft is saying is will not sign DB and DBX updates. Right, so they issued the CVE to basically like your, you’re not quite vulnerable now. It’s like a prediction, like you’re gonna be vulnerable in June, but we’re gonna issue the CVE now so you have time.

to note that any Windows PC that still has 2011 Secure Boot certificates will be vulnerable in the future to Secure Boot bypasses for which we’ve identified like a vulnerable piece of software that was signed. So they’ll issue a DBX update only for the 2023 certificates, not the 2011 certificates.

So you could have secure boot enabled, secure boot checks out, but since it’s 2011 CA, it will allow vulnerable code to run and bypass secure boot. I think that’s what they’re saying. They said it in very weird ways. If you read the Microsoft KB articles, it’s very strange. We’re scratching our heads. Like, why are you describing it like that?

Vlad Babkin (53:27.979)
To make it more confusing.

Paul Asadoorian (53:29.59)
Yeah.

Mandy Logan (53:30.99)
Okay, so I’m, yeah, and I’m confused on one point. So if they’re delivering the new secure boot certificates through the Windows monthly updates, then as long as you’re getting the monthly updates, in theory, you would have the new certificates, right? So is this mostly just offline rigs or air gapped systems or something?

Vlad Babkin (53:31.529)
Micros.

Paul Asadoorian (53:54.179)
I see, I don’t know if those updates are automatically applied or if Microsoft makes the update available and an administrator has to apply it. Because they’ve done stuff like that in the past. They’re like, you can apply this update, but we’re not pushing it down via Windows Update. It’s something you have to install. Because it could break stuff.

Right? Like if you’ve got a driver or something, well, drivers are somewhat different. Yeah, you can badly break stuff.

Vlad Babkin (54:23.668)
Pretty bad lubricant stuff.

Paul Asadoorian (54:29.634)
So that’s why oftentimes they won’t push it out. But also, if you’re Windows 10, you are not going to get that update. Unless you just put the certificates there manually. I wonder if Microsoft has, I don’t know if Microsoft would document that. Because they don’t want people running Windows 10. They want to run Windows 11. But conceivably, the secure boot certificates DB and DBX are just variables in UEFI that you can change.

Paul Asadoorian (55:01.89)
So you could do it yourself.

technically possible.

Mandy Logan (55:05.295)
And so if the certificates aren’t updated, does that basically overall make the device waste?

Paul Asadoorian (55:14.554)
It makes it, so I think what Microsoft wanted to say was it makes Secure Boot meaningless. Right? And that’s why they issued the CVE. I mean, they could have just come out and said that. But like, if you read the description in the CVE, like finding it on Microsoft’s site is also a chore.

Vlad Babkin (55:34.004)
This is…

Vlad Babkin (55:38.731)
They don’t want to be categorical because it still means that it will validate signatures. It’s just that you can bring your own vulnerable driver and whatnot and then bypass it, and they are hard-pressed to tell it in a normal language, because if they do it in a normal language they might get chased out by legal teams of other companies who are not happy with that normal language. So they have to be very fluid when they do stuff.

Paul Asadoorian (55:45.132)
Yeah.

Correct.

Paul Asadoorian (56:03.102)
It could, that’s a great point, Vlad. It could be why they issued a CVE for this to kind of like a CYA. To be like, we told people, we even issued a CVE, a vulnerability, you know, for this condition. And when you get compromised, it’s not our fault. That actually makes sense.

Mandy Logan (56:09.019)
Yeah.

Mandy Logan (56:22.042)
That’s kind of what I figured, why they would do it and do it ahead of time.

Paul Asadoorian (56:27.926)
Yeah, this was my prediction for Windows 10 though. At some point, I’m like, Windows 10’s not gonna get updates and it’s not gonna get new certificates for Secure Boot and it’s not gonna get DB and DBX updates, which means Windows 10 in Secure Boot doesn’t really mean much anymore.

Paul Asadoorian (56:52.982)
More work for IT teams, they were pointing out. I do want to end on kind of a fun note. So I don’t know how much we’ve talked about this, but we have an X-ray machine in the office. Chase, you’ve been in the office and seen it. Tell us about it.

Chase Snyder (57:09.004)
Yeah, 100%.

Vlad Babkin (57:09.706)
Free healthcare is not all what it was hyped up to be. Mandatory joke.

Paul Asadoorian (57:12.45)
We gotta have our own X-ray machine now. Like, my wrist is kind of hurting. I gotta go to the office. It’s not for that, right? You’re not allowed to use it to image any human being, right?

Chase Snyder (57:16.118)
Yep. Yeah.

Mandy Logan (57:17.692)
Exactly. Slap that bad boy up here. Let’s give it a look.

Chase Snyder (57:27.276)
Yeah, we’ve been putting spiders in there and then letting them free in the office. We’re going to see who gets bitten. Yeah, so far. No, yeah. The first thing that happened with it, or the, the fun thing that we just published the post about, was that they X-rayed some FTDI USB UART cables. One of which was acting suspicious and was working

Paul Asadoorian (57:32.586)
Yeah, right, right.

Chase Snyder (57:53.902)
kind of slowly or not at all in this case, which caused them to buy a new cable. And then they were like, we got the X-ray machine, let’s X-ray it. And just looked at the big difference between the guts of these two USB cables. And yeah, I don’t know, it’s fun. I mean, go to eclypsium.com slash blog and check out the website. But basically you can tell by looking if you have even marginal experience in this realm because the…

The counter, the old suspicious, probably a counterfeit one, is messier inside. Like it’s, like it’s, like bad cable management, but on this micro scale, where the wires are all tangly and it doesn’t, it just looks kind of worse. But there’s also a bunch of stuff that I wouldn’t have been able to tell about, that I had to be schooled on, like one of them has copper ground pores in it and one of which doesn’t, which I went down a whole rabbit hole on. And it is not universally agreed upon that copper ground pores are good,

but it’s still pretty widely used by reputable manufacturers. But the funniest thing is that the counterfeit, or we don’t actually know if it’s a counterfeit. It could just be, yeah.

Paul Asadoorian (59:00.31)
Well, it’s a cheaply made cable. So I use these cables all the time.

They’re basically USB to serial adapters. So when you want to console into an IoT device or a Raspberry Pi, you use one of these cables. So USB out of your computer into the UART or serial port on whatever device that you’re testing or hacking into or doing some recovery on. And it allows you to talk UART protocol from USB in your computer to the device. And there are a plethora of these

Chase Snyder (59:08.461)
Mm-hmm.

Paul Asadoorian (59:34.356)
cables available if you just search for, I did FTDI USB to UART cable and there’s tons of them and I have a bunch of them, like a handful of them because they’re cheap. I like the Adafruit one, it’s like 10 bucks. That one seems to be reliable but I’ve gotten other ones that like they work sometimes and sometimes they don’t.

And now I’m starting to realize why. When we did this post, I was like, oh, that’s why, because they’re cheaply made Chinese devices. There’s reasons for that. Right? Like the more expensive cables that are sold by Digi-Key, maybe.

I’m just speculating here, but that’s like the actual production run, right? So they’ll go through the rigorous testing and make sure they meet a specification. Those are the $20 cables. But then second or third shift rolls around in the factory and they’re like, let’s do a run of 10,000 of these and let’s kind of tweak it so it runs a little faster. Let’s not do all the QA on them. And those are the ones that we sell for $2 on AliExpress or whatever.

We saw that with batteries too, people imaging batteries. That’s basically the difference. So when you see Temu and you see stuff being sold really cheaply, that’s one of the reasons why they can sell it so cheaply. So when we published this article, I’m like, oh, that makes perfect sense actually. But it’s really cool to see it with the X-ray machine. And I love how they presented the blog post. You can see the two images. As you scroll through the post, you’re like, tell me which one is the, I don’t know if you should say counterfeit. Counterfeit’s not

Chase Snyder (01:01:16.398)
the worse one. It might be a counterfeit or it might just be kind of a cheap, cheap bad one.

Paul Asadoorian (01:01:16.438)
the right term. Yeah.

Right, the one not built quite to spec versus the one that is built to spec. And so you get both images and you get to look at those before you get the answer as to which picture is which. And I’ll be honest, I got it wrong and I can go back and I learned some stuff too from this post, Chase.

Chase Snyder (01:01:38.274)
Yeah, thank you. Shout out to the Eclypsium Research Team for that one. Super fun. And they’re doing more. That was a fun one, but they’re doing other, they’re doing some pretty serious research with ice rangers. It’s just a cool thing to have. We’ll do more posts on the way.

Paul Asadoorian (01:01:48.226)
Yeah, this was just a fun one to say we have an X-ray machine.

Vlad Babkin (01:01:53.642)
We sometimes do interesting stuff as well, not just X-rays.

Paul Asadoorian (01:01:55.929)
Absolutely. Right, right. This was just kind of a fun one. Yeah. Well, we’re short on time. I want to thank everyone for participating today. I want to thank everyone for listening and watching this edition of Below the Surface. We’ll see you next time. Over and out.