Learning Library

← Back to Library

React2Shell Vulnerability: Severity Debate

50m • Unknown Channel • security • news • intermediate • Watch on YouTube ↗

Key Points

The podcast frames hacking as forcing systems to do unintended actions, setting the tone for a deep dive into current cyber‑security threats.
Hosts introduce the agenda: evaluating malicious large‑language models, a bizarre Gmail‑lockout exploit that changes a user’s age, simultaneous attacks by multiple threat groups, and the impact of solar radiation grounding aircraft.
A major discussion centers on the “React2Shell” remote code execution flaw (CVSS 10.0) affecting React Server DOM packages and downstream frameworks like Next.js and Vite, which lets crafted HTTP requests turn into server‑side command prompts.
Experts debate the vulnerability’s severity, with some comparing it to historic Log4Shell exploits while others caution that alarmist responses could cause more harm than good.
Patches have already been released for the affected versions, emphasizing the need for rapid supply‑chain updates and vigilant monitoring of software dependencies.

Sections

Full Transcript

# React2Shell Vulnerability: Severity Debate **Source:** [https://www.youtube.com/watch?v=LWGdsBMPcnY](https://www.youtube.com/watch?v=LWGdsBMPcnY) **Duration:** 00:50:03 ## Summary - The podcast frames hacking as forcing systems to do unintended actions, setting the tone for a deep dive into current cyber‑security threats. - Hosts introduce the agenda: evaluating malicious large‑language models, a bizarre Gmail‑lockout exploit that changes a user’s age, simultaneous attacks by multiple threat groups, and the impact of solar radiation grounding aircraft. - A major discussion centers on the “React2Shell” remote code execution flaw (CVSS 10.0) affecting React Server DOM packages and downstream frameworks like Next.js and Vite, which lets crafted HTTP requests turn into server‑side command prompts. - Experts debate the vulnerability’s severity, with some comparing it to historic Log4Shell exploits while others caution that alarmist responses could cause more harm than good. - Patches have already been released for the affected versions, emphasizing the need for rapid supply‑chain updates and vigilant monitoring of software dependencies. ## Sections - [00:00:00](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=0s) **Security Intelligence Podcast Intro** - The opening segment introduces the IBM Security Intelligence podcast, its hosts and guests, defines hacking, and previews topics including malicious LLMs, Gmail lockouts, dual hacks, solar radiation impacts, and the React2Shell vulnerability. - [00:03:08](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=188s) **Balanced Response to Emerging Vulnerabilities** - The speakers stress that while new exploits like Log4j‑style bugs demand swift action, organizations should avoid rushed patches—citing Cloudflare’s misstep—and instead apply controlled, intentional updates. - [00:06:33](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=393s) **Cascading Breach Impacts & Debate** - Discussion on how a single breach can propagate through token reuse, the challenges of patching dependencies, and the heightened polarization surrounding the vulnerability. - [00:09:54](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=594s) **Prudent Overreaction Strategy in Business Continuity** - The speaker advises leaders to intentionally “overreact” to emerging risks by conducting rigorous risk and business‑impact assessments, maintaining strong vendor communication, and adjusting responses proportionally to ensure swift and effective continuity. - [00:13:55](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=835s) **Prompt Injection Enables Malicious AI** - Ian explains that standard language models can be coaxed into creating phishing or other harmful content via subtle prompts, rendering specialized “low‑level” malicious bots like WormGPT4 largely unnecessary. - [00:17:09](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=1029s) **Democratizing Hacking Through AI Tools** - The discussion highlights how AI lowers the entry barrier for cyber‑attackers—enabling easier creation of phishing emails and synthetic media—while urging defenders to adapt and questioning the cost‑benefit of such tools for malicious actors. - [00:21:36](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=1296s) **AI-Driven Security Becomes Norm** - The speakers discuss the rise of automatic AI-powered fuzzing and penetration testing, urging organizations to adopt more agile, dynamic defenses since attackers are also leveraging AI. - [00:28:38](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=1718s) **Managing Single Point of Failure** - The speaker recommends using passkeys, token‑based authentication, and separate accounts for sensitive versus non‑sensitive data, applying data classification to avoid a single point of failure. - [00:33:05](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=1985s) **Free Services Turned Double‑Edged Sword** - The speakers examine how reliance on free platforms limits user support, forces payment to regain access, and how security measures can be weaponized—highlighted by ransomware that exposed a hidden APT. - [00:37:02](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=2222s) **Stealth APTs and Ongoing Discovery** - The panel stresses continued investigation beyond an initial noisy breach, using iceberg and “Quiet Crabs” analogies to illustrate hidden APTs that linger in networks, waiting for the optimal moment to strike rather than merely seeking quick ransom. - [00:41:13](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=2473s) **Proactive Threat Hunting and Human Bottleneck** - The speakers advocate leveraging digital workers and automated agents to make threat detection more proactive, reduce alert overload, and ensure analysts investigate even minor anomalies to prevent larger breaches. - [00:45:13](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=2713s) **Cyber Threats Exploiting Disasters** - The panel examines how attackers may time exploits to coincide with natural catastrophes such as hurricanes or snowstorms, explores the feasibility of artificially mimicking solar‑radiation damage, and stresses that these events are merely symptoms of larger system‑availability and resilience challenges that intersect with cybersecurity. - [00:48:33](https://www.youtube.com/watch?v=LWGdsBMPcnY&t=2913s) **Weak Links and Disaster Recovery** - The speaker uses power‑grid analogies to illustrate how hidden single points of failure can cause massive outages, urging organizations to identify, test, and reinforce backup and redundancy measures before ransomware or other incidents expose weaknesses. ## Full Transcript

0:01I think this is actually a really great use of 0:05hacking. That's something we always tell our clients is hacking 0:09in its simplest form is making something or someone do 0:12something they're not intended to do. And that's exactly what 0:14this is. All that and more on Security Intelligence. Hello, 0:22and welcome to Security Intelligence, IBM's weekly cyber security podcast, 0:27where our expert panelists break down the biggest industry news 0:31stories into practical takeaways you can use. I'm your host, 0:35Matt Kaczynski, and I will not tell you what was 0:37on my Spotify wrapped this year because I believe in 0:40data privacy and I might be a little bit embarrassed 0:42by what was there. Joining me today, Claire Nunez, Creative 0:46Director for the X Force Cyber Range and a rug 0:49maker, as I've just learned. Sridhar Mupiti, IBM Fellow and 0:52cto, IBM Security and making his podcast debut. Ian Malloy, 0:57Department Head, Security Research thank you all for joining me. 1:01Here's what we're going to be talking about. Do malicious 1:03LLMs live up to the hype hackers can lock you 1:07out of Gmail by changing your age? What happens when 1:10you get hacked by two different groups at once? And 1:13the time solar radiation grounded a bunch of planes? And 1:16why that matters to security Pros. But first, React2Shell has 1:22sparked a cybersecurity debate. Last week, the React team announced 1:30that security researcher Lachlan Davids had discovered a remote code 1:34execution vulnerability with a CVSS score of 10.0. So big 1:39deal in React Server components now quick PSA, the affected 1:44packages are React Server DOM, Webpack, React Server DOM Parcel, 1:49and React Server DOM Turbo Pack versions 19.0, 19.1.0, 19, 1:55and 19.2.0, plus any frameworks or bundlers connected to the 1:59vulnerable packages through the software supply chain, which means things 2:03like Next js, Waku Vite, and Redwood SDK, among others. 2:08Now, the way this remote code execution vulnerability works is 2:12so you have to know a little bit about React 2:14server components first. They are little pieces of code that 2:17execute activity on a server. The server and the client 2:20communicate by way of HTTP requests. Basically, hackers can sneak 2:24data into the HTTP request gets sent to the server, 2:27the server decodes it, thinks it's a command, and it 2:30executes it right. So in plain terms, the bug lets 2:32attackers turn a normal web request into a command prompt 2:36on your server. Now, we've seen attackers exploiting this, and 2:39we've seen patches and updates already rolled out, but I'm 2:42really interested in the debate surrounding this vulnerability because people 2:46have been kind of split on the One hand, you've 2:48got people who likened it to log four shell, which 2:51was a big deal when it came out, as I'm 2:52sure you all remember, and you see that in the 2:54name we've given it. But others felt like we're kind 2:57of overreacting to this and we're doing a little more 2:59harm than good. So, Sridhar, I'd like to start with 3:02you and get your take on this vulnerability. Where do 3:05you think it falls in terms of severity and why? 3:08I think any severe, any vulnerability with 10 requires some 3:13level of legitimacy and action for sure. Right. But the 3:17blast surface, in my opinion, is not as big as 3:20log 4J. That doesn't mean we can't ignore it. Right. 3:23We still need to go and take care of it 3:26as soon as possible. Like you said, any of the 3:30next JS packages as easy to update, but trying to 3:36go and do it with some level of control would 3:40be good, rather than what Cloudflare tried to do is 3:44to go and release something in panic, and that creates 3:47even more chaos. Right, yeah. I'm glad you mentioned the 3:50Cloudflare thing. Right. Because that's a good example of an 3:52organization who looked good intentions, but they were rushing to 3:55get something out and they accidentally knocked themselves off for 3:57a little bit. And I think that's, again, part of 3:59the reason why people are saying, look, you gotta slow 4:02down. It's not that it's not important, not that it's 4:05not serious, but approach it with some intention. Right. Anybody 4:12have any agreements or disagreements, want to build on what 4:14Sridhar said there? Ian, you got anything you want to 4:16add there? Yeah. So I think the interesting thing there 4:19is when you have these new vulnerabilities, if they are 4:21potentially easy to exploit, what you're going to realize is 4:24that the attackers are going to try to exploit them 4:26very, very quickly, and you want to maintain the ability 4:29to be ahead of them. And. And that's where, you 4:31know, speed is obviously very, very important. But as Sridhar 4:33just mentioned, sometimes moving too quickly can become a problem, 4:38and, you know, it can have unintended consequences there. I 4:41think it's good to prudently overreact sometimes, and especially when 4:46something is very out of the norm, that's important to 4:50do. But I do think that it can also hurt 4:52you sometimes if you overreact too much. There's. There's a 4:55difference between reacting and saying, let me look into this, 4:58and reacting where the sky is falling down and you 5:04kind of don't know what to do. So I think 5:07this is a Good time for organizations to evaluate kind 5:10of where they're at and where REACT exists within their 5:14architectures and their vendor architectures as well. But I don't 5:19necessarily think everybody needs to kind of run around like 5:22Chicken Little right now. But it's worth looking around and 5:27considering where does our risk lie? I think that's a 5:31really good point. Not always knowing exactly what you have 5:35deployed. Sometimes your CMDB databases are out of date. You 5:39don't necessarily know what you have deployed, where you have 5:41it deployed. This is one of the things we learned 5:43with log 4J. That's an important thing to keep in 5:47mind then having good hygiene on your supply chain. The 5:51other thing, Ian, is that this is one of those 5:54things where it's not just a patch. It's a patch 5:56for sure. You can go do it, but I believe 5:59you have to go rebuild and redeploy. Right. This is 6:03where I think I've seen a couple of customers talk 6:05about, yes, I updated it, but I still see it. 6:08Right. So. And rebuilding broke something else. Yeah, I'm glad 6:12that you know. So two things. First of all, prudent 6:15overreaction. I think that's a lovely little term and I'm 6:17going to keep it in mind for my life in 6:19general, but also for cybersecurity purposes. But I also like, 6:22Ian, how you brought up that you don't necessarily know 6:24right off the bat where this thing might be in 6:26your system. Right. Like the day requires a little bit 6:28of digging. And so that got me thinking about the 6:30kind of long tail that this attack could potentially have. 6:33That like, you know, I. It made me think of 6:35last week we discussed the gain site breach, which slightly 6:38different, but, you know, it was people using tokens they 6:42had stolen in an earlier breach of sales, law of 6:44drift to gain access into more systems. And it just 6:47got me thinking about how one attack on one piece 6:50of infrastructure can really branch out in ways you don't 6:54expect. And I'm wondering if that influences how we look 6:57at the severity of this particular breach. Sridhar, you got 7:01any takes on that? I think the dependency aspect is 7:05a key thing. Right. That's what I was trying to 7:06allude as well. Right. Which is while you may fix 7:09something, but the fact that, number one, understand where it 7:13is, two, understand, okay, what does it take to actually 7:17fix it? Patching3 is trying to look at the dependency 7:21of it. Okay. If I fix it, what else might 7:22break? So some level of caution in terms of going 7:26with the controlled approach is what I would suggest. Matt. 7:29Now, Ian, I'm wondering if you have any thoughts on 7:32why such a debate was sparked in the first. I 7:35mean, I just, I kind of feel like it seemed 7:37like there was a particularly strong polarization here. I don't 7:40know, maybe that's just where I hang out online, but 7:42I felt like it was. It was more, I don't 7:43know, vicious than I've seen before in a lot of 7:45times. I'm just wondering if you have any thoughts about 7:47why this vulnerability sparked such a reaction. I mean, it's 7:49hard to say sometimes. I mean, I think if we 7:52went through the log four shell, it was huge. As 7:54Sridhar said, that was pervasive. It was used everywhere as 7:57a major dependency. REACT has a lot of the market 8:00and so I think people were expecting it to be 8:02much, much bigger than it ended up being. It's also 8:06a little bit different in that the log four shell, 8:08you could attack systems that were in the back end 8:10here. I think you have to actually have direct access 8:12to them. But I think one of the reasons people 8:14think we're overreacting is we're not necessarily seeing the exploits 8:17in the wild, maybe as quickly. And a lot of 8:19the exploits seem to indicate that people aren't able to 8:22exploit it as easily and as readily as maybe they 8:25had expected. It's a simplicity of how you can exploit 8:28it. You don't need to authenticate. You just basically go 8:31to the specific endpoint and execute a code and it 8:34just does it. So Sometimes you have CBSS 10.0 which 8:38are not so easy to exploit, but this one seems 8:41to be like a piece of cake. Right. And I 8:43think these are really strong kind of technical reasons for 8:46why there's been the kind of reaction that we've seen. 8:49But I'm also wondering if there's a sort of, I'll 8:51call it a cultural component to this. And by that 8:53I mean we've recently seen a lot of kind of 8:56pushback in cybersecurity against specifically how we cover like AI 9:01related threats. Right. Like, I've seen a lot of people 9:03being kind of skeptical about that language. And I think 9:06specifically of the MIT report that got kind of pulled 9:09down because it said that there were 80% of ransomware 9:11attacks used AI. And then it turned out that was 9:12kind of bunk. And I'm do wondering if, I do 9:15wonder if this is kind of like a perfect storm 9:16thing where this is coming along at a time where 9:18there's an increasing skepticism around some alarmism maybe in how 9:22we cover cybersecurity. I don't Know, do you think that's 9:24part of anything? We as a community are getting more 9:27and more paranoid, right? Like, you know, because, you know, 9:31we've got the hype of Gen AI being able to 9:35launch attacks very quickly. So we are reacting very quickly 9:38to anything like this than what we have done before 9:43the era of log 4J. So Claire, I want to 9:46ask you because you do a lot of work at 9:48the cyber range, kind of preparing organizations to address risks 9:51and react to things like situations kind of like this. 9:54Right. And again, that phrase you used, prudent overreaction, keeps 9:57popping up in my mind. So I was wondering if 9:59you had any advice on kind of how you prepare 10:02your organization, your executive leaders, whoever, to approach these kinds 10:06of things with that level, that appropriate kind of, you 10:10know, sense of proportion. Any thoughts there? Yeah. So usually 10:14again, we do advise organizations to prudently overreact to things 10:19that are new in this space and to kind of 10:24take a step back and maybe move a little bit 10:27more slowly to evaluate kind of the risk at hand. 10:32So mostly we, we do advise our leaders that come 10:37through the range to really focus on risk assessments, prudent 10:41overreaction, and to also continuously just do business impact analysis 10:47as well. And to have a good line of communication 10:51with their third party vendors as well. Just because if 10:54they know that they're going to be changing something because 10:57of a critical outage or patch that they're doing, you 11:03want to be aware of that so you can ensure 11:04business continuity on your side. Because you may not have 11:07this in place, but maybe one of your vendors does. 11:10So those are some of the things that we kind 11:12of highlight on and that that applies really to any 11:14industry where you do want to know your risk, be 11:18able to react swiftly. And to. You know, have good 11:27communication with your vendors. Makes perfect sense. Before we move 11:30on to our next topic, I just wanted to throw 11:32it to Ian or Sridhar. Do you have any last 11:34words aside from patching or updating, any advice that you 11:38would give organizations dealing with this thing at this time? 11:41Sridhar, let's start with you. Anything you want to add 11:43there? I think Claire covered it well. Right. It's about. 11:45First is visibility. Right? Like what is the block surface? 11:49What's the visibility in terms of to the vulnerability and 11:55how susceptible is my environment to that? Right. Second, is 11:58able to do some level of risk assignment to say, 12:01okay, do I need to go and update it? If 12:03so, am I going to break something or can I 12:04just put like a, I don't know, a waf rule 12:07or an ip, allow a deny list to be able 12:10to block that port. Right, Meaning can I do some 12:13banded approach so that I can buy some time? Right. 12:16And then once you do the risk assessment, then it's 12:19a mitigation or remediation for me. Right. Mitigation is something 12:22like a WAF gateway. Remediation is, okay, I gotta go 12:25and update the patch, but do the dependency chipping and 12:29make sure that you actually fix the root cause. Absolutely. 12:32Ian, any final thoughts? I like what Schrader had said, 12:34but I think a couple things would add maybe just 12:37how can you actually automate some of your testing so 12:39that, you know, when this actually does happen, how can 12:42you respond? How can you respond very, very quickly and 12:44how can you not actually create some new kind of 12:47errors and, you know, make the problem actually bigger than 12:49it was, especially when some of the mitigations end up 12:51being quite easy to deploy. So I think we've covered 12:54this pretty well. Let's move on to our next story 12:57here. Do malicious LLMs live up to the hype? There's 13:05a lot of conversation about whether generative AI is delivering 13:08on all of its promises in the enterprise world. And 13:12it turns out that some cybercriminals are also wondering whether 13:15it's worth it. In a recent report, Palo Alto's Unit 13:1842 analyzed the capabilities of two of the most popular 13:22malicious LLMs on the market. We've got Wormgpt 4 and 13:25Kawaii GPT. Now, unlike mainstream LLMs, two tools have no 13:30ethical constraints or safety filters. And they're mainly sold as 13:34tools for, you know, phishing, malware code generation, automated reconnaissance, 13:38that kind of thing. Now, some people kind of look 13:41at these tools as unleashing a whole new wave of 13:43cyber attacks by lowering the barrier to entry and streamlining 13:46malicious operations. Others are more skeptical. Specifically, I'm thinking of 13:50an article by Nate Nelson in Dark Reading who wrote 13:53that these things fail to live up to the hype. 13:55They, they're kind of only useful for very low level 13:58criminals. And after that they, they're just not that powerful. 14:01Ian, I know you do a lot of AI security 14:03research, so I wanted to throw to you first you 14:06look at things like Wormgpt4, kawaii GPT. What do you 14:09think? Impressive? Disappointing. Somewhere in between. What's your take on 14:12these things? They make good headlines. It gets people excited. 14:16You can see, hey, there is now a malicious use 14:18of AI. Are they actually pushing the envelope or anything? 14:22I don't really think they are necessarily. I think the 14:26barrier to entry to grabbing any other LLM and actually 14:28using it for potentially malicious purposes is actually pretty low. 14:32Most of the models tend to be fairly easy to 14:35prompt inject if you want to get them to do 14:37something malicious. On top of that, I can actually just 14:41take any normal model and as long as I'm not 14:43explicitly telling it, hey, I'm writing a phishing email. Help 14:47me write a phishing email. I just go and say, 14:48I'm writing a marketing email. Help me write a marketing 14:50email. Add some emphasis here, make it critical. The user 14:56has to respond very, very quickly. This is urgent and 14:59it'll happily do that. You can describe a perfect phishing 15:02email and it'll write it as long as you don't 15:03tell it it's phishing. So the intent is very, very 15:06difficult to understand. So that's maybe one of the first 15:08things I've kind of observed. No, it makes sense. Right. 15:10And again, that goes back to something that we talked 15:11about in the last episode, which is that research into 15:14using poems to kind of jailbreak your prompt, your models. 15:17Right? Like if you phrase your malicious prompt not directly, 15:21but in verse, you can make it do things it's 15:23not supposed to do. Right. So like you said, maybe, 15:25maybe these models aren't even really necessary. Right. On that 15:29front it got me thinking about something which is worm 15:32GPT4 has like a subscription model, right? Like it sells 15:36it's, it's services to other hackers. And, and part of 15:39me kind of wonders if like that's the whole play 15:40for them, like if it's not even really about, you 15:42know, cyber crime, but like they're making money by selling 15:45a thing to people. It's a branding play. Maybe hackers 15:49are the real, you know, target in a sense. I 15:50don't know. Shridhar, any, any thoughts on that? Do you 15:52feel like that that could be a possibility there? Due 15:54respect to Ian, right, But he top of the researchers 15:58in the world in this space, right? Of course the 16:02bar is really high for him and everything is. But 16:05look at it from individuals who don't do this on 16:09a daily basis. For them, things like warmgpt or Kawaii 16:15GPT lower the bar. Very, very, very to be accessible 16:21things that we don't know. Somebody like Ian, I would 16:24expect him to say, okay, write me a marketing campaign 16:27and embedded links in there and do the right way. 16:30But somebody who doesn't know this is going to say 16:32give me a phishing link. It does not have spelling 16:34mistakes from Nigeria. Right. That itself is probably good enough 16:41for Them to go and. Researchers in like Ian would 16:46probably go for 40, 50%. These guys would probably look 16:50for 8%, 10%. Right. And 10% of a billion people 16:54is plenty. Right. So I think there's a market, I 16:59mean Kawaii GPT is free and chat, the warm GPT 17:04is what, 200 bucks? Something like that, Easily accessible, right? 17:09Something like that. Right. So I mean there is a 17:12market and they're trying to make the hacking democratize a 17:16little bit so that it's easy to approach. So we 17:19as defenders have to do a better job of at 17:22least addressing this lower barrier, their attacks. That makes a 17:26lot of sense. It's, it's like you said, there is 17:27like a real market there. You know, not everybody is 17:30as skilled as our Ian Malloy's of the world are, 17:32but that's why, you know, Ian's here at IBM instead 17:35of doing that. Claire, any thoughts on your end on 17:38these things? When you look at them, you know, what 17:40do they spark for you? Well, I'm also wondering, besides 17:43just like creating phishing emails and such, these probably also 17:46have other nefarious use cases, right? Like helping you do 17:50malicious research of some kind, maybe generating. Photos that are, 18:03cases too that individuals would, you know, try to access 18:07these for and you know, the, the hacking ones of 18:11creating a phishing email or such. I'm sure that's just 18:14kind of like a nice to have for some of 18:16these users. But I think that on the topic of 18:22like are these worth it kind of thing, I mean, 18:26I guess it depends how you use them. So if 18:29a hacker is going to use them just to spell 18:31check or something, maybe not. They could maybe use Microsoft 18:34Word for that or like a free plugin. But you 18:39know, if you really want to do a lot of 18:42different things in terms of generating photos and then maybe 18:45it's worth your criminal money, that that's kind of my 18:50thought on it. It AI improves your phishing and research 18:53overall. You just have to know how to use those 18:56tools. That makes sense. And, and it reminds me that 18:59I think it was Worm GPT that they kind of 19:01said that. Look, we, part of our training set is 19:04like, you know, malicious stuff specifically like. Right. Like phishing 19:07emails, malicious code, whatever. The idea being that it would 19:09be even better generating some of that stuff for you, 19:12which, but that does still raise the question, right, about 19:14like hallucinations and those kinds of things that we still 19:18see happening in Vibe coding with legitimate LLMs. And I 19:21just kind of wonder, I don't know, is that also 19:23throttling our AI malware the same way it's kind of 19:26throttling some of our clear Net development? I don't know. 19:29Ian, any thoughts there? Do you think that the hallucinations 19:32stop it from being super powerful with malware? What's your 19:34take? It definitely could. I think some of the articles 19:37kind of question whether or not people are getting the 19:39performance boost that they were, but I think we've been 19:42making the same kind of comments about just Genai and 19:44Vibe coding. And actually if you are not a skilled 19:47developer, it actually can cause a. Net negative through some 19:50studies. And so we're probably seeing a little bit of 19:52that as well. Sridhar, I wanted to ask you because 19:54you brought up that KWAI GPT is different. They don't 19:57charge for it. It's a kind of open source community 19:59approach. It's freely available on GitHub according to Palo Alto. 20:03It's really easy to set up. I was wondering what 20:06your take was on this approach of an open source 20:08malware community, basically. Personally, it's not something I haven't quite 20:11seen before, but. But I'm also not as seasoned in 20:14the space. What are your thoughts on this thing? When 20:16you make it open source like this, it is not 20:19only assisting the bad actors, but can potentially be used 20:23by the good actors to say, hey, let me go 20:25test to see how easy my system is to be 20:28vulnerable for this, or be able to learn from that, 20:32to be able to use that as an input for 20:34my red teaming or my blue teaming, or a combination 20:38that. That can result in doing a better job of 20:41security coming in from a hacker mindset. Right. So to 20:45me, I think this becomes a collaborative effort where the 20:50bad guys are doing a great job of collaborating with 20:52each other anyway. And when you keep it in the 20:54open, at least we know some of the tactics and 20:57procedures that can help us in terms of building better 21:02software. I like that a lot. You know, kind of 21:04a. There's a constructive use for this kind of thing, 21:07right? If you're smart with it, you can make it 21:09work for you. I really like that. So to round 21:11out this segment, I just wanted to ask if we 21:13have any kind of final takeaways for defenders, should the 21:16existence of dark LLMs kind of change anything about what 21:19we do or stay the course. And I'll just go 21:21back around. Ian, any thoughts on your end? Should we 21:23adjust in any way. I mean, everything that an LLM 21:26can do, a human can do effectively. So it's really 21:28about the right and pace and the scale. And that 21:31really then comes down to, I think, what Sridhar was 21:33saying, automating all of your pen testing, finding your vulnerabilities. 21:36We're seeing lots of companies do this automatic fuzzing. Google, 21:40Microsoft and others are starting to do this and starting 21:42to build these automatic pen testing capabilities where if you 21:45can capture everything through an AI agent, for example, using 21:49some of these tools before you put it into production, 21:51that's going to make it that much harder for them 21:53to attack it once you actually do release it. Absolutely. 21:55Sridhar, anything on your end to add there? These will 21:58become norms. Right. And throughout this discussion, I'm sure we'll 22:01have more top. Even if you go back to the 22:03previous topic and this topic, we just have to become 22:06more agile, more dynamic in our security. Right. And so 22:10what means is okay, you know, Fido or passkeys is 22:16no longer an option. Right. You have to assume that 22:20every email is not trusted. Right. You have to assume 22:23certain things and build security around that. Right. As defenders. 22:27So that's the way I would look at it to 22:29say you'll see more and more and more of these. 22:33The challenge is for us as defenders to say how 22:35do we raise the bar to make the security more 22:38adaptive, more dynamic, more resilient? Gotcha. And Claire, any final 22:42thoughts on your end? Yeah, I agree with Sreedhar on 22:45all of those topics. I think something that has come 22:47up a lot with clients and in kind of CISO 22:50roundtables lately is that. We really need to be using 22:54AI to our advantage as well. And threat actors are 22:57going to level up with it. So we have to 23:00as well. There's a lot of great options out there, 23:03as Ian mentioned, to kind of do that. So it's 23:06important that organizations, instead of just kind of forgetting about 23:10it a little bit, is thinking about how they can 23:13better integrate it into their security as well. So I 23:16think that the kind of takeaway here is that even 23:18if these things maybe aren't as impressive as they sometimes 23:20sound in the headlines, we can't rest on our laurels. 23:23Right? Like, there's still plenty of work to be done 23:25there to make sure their organizations are prepared for when 23:28these threats do become as. As powerful as some of 23:31the headlines make them sound. Let's move on to our 23:34next story. Hackers lock users out of their Gmail accounts 23:38by changing their ages. It's a pretty simple technique. First 23:45they break into your account often by just stealing your 23:48credentials. Then they change your age to 10 or something 23:51else that makes you look like a child. And that 23:53means they can add you to their family group where 23:55they are a parent. And now they have total control 24:02you yet. And that was kind of on purpose, right? 24:05Google was making it so the children couldn't circumvent the 24:07control, so their parents set and hackers have used this 24:10against them. Now, Claire, I know you have some thoughts 24:12on kind of how this might align with some new 24:15regulatory efforts to spin up an even bigger problem. Walk 24:19us through that. Yeah. So first off, I think this 24:21is actually a really great use of, of hacking. It's, 24:27it's hacking in its simplest form, right? So it's making 24:30something do something it's not intended to do. So and 24:34it's, you know, like a meal hack kind of thing. 24:38But it's, it's for technology. So that's something we always 24:41tell our clients is, is hacking in its simplest form 24:44is making something or someone do something they're not intended 24:47to do. And that's exactly what this is. But it's 24:50very interesting because. So Google rolled out, I think, these 24:53parental accounts a couple years ago. But in Australia, Australia 25:03use social media. Instagram has recently rolled out teen accounts 25:07that have different parameters around it. So my thought is 25:11that this, this could become a bigger threat than it 25:15has. I mean, we've seen people's accounts be compromised on, 25:18in different levels because they clicked on something they shouldn't 25:21have. But perhaps this is something that will scale more 25:25broadly as people or as these platforms start to roll 25:30out these teen accounts or child accounts, because instead of 25:35just completely preventing users from being on their platform, they 25:39want to have these users, you know, for life and 25:41have them graduate into adult accounts. So I think it, 25:44it brings up a lot, you know, that's a potential 25:48for what can a threat actor may do. And a 25:51lot of people would probably be willing to shell out 25:54a decent amount of money to get their Gmail back 25:56accounts back, to get their Instagrams back. If you get 25:59locked out of those, there's a sense that your life 26:01is lost. Whereas other platforms, you could very simply just 26:05make another account. But if you can't get into your 26:08Gmail and you can't get to Perhaps your bills or, 26:12or something, whatever is in there. That's very scary. And 26:16I could see people shelling out a lot of. I, 26:19I think they reference gift cards so shelling out a 26:22lot in gift cards to get their accounts back and 26:24who knows if they are ever reverted to whatever age 26:28actually are or if they just get to stay 10 26:31forever. There are, there are two things there that I 26:33want to kind of pick up on. The first is 26:35like you said, I can see, you know, a scenario 26:38where this becomes almost like a, a method of wiping 26:40accounts. Right. Like if you think of those, the Australia 26:44social media bands, I think it's like people under 16 26:46just can't have an account flat out anymore. And it's 26:48almost like again, I don't know if this would work 26:49and I'm not trying to give anybody ideas, but I 26:51could see a situation where you get on there, you 26:52change someone to age, you basically destroy their account, delete 26:55it, it's gone. Right. And then the other thing that 26:58you had mentioned too was that. This is a kind 27:03of situation where people might be willing to pay a 27:07lot of money to get these things back because they're 27:09very, very dear to us. And it got me thinking 27:12about, I don't know, is that like a fundamental flaw 27:14in, in how we approach our, our security or our 27:17security hygiene that we rely on such a free service 27:20like this for so many things. Ian, let me throw 27:22it over to you because you know much more about 27:23this stuff than I do. Any thoughts on that or 27:25this attack in general? What are you thinking here? Another 27:28couple of things interesting. All roads seem to lead to 27:30Gmail and once you get locked out of that, you 27:33lose access to everything else. But I can say the 27:37unintended consequences of that, how difficult it is to get 27:40access back. The fact that Gmail is effectively an unsupported 27:43service because it is free, so there is no tech 27:46support you can call up and complain to. The different 27:49forums I saw indicate that if you have it tied 27:51to a YouTube account, you actually have to go through 27:54YouTube to get access to it. So unless you have 27:56a channel there. And that seemed to be the only 27:58kind of road and trying to figure out, well, what 28:01is the way to get access back when you actually 28:04do put all of your eggs in this one basket 28:06where you have no recourse. Yeah, no, I think it's 28:09extremely scary. Sridhar, I want to bring you in here 28:11and get your take on it and also specifically on 28:14this being a situation where they're using kind of, well, 28:16intentioned controls to do some harm to us. Like Claire 28:21said, it's like hacking in its purest form. What's your 28:23take on this whole situation? I think there's a couple 28:24of demograph dimensions over here, right. I mean, first just 28:27picking up, leaving. I mean, picking up where Ian left, 28:29right. This is not a new. You know, revelation. This, 28:35this exposure has been there for almost a year actually. 28:38Right. And Google has still not fixed it. So that 28:41kind of goes to the point that Ian is saying 28:43is, you know, it'll happen when we will make it 28:46happen. Right. So for me, I think is a couple 28:49of things. If you're really relying on the single point 28:52of failure across all the things, then make sure at 28:55least it's done right. Like don't use passwords, use passkeys. 28:58Right. Make sure that there's some level of a token 29:01or that credentials cannot be stolen. So if you're putting 29:06everything into one place, make sure it's a good, solid, 29:09safe. Right. I'm not advocating for that, but if you're 29:12doing that. But the other dimension is, yeah, I mean 29:15this is a single point of failure which has your, 29:18not just email, but your financial information, your pointer to 29:22your bank statements, pretty much everything. Right. I'm not giving 29:25my IBM address to my financial statements. Right. That's what 29:29I'm doing. So it's better to do a little bit 29:32of a difference in depth and have a different account 29:35that provides access to your sensitive information and use this 29:39for probably nonsensitive. Right. So trying to combine your. What 29:44we do in enterprises, we say that go and discover 29:50data, classify the data and protect your sensitive data differently 29:54than non sensitive data. I think we should try to 30:02you're using it, use it correctly. But if you're option 30:07not to use it, then try to think about how 30:10do you safeguard your most sensitive information with the right 30:13set of tools versus using one for everything. Right. I 30:17think it's an extremely good point bringing up this concept 30:19of defense and depth and kind of being able to 30:22apply that to so much of what you do. Ian, 30:24I think I might have cut you off. You want 30:25to jump in there? No, I was going to ask 30:26a question. I mean, how many email accounts do I 30:29actually need to make myself more resilient to these types 30:31of threats? Then you have another problem. I have a 30:35passkey, it's a yubikey, I can show you right now. 30:39And unfortunately it died on me this morning, so I 30:42can't log in remotely because my UV key died. And 30:45so I was thinking about this. What would I actually 30:47do? I now have to have one of the recovery 30:49accounts, which might be my wife. And now that's another 30:54potential weak link. I'm using in a passkey as an 30:57example of the defense. But one should use more than 31:01one passkey as an example. Something like a hardware device 31:06that you have, you can use your touch id, right. 31:09As well as have backup mechanisms where you're not just 31:12saying that this is a child account and something happens, 31:15you cannot unlock it. But having, like you said, your 31:18partner or your extended family be able to open that, 31:22those are the techniques that one can use. Right. So 31:25backup Yubikey at home so I'll be able to get 31:27back in, no problem. But I was just thinking about. 31:30The resiliency problem that we actually have here and then 31:33kind of leaning back on this notion of the unintended 31:38consequences of these different security procedures. So when you actually 31:41give someone else access to unlock your account, can that 31:44be weaponized? And I think this is what Claire is 31:46saying. Everything is at some point going to be weaponized 31:49and there's going to be some unintended consequence that someone 31:53didn't think about when they designed the system system. And 31:55that's kind of the mentality we. Have to get into 32:05key thing on my laptop. Sridhar, you mentioned passkeys. If 32:10you're somebody who's not technically savvy, you may not have 32:13any of these things implemented. And I'm not sure about 32:16the customer support that Gmail has for free users. But 32:20I've recently had an issue with my Meta account where 32:23I'm trying to figure something out. There's some kind of 32:25like, weird block on my account and I'm trying to 32:27get it fixed because I'm trying to sell things on 32:29Facebook Marketplace and I, I can't contact Meta unless I 32:33pay to contact Meta. So there's another issue there where 32:38it's like, if you don't want to pay for a 32:41subscription to one of these services and maybe I don't 32:45know if Google has the same policy, but if it 32:47were on a platform like Meta, this would be a 32:51huge issue and all these people would also have an 32:54issue. And, and think about all the payment information that 32:56is also stored in Meta or, and where, where else 32:59it's connected to because it's almost I see Facebook as 33:03an option a lot more frequently as a login option. 33:06So it's, it's kind of like the, we put a 33:09lot of trust in these platforms but if, if you 33:11need help, you might not be able to get it, 33:13especially if you don't have any of those, you know, 33:18extra access options enabled. Yeah, I think that's an extremely 33:23good point. Right. And again it comes back to this 33:25concept of so much like, of our load bearing Internet 33:28infrastructure is like free services, right. Which like turns out 33:31to be a double edged sword in this way because 33:34like you said you have to pay to get your 33:36account back. That's. Nobody wants to be faced with that. 33:39Right. And Ian, I also wanted to just spotlight before 33:41we move on this, this notion that you had said 33:43about, you know, everything can kind of be weaponized eventually. 33:46Right. And like even the, the protections you put in 33:49place can like under the right circumst become weapons in 33:51their own. Right. That's what we're kind of looking at 33:53here. Right? Like that is exactly that situation. And so 33:55you're kind of foreshadowing something, this resilience conversation that I 33:59hope to get into in our final segment. But on 34:02that note, we do have to move on to our 34:03next segment. When ransomware reveals a bigger threat. Researchers at 34:13Positive Technologies shared a curious case where a ransomware infects 34:17ended up alerting its victims to the existence of a 34:20much quieter and separate apt, or advanced Persistent Threat lurking 34:24in their network. While investigating a victim's compromised system, the 34:28researchers found evidence of Quiet Crabs, which is an espionage 34:31oriented APT known to quietly dwell in systems for hundreds 34:35of days. How did they find them? It's because a 34:37much noisier attack believed to be the work of ransomware 34:40gang Thor was also underway. Whereas Quiet Crabs uses unique 34:45tools and tactics, including speedy exploitation of new vulnerabilities, Thor 34:50used some commonly known tools which meant they triggered more 34:53kinds of alarms and called attention to some of this 34:55activity. And Quiet Crabs got caught in the kind of 34:58crossfire. Shridhar, I'm wondering what this story tells us about 35:02apts and particularly how hard they are to detect. I 35:06mean this is a situation where we didn't even know 35:08there was one until somebody else showed up. How confident 35:10can we really be that that something's not lurking in 35:12our systems right now? Now and the we. I mean 35:15it's just general users, right? Go ahead. It is hard, 35:17right? I mean apts by design are silent and not 35:20noisy as some of these things that you see they're 35:24supposed to be advanced and persistent and that means they're 35:28just lurking and patience. Right. And part of the reason 35:32why we do. The threat intelligence report every year. Right. 35:38And every year I'm surprised to see that that. The 35:43number of days to identify a threat is like 300 35:46almost a year. Right. And that tells me that anybody 35:51who is making a lot of noise is going for 35:54a quick buck. Right. But the real money is in 35:59this advanced persistent test where they will play the long 36:02game which is make sure that you not just go 36:05and circumvent the controls on the endpoint point go and 36:09reach out to command and control silently move laterally until 36:13you're confident about doing something. Right. So it's lucky that 36:17we were able to find this quite crabs through some 36:21noisy attack but not many people are as lucky. Until 36:28you get to certain situation where it is probably a 36:33little bit too late it so Yeah, I think APTs 36:38are dangerous and just because you find something that doesn't 36:43mean you need to stop looking. Even after you find 36:48out that you probably remediated it. It's good to continue 36:51to look beyond the D day to see if there's 36:55any activity which is. Different behavior than what you expected. 37:02Yeah, I like that point. Just because you find something 37:04doesn't mean it's time to stop looking. Right. There's more 37:06digging to do. Ian, any thoughts on your end here? 37:10Yeah, it's kind of like that proverbial iceberg But I 37:13feel like this wasn't actually the first time we've actually 37:15seen this as well where you went and there was 37:17one very, very noisy attack. Someone maybe tripped or made 37:20a mistake and they're actually able to discover that there 37:22was someone else who had actually been in the network 37:24multiple times. Look, not all of us are going to 37:26have a silver lining of a in a ransomware attack, 37:29but sometimes you do have that silver lining. Right. It's 37:31quite funny. Claire, any thoughts on your end here? I 37:34really love the name Quiet Crabs. It sounds like a 37:38like beachy indie band of some kinds. Really great name 37:42and really works for you know, their stealth in the. 37:46In the network. So I really like that. And they 37:47probably are moving laterally like a Crab. I think APTs 37:52are also just very interesting in general. A lot of 37:57people are like you mentioned, I think Sridhar, you said 38:00looking for the quick buck and curious or concerned about 38:04ransom. But I think people should be more concerned about 38:08APTs because they are in your network and they are 38:12waiting for the right moment to strike. And if they're 38:17just Hanging out there. They can do that on a 38:21weekend or a holiday or they're ready, they're waiting for 38:25the moment. Ready not just to encrypt systems. To, you 38:31know, to make money quickly. They're, they're exfiltrating, they are 38:35working. On their end to wait. So they're ready. So 38:40you're not ready. So I think people should be a 38:44little more concerned about them. And people don't always want 38:46to admit that, oh, we weren't detecting anything within our 38:50network either that we just, we've been sitting here for 38:54300 days and haven't recognized that. So I think a 38:56lot of people don't want to admit that they are 38:58concerned about APTS either. Or to say like we would 39:03detect that very quickly and perhaps they wouldn't. And it's 39:07evident that they wouldn't because lots of organizations are breached 39:11and attacked each year by these groups. Yes. Like Sridhar 39:14said, right. In IBM's own research, the cause of the 39:16data breach report, you know, routinely, it's like it takes 39:19like 300 something days to like detect and remediate a 39:22breach. Right. So it's like you're not alone. Like, you 39:24know, maybe that's one of our messages here for folks 39:26is like don't, don't feel ashamed of that. Like, okay, 39:29might have taken some time, but you are not alone. 39:30You're the norm with that kind of thing right now. 39:33We can't always like count on threat actors to, to 39:36be noisy and we can't always count on the noisy 39:38ones to kind of give away the other ones. So 39:40I'm just wondering if we have any thoughts, you know, 39:41looking at this. Does this change anything about how you 39:44think about how we investigate threats? I mean, shhar, you 39:47already said, you know, don't stop looking just because you 39:49found something. I think that's a really wonderful way to 39:51put it, but I just wanted to open it up 39:53before we move on. Any last thoughts here? I'll start 39:55with you, Ian. Any last advice you'd give organizations when 39:58it comes to apts? Well, definitely you could be proactive. 40:00You can constantly look at your logs. You get to 40:03run different analytics. I think with the additional automation that 40:06we actually have now through agents, you could take any 40:08threat and where you might not be able to have 40:11a human actually spend the time to go through and 40:12investigate that. You can just let an AI agent go 40:15and run through your logs. Do these different correlations pull 40:19down different threat intelligence and whatever it might be is 40:23at the time this was not known but new piece 40:25of information came out and as you're constantly churning away 40:27at it, you might realize that hey, this was actually 40:29the connection that we actually needed to realize that no, 40:32this is not just background noise. This was not like 40:35a one off. This actually was potentially an incident. The 40:38last thing I'm able to say is I always heard 40:40there is two types of companies, those who know they've 40:43been compromised and those who don't know they've been compromised 40:45yet. It's a very good way to put it. And 40:49I also like, yeah, this idea of this is a 40:51really good use case for AI agents. Like you said, 40:53you might not be able to put a person on 40:54investigating all this stuff, but you got agents, that's a 40:57good way to put them to use. Sridhar, any thoughts 40:59on your end? I'm a little bit worried. Right, like 41:03you know, 2025, the number doesn't change. Right. Still almost 41:07a year before we find. I think we need to 41:11start thinking about, you know, how do we go after. 41:15These brands persistent threats activity more proactively. Right. Whether it's 41:20threat hunting, whether it's doing behavioral analytics, you gotta change 41:24the game a little bit too. And Ian's point about 41:27fine, maybe it is a human bottleneck. So fine, let's 41:30use digital workers as a way to go through that. 41:33I think we need to start embracing a little bit 41:35more proactiveness. And hopefully we'll bring down the number from 41:40300 to less than that. Absolutely. And Claire, any last 41:43advice for organizations when it comes to apts? Back to 41:46kind of what I mentioned earlier, Prudently overreact. If you 41:49notice something that's, that's a little strange, don't just consider 41:54it like. A small anomaly, it could be something bigger. 41:59So you know, as Ian mentioned, agents will really help 42:03you look into some of those lower level alerts. It's 42:06important to kind of be able to cover your bases 42:09and at the same time rely on agents and not 42:12burn out your security staff either. If I remember, wasn't 42:15that how they found the RSA breach? One person found 42:19something, everyone said they were overreacting, but they just kept 42:21sticking at it until they finally uncovered the entire threat. 42:24So that's a perfect kind of example of why it's, 42:26you keep digging, why it's worth doing that digging. Let's 42:29move on then to our final segment because we are 42:31almost out of time here. Airbus flights grounded by intense 42:35solar radiation. Now, I like to end the show with 42:42something kind of ridiculous or wacky and I think this 42:45is a really good one. In that vein, vein, 6,000 42:47jets needed to revert their systems to an earlier software 42:51version after it was discovered that bursts of intense solar 42:55radiation were corrupting data in the newest software and disrupting 42:58critical flight controls and even leading to some, some injuries 43:01of people when we saw some sudden, you know, planes 43:03kind of suddenly losing altitude and whatnot. Now none of 43:06us here are physicists, so I'm not asking anybody to 43:08talk about how solar radiation works and what you can 43:10do about it, but instead I just wanted to. This 43:13whole thing made me think about an aspect of cyber 43:15security and system resilience that I feel like gets less 43:18attention. At least where I hang out it does, which 43:20is these threats to our systems from things other than 43:23human hackers. Right. The natural world. Natural disasters can shut 43:27us down and not even disasters, solar radiation, you know. 43:30So I'm just wondering, you know, we'll do a quick 43:32roundtable here. Do you think our security approaches today address 43:35this issue enough and if not, how can we make 43:38them better? Claire, I'll start with you. Any thoughts there? 43:41So I think the impacts of this are still kind 43:44of going on a little bit. I've heard of so 43:46many flights being delayed still and, and no one likes 43:50an airline disruption that is like the one industry where 43:53continuity being disrupted is the absolute worst. I think a 43:57lot of organizations are actually thinking about the. Meeting point 44:03of acts of God or weather. And nature and cybersecurity 44:11or cyber resilience and business resilience. We have a lot 44:14of clients come through the range that will say we 44:17want to frame our scenario around a snowstorm and we're 44:22an organization in Texas and like, because that happens right, 44:27your, your continuity will be disrupted. And if there's a 44:31cyber attack and you need to get to, to people 44:34and tell them that their, their power is still going 44:37to work or their water utilities or, or whatever are 44:41still going to work. You, you, you have to practice, 44:43practice that. So I do see a lot of organizations 44:46thinking about, you know, this is during wildfire season or 44:50hurricane season and thinking about what would happen if our 44:54data centers went out on this side of the country 44:56when we operate on this side of the country. Because 45:00of natural disasters. So I think a lot of organizations 45:03think about okay, and where, how are we still going 45:08to continue? Whether it's a natural continuity issue or cybersecurity. 45:13Because as mentioned earlier, APTS will just kind of sit 45:17in your network and wait until you are at a 45:20bad place. So if they are, you know, following the 45:23weather of wherever you are and there is a hurricane 45:26and that they might choose that moment. It's, it's not 45:29impossible. So I see a lot of organizations kind of 45:34working on this more should though. Yeah, that and I'm 45:37glad to hear that you seeing that. And I think 45:38like the Texas snowstorm is such a good example of 45:40that. We've all seen the, the sort of news stories 45:42about Texas grinding to a halt when certain amounts of 45:45ice hit them. So that's a good thing. But you 45:48also bring up, before I continue the roundtable, just a 45:51real quick question. You also bring up the idea of 45:53hackers kind of taking advantage of this, you know, sort 45:56of natural disasters and the like to wreak some more 45:58havoc. And I have a question here actually from one 46:01of our producers about would it be possible for a 46:04hacker to duplicate this kind of solar radiation damage using, 46:07I don't know, UV or something? Ian Sridhar, any thoughts 46:10on that? Is this a duplicable thing you could do? 46:13You know, I would take a step back. Right. The 46:15solar radiation is just a symptom of a bigger problem, 46:17right? The problem is there are going, you, there are 46:21going to be situations that will impact the system availability, 46:26resilience and operational resiliency for lack of better it, right. 46:30That juxtaposes with cybersecurity. Now that could be temperature. Yes, 46:35of course you can, somebody can crank up the emf. 46:38We've seen that in the movie, right? Or whatever. Forget 46:41the movie now. Ocean's Eleven, I think so I kind 46:45of look at those as. I look at the solar 46:49radiation as an example of these external calamities that can 46:53impact the operational aspect of a system. System that, number 47:00or number two, that somebody can take advantage of it 47:04and misuse for a different thing. Right. But the core 47:07thing is how do I design system to be operationally 47:11resilient so that I can minimize the cybersecurity. Impact of 47:17that Makes perfect sense. And it kind of sounds like 47:19maybe this is something that would more happen in a 47:20movie in terms of hackers exploiting UV to duplicate the 47:24damage, you know. But it's not even that, right? It's 47:28not even that. Like let's say for example, in the 47:30same plain example, you have a three mile redundancy. It's 47:34the same hardware, it's the same software running three times. 47:38If it's going to fail, it's going to fail all 47:40three. Right. Instead I think we need to think about 47:44a mechanism by we introduce a diversity where fine you 47:47may have hardware version A and software version 2 and 47:51hardware version B software version too. So that you're thinking 48:03Or create solar radiation. It could be as simple as 48:07exploiting the same software three different times. Right. So no. 48:12Yeah, I like that a lot. You know, putting the 48:13focus really on the concrete activity you can do instead 48:15of some of this sort of wilder stuff. Ian, we'll 48:18end here with you. Any thoughts on your end in 48:21terms of how we approach this stuff? If we're doing 48:23a good enough job, if we could do better. What's 48:24your take? Yeah, I think just kind of adding what 48:26was already said. I mean, there's always going to be 48:28a weak link. There's going to be dependencies to systems 48:31that we're not expecting. You're going to have cascading failures. 48:34I remember the 2003 Northeast blackout because one power plant 48:38went out. I remember reading as a result of some 48:41other studies, there's a single chain link fence in Kansas 48:44and if you cut the link there, it causes massive 48:47outages. If you think about software, and this maybe was 48:50kind of going back to the react when you have 48:52a single dependency, it's the proverbial one person in Kansas 48:55maintaining a prod and everything depends on it. We just 48:58don't really know. I think that's really the problem is 49:00that we don't know where the weak links are when 49:03they fall over, typically until they do fall over. And 49:06then if you think about having backups and disaster recovery, 49:10they're not always tested. And a lot of times when 49:12you actually go and you try to test your backups, 49:15typically with a ransomware incident, you find out that they've 49:18not been working or their tapes are corrupted or someone 49:20overwrote them. And so really it's thinking through, through all 49:24these different things that can potentially happen. Analyze it, determine 49:27where the weak links are, where you don't have the 49:28protection and the redundancy that you think you do, and 49:31then kind of making a plan for that. Awesome. That's 49:34a great way to end it. Thank you for being 49:36here, folks. It's all the time we have for today. 49:38Thank you, Sridhar, Claire and Ian. Thank you to the 49:41viewers and the listeners. Shout out to YouTube commenter at 49:44the bar who shared some thoughts on our last video 49:47about how devs could protect themselves and their brands during 49:49software supply chain attacks. Tax. I love hearing from people 49:52about this kind of stuff. So please, please weigh in 49:54if you have thoughts. As always, subscribe to Security Intelligence 49:57wherever podcasts are found. Stay safe out there and test 50:02your backups. I guess.