- What: Discussion on network edge vulnerabilities and threat actor strategies
- Impact: Industry insights on cybersecurity challenges and solutions
In this episode of Below the Surface, Paul Asadoorian, Vlad Babkin, and Adrian Sanabria discuss the ongoing vulnerabilities in network edge devices, the implications of legacy systems like Ivanti, and the strategies employed by threat actors. They explore the importance of monitoring and detection in cybersecurity, as well as innovative deception techniques to enhance security measures against exploitation. In this conversation, the speakers delve into various aspects of cybersecurity, including innovative strategies to enhance security, the challenges posed by vendor cooperation, the implications of cyber insurance, and the importance of visibility in threat detection. They discuss the use of canary tokens, the exploitation of edge devices, and the reality of zero-day vulnerabilities. The conversation also touches on the need for firmware updates, the shift towards open-source solutions, and the role of AI in developing cybersecurity tools.

Transcript

Paul Asadoorian: Welcome to Below the Surface. This is episode number 69, being recorded on Friday, February 27th, 2026. I’m your host, Paul Asadoorian, and joined by Mr. Vlad Babkin. Vlad, welcome.

Vlad Babkin: Hello?

Paul Asadoorian: And our very special guest for this episode, no stranger to podcasting, Mr. Adrian Sanabria. Adrian, welcome.

Adrian Sanabria: Hey, Paul, nice to be here. I’m excited.

Paul Asadoorian: Awesome. Yeah, it’s good to have you, man. We were chatting and I was like, hey, I’m doing a podcast on this topic, and Adrian’s like, yeah. We talked about, I mean, you talk about a wide array of topics on Enterprise Security Weekly, so it’s good to have you. Let’s see, so before we get started, Below the Surface listeners can learn more about Eclypsium by visiting eclypsium.com/go. There you’ll find the ultimate guide to supply chain security.
An on-demand webinar I presented called Unraveling Digital Supply Chain Threats and Risk, a paper on the relationship between ransomware and the supply chain, and a customer case study with DigitalOcean. If you’re interested in seeing the product in action, you can sign up for a demo at eclypsium.com/go. Well, as I was gonna say, a webcast, we did, it was interesting, we did a webcast called Firewalls on Fire, and realized that the title, the first part of that title, overlapped with a DEFCON presentation from the last year or two. And so we heard from the author of that DEFCON presentation. In the top, yeah, it’s a great title. And I apologize again for the name collision, but go check out that person’s Firewalls on Fire DEFCON presentation, as it covers the same stuff. And some of what we’re going to talk about today is the continuing problems that we have with

Adrian Sanabria: It’s a good title.

Paul Asadoorian: network edge devices, which just, it blows me away that we’re still here talking about it, but somewhat also not surprised that we’re still talking about it. Because this trend, I think, is still on the upswing in my mind. Adrian, I want to get your thoughts in general on the just general trend of attackers going after these network edge devices.

Adrian Sanabria: I mean, you know, on the one hand, I do have a blog post where I kind of talk about this. I refer to the asbestos of IT, which is all these file transfer servers, FTP, VPN, like old-school IPsec and SSL VPN exposed to the public internet. Like, we don’t have to expose all that attack surface in 2026. We have stuff like Tailscale. We’ve got, you know, WireGuard.

Paul Asadoorian: I love Tailscale, I love Tailscale, dude. It’s so awesome.

Adrian Sanabria: ZTNA technologies that allow us to access remote resources without exposing TCP services or UDP services to the public internet, which is how most of this happens.
You know, most of these edge vulnerabilities we see, and I don’t know SD-WAN a little bit. We’re going to talk about that. I’m not sure I understand the, whether or not that is absolutely necessary to expose to the public internet.

Paul Asadoorian: Right.

Adrian Sanabria: Because it looks like an authentication, an issue in the authentication system that is exploited there. But generally, I think there’s a lot of work we can do to just re-architect to remove a lot of attack surface.

Paul Asadoorian: Yeah, agreed. We’ve touched on that before, Adrian, and I’m just puzzled as to why enterprises are still kind of stuck on these somewhat legacy VPN models. If you read the Bloomberg article on Ivanti, it covers some of that history. So go ahead, Vlad.

Vlad Babkin: I can add a little bit of oil into the fire, actually. If you take a look at modern devices, one example is MikroTik, which I use for my home network. And it’s not that hard to configure them to not expose anything but the OpenVPN. Like, MikroTik actually can run the OpenVPN server on top of it, or WireGuard, or whatever, both of them. And in this case, if you configure it correctly, firewall it off and everything nicely, the only port that you will expose to the public is literally OpenVPN, and whatever you want to expose to the public, like maybe forward some service inside of the network. Certain devices, which probably are not very enterprisey, already even have a solution to this. So the insistence of enterprises on using stuff that literally exposes management interfaces is strange to me.

Paul Asadoorian: Yeah, I’m somewhat ignorant to exactly how Tailscale works, because you don’t have to expose a port to the internet, but Adrian, go ahead.

Adrian Sanabria (06:20.43) And the, the, I think.
Adrian Sanabria: Yeah, I think the other factor here is that these all tend to be legacy products where their code base has existed for 10, 20 years in some cases, you know, that are not really receiving a lot of quality-of-life updates, you know, just a bare minimum to be able to keep selling them. And as we see from the Bloomberg article about Ivanti here,

Paul Asadoorian: Mm-hmm.

Adrian Sanabria: They’re not even interested in doing that. They’re not even interested in going after the security issues and fixing them. They’re kind of just letting them, letting whatever is going to happen happen.

Paul Asadoorian: No.

Adrian Sanabria: So maybe avoid some of those vendors and products as well, right?

Paul Asadoorian: Yeah, for sure. So there is a Bloomberg article. I do want to state, and I talked about it on my other podcast too, Bloomberg wants to charge like $2 a month, which would be fine, except I need to read a Bloomberg article like maybe once or twice a year. Like, if they had a cybersecurity section and it was at least somewhat, if it was value-wise worth $2 a month, 100%, I would subscribe for $2 a month, right?

Adrian Sanabria: Once a year.

Adrian Sanabria: So I recently found, believe it or not, I got a new library card for the first time in 40 years. And you can access a lot of magazine subscriptions with a library card without having to pay for them. Yeah. They have like an app you can put on your phone. I forget the name of the app, but,

Paul Asadoorian: Mmm.

Paul Asadoorian: Interesting. Hmm.

Paul Asadoorian: Yeah. I don’t want to take away from, like, I understand why they want to charge $2 a month. And look, I would rather have you charge $2 a month than try and do some, like, crazy advertising thing that, from a cybersecurity standpoint, is somewhat risky. So I appreciate it. I get it. Everyone’s going to make a living.
But the audience, like, when you put together one really good, or once or twice a year, a really good cybersecurity article, well, I can’t justify it.

Vlad Babkin: Wow.

Adrian Sanabria (08:24.11) It’s called PressReader is the name of the app. And you just put, yeah, you just plug in your, what library it is and your library card number and boom, you can read, like, that’s The Economist right there, which is a really expensive subscription. Yeah, yeah. So that’s, that’s a hot tip. You can get a library card for free.

Paul Asadoorian (08:25.77) Okay. Yep. PressReader requires your library card number or whatever.

Paul Asadoorian: Oh yeah, I used to subscribe to The Economist. It was, I haven’t read that in a long time.

Paul Asadoorian: Right. And of course, like, I don’t, like, we’re hackers. It’s not like it’s public knowledge how to get around paywalls. Like, it’s not even, most LLMs will tell you some ways to get around paywalls. And so no knock to Bloomberg. But I really want to read the article. And I wasn’t the target market for the subscription. So in any case, I’m reading the article. It’s a really good article, though. Bloomberg interviewed, seemed like, a pretty large number of ex-employees of

Adrian Sanabria: And you. Yeah.

Paul Asadoorian: Ivanti and of Pulse Secure, right? Because that was, I forget how Ivanti was created. Did Ivanti ever have their own software, or were they just a company that was created to acquire other companies?

Adrian Sanabria: No. Yeah, yeah. So they were a combination. It was just a new name they gave because it was HEAT Software and, you know, Shavlik and, like, all these different companies. Yep.

Paul Asadoorian: Mm-hmm.

Paul Asadoorian: It was Shavlik, the patch. Is that what their EPM is? That’s Shavlik. Okay, that makes sense. It makes sense that there’s nothing truly new. Then when I hear these things and I talk about them, I’m like, what’s Ivanti EPM?
If someone had just told me, by the way, that’s Shavlik, it would have saved me a lot of reading. Because I’m like, I already know what that product does. I’m just old.

Adrian Sanabria: Yeah. Yeah, it was.

Adrian Sanabria: Yeah, I just happened to be an industry analyst when all that was happening. So I covered a lot of that. I wrote up a lot of that merger and acquisition stuff.

Paul Asadoorian: Yes. Right. So Ivanti is really just the shell company, if you will, and it acquired MobileIron, for older cybersecurity folks like us, we recognize those names, and it acquired Pulse Secure. And then rebranded it to Connect Secure. So you’ve got this really confusing naming thing where you’re like, wait, what is this VPN? Is it Ivanti? Is it Connect Secure, or is it Pulse Secure? Today, it’s Ivanti Connect Secure. That is the product. You can run it as a virtual appliance or a hardware appliance. And then again, they have other offerings. But it is the Pulse Secure Connect Secure line that this article is focused on. Do they touch on MobileIron a little bit in here? I’m not sure. They look like they’re primarily focused on the Pulse Secure Connect Secure line. And it really shed light as to why we’ve got some of the problems that we have. If you believe me, some people are skeptical. Some people are like, well, you know, this article’s overblown. It’s not really, you know, Ivanti tried to do some hand-waving. And I think some other analysts were like, it’s not as bad as that Bloomberg article painted it out to be. But they do make a pretty compelling case. Vlad, Adrian, I don’t know if you got a chance to read this article, but I thought it was really good.

Adrian Sanabria: Yeah, I mean, 119 organizations breached. There’s a handful, I can count on one hand the number of companies whose products got over 100 companies breached because of one vulnerability, right? There’s like MOVEit DMZ.

Paul Asadoorian: And that was the supply chain.
That was the supply chain breach, where the Russian threat actors breached Pulse Secure in like 2021, backdoored the product, and it shipped to 119 customers. I think we knew that, but we didn’t know how many customers, right?

Adrian Sanabria: Mm-hmm.

Adrian Sanabria (12:04.1) Yeah, yeah, this is huge. It’s, you know, MOVEit DMZ hit a lot. And, and yeah, it’s not just once though, right? Like, it just keeps happening.

Paul Asadoorian: And then have other vulnerabilities that get exploited by threat actors, 100%.

Adrian Sanabria: And the one thing that this article doesn’t drop in there is the fact that Ivanti was one of the signers of the Secure by Design CISA pledge back in 2023, right in between all this stuff. And we do have some inside knowledge here from the former CISO of Ivanti saying, yeah, there is no effort to fix any of this stuff.

Paul Asadoorian: Right. Yeah.

Paul Asadoorian: Yeah, so we have first- slash secondhand accounts, however you want to count them, of that kind of thing happening, which is telling. But what was even more, I think, like, important and carried a lot of weight was not just the number of customers that they lost, but who those customers were. So basically, at one time, like, we had pre-pandemic, then the pandemic hit, and everyone went out and bought VPNs, and VPN spending was on the rise during the pandemic. Then, as the pandemic kind of waned down, people started ditching their VPNs. And also it should be important from a business standpoint, at that time, Ivanti made that decision to go from you buy it and pay us upfront to a subscription model, which further hurt them financially. There’s some numbers in there financially that are just astonishing.

Adrian Sanabria: Yeah, they went from like 300 million in revenue on this product to 150 million in revenue in like 18 months. Even the US government was saying, there’s no other advice we can give than stop using this product, which is rare.

Paul Asadoorian: Mm-hmm. Right.
Paul Asadoorian (13:50.38) And they did. And they lost the Navy, Air Force, Army, and several private companies. It’s here in the article. I’m trying to find it. But they lost a huge amount of DoD customers and a huge amount of private companies. And actually, funny, I remember talking to a CISO. And I’m not saying that this is the case, because you can go look it up in the PSW archives. But…

Adrian Sanabria: Yet.

Paul Asadoorian: we were having this conversation and he kind of hinted towards, live on the air, that we’re making decisions to get rid of technology based on security incidents. And now my guess is he was referring to Ivanti after this article came out. And again, that’s just speculation on my part.

Vlad Babkin: And just.

Adrian Sanabria: And there’s some stats out there. Looks like most people jump to Palo Alto, like something like 70% of all VPN use is, what do they call it? GlobalProtect. Yeah. That’s where it came from. Yeah.

Paul Asadoorian: Yes. It is the GlobalProtect. Yeah, the latest GreyNoise report, GlobalProtect was huge. Yeah, huge in numbers on that. Sorry, Vlad, you were trying to say something.

Vlad Babkin: It’s not even that surprising. You’re running a cybersecurity company. I’m not speaking just about Ivanti, just every one of them. If you refuse to fix vulnerabilities in your product over years and years and years, and they keep piling up, and people start talking, hey, there is no effort to fix them inside your company. Well, it’s going to eventually translate into a huge reputational hit, after which you just lose customers. Because de facto, all of the VPN companies, like, they use WireGuard, OpenVPN maybe, maybe. And it’s literally just two, three protocols in play. And in general, none of them invented anything radically new. Like, I don’t know about Tailscale in this case specifically, but most of the appliance-based stuff is literally OpenVPN nicely bundled in the box, right? So this is…

Paul Asadoorian: Yeah.
And some other weird VPN binaries that I haven’t gone back and looked at the lineage of. I think it would be an interesting study. But a lot of these network edge appliances are, so you’ve got Ivanti, Fortinet, Palo Alto, and Cisco. You can trace back these, the buffer overflow vulnerabilities, right, since they’re Linux under the covers, to a Linux service that’s listening on

Vlad Babkin: Yeah.

Paul Asadoorian: typically the default port of 8443, and typically that’s like /sbin/sslvpnd. And it’s that binary that contains the memory corruption flaws that have been, when, you know, that’s just one class, obviously, of bugs that we have in there. It’s perhaps, I don’t want to say it’s the most detrimental, because it’s memory corruption; keep in mind, you have to tune your exploit to your target. So these devices can be run as virtual appliances on x86. So you need a specific kind of exploit for that. They can also be targeted at a physical appliance. But those physical appliances, as is the case in Fortinet, they’re ARM32. And then I think, like, newer models are ARM64. So you take all those three platforms as an attacker. If I’m going after memory corruption and I need a ROP chain, I need to execute a payload. It has to be tuned for that platform, right? And tuned for that version that is installed on that platform. So if you’ve looked at, and I’m not picking on Fortinet, I just happened to look into it. They’ve got a lot of different versions of FortiOS. Like, I think version five, six, seven, and I don’t know if they’ve gone to eight yet, but six and seven are some of their major versions that are still supported, even in six. But there’s a lot of different versions of them.

Vlad Babkin: That’s it.

Paul Asadoorian (17:38.33) And if that binary changed in between those versions, you have to adjust your exploit for that version that’s running either on x86 or ARM32 or ARM64. So you have those problems.
But keep in mind, a memory corruption exploit gives you code execution on that Linux layer, which is super useful for attackers, right? Then what I noticed threat actors doing is they’ll go into the bootloader on those devices and maintain persistence. They’ll somehow embed themselves either through symlinks in different partitions or right in the bootloader, like ROMMON on Cisco FTD devices, they’ll actually infect the bootloader. And I’m not just saying, like, that’s a thing and it’s possible. That’s based on, I’ve looked at the vulnerability in Fortinet, which threat actors have used. How have they used that? How have people observed those threat actors doing it? And that’s where that information comes from, which is actually, it’s so much fun, I’m overwhelmed, because you can do this for all the major platforms. You take the major vulnerability, and then you go start tracking threat actors, and then you start drawing parallels to what they’re doing. And they’re basically all using this as jumping-off points to collect credentials and conduct operations. It’s C2 infrastructure as well. Vlad, go ahead.

Vlad Babkin: Anyways. Massive case in point, all of the added value for these devices does not come from VPN features itself. It comes from all of the added services on top of the binaries they just keep reusing. And like, if you suddenly stop providing that added value,

Paul Asadoorian (19:07.34) Yes, I agree.

Vlad Babkin: Bye-bye, company.

Adrian Sanabria: Yeah, why not just use, right.

Paul Asadoorian (19:18.41) If you just needed one device, right? Like, you’re an individual or even a small company, you need one device, you could use Tailscale, stand up a pfSense, OPNsense, OpenWrt, and you’d be fine. The enterprise use case is they need tens, hundreds, thousands of these potentially deployed. So not only do I need something that can be deployed very reliably, but I need a management layer on top of that. And if you look at Palo Alto, Fortinet,

Vlad Babkin: Yeah.
Paul Asadoorian: and Cisco as examples, their management platforms are also, like, huge beasts of software that help you manage all that infrastructure, which, by the way, have also had vulnerabilities that are exploited by threat actors. So you just keep increasing your attack surface in this area in an effort to provide security for your company, which is crazy.

Vlad Babkin: Yep, and in this case, like, the real solution to this probably would be when somebody comes out with a service which allows you to deploy all of this, Kubernetes containers and whatnot, and just containerize this OpenVPN without any extra interfaces so that, like, it’s managed with normal infrastructure-as-code kind of stuff. But that doesn’t exist yet in my brain.

Paul Asadoorian: Sure. Yeah, I know there’s some, and I think they’re for, like, training purposes, but I know that when I looked at yesterday, I was looking at Juniper platforms, it was like, how can I virtualize them? And they had one platform that it looked like it spun up a container, a Docker container, and inside the Docker container, it runs Linux KVM and virtualizes one of their platforms. And I was like, really? Inside a Docker container? They said they did that to make it easier for people to deploy. They said, our customers told us they wanted containerized stuff, so we made it deployable in a container. Those of us that are good with Linux or watch my technical segment on Wednesday know a little more about how to set up Linux KVM now. And I’m like, just give me a QCOW2 image and deploy it. I think that’s what Cisco does. That’s what Fortinet does, and a lot of other folks as well.

Adrian Sanabria (20:59.33) Inside a Docker container?

Paul Asadoorian: And I mean, not so secretly, right? I’m building a lab. I want to be able to run this stuff. I want to be able to test this stuff. I want to be able to infect these things, watch that infection, and then develop ways to help detect that infection in an effort to help enterprises with visibility.
Because the mind-blowing thing, and we talked about it in our webinar, right? The mind-blowing thing, I came to this point, I’m like, look, it’s interesting how these vendors put out a platform, and they’re like, here’s an appliance, virtual or physical, you get, as the customer, you get access to, like, the operating system layer, which, for those more technical, right, Cisco IOS, Cisco FortiOS, like, that’s your interface to the device. Underneath is Linux, but many vendors are like, no, no, no, no, you can’t, as Mr. Customer, you can’t go into that Linux layer because that would cause support issues, or whatever the reasons are, support being probably the number one. And cybersecurity companies like us are like, I want to give you, like, I had literally people on the webcast asking me, Paul, why can’t we enable eBPF monitoring on the Linux subsystem on these enterprise appliances so that we can monitor what’s happening in Linux? I’m like, you’re making so much sense right now. It’s a great, like, you’re spot on. I’m like. But as cybersecurity companies, we don’t have access to that layer either, unless we exploit a vulnerability. But we’ve all the time, we can’t put an exploit in our product, okay? That’s not what we do, right? We can’t be exploiting vulnerabilities to provide visibility, so cybersecurity companies are limited. So what does an attacker do? An attacker finds a buffer overflow vulnerability, an exploit, and they live inside that Linux layer,

Adrian Sanabria (22:58.0) Alright.

Paul Asadoorian: where the user and cybersecurity companies have limited visibility. And that’s the frustrating thing.

Adrian Sanabria: It is not unheard of for customers to hack a vendor’s product to make it more secure. That is not unheard of.

Paul Asadoorian: Yeah, it’s happened, right? I get it. I know we’ve had the discussion many, many times here at Eclypsium. Maybe someday, who knows? I know. It’s an ongoing discussion, too. We haven’t closed the books on it, yeah.
That makes it hard, right? I haven’t looked into Ivanti very deeply.

Vlad Babkin: We should have opened them.

Paul Asadoorian: I know that most of these are really just Linux underneath. When we talk about Cisco SD-WAN, that’s just Linux underneath. And I was not familiar with the Cisco SD-WAN platform. And also SD-WAN is kind of this, like, weird catch-all term, I think, for different, slightly different technologies. But when I, it was NCSC, someone published, I put it in the show notes. Someone published a really great guide. Oh, it was like the Australian counterpart to CISA maybe? Produced the Cisco SD-WAN threat hunt guide. I’m like, well, this is great. When you look through the threat hunt guide, they’ve got you looking at things like /var/log, and looking at SSH configuration. So I’m like, this box is just Linux. I can tell from the hardening guide, this box is just Linux. So, but it looks like they might give you access to that Linux layer if the hunt guide is like, you need to go look at this file.

Adrian Sanabria (25:00.1) Yeah, yeah, I mean, most Cisco devices you do get some kind of CLI, but most of what I’m used to, from most of my experience, goes way back, is IOS CLI, not Linux-based.

Paul Asadoorian: Mm-hmm. Yeah, there was, there was like some juncture where everyone started building in Linux to the underlying layer. And I think that allowed them to virtualize the IOS and FortiOS operating systems. And there was a lot of benefits to doing it. I remember reading about it, forget what all the, but there was, like, benefits to doing it that way and changing the architecture. Yeah, right.

Adrian Sanabria: It just makes development cheaper and quicker.

Vlad Babkin: And some of the Cisco products actually allow you access to underlying bash, like NX-OS does, et cetera, et cetera.

Paul Asadoorian: Right. And so FTD does as well, which is super handy. Then we can provide better visibility into those platforms. We do that in FTD.
I can tell you the ArcaneDoor campaign, if you haven’t looked at that, they targeted FTD devices, did some pretty amazing things with them in terms of credential gathering. One of their Line Dancer or Line Runner payloads has a network sniffer and also can harvest credentials locally from the VPN appliance itself. If you’re not patching, but patching, this is interesting because Adrian and I have talked a lot about vulnerability management with each other in the past. The thing that gets me is if you’re an organization that’s relying on vulnerability management to solve this problem with your network edge devices, it’s too late. The traditional way of doing vulnerability management is not really going to help this problem. We saw with the Cisco FTD, the most recent one, that Cisco came out and said threat actors have been exploiting this vulnerability since 2023. Right? And this is not the only one. Yeah.

Adrian Sanabria: I have stats on this. So I’m putting together a blog post on this. Basically, I’ve been kind of obsessed for the last year about speed of exploitation. So the answer to the question, how fast do you have to be to fix your stuff before attackers can exploit it, can use it? And the answer is you can never be fast enough. So it kind of shifts focus to, like, passive mitigations, to hardening, to things that generally make exploits harder to pull off or harder to leverage, or better detection on lateral movement. Because according to Mandiant, the average time to exploit in 2023 was five days. And then in 2024, it dropped to negative one days, which means the majority of active exploitation that we’re seeing is before disclosure. These are zero-days, right? And in this case, this is…

Paul Asadoorian: Yep. There’s several sources that back up your statements, Adrian, 100%.

Adrian Sanabria: And this is exactly that case where, you know, now that we know what we’re looking for, you know, we can see it happening for two years already.
Paul Asadoorian (28:14.53) Yep. So monitoring these devices is super important as well. Because as we march through the different classes of bugs, authentication bypass is also big, too. Now, that doesn’t give them a Linux root shell, but authentication bypass can do a couple of things. One, it gives the attackers, threat actors, access to your firewall. And so what they’ll do is, if they can just bypass authentication,

Vlad Babkin: Cool.

Adrian Sanabria: Look for shabby stuff.

Paul Asadoorian: they’ll set up an SSL VPN tunnel for themselves and put themselves on your internal network. And they really only need the authentication bypass to do that. And the nice part about the auth bypass is it’s not dependent on architecture. It just works natively within the application, and you’re just using it. Similarly, command injection might be the most damaging class of attacks on these devices because it is platform,

Vlad Babkin: Yeah.

Paul Asadoorian: you know, CPU-architecture agnostic and gives the attacker not just the capabilities in your VPN, but also the capabilities to execute commands that could lead to a Linux implant being deployed on the system. So the combination, of course, of, I’ve seen combinations of authentication bypass to command injection. The latest FTD demo that I built uses an authentication bypass exploit to find the URL endpoint that doesn’t require authentication. And it just needs that to go to the next stage to do the buffer overflow exploit to gain a Linux shell on the device. So it’s chaining these exploits together, which is hard for defenders, right? How do you assign a severity to multiple vulnerabilities now on any system, specifically edge devices?

Vlad Babkin: Yeah, there are practical cases where, like, three or four low-to-medium vulnerabilities, when combined, become one critical one. And you cannot really do anything about it.
And also there’s another beautiful thing about, like, authentication bypass on these devices: you don’t necessarily even need to make an SSL VPN tunnel. So, like, if your strategy is, hey, I will just monitor if there are new SSL VPN tunnels, what the attacker can do is just open themselves a port that goes into some internal service.

Paul Asadoorian: Mm.

Vlad Babkin: And, oh hey, now I will monitor open ports. Okay, they can modify routing tables, and that’s another surprise they can do. So there is a lot of stuff that they can do with configuration there which you will never be able to detect and see.

Paul Asadoorian: Yeah, I mean, also if SSH is on the Linux system, that’s another avenue that attackers could use as well.

Adrian Sanabria: Yeah, which is why I think deception is really interesting. Put some fake SSH on there. Put some fake binaries on your system. Stuff that you know the attacker is going to reach for immediately, that living-off-the-land type of stuff. Yeah, make detection easy by putting fake stuff out there.

Paul Asadoorian: Mm-hmm.

Paul Asadoorian (31:14.23) Yeah, you know, this is a case, I don’t often recommend people go towards things like canary tokens and honeypots. I mean, I love canary tokens. I think you should have them, right. But do we now put canary tokens on our network edge devices if we can, like, do we have to develop custom ones? I think this is a case where, given the lack of visibility, you need anything that you can reach out for to put on here to get some visibility. So yeah, I would do that. It’d be interesting.

Adrian Sanabria (31:31.28) Absolutely. They’re the ones getting hacked.

Paul Asadoorian: Like, I’d wonder how you could do that inside, like, the FortiOS or IOS layer if you don’t have access to Linux.

Adrian Sanabria (31:45.05) So.

Adrian Sanabria: I gotcha. So if you have access to bash or some kind of shell like that, the way that I do it is I create wrappers for binaries.
So I will create an alias that loads when you log in, using your bash profile, your .bashrc, and that alias will basically run a script that triggers a canary token and then runs the actual binary. So instead of…

Paul Asadoorian: Mm-hmm.

Paul Asadoorian: Mm-hmm.

Paul Asadoorian: Mm-hmm.

Adrian Sanabria: And you can replace the actual binary with a canary binary, but I find it much easier to just use an alias because nobody’s going to look to see if they’re being run through an alias first. And by pointing that alias at a script that you hide somewhere in the file system, everything looks normal when they run the command. Like, there’s no difference between the command running if it goes through an alias or doesn’t go through an alias, because most of these canary tokens are just, you know, curl this HTTP, or, you know, trigger this DNS, do a lookup on this DNS.

Paul Asadoorian: I see. So in the script you trigger the canary token and then you just run the command that was aliased. Yeah.

Adrian Sanabria (33:00.24) It’s literally just a curl line, and you hit that HTTP destination with curl or wget or whatever you have on the box.

Paul Asadoorian: Yeah.

Paul Asadoorian: Right. And then you know, hey, an attacker ran this binary. Or someone ran the binary.

Adrian Sanabria: Yeah. Well, and not only that, but you can use, so when I do this, when I write these scripts, you can grab information about them. So, like, one of the things you can grab is the IP address that they’re coming from. And you can use the user agent. Every time you touch a web server, there’s a user agent field, and you can use that to smuggle out all kinds of details, like what account is it, what IP address are they coming from, like any details you want.

Paul Asadoorian: Mm-hmm.

Paul Asadoorian: Mm-hmm.

Paul Asadoorian: Interesting. Yeah, yeah. Right, right.
Adrian Sanabria: You can put in that so not only do you get an alert saying somebody just ran this command on this box, but you can also see what IP address that they SSH’d in from.
Paul Asadoorian: That’s awesome. That’s awesome. Yeah, we definitely see, I think we need this level of creativity to help defend this attack surface because I don’t think we’re going to get anything better anytime soon. I mean, there is the, if you want to follow the headlines, right. CrowdStrike partnered with F5 to do some stuff, but I haven’t seen much else in the way of providing great visibility. I mean, other than when we do it at Eclypsium, we do some pretty amazing things to basically, we have to live off the land that’s given to us. And we do some amazing things there too, to give people visibility. And that’s the level of creativity we’re down to, the vendors aren’t going to give us more access. I don’t see that happening.
Vlad Babkin: Yeah, well some vendors actually are cooperating well, like Cisco and XOS is one example. But some vendors are just a nightmare. Hey, customers will want visibility into Palo Alto. Well, Palo Alto is a fully closed ecosystem. They’re not giving you any kind of access. So the only access you can hope for, you cannot even get aliases. So you don’t even get that. So there is like a question how to monitor them and like, the answer there is not easy.
Paul Asadoorian: you guys.
Vlad Babkin: Not simple at all.
Adrian Sanabria: Well, that’s the, that’s the, you know, and that should go into your build versus buy decision. You know, when picking something up is our ability to detect attacks on this appliance are limited or, or, you know, you just need different strategies. Maybe.
Vlad Babkin: Yeah, it was very funny to me when I heard the news that cyber insurers actually increase the insurance cost when you use SSL VPN appliances. It was very fun.
Adrian Sanabria (35:40.56) Oh, really? Yeah. Yeah. Yeah. Because that’s now in their actuarial data.
When they look at their actuarial data, they’re saying, okay, like 30% of what we’re paying out on starts with these edge devices. If you’re gonna again, the asbestos, that’s why I call it asbestos, right? You know, like, like, the industry knows it to be dangerous. There are alternatives.
Paul Asadoorian (35:59.19) Yes.
Adrian Sanabria: So as time goes on, you have less and less excuse to use it. You’re going to get fined. You’re going to pay more for insurance.
Vlad Babkin: because it’s not that hard to actually exploit your device, even though it looks like it should make exploitation harder, but no. It makes exploitation easier.
Paul Asadoorian: Right. The way attackers are hiding on these platforms is, you know, I mean, they don’t even have to be that stealthy because we don’t have great visibility. So that’s why they’re there. Yeah, go ahead, Adrian.
Adrian Sanabria: Can I share something real quick, Paul? Yeah, so this is a blog post. I put it in the chat that I wrote up back when I worked at Thinkst. And you can do this with… Yeah, I did.
Paul Asadoorian: Mm. That’s right. You worked for Haroon at Thinkst, which I love Haroon, the whole team and the company. You guys are great.
Adrian Sanabria: So this is just using an HTTP token, which is pretty easy to use. Thinkst is not the only one with these tokens. There’s a couple of vendors now that you can go with. Of course, they do have free ones at canarytokens.org if you just want to play around with this. And so yeah, it’s really important to have the token reminder. I think this is the biggest mistake I see people make, is they try to create a single token and then put it on their whole production infrastructure. But then when you get an alert,
Paul Asadoorian: Mm-hmm.
Adrian Sanabria: You don’t know where it’s coming from unless you capture that. Yeah, you gotta capture that host name. But here’s where I’m using the user agent.
And basically, I forget the command switch, but with curl or wget, there is a switch you can use to put whatever text you want into the user agent. And this is where I use these variables, these system variables to capture the command that they used, the username.
Paul Asadoorian: You don’t know which host, which host it came from. Yeah.
Adrian Sanabria: that they used on which host and then the source IP address that they were coming from. So there you go. You get a lot of useful information to start your investigation.
Paul Asadoorian (38:08.46) That’s awesome. That’s awesome. You have more stuff to consider. Yeah, to protect the stuff.
Adrian Sanabria: And this is just netcat I was using as the example here. And so it’s all in a little netcat.sh, probably two lines, three lines long. I think I have it in a gist somewhere.
Paul Asadoorian: That’s great.
Paul Asadoorian (38:28.11) And you can have your own infrastructure, like open source, right? Like you can do it all yourself with the canary tokens.
Adrian Sanabria (38:35.6) Yeah, I think a lot of it is open source. They have an open source canary, OpenCanary. And with the tokens, I think you can, but I’ve never tried it. I don’t know what all is involved there. But yeah, I think it’s not super sophisticated stuff. It’s like the reason you pay for things is you want to deploy a million of these things across your infrastructure.
Paul Asadoorian: Right.
Paul Asadoorian: Yes.
Adrian Sanabria: using their API, right? You don’t want to have to do all that by hand.
Paul Asadoorian (39:07.84) Yeah, and you want something low interaction too, which is much safer.
Adrian Sanabria: Low interaction, you’re wasting, I just think you’re wasting a whole lot of time when you go high interaction. Like it’s a lot of setup time, it’s a lot of work. And every company I run into, they’re like, I don’t want to study the attacker’s behavior. I just want them gone. I just want to keep them out.
Paul Asadoorian: Mm.
Paul Asadoorian: No.
Yeah. You want to leave that to us, cybersecurity companies, right? We’ll do the honeypot stuff. I mean, most cybersecurity companies today, if they’re doing any kind of research, either partner or have some of their own honeypots to observe attacker behavior. It’s, look, quite frankly, it’s the best way to get threat intelligence. Because I don’t have to rely on third party sources. If I have my own honeypot system, I can just observe attacker behavior and then I can report things, then I can…
Adrian Sanabria: Exactly.
Paul Asadoorian: detections for it, to me it’s one of the most accurate, it is the most accurate source of threat intelligence.
Vlad Babkin: Yeah, one of the fun ideas that I have in my brain also, like as a defender, if you are defending an SSL VPN appliance, what you can make is a fake VPN connection into a fake network and deploy like 5-10 devices inside the fake network named like CEO laptops or like CCU laptops or whatever and just let the attacker go in there and start trying to interact with those devices. Oh, hey, somebody is interacting with all of that network.
Paul Asadoorian: Mmm.
Paul Asadoorian (40:29.75) Yeah. I saw that with ArcaneDoor. The post-exploitation, it makes so much sense, right? Like, you can read the high-level news, and they’ll tell you, like, roughly what the threat actors do. But I love digging down into the details. What I found with ArcaneDoor is, well, since the attackers have access to your firewall VPN device, they’re just going to look at all the interfaces on it.
Vlad Babkin: Suddenly, if you have on the Lord that
Paul Asadoorian (40:56.0) enumerate the interfaces, that gives them all the subnets that it can connect to and VLANs that it can connect to. Then they’re just initiating scans. Inside their malware, they have scanners, and the scanners are running based off what is collected from the actual device. And they’re like, great, you have this subnet. And I enumerated all these Windows hosts on that subnet.
And then I sniffed some credentials, or I hooked the better. I love this, this is my favorite one. They hook the authentication process in the underlying Linux of the SSL VPN device, and they just write the passwords to clear text. And now it doesn’t happen on every platform, but certain platforms, they were able to actually hook that auth process, and they’re just writing it in clear text to a file, and then just exfiltrating that file, and then running the next stage of attack with credentials, with knowledge of where you’re mapping of your internal network.
Adrian Sanabria: what.
Adrian Sanabria: You can even do it easier than that. You could just ship it off. You could skip writing to the local file system entirely and just 500 UDP. What is syslog? You could just syslog it across the internet to some syslog server you’re running in real time.
Paul Asadoorian: Mm-hmm.
Paul Asadoorian: Yeah, in fact, when we talk about ArcaneDoor specifically, I can’t confuse if it’s Line Dancer or Line Runner, but one of them is a stage. So there’s an early stage payload that then drops the second stage payload. The second stage payload is an in-memory resident piece of malware that gives you all that collection of passwords, credentials, but then they also infect the bootloader for persistence as well for extra measure. The initial malware implant is in memory.
Adrian Sanabria: So one thing I think we should mention is that though this sounds like really, really tough with the number of 70% of exploited vulnerabilities were exploited as zero days. So now your patch vulnerability management is only concerned with 30% of the problem, right?
Paul Asadoorian (42:50.83) That’s crazy.
Paul Asadoorian: Yes.
Adrian Sanabria: But when you look at all these vulnerabilities, so the other part of my research is going back in time and saying, okay, let’s make a list of all the vulnerabilities that caused any damages in previous years. What does that list look like?
And it’s an extremely short list. It’s like a couple hundred vulnerabilities that were actually exploited and used in attacks and resulted in, you know, ransomware, you know, some, some kind of damages. So, and then when you look even further, at those couple hundred vulnerabilities, again, something like over half of them are in edge devices. And then the rest are something I can use to get an info stealer installed, something in a browser or something, web attacks. There’s a lot of web-based products out there that get exploited where I can get into an email system, a web-based email system or something like that. You know, once you, once you actually start looking at these, you see the patterns and you’re like, maybe I should just get rid of really old legacy products that are not well maintained anymore. And a big chunk of my problem goes away.
Paul Asadoorian: Yeah, but they’re also exploiting newer stuff too. When I did the, when I prepped to do like a demo, so I’ve been doing a lot of attack demos lately. So I’ll look at the Fortinet and then I will pick a specific product. I’m not, again, I’m not picking on Fortinet. We just did a Fortinet demo. So it’s fresh on top of my mind. So I took FortiOS or FortiGate firewalls as the product. And then I said, okay, in the past, like, I don’t want to go anywhere before 2024, right? Like that’s probably the oldest I want to talk about. So I’m like, in the past couple of years, what are the exploits or vulnerabilities that have been exploited, right? So, and it’s not necessarily the most critical. I actually wrote a tool that I hope to release that helps me enumerate this data. So I go through and I find the CVEs. And then once I find the CVEs, then I look at which threat actor campaigns have used those CVEs. And then I started to paint the picture together. And like for Fortinet, I came up with six recent, I think from 2024 till today.
I think I want to say four of which were buffer overflows and two were authentication bypasses, the authentication bypasses is very new. And you can tie them all back to specific threat actor campaigns. But again, that’s six out of, even in the past couple of years, there’s hundreds that have been released for all Fortinet products, but at least for FortiGate, there was six.
Adrian Sanabria: All
Vlad Babkin: And in this case, also have to like, attackers don’t really want to exploit complicated vulnerabilities if they have a plain auth bypass with one curl. It’s gonna be a lot easier to build your information gathering from that than from some mega complicated like five vulnerability chain which gives you access into a Windows machine, which then has antivirus you have to bypass.
Paul Asadoorian: Yep.
Vlad Babkin: Like we all hackers, you know all of them are bypassable, but that’s still extra time. If you can get all of that by just one curl and not worry about antivirus at all, why wouldn’t you?
Paul Asadoorian: Mm-hmm.
Paul Asadoorian (46:21.57) Right, right. Yeah, it’s definitely another reason they’re targeting these platforms is we don’t have that, you know. I’ve talked about it last year. I started talking about how we deploy Windows systems and we harden them and we put extra software on them like EDR and vulnerability management agents. And we don’t have that for these network edge devices.
Vlad Babkin: too.
Paul Asadoorian: Adrian, you got some data on Fortinet.
Adrian Sanabria (46:46.0) This is an old copy of CISA KEV, but as of I think maybe eight months ago, I already had it downloaded, so that’s why I just pulled it up. But yeah, this is just an overview of, as of like eight months ago, this is everything in CISA KEV on Fortinet.
Paul Asadoorian: Yeah.
Paul Asadoorian: Right. It’s interesting how the older vulnerabilities will end up on there.
One of my theories as to why attackers will hang on to older exploits and still use them is because they’re valid, obviously. But I think the reason that they’re valid is in order to get the latest firmware or software updates for pretty much any of these network edge devices, you need a support contract. So you have to pay the vendor to get these software and firmware updates for these appliances. And I think a lot of organizations, especially smaller ones or ones that are working on their budget or have a constrained budget, they will not update the firmware because they don’t have a support contract, so they can’t put the latest firmware on it. And it’s tempting because I know firsthand, you can go to eBay and buy these devices really cheap, and they work just fine. They work great. I mean, these devices are awesome at what they do. Even the older ones have a lot of capability and a lot of capacity on them, but you need that support contract. And I think a lot of people are just either like, I need to update these and I have to pay, but my support contract expired, so now I have to go to procurement and I have to get approval for it, and I’m waiting in that process, or maybe I’m just deploying it to my smaller sites that are around and it runs when it runs and I haven’t put a support contract on it so I can’t upgrade the firmware on it, which is crazy. I think that’s how we end up with all these exposed to the internet. I think that’s most of the use cases out there.
Adrian Sanabria: That makes sense. People being told do more with less, IT directors being told you’re not getting any more budget. They’re going to make it happen.
Paul Asadoorian: Mm-hmm.
Paul Asadoorian: Yeah. So obviously you need to keep up with the latest firmware. And if you have these devices, you’ve got to have the latest firmware. You’ve got to have a new support contract. If you can’t do that, you might want to go consider alternatives that use open source.
You might be in a better position to do that rather than, you don’t want to run older, vulnerable firmware on these devices. Because if you are, you’re probably already owned, quite frankly. If you’re exposing it to the internet, you’re probably already owned.
Adrian Sanabria: And don’t put the management interface on the public internet.
Paul Asadoorian: Yeah, the problem is with the ones in the SSL VPN service itself that has to be exposed to the internet, which is why I love the Tailscale model because Tailscale is just WireGuard under the covers. You don’t have to expose a port to the internet. The connections are initiated from inside the network to, what do they call those, like a relay server instance in the cloud.
Adrian Sanabria: Yeah, that is for it to work, yeah.
Adrian Sanabria: I hope you have a
Paul Asadoorian: Tailscale has been making it available so you can run those on your own now. Yeah.
Vlad Babkin: Yooo!
Adrian Sanabria: And you can run that yourself. Yeah. Yeah. You don’t have to depend on any of their infrastructure. Yeah.
Vlad Babkin: Yeah, this is… Yeah, this is a problem with relay servers run by Tailscale themselves, is that they are run by a third party. So now that you can actually deploy one of those yourselves, that’s great. It’s not like there is a problem with like, hey, extra latency. So depending on what exact two points you are trying to connect, you have to be very careful about where the hell you put that relay server. But…
Paul Asadoorian: Mmm.
Paul Asadoorian: Right.
Paul Asadoorian (50:33.6) Mm-hmm.
Adrian Sanabria: I, so I’ve deployed this on my network. I was using it from airplane wifi while on an airplane. And I was able to use RustDesk is what I’m using to get the GUI of some of my systems at home. And it was like sitting right in front of it. It was, was, was great.
Paul Asadoorian (50:55.17) How do you like RustDesk? Do you use the open source version of it or do you pay them?
Adrian Sanabria: No, no, I think it’s the open source version and I did a bunch of research. I think it might’ve been NetworkChuck that I eventually found. He was recommending it out of a bunch of different options. And yeah, I love it. On my iPad, on an airplane.
Paul Asadoorian (51:12.76) Okay.
Paul Asadoorian: And now do you run the, you run the RustDesk server? You can run that locally. You don’t have to run it on their cloud. That’s another thing. Yeah, OK.
Adrian Sanabria: Exactly. Exactly. What I’m using is I’m using Tailscale to get to my network. And then I’m just a RustDesk to RustDesk, just client, client and server.
Paul Asadoorian: Mm-hmm.
Paul Asadoorian: Yeah, to your own super your own Tailscale infrastructure and your own RustDesk infrastructure. Good for you. I’m lazy. I just use the, I spun up the Tailscale cloud free one a while ago. And I haven’t gone, gone and done my own yet. But sounds like I need to. And it’s pretty amazing. It’s pretty amazing. So because you can also, the nice part, what I like about a personal version of Tailscale anyway, somewhat of a slight departure from our conversation, is you can have routing servers. Is that what they call them? What do they call it? It’s like a routing thing. So you can have one device on your local network that shares its routing table. So if when you connect to your Tailscale, you can access that subnet as if you were on that subnet. And so when I had the studio network up and running, I had a Tailscale. I actually put it on my OPNsense firewall and it would advertise the route to my studio network. So I’d sit at home and connect to remote desktops and SSH and the things just as if I was sitting on the same local network as the studio, which was awesome. Then you can configure an exit node, right? So you can configure one of your nodes that will share its internet access.
So when you connect to the Tailscale, if you enable the exit node, all of your internet traffic will go over your Tailscale and then out whatever exit node you designate in Tailscale. So you can use it like a more traditional VPN. I had to get around some restrictions. I was actually at a soccer event, and the local place was filtering cyber security and hacking sites. And I needed to get to these sites, and so I used Tailscale, and it worked great. And that’s the free tier. I can’t believe they still give that away for free. So I think one of my recommendations beyond updating your firmware is to consider these technologies. And I’m sure there’s got to be other alternatives to Tailscale. Adrian, are you, I know you’re very close to the vendor space today. Yeah, okay.
Adrian Sanabria: Yeah, ZeroTier is another good one. I’ve used ZeroTier before. Those are the two main ones that I’ve used. I can’t give you a list beyond those two. Somewhere I’ve got a complete list of them. But yeah, just like the, we were talking about the OPNs or the VPN, mostly being OpenVPN, but under the covers, I think most of these you find WireGuard at the core.
Paul Asadoorian (53:51.18) Yeah.
Paul Asadoorian: Yes. Right.
Adrian Sanabria: And I threw in the chat there a Tailscale blog that has all the diagrams and explains how this works.
Paul Asadoorian: Yeah, you gotta do a little reading on it to get up to speed on it, but then once you get it deployed, I think it runs really well. Although I haven’t done a local deployment, sounds like you have, Adrian, which is cool.
Adrian Sanabria: Yep, building up the local lab at home.
Paul Asadoorian (54:33.91) Yes. Building labs could be a whole episode we dedicate to that. I’m working on building one too. And I’m trying to design it so that I can have virtual systems in addition to physical systems all in the same lab space, but also having to protect that, right?
Because if you want to run vulnerable on purpose stuff in that environment, you have to make sure you segment it from the rest of your network. But you also need access to it.
Adrian Sanabria: Yeah.
Paul Asadoorian (55:02.69) And you can treat it carefully because it’s vulnerable stuff. Again, you don’t want to expose it to the internet.
Paul Asadoorian: So I don’t know, I somewhat predict a shift, especially after reading the Ivanti article, in seeing how the security posture of these devices is now more and more starting to drive decisions for purchasing in technology selection. A huge, you know, and those listening, before you get all up in arms, I understand it’s not easy to switch platforms, right? Especially if you’ve got a large deployment of
Adrian Sanabria: me.
Paul Asadoorian: Whatever your technology is, we mentioned a whole bunch of vendors in there, if you’ve already got a deployment of that, it’s a lot of work because you have to touch every user. And we’ve all worked in IT. That’s hard.
Adrian Sanabria: So, Ivanti is not doing great. By February 2025, they had lost a third of their customers, but they still have two thirds, right? That’s the thing that’s amazing to me. We’ve got the US government, EU telling people stop using these products. And they just went from 50,000 customers to 34,000 customers, which, they’re not doing great. They don’t have a lot of cash reserves.
Paul Asadoorian: Right.
Adrian Sanabria: on more debt.
Paul Asadoorian: They have something like $2.5 billion of debt on the books. Is it over three at this point? And I forget what their annual revenue is projected to be. Not enough to cover the debt, right? Which is… I’m like, my God. It’s crazy.
Adrian Sanabria: Yeah, over three, I think at this point. Over three billion.
Adrian Sanabria: Not enough.
Adrian Sanabria: Yeah, 3.1 billion is their total debt.
Paul Asadoorian: Wow. You mentioned the EU. One thing I like about the EU is they adopt open source.
In fact, I think it was even certain countries like governments, France, Denmark, I’ve seen articles where they’re leaving commercial products to go towards open source. So I appreciate the EU for going towards open source. Now, it’s a double-edged sword, right? You might have a little more maintenance.
Adrian Sanabria: Yeah, that’s going to be an issue.
Paul Asadoorian (57:25.07) to do and a little more work to keep, get things implemented and keep things running. But the advantage is, if it’s open source, you have access to that layer to do the monitoring, right? If you’re running a pfSense, OPNsense or, you know, any, and even, I saw a couple of other like alternatives. Yes, yes. But I think that’s the, come on to the culture in the EU is they’re more attuned with open source. I think they always have been, right? That’s just been something in
Adrian Sanabria: You need people who know what they’re doing.
Paul Asadoorian: in the culture in a lot of those countries, adopt and use open source more so than the U.S.?
Adrian Sanabria: Yeah. I think the whole idea behind open source, I mean, that’s why Linux came out of Finland. Like you see a lot of this stuff come out of Sweden and Finland, is it jives with the mindset there.
Paul Asadoorian: Yes, yes.
Adrian Sanabria (58:20.9) Yeah, everything isn’t profit driven.
Paul Asadoorian: Yeah. One other thing on a slightly different topic. I did see a Trail of Bits article that released a tool that allows you to do memory forensics without published symbol tables, because that can be frustrating, right? It also was kind of similar to when you develop exploits. Like, I need the binary to…
Adrian Sanabria: That was really cool.
Paul Asadoorian: reverse engineer the binary to understand how it works in the memory mapping in order to build a ROP chain that can produce a successful exploit. And I believe memory forensics is kind of similar, right?
To pull apart the memory, you need the symbol table in order to do that, except Trail of Bits has this tool that they open sourced that eliminates that dependency entirely, is what the article says. It analyzes Linux memory dumps without requiring external debug information. That’s pretty awesome. I think that’s… So I sent this immediately to our product research team, and I think other product research teams should be looking at it for the same reasons. Now we can integrate into our product more easily, right, an open source tool to analyze. If we can get a memory dump from a system, now we don’t have to worry about what specific kernel and symbol tables it’s using.
Adrian Sanabria: Yeah.
Vlad Babkin (59:23.57) Wow.
Vlad Babkin: This is.
Vlad Babkin: This is a game changer for edge devices because in cases you only have a compiled kernel and no information about what it was compiled from, no debug symbols, nothing like that. Good luck if it is some random ARM32 architecture. If this approach works on more than just x86, this is even more amazing because suddenly all of these devices become analyzable.
Paul Asadoorian: Right.
Adrian Sanabria (01:00:11.6) And not just that, it provides the interface for analyzing the dump as well. They say they were inspired by osquery, but they give you basically like an interactive SQL interface for exploring the dump.
Paul Asadoorian: to query it, right? That’s pretty cool. I think it’s one of the… There’s a lot of new tools released. I know, right? They do great, great work at Trail of Bits. There’s a lot of tools released every week. This one definitely caught my eye. There are… It’s interesting how AI has kind of shaped the tools in some of the articles. I’ve noticed a trend that when I see an article on Medium now,
Adrian Sanabria: We don’t deserve Trail of Bits.
Paul Asadoorian: 90 plus percent of the time, it’s AI generated and it’s not very useful content anymore. Yeah.
I used to get some really good Medium articles that just did a great job of explaining things. It seems to have transitioned over the past couple of years now to it’s AI slop. Like almost every article that gets slapped up on Medium is AI slop.
Adrian Sanabria: Really?
Adrian Sanabria: the Yeah, there’s so a lot of companies are having to pivot because of that. People almost like a huge swath of people just stopped using Pinterest because it got flooded with AI images. And so a lot of these companies are now trying to build filters to detect and filter out AI stuff.
Paul Asadoorian: Yep. Yep.
Paul Asadoorian: Mm-hmm. Yep. And the users kind of police it too. So I follow a lot of Reddit threads. And Reddit is great for a lot of things. One is fleshing out some of this AI slop. So I’ll see the headline, because I use an RSS reader I subscribe to, that’s how I read Reddit, right? And I’m like, that sounds like a really cool tool. And then I’ll go to the Reddit thread, and the moderator has already removed it. And people have made comments that it was AI slop. And I’m like, great, you saved me the time from having to go look at that tool and come to the same conclusion myself, right? But some of the AI-coded projects are really good. In fact, we covered a stat that 4% of commits are Claude in GitHub right now, that somewhere is expected to rise to 26%. And Claude’s gotten really, gets better every day at writing code and doing projects. So if you’re prompting it correctly, you can get a really good
Adrian Sanabria: Exactly.
Paul Asadoorian: project out of it. In fact, I’ve got a couple. In fact, my Linux hacks, I do want to, if you go to my GitHub, P Asadoorian, so github.com P Asadoorian, I just put up a repository called Linux hacks. And it’s very much like the traditional way we’ve done technical segments over in podcasts in years past is I’ve got problems that I need to solve, like for me, and I might write a script for that.
And then with AI technology, I’ve taken those scripts and I’ll have Claude go through them and pretty them up and error check them and add error checking. And then I released many of them on that GitHub repository called Linux_hacks. And one of them was a little AI coding thing that I did. So our listeners may remember if you follow Eclypsium, I’ve produced supply chain cheat sheets for Windows, Android and Linux. And it basically gives you a bunch of commands and utilities that you can use to query your device and your operating system for the hardware that it’s using and the configuration. For example, do you have a TPM? What version of TPM is it? If it’s an actual TPM hardware, what chip is it? And there’s commands you can do to query the system for that. And so what I did was I told Claude, I’m like, hey, based on my Linux cheat sheets document, go create a shell script that implements everything in that cheat sheet. And it did it, and it actually works really great. So if you want to get a taste for our philosophy in looking at your systems, in understanding both the hardware and the firmware and the configuration as it relates to what’s in your system for hardware and firmware, that script is a great starting point for you. And that’s all free open source on my GitHub.
Adrian Sanabria (01:04:29.68) Thanks.
Paul Asadoorian: I was actually kind of impressed. I ran the script. I was like, that’s actually, that’s pretty impressive. That gives you a lot of great, a lot of great information. Now you’ve got to do all the manual work. Like if it tells you you’re running a BIOS, you have to go say, is that the latest BIOS, and go apply your BIOS update. But it also tells you about microcode vulnerabilities that might exist in your CPU. And there’s a couple of ways to query those, right? And you can use Linux to update your microcode or that might come from your BIOS update. So.
It’s a pretty cool script to kind of flesh out some of the issues that we’re working on here at Eclypsium. That will bring us to time. Adrian, thanks for appearing on the show this week. Vlad, thank you as always. Thanks everyone for listening and watching this edition of Below the Surface. We’ll see you next time. Over and out.
Adrian Sanabria: Bye.
The post BTS #69 - Navigating Network Edge Vulnerabilities appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.