Security Cryptography Whatever
Facing the Vulnpocalypse with lcamtuf
We talk to Michał Zalewski (lcamtuf) about the vulnpocalypse and if we even need fuzzers anymore. This episode may be export controlled at a future date.
Watch on YouTube: https://www.youtube.com/watch?v=uI9CSgB4p9o
Transcript: https://securitycryptographywhatever.com/2026/06/14/facing-the-vulnpocalypse-with-lcamtuf
- https://github.com/google/afl
- https://www.reddit.com/r/claude/comments/1tqtenf/anthropic_said_today_that_mythos_is_coming_to_all/
- https://github.com/google/clusterfuzz
- https://en.wikipedia.org/wiki/Jevons_paradox
- https://en.wikipedia.org/wiki/XZ_Utils_backdoor
- https://en.wikipedia.org/wiki/Brighton_hotel_bombing
- https://curl.se/
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/025_sack.patch.sig
- https://www.wired.com/story/last-pass-vulnerability-password-safe/
- https://nostarch.com/tangledweb
- https://nostarch.com/silence.htm
- https://nostarch.com/practical-doomsday
- https://nostarch.com/secret-life-of-circuits
- https://www.youtube.com/c/3blue1brown
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
Either the most interesting time in the history of InfoSec or the second most interesting after the arrival of the West. Hello. Welcome to Security Cryptography Whatever. I'm Deirdre. I'm David. Thomas. And I'm Michał. Yes. Sorry, that's okay. That solves the... I think that this is the first time, I think that's actually happened in almost three years. We have a very special guest today. Uh, you may know him from the internet as, oh my God, lcamtuf. Yes. But you have like a, you know, a real-world human name. Uh, Michał Zalewski. God, I know we were all hung up on the first name. I can't believe you were hung up on the second name. That was absolutely terrible. Yes. Sorry. Yes. No, that's fine. Uh, yeah, the Polish pronunciation is Michał, but I usually just go by Michael and, yeah. Oh my God. I pronounced the w wrong. Never mind, you're justified. I'm just as wrong as you are. This is the most disappointing podcast I have, you know, ever done in my life. We'll get so much worse. Don't worry, we get so much worse, right? We thought right now was a good time to talk because of all of the AI vulnerability discovery stuff that's going on. And I feel as if we would have a very easy time finding people to talk to that were all lit up about, like, agent-based vulnerability discovery. I'm one of those people. Um, but it's trickier to find somebody who is both, skeptical might be the wrong word, but like on the exact same page as everybody else, and who also has your track record in the space particularly, and I said this a little bit earlier, like 90% of what I talk about here is just me exorcising demons from Hacker News. And like one of my continual irritants on Hacker News is that anytime a story, um, from one of the Frontier Labs comes up, um, like three people always say, "fuzzers found all this stuff already."
And like the problem is that Google isn't running fuzzers or Apple isn't running fuzzers or... Yeah. Uh, yeah, so you're the author of American Fuzzy Lop, AFL, which is like the de facto standard tool in that space. So I kind of wanted to get your perspective, not right away on the AI stuff, but just basically on the trajectory of how we've been doing, um, you know, automated vulnerability assessment, let's call it. Uh, so that is a very open-ended question. I think, you know, like most of vulnerability research is being done automatically, and it's been like that for a long time, right? If you look at the browser space, I would wager that 80 or 90% of what's actually found and fixed is a product of automated tools. At the same time, you know, though it is automated, you can have dramatic sort of, you know, step improvements or sort of, you know, revolutionary shifts in the tooling that we are using. And I think LLMs do represent such a shift. So I'm not gonna take the, you know, the contrarian position of "all of this sucks and it's the same as fuzzing and, you know, time is a flat circle." But at the same time, I do have fairly, you know, complex thoughts about the impact of the AI angle specifically. And I can sort of, you know, get into that now, or are we gonna get there more gradually? But yeah, sort of, you know, to directly answer your question, I think this is a very interesting time to be in. I think we are seeing a very fundamental shift. The technology is real, it's amazing, and you should be using it as a part of your workflow. I think that's the bottom line. Yeah, so I think the first thing I wanna, like...
I have my own personal experience using, like, fuzzing arrangements of various kinds to do projects, but I've never done the at-scale work that, like, you know, Google did in the 2010s, um, you know, so like large farms full of things doing, you know, profile-guided, you know, AFL coverage and all that, right? So I have a mental model of fuzzers as tools of like, they're literally things that I would build as shop tools, um, to get, you know, individual projects done. Um, but like one of the worries I always have when people say "fuzzers found all this stuff" is that my advanced fuzzer knowledge is not all that up to date. I understand exactly what the tools are doing, but like the difference between that and actually finding vulnerabilities with them, like actually having the field experience with them and seeing where the sharp edges are or where they're really, really effective or whatever, I feel like I have less real-world experience. So if I said that, like, the way I wanna get into this is just to make a claim that's probably gonna be wrong, but I'll make it anyways, just so that you can tell me that I'm wrong. Right. Um, my experience of this is that fuzzers are a really good way of getting a pile of, you know, variably quantified or variably qualified crashes in programs. Right? Um, and that people that run large-scale fuzzing, um, you know, quickly get adept at building mountains and mountains of crashes. Um, and in those crashes I think there's a general understanding that there are vulnerabilities, but the work is going from that pile of crashers to actual vulnerabilities. And if you're not doing that work, you're not actually solving the problem.
Yeah, I think, you know, a large portion of running fuzzers at scale and actually getting vulnerabilities fixed is the automation around the actual sort of, you know, permutation engine. Right? Like, it's how you get projects on board in the first place. That's a, you know, a major bottleneck for open source. And I think, you know, quite often you have to do it yourself, and then it's gated on the capacity of software engineers to actually instrument code, plug it in the right place, make sure that the right functionality is being exercised. And then the really difficult part is, you know, crashes are often good enough. Like I think open source developers don't necessarily need an exploit. They don't need a very detailed write-up, but they want a repeatable crash and you need to bring it to them using the workflow that they prefer, you know, in a fashion that works for them. Some of them have their own, you know, pet peeves and, uh, sort of, you know, complex ideologies that you have to work with to actually make sure things get fixed. So I think it was always a bottleneck, profiling. Not all of this goes away with agents. I think interactions with open source developers continue to be a very challenging touch point that you can't really automate with an LLM and expect good results. Right. Right. Yeah, I think, like, again, the way I've been describing this, and that goes way beyond vulnerability research, is that, you know, most of the problems really boil down to text comprehension at scale, but then it fails on scale, right? Like, we never have enough resources to actually look at every event generated by an enterprise, you know, detection pipeline or to sort of, you know, look at every line of code that's being written. And I think LLMs really profoundly changed the game on a number of fronts. Yeah. Let me, like, let me try really quickly, just like, I mean two things, right?
First of all, cards on the table. My interest in all of this stuff is, um, like almost purely on the capability side, right? Like what vulnerabilities are we finding is a much more interesting question to me than how this works as an engineering process, right? Like how we solve the open source metabolizing these things, all that stuff. Those are really important and valid problems that I have passing interest in. Right. But like, I'm really focused on the raw capability side of it. Right. And then with respect to how fuzzers have traditionally worked, I had a radicalizing moment a couple years ago, like maybe a year and a half ago, where, um, an engineer on our team, um, who is amazing, um, once a week he was finding game-over vulnerabilities in our platform and, like, you know, resolving them. And one of them was, um, this wasn't a game-over vulnerability, but it was a really good concern that we hadn't thought about. We run farms of virtual machines for our customers, multi-tenant on the same hardware. Yep. Um, in some corner of our system, we were doing file system maintenance, um, for VMs on the host side. So like we do file system repair before backup or something like that. It was like whatever the current equivalent of fsck is or whatever, but we'd run that, um, on the host side. He's like, well, you know, the file system obviously is controlled on the guest side, so now you're exposed to the entire kernel surface for whatever this file system is. That's a really good find. We solved that pretty quickly. Um, but like we're trying to figure out how big of a deal it was. He's like, I'm just gonna go to syzkaller and find crashers and run them through it. And like there were crashes for it. Like he was immediately able to repro, um, you know, you can't call it a memory corruption vulnerability just 'cause it panics or whatever.
But like, you know, things where if we had found them ourselves, we would've gone and investigated them. And like I have now this perception that there is just a mountain of syzkaller things that are just sitting there and like, somebody should... But like, are they vulnerabilities or are they not vulnerabilities? I don't know. We're in a state of uncertainty about them. Right. No. So I think that's a fundamental change, right? And again, it doesn't matter as much as people sometimes claim, but I think it does matter, especially if you have like, you know, Heisenbugs, where you don't really, you know, you can't immediately decide what's causing this. It doesn't reproduce consistently. It happens in a weird place that's maybe, you know, miles away from the original fault. So look, like, again, in terms of technical capability and how it changes the game for InfoSec, I'm not actually a contrarian at all, right? My contrarian position lies somewhere else, and it has more to do with how we as an industry think about vulnerability research in the first place, right? And I should say, like, I'm saying that my interest is in X, Y, Z, but like, I don't speak for David, you, or Deirdre. I think I'm a weirdo in this one thing, right? Like, I find vulnerability research really very motivating, um, as a reason to learn pretty much everything I've learned about technology and math. Um, but that's just me, right? Like, I think you're right to call out the industry. You just said something interesting that I've heard you say before, which is just like, um, how the industry kind of looks at vulnerability research. And you've said in other places, like, I get the impression that you generally feel like we way overvalue vulnerability research as an intrinsic good. So, you know, maybe let me answer that in the form of a rant, and I'm gonna get to a very precise AI-related point along the line.
But, uh, yeah, I've come to, you know, to detest InfoSec punditry on some level because I think we consistently get fixated on things that are not really representative of what actually matters, uh, day to day. And, you know, you mentioned Hacker News and I actually checked Hacker News today and there was someone talking about how InfoSec, uh, information security has already ceased to exist as a field, as a consequence of, you know, AI vulnerability discovery. And I... That was not me, for the record. Let me call my boss real quick and let her know the field doesn't exist anymore. So, you know, and it's not just that. I think, you know, like, uh, when you think about what arguably changed enterprise security the most in the past 15 years, it's not the stuff that people present at Black Hat or that we, you know, sell at RSA. It was the one thing that we all love here, I think: Bitcoin, right? It used to be that ransomware was this niche thing that basically was constrained by how much money you could move through Western Union, which was not a lot, right? And now it's this global economic powerhouse that funds hostile regimes and really is the one thing that keeps most CSOs up at night. And, you know, post-quantum cryptography doesn't. I'm sorry to say that, right? And yeah. And so in my mind, you know, the discourse around AI vulnerability discovery kind of fits that mold, although, again, not in the way that many people claim. And, you know, many folks think that the technology itself is hype, and it isn't, right? Like, again, it's real, it's impressive, and you should be using it. But, um, and again, as I mentioned, right, I think most of security is text comprehension at scale. And we were really severely constrained by scale. And now we have a tool that largely removes that constraint, and that's...
That's amazing, that's transformative, and it's absolutely gonna change the practice of InfoSec. But to get to my actual point, I think, you know, our industry has long overstated the practical importance of vulnerability research. And I think it's partially because it's sort of, you know, our origin story and then it's a part of our collective identity. It's what we can bring up to show how clever we are and why we need to be paid more than, uh, everyone else. It has cool ties to spycraft and all the other things, but fundamentally, you know, like zero days were generally not how enterprises get popped. And having five times as many zero days or 50% less doesn't really change the nature of the game. And part of it is, you know, sort of physical constraints too, right? Like the technology is not magic. It doesn't give you an endless supply of, you know, zero days in OpenSSH, for example. It gives you some respectable number of new findings in software that was already kind of busted and had exploitable bugs every... Yeah. And, you know, that you probably have somewhere in your enterprise in a version that's five years behind, right? So we were always kind of operating in that reality, and we have far more basic problems that we can't quite solve or couldn't, you know, inventory, patching, human behavior, that are adding up to a much larger and less tractable attack surface that actually keeps biting us in the back over and over again. And this is actually where LLMs are absolutely amazing and are gonna change the game, because like all of a sudden you can actually reason about every single thing that's happening within your enterprise, quite possibly, right? You can take action on that. And on the offense side, it's kind of, you know, the same thing, that like the attackers can now afford to pull on every single door handle within your enterprise.
They can do that more quickly and they don't have to care. Like, you know, if you're using an agent, you have to worry about it deleting your production database. They don't. Right. Like, if it messes up, well, that's a shame, but that was your data, not theirs. Right. So, uh, so I, like, again, I think there's a lot of interesting wake-up calls for security, uh, and things we need to reckon with, and things we need to start building. But like, you know, the vulnerability research side is amazing and it's, you know, on some level it is depressing to me that, you know, this is the one thing that I always enjoyed and, uh, you know, same as Thomas, right? Like, it really motivated me to learn. Now, you know, there's a computer that can do it better, the same or better, and, you know, for a lot less. But yeah, that's sort of, you know, the genesis of my skepticism here, right? I think the AI apocalypse in the industry or the day of reckoning is coming, but it's probably not the, you know, vulnpocalypse angle specifically. Yeah, I wanna... you go, sorry. Uh, no, I mostly, uh, agree with you. Um, the way that I would put it is that it seems like zero-day exploitation, or let's see, pre-AI, was not supply constrained at all. It was demand constrained. Um, because like for the most part, it works in the sense that it is, like, not a good career option for anyone on this call to decide to go into exploitation, like actual computer exploitation, not vulnerability research. And if they do, like you said, you're probably just gonna go after unpatched things anyway. It's not clear that increasing the number of available zero days results in more, like, actual operationalized, uh, exploits. Yeah. And it seems like it won't. I think, you know, that there are quantitative differences, right? Like I think it lowers the bar, right? And sort of, you... Absolutely.
I think, you know, it's gonna alter the market dynamics, right? Like, if you wanna... Yeah. Maybe you're gonna be able to buy it for less. Yeah, we may have the Jevons paradox. It's, for... qualitative versus quantitative, I think, is the distinction. I see. Yeah, so I think there will be, there is like a risk that like, let's say, in Southeast Asia, not to rag on them, that are currently running tech support scams, um, may find that it is now economical to run some subset of AI-driven exploitation things on some subset of users. But I think it would look different, kind of in the same way that like pirating music got replaced with listening to Spotify versus everyone just starting to pay 99 cents a song. Like, so I think I'm like the resident vulnerability research and AI maximalist in this conversation. Right. And I do think that the emphasis on, um, you know, the first-tier targets like Chrome and iOS and all that, right, feels like mostly a competitive thing, if that's the right way to put it. It's mostly kind of like, it's tournament logic, right? It doesn't have that much to do with making things more secure. I feel like when we talked to, uh, Mark Dowd about the markets and vulnerability research, I didn't come away from that with the sense that they were lacking for possible vulnerability avenues to chase down. Um, and like there's a persistent logic that, you know, state-level actors or whatever are stockpiling vulnerabilities, which turns out not to be true. Like, it's a software product like every other software product, and they're literally more concerned about paying maintenance costs for vulnerabilities and exploit kits than they are with, like, you know, having 15 different backup vulnerabilities. So you could look at the situation and say, okay, the fact that it's gonna get cheaper to find Chrome vulnerabilities, like a Chrome drive-by or whatever...
Um, and that won't change that much because everybody that you cared about having Chrome drive-bys already had 'em, or already had a market that makes that work. They already had what they really needed and no more. Yeah. And an early Uber investor a few weeks ago was saying, oh, I don't know why we didn't give Mythos to the US government and then use it to hack China before announcing it. And it's like, well, that's 'cause that's not how any of this works. Like, we're not short. The reason that the US military can or cannot get into something in China has nothing to do with a shortage of exploits. The other reason why I'm kind of skeptical about the vulnerability situation specifically is that I think there's an inherent symmetry to it, right? Like any tool that the bad guys can use, the good guys can use exactly the same way, right? So if Chrome or, you know, Microsoft or whoever, Apple, want to sort of, you know, match the increase in the availability of zero days, you know, they have a simple lever to pull and they can sort of, you know, get where they want to be to restore the previous equilibrium. Right. Or even go beyond. I think there are many other areas in security where that symmetry doesn't hold. Right. Like the example I mentioned, like, you know, the defense versus offense on the enterprise side, this has asymmetry baked in. It's a lot easier to crank out hyper-targeted spear-phishing emails to execs than to detect and stop them reliably. Right. Even with AI. And so, uh, I think that's where the AI gives the bad guy a lot more advantage that is more difficult to counter. Right. You know, we were fuzzing Chrome before, now we are also gonna, you know, throw some LLMs at it. Right. And that's kind of, you know, the eternal struggle between good and evil. Right.
It changes things operationally a lot for all of the reasons that, like, Thomas doesn't care about, um, which are, I think, the ones that are interesting to me. And so, like... You have a question? Even like right now, I've had people come to me at Chrome who work on other parts of Chrome and are basically like, aren't we just drastically overinvesting in basically anti-exploitation things? And if you look at it by the numbers, right, there's not that many people whose Chromes get popped every year. So in some sense we are. On the other hand, like, what we're really doing is, like, we're winning, sort of, for some definition of winning. And if we stopped doing all of this, it will go back and it would look like the early 2000s or the late nineties again. And so we just kind of have to do all this work to run in place, sort of. Then like what AI bug finding has done has, I think in many ways, just validated things that a bunch of security people already knew. Like, for platforms, basically, let's ignore the open source projects, which is, like, interesting. I agree. I agree with everyone else that I don't really care about small open source projects, and instead, let's just talk about things that previously were targets for exploitation, which is like client-side platforms like browsers. Let's not talk about stuff like XZ, right? Like, who cares about that? Um, I mean, in practice, uh, I would quote Hermione, um, and say, you know, when that happens, we're pretty good at catching it. Um, uh, but, like, the deluge of AI bugs has created, like, has magnified all the things that were already stupid about bug bounties, which was that a bug bounty is like the worst possible way to prioritize security work because it's entirely interrupt-driven.
And so instead, what you have is you have just a deluge of bugs that were basically validating everything the security people said, which was like, your code's full of memory safety vulnerabilities, and these are the areas that are the worst. Then people are like, oh, you know, I don't know, like, and security people are bad at their jobs at getting people to change anyway. And so all these bugs show up and then you have this operational question of, like, how do we deal with that? And you have to deal with it, even though the impact of increased exploitation might not be that bad, because eventually, like, if we just chose to not deal with it, we'd be back in the 2000s again and we don't want that. So you have to figure out how to deal with it and, like, yeah, you get the AI tools to help you deal with the problems that the AI solved. Um, but again, I think it is a little bit harder for defenders because, like, if you're an engineering team, you need to make sure this stuff is repeatable and can either run on every commit or you have a consistent way of using a harness to find bugs and patch them and prevent them from coming back. Whereas if you're selling exploits, even if you're operationalizing it, what you need is a fuzzer you can run for a few months that pops out a big enough backlog, and then a couple months later you need to be able to do that again. I'm kind of, I haven't actually worked for an offensive firm so I don't know that for sure, but there's a difference between finding a lot of bugs once and then actually solving a problem. And again, the people working on the platforms actually have to solve the problems again. And that just always sucks 'cause you're, you know, doing the work.
You know, like with browsers in particular, I think, you know, the implicit assumption is that given the developer velocity, the choice of languages, and the features that are, sort of, you know, being shipped every year, we are implicitly accepting a certain baseline of security failures, right? So like, we are not aiming for a state of having zero vulnerabilities because that would be insane. And also, yeah. Uh, and so, yeah, you wanna lower the base rate. You know, you wanna run the same tools that the guys are running at the same or larger scale to make their lives harder, but ultimately more hinges not on the inability to find another bug in, you know, WebGL or whatever, but, uh, actually on mitigations, right? Like, making it really difficult to reliably exploit, and driving the cost up, right? Like, most of the mitigations you can eventually bypass if you get lucky, if you can chain together, you know, five or 10 bugs. But a large part of why zero days have gotten so expensive is you need to do all that legwork that wasn't necessarily essential before. Right? And, with that a little bit, in the sense that like with enough mitigations, like, do you actually have an impact on attackers? But you can affirmatively say, like, a given bug that comes into your queue doesn't matter at this line of code, ideally by inspecting the line of code, being like, oh, this uses a span, so I know it's not an out-of-bounds read unless the span is constructed wrong, or it uses raw_ptr, MiraclePtr in Chrome, so we know the use-after-free doesn't matter. No, no. Like, if you have something where, like, oh, maybe it's just a write and not a read, you still have to treat it like it's bad, and then it comes through your whole process as an engineer. I was talking about the offense side, right? Like... Yeah, but you can't discern. The problem is the defender can't discern which ones were useful and which ones were not.
And so you have to treat them all the same. And so if you just apply mitigations, even if you are actively hurting the ability to actually exploit Chrome, you're not solving your problem of having this massive interrupt queue of security issues, um, which eventually, like, you're just gonna stop looking at. Yeah, yeah, we're basically doing two things that are not solving the problem, but... Yeah, trying to mitigate all the bugs, but yeah. So there's like an implicit assumption here in this conversation that like the vulnerabilities that, um, agents might find, um, and we can get into more of why we think, you know, agents might or might not find different kinds of vulnerabilities, but like the vulnerabilities they're gonna find are gonna be of the same kind, they're gonna rhyme with all the vulnerabilities that we've seen so far, and we're accepting a certain amount, uh, annually or every month or whatever, of memory corruption vulnerabilities in client-side software or whatever it is. Right. And so, like, I think we feel like we have a decent beat on where things are going. Like I do feel like we've, like, organizationally and as kind of an industry, we've metabolized a certain level of, you know, dealing with vulnerabilities, right? Like the sky doesn't fall every time a new vulnerability comes out. You're much more likely to get popped with phishing, um, or by a dumb misconfiguration or an S3 bucket or something like that. Like, fully agree on that, right? And LLMs apply to that stuff the same way they apply to everything else, which is super interesting. But I wanna push back on the idea that what agents are gonna do is, um, you know, get us to peak oil on memory corruption vulnerabilities, somewhat, right? Like, there were moments in the past when we as practitioners, like, we were practicing when SQL injection, you know, broke out. Right.
And there's like a before/after moment that was probably the span of just a couple months where, like, there were a bunch of things that were hard to break into and after, like, for a while, everything was trivial. The first commercial pen test I ever did, um, was an application where I logged in with quote or quote equals quote, which is literally the first SQL injection I ever attempted. And it worked, which totally ruined me for vulnerability research ever after that, 'cause I'd always think that would work. And it almost... like, you never get blatant SQL injection vulnerabilities like that. But I did in that one instance and thought they were that common. But like, so when we discovered SQL injection, when we first published stack overflows, right, there's a clear before and after, um, to enablement for stack overflow vulnerabilities. Before, lots of software was, you know, resilient, and then after, the entire internet was vulnerable. And in those moments it's really material, the vulnerabilities that you're finding. Right in those moments, it actually really matters a lot that there are all these new vulns. It becomes the dominant vector that things get popped with, um, until you kind of figure that out. And I'm not as certain as, I think, the implicit assumptions in this conversation are that we're not gonna see more things like that. So, um, you know, side-channel attacks are a good example of where there's lots of kind of intellectually understood vulnerabilities that we don't viscerally feel and we don't deal with because there isn't enough elite attention to develop them into real vulnerabilities. How certain are the three of you that, like, all Go memory race vulnerabilities are not gonna really be practically exploitable? Um. So I think you're sort of, you know, inching toward this sort of, you know, AGI question here, maybe. Is that AGI? It's like... We declare AGI once you can ex... AGI.
...exploit a Go race condition. AGI confirmed. Yeah, no, I think, to some extent, all that I have seen so far is that LLMs are very good at scaling the methods that we've been using in the past and finding the problems that we've been finding in the past. Now, there are also less numerous data points from other fields that they are actually so good at combining and synthesizing information from the training corpus that they arrive at completely new conclusions, completely new findings, like fundamentally new math, and so on. And I think you're asking about unknown unknowns, right? A future where it actually turns out that there's a nearly infinite supply of zero days in OpenSSH, in places we're not even thinking about. But I have no way to prove or disprove that. Hold on, hold on. In fairness, I want to say I actually don't think we're going to get a bottomless supply of OpenSSH vulnerabilities. Despite it being an old-school C code base, I have a high opinion of the OpenSSH code base. Right. I'm actually thinking of things where I have a nagging suspicion that there are already things there. And to me it's not as much about advancing LLM, like frontier model, capabilities, although that's a factor. It's not as much that as it is the new abundance we have of elite attention, right? It doesn't take that much time for me to set up the conditions to do, you know, a side-channel testing harness across the internet or something like that, where before I'd have to do a whole lot of studying and research and trial and error to get those harnesses set up for myself to do that kind of testing. And now I can just dispatch it and have it done.
So I feel like the really high-end vulnerability research has, for the past 20 years, been done by a reasonably large number of people, but it's still an elite in the industry, and I don't like that, right? That's always been kind of bullshit. And one of my big things is just that I don't think the people doing this work on the high end are, in any fundamental sense, more gifted or capable than any other engineer. They've just been inducted into the field and they get to do that work, right? And I think the bottom has fallen out of that. And so now if you imagine ten, a hundred times more people being able to do that work because it's no longer as time-consuming, I think a lot more things get proved out than would have gotten proved out before. Like, where do you even get the knowledge to start the thing? That also requires time, but it requires some sort of entry point, of "how do I even get started on this path?" And now you don't even have to know anything. You just go look for vulns in this place. Like, here's your guide, start here, enter here. And it will find something more likely than not, if there is a vuln there; maybe it'll hallucinate something that's not really there. But then you can ask it to write a test to confirm that this is broken. So it's not even just the time amplifier; there's a lot of stuff where you used to have to know what to ask, or know where to start, or know how to approach a thing, that you basically have a very powerful shortcut on. I would say this: I think that a lot of money and compute has been thrown at this problem by the frontier labs over the past couple of weeks or months.
And we are going to start seeing a trickle, or, I mean, we have already started seeing some of the public results from that. My understanding of what I've seen so far and what I can talk about is that they are not fundamentally different from, again, the kinds of vulnerabilities, the kinds of targets, the kinds of attack surfaces that we've been seeing before. I think that doesn't disprove your theory, but I think it would hinge on, I think we would depend on, some additional breakthroughs before we get to this point where you can point 5.5 or whatever at Chrome and come up with completely new classes of vulnerabilities, or, yeah, again, right, the kind of stuff we thought was not exploitable in the past. I think it's possible, like it happened before. That's not what I think, right? So the big thing with Mythos has always been Nicholas Carlini being able to aim those frontier models at a piece of software and just say "give me a zero-day exploit," right? Putting those words together and getting real output from that was a huge thing. That's a real thing, right? I'm not coming from a place of pointing a frontier model at a code base and saying "come up with an entirely new bug class," and it's just going to figure that out. I'm more coming from: do you really not have nagging suspicions? So first of all, this might just be me, right? It might just be because I learned all the computer science I learned by reading exploits, but it's like all I think about is what the new bug classes are going to be. Like Spectre, that was amazing for me, right? Things like that. Those are the punctuation for this whole career that I have, right?
So I'm always thinking about what weird things could turn out to be entire bug classes. Do you not have anything like that? Do you not think that way? Are you not a vulnerability researcher? I have a lot of things like that. There's a lot of places, a lot of rocks, that I think we have not peeked under. And I think LLMs are going to, like, in the embedded world, which is something I'm spending a lot of time with as a hobby, there are a lot of absolutely terrible things that are absolutely everywhere right now. I'm not talking about a crappy HTTP stack; on a more fundamental level, right, like the radios and RF. Yeah. And I think this is, but at the same time, you know. So yeah, we're going to unlock a lot of interesting things. Is that a fundamentally qualitative change versus some researcher deciding, "oh, actually I'm going to throw ... at this hardware," as has happened many times in the past? And, you know, the actual, like, Spectre again, that class of bugs. I know. I know what you're going to say. I know what you're going to say. I absolutely loved it, every bit of it. And, you know, sure, the amount of resources we... But we agree. We probably agree. ...of the trusted computing base. It's a lot of the things that we worry about in cryptography: highly difficult to exploit in a lot of cases, but it's the foundation of trust that we build on. I know. I know. Fundamentally, the impact of Spectre was simply to make all of our computers slower. I understand this, right? It could have been a... But you can't say that about SQL injection. Fundamentally, the popularization of SQL injection materially changed the susceptibility of networks to attack, right? Spectre didn't do that. SQL injection did do that.
SSRF is a more recent example, right? Yeah. But again, you also have tools to eradicate it more quickly now. So I think there is symmetry, right? We've been through those cycles many times before, both on the uphill portion of it, when someone discovers XSS and it turns out that you can do absolutely terrible things with it, including running code on your device, because we moved everything to the web, right, including control over endpoints, and then on the other side of it, where we've seen people actually make progress and those classes of issues go away, right? Like, if you want to find an XSS on google.com, you're going to have a hard time, right? Because of the investments that the company has made into getting rid of the entire class of... Into safe coding specifically. Like, again, not mitigations. Right, safe coding. Stop the bug at the source. So I think if you're asking me if security is going to be interesting for the next couple of years, absolutely. And vulnerability research is going to be interesting. And a lot of other attack- and defense-related aspects of it are going to be fun as well. Again, I guess it's a question of where we draw the line between apocalypse and business as usual. Right. And maybe we are just defining it a bit differently. I didn't come up with "bug apocalypse" or whatever. I don't think there's any apocalypse coming. Right. We'll figure it out. I think the RF thing is such a good example just because so many times I had the experience of being on projects where there was an RF target, and we'd go in, and everyone wanted to get good at GNU Radio or whatever people were using, like SDRs and all that, right?
And by your second project, you just knew going in: no, you're not going to do anything with an SDR for this RF target. You have no idea how complicated it is to actually get a protocol up and running like that. Inevitably you're just going to do the hardware hacking to find the serial bus so you can turn this thing into a modem for its own protocol. That might not be true anymore, though, right? Now that seems like a reasonable task to stick an LLM on, because in the training set there is all the RF knowledge. It's just that none of us are electrical engineers, so we were never trained to do that stuff. But the models are electrical engineers, every kind of engineer. I just think that's... I know, I get what you're saying, like widespread RF attacks probably wouldn't, I don't know, maybe it'd be more destabilizing than Spectre, but... No, you could probably build some cool worm, right? But again, we've done that. We've been... What's a worm? We've seen worms. Yeah. The apocalypse isn't going to be on users. Let's classify projects into three shapes. There's some stuff like OpenSSH and BoringSSL that pretty much doesn't have bugs. What, like OpenSSL? BoringSSL, specifically BoringSSL, which has had the AIs pointed at it, and they have not found any high-severity memory issues, whereas they have found many in other SSLs. And OpenSSH, like, there's three people in the world that can write safe C code, like the WireGuard guy, Jason, is one of them. So there's some projects that we've actually managed to make safe. There's another set of projects that just don't actually matter that much. Then there's the set of projects that are actually juicy exploit targets.
And I think we're all loosely in agreement that for those, we're not really expecting a ton more exploitation. Maybe it's a risk; we'll see what happens with the market dynamics. But the apocalypse there is on the engineering teams of those products, because you have more bugs than ever, and there's not a good way to prioritize how you handle this. You need to be taking the set of bugs and turning it into a queue of actually preventative actions, not just mitigations, because you need preventative actions to save the time of the actual engineering teams. And if you just choose to say, "well, exploitation was already demand-bound, not supply-bound, so it doesn't matter," doing nothing will result in the Jevons paradox and bad things happening. So you have to do something. And so the apocalypse is just that you have this massive queue of interrupt work. You've got 20 million lines of C++ in Chrome; not all of them are going to be winners, right? Yeah. And if it's one bug per thousand lines, that's 20,000 high-severity bugs. And if an AI finds 10 a day, well, I'll see you in three to ten years. Yeah. And that's not even including, up until the past couple of months, couple of years, there's been sloppy reports to bug bounty programs and bug trackers and stuff like that, and you can get rid of a lot of the crap reports. It's laborious, but you can do it. Now the reports are just very, very good, and a lot of them... Yeah. ...slop. And when they're all very good and they're all... Yeah. ...to deal with that. Can I just take a minute here? Another Hacker News thing just blew up in my brain. I'm sorry, I'm having a message board stroke. Oh my God. Can we talk for a second? You need like Hacker News statins or something. What's going on?
What are we doing? Can we talk for a second here about the idea that curl is the benchmark for how effective a vulnerability tool is? Fuck. Why? This is entirely... I'm waiting for any of the three of you to tell me that I'm wrong and that curl is deceptively difficult software to build and that you wouldn't expect it to work properly. Because all I hear is, "Mythos didn't find anything; they did a Mythos scan on curl and it didn't find any new curl zero days." You could do a Mythos scan on cat, and I wouldn't think that cat would have zero-day vulnerabilities either. It's a little bit more complicated than cat, but, you know, it's not OpenBSD, so I wouldn't expect it to be that juicy. You shut your mouth. I also think there's the risk of... I had the opposite of this conversation with many folks many years ago, before AI, in the context of some of the mitigations and defenses and practices we've been developing at Google: that all of this is cool, but it works for this one company in the world that has a code base of sufficient complexity and a sufficient amount of funding and so on, and everyone else is struggling with more basic problems. Right. So I think curl is actually representative of a lot of what's out there, right? It's actually a pretty good code base that isn't terrible. It's not some of the... You can't throw a fuzzer at it and have 50 bugs in an hour. Hmm. But it's also not a very simple, trivial library that is not going to have bugs. So I think curl matters a lot. I think curl matters.
I just don't think it's a complexity... I think there are people making arguments both ways, that this is proof... Basically, if someone tells you that the outcome with curl, good or bad, is proof of anything, then they are probably full of it. But I feel bad putting this to you, because I feel like fundamentally the subtext of what you're saying is that we're way over-indexed on vulnerability discovery and response in general, right? And we can go different angles on that. We can talk about backup software, we can talk about the oddball stuff that I'm worried about getting popped right now that isn't Chrome or whatever. But more generally, I wonder: one big problem that we have is that it's really easy to imagine, next week, Mythos 2 is going to find a reliable KVM exploit, right? Something that broadly impacts everybody. And I'm going to have to reboot every single server in our fleet. And that's a lot of hardware to reboot. It would take us a... We've tabletopped this. It's doable, but it's rough. The vuln wouldn't be anything... I think we're speculating the vuln wouldn't be anything completely alien that no one's ever seen before. It's just threading pieces together in a way that holds all this context in its "head," and it's able to thread them together and find an exploit. Forget Mythos finding this. Imagine just Tavis Ormandy publishes this next week, right? Which he has done to us before. ...a shower, and then, you know, I've gotten lunch and come back, and Zenbleed is happening, right? Whatever. I admire him. He's amazing. I'm not dunking on him, but that did happen. That did happen to me. My thing here now is on the defender side, right?
Another thing that agents potentially do for me is put me in a situation where I don't necessarily have to reboot to do that, right? It's much more plausible now that I could do a dynamic kernel patch than before. Yeah, but that's one of the places where you do have that asymmetry, right? To find vulnerabilities, you are perfectly happy with a 50% accuracy rate. If 50% of the findings, or 90% of the findings, that would be absolutely wonderful. You will not accept 90% accuracy for... No. ...in production, right? So I think the solution is a lot more challenging than the... You're two steps past where I'm at. Right. Just assume we're in a situation where we've identified the vulnerability, there is an official source-level fix for it, that's the right fix and all that. And the simple logistical problem of how the hell do I actually apply this patch, given I'm going to have to reboot tens of thousands of physical machines? Or do you mean the fix? No, I'm thinking more along the line of: we have a known-good fix for it. And I can imagine that in many cases, given a known-good patch, I'd be able to dynamically apply that. And I mean in the business operation sense, not in the software library sense, like... Yeah. ...and blast it out to all the official channels, et cetera. No, no. By "apply" you mean hot-patch your live running installs without rebooting. Yeah. But I'm not saying that the solution is right and you just need a monkey with a wrench to... I think a lot of things don't get fixed just because it's very difficult to schedule reboots and take the outages. Yes. Or, in this case, take the risk of an outage. You might have a lot of confidence that you could live-patch this, but that's still risky, if you can get to that point. Yeah.
And then you still have the problem that if the agent goes to Reddit and decides to ransomware you instead, but that can be mitigated, right, with sandboxing, and it's all probabilistic. But I think we have to get used to the notion that it was always probabilistic; humans are probabilistic too, although in a different way and maybe a bit more predictable, and we need to build better models of how to deal with the unpredictability of agents every now and then. But yeah, no, I don't think you're crazy. A nice thing though with software is that you can do all this other stuff outside that the model isn't touching, and you can try to get something that's a lot more deterministic to confirm, so that it'll spit something out and you can have pretty good confidence in what it will do behaviorally, because you did all this other work to, yeah, wazoo yourself and basically mitigate the probabilistic... that you have. Yeah, sorry, I didn't mean to... It's fine. Yeah. No, I have this theory that if we are thinking about using agents in mission-critical settings, like enterprises and so on, the principle, the way to build those architectures, is not to put agents with human-like autonomy and human-like access and hope for them to always make the right decisions. It's to give them tools that are secure by default, provide them with more constrained permissions and more constrained access that is tailored to the differences between those... They are fundamentally different. You can't put them in prison, right? If they delete your data, they can write you an apology letter, but that's kind of as far as it goes. So the usual social contract you have with your employees is gone,
and all the negative consequences that come with it. So there are architectures that are conducive to building secure agentic platforms today, and we should be leaning into that more in the future. But I don't think this is the direction that the frontier labs are moving in, which is basically human-like agents that are your coworkers, your assistants, and basically have unconstrained access to everything that you have and that act with full-out human-like autonomy. Mm-hmm. I think that, and I may be wrong about this, just doesn't work until we solve prompt injection and all the other problems that we don't seem to be making as much progress on as on capabilities themselves. Yeah, I do get squicked out. I see a lot of places where LLMs are super applicable to defense, but I do get squicked out every time I see somebody using an LLM as a reference monitor, right? Like, the actual defense we have is that an LLM will make smart decisions about things. I'm sure there are a lot of places where good, smart decision-making is a good triage step or whatever, but literally as an access control mechanism, it doesn't seem right to me. Well, the problem they are trying to solve, I think in many cases, is that you now have agents on the attack side, right, and they can move quickly. Yes. Compromise, lateral movement, in what, 30 seconds, right? And they can do it all the time. So you find you need human-like reasoning about what's happening in the enterprise and autonomous decision-making on timescales that are just fundamentally incompatible with human workloads. Or you fundamentally rethink how companies are structured and built and, you know, compartmentalize everything a lot better than we are compartmentalizing today.
So I think on some level, LLM-type reasoning is unavoidable on the defense side, if you want those real-time clever countermeasures, but it's incredibly difficult to get this right and not shoot yourself in the foot. Yep. It wouldn't be my first move as a defender. That wouldn't be the first place I would think of. Yeah. I think you need a lot of piping before you even get there, right? It needs to have the right source of information to begin with, and most enterprises don't even have that right. Let me ask you a weird question. So you've got the book, and I'm going to ask you about the book, the new book, in a second, right? But how "security" are you going to be going forward? Are you going to veer off into circuit land? No. So, yeah, electronics has been my passion ever since... I ended up doing computer security kind of by accident. I was either going to become an electrical engineer or a chemical engineer, and that was my childhood thing. And then computers showed up and ruined my life, right? And it was the right time, the right place, to be getting into infosec. That could be said of all of us: "and then computers showed up and ruined my life." Yeah. So obviously no real regrets about that. But yeah, I keep going back to that. And here's the thing: I'm still very passionate about security and I think, again, this is incredibly interesting. Right, this is either the most interesting time in the history of infosec or the second most interesting, after the arrival of the web. Yeah, absolutely. I haven't been nearly as excited about the field for a good while, right? So I want to be a part of it.
At the same time, the things that make you visible in the field are basically punditry, like, I guess, having a TikTok now, right, or a podcast, or doing vulnerability research work. I've done this long enough that when you look back at it, it feels kind of... right? I did two security books; they are basically completely obsolete at this point. All the hundreds of advisories and whatever that I published two decades ago, no one really remembers or cares about any of that. And it's not that I'm seeking eternal fame, but I think it's kind of... infosec compared to almost anything. If you publish a book about electronics, yeah, it's going to be slightly outdated in 10 years and maybe badly outdated in 20, but it's not as rapid, it's not as dramatic, right? If you're a woodworker and you build a... Yep. ...for yourself, you know it's still going to be fine. You're still going to be able to look at it, maybe pass it on to your children. No, like, if you had a comprehensive catalog of shop jigs in a woodworking book from 1965, I would probably still be interested in reading that book. So I think I'm trying to balance... Basically, I looked at my infosec legacy and I said to myself, "my God, this is all worthless," right? Like, AFL is going to get forgotten before long as well. And I'm trying to find something more durable, different, before my... Sure. The book. I'm looking at a cover with a woman holding a hot soldering iron way too close to her face. Yes. Tell us more about the book. Right, what is the name of the book? The Secret Life of Circuits. Awesome. Yeah. And let me ask.
My first question is, will this book teach me how to solder? Because I'm terrible at soldering. It actually contains some pretty useful tips, which is basically: spend more money on a good soldering iron, like a pencil-shaped one, versus the one that you hold like a toothbrush and is about as fine of a tool. And that really makes a difference. But yeah, so there's plenty of books about electronics, but I think we have this weird two-track approach to teaching that discipline, right? The hobby track, which is basically telling people that circuits are like water pipes, and I guess a diode is like a check valve, and the transistor is who knows what, right? Some sort of plumbing abomination that you probably don't want in your home. All of this is very seductive, but it's also kind of wrong, because there are interactions between electrons and charges that are happening at microscopic distances. Like, you have two wires, and there's current flowing in one, and voltage appears in the other one. And you can't really explain that with a plumbing analogy, right? So all that stuff that they teach you basically has zero predictive power, and you struggle to build your own circuits down the line. It's kind of like watching 3Blue1Brown videos on YouTube: you are really impressed by how clearly it's all explained, and then you don't actually know how to apply any of that knowledge to any practical problems. And then there's the second track, which is the college degree approach, right? Where you have a textbook that is more axiomatically correct. But the way we teach electronics to students is, we really front-load the calculus.
You're basically only learning truly punishing math for the first year and change before you get to an LED or whatever, right? And you use that as a foundation to streamline all the electronic theory down the line. This means college textbooks are basically completely inaccessible to hobbyists, because no one is going to take a semester or two of calculus. What's the level of math I need for the... I know that you're doing a different track here, which is super interesting, right? And you're trying to be at least practically, theoretically rigorous about things without having to solve partial differential equations. But what level of math rigor do you think you'd need to bring into the college track normally? How far do you have to get in that sequence? So you're asking about the way people normally teach it? The way people normally teach it. I think it goes pretty far. It's like Laplace transforms and complex-number calculus and stuff like that, right? So it's not just the basics of, you know, rate of change, or here's the... Yeah. ...over time, right? It's far more punishing. And the thing that... I don't have an EE degree, but I actually tried to follow that path. And the thing that is really frustrating at the end of the day is that none of the calculus is really explained from first principles, right? You're given formulas for, you know, this is how you calculate the rate of change of this particular function.
It's a rapid fire of formulas that you're going to forget if you're not applying them day to day, within six months. And the approach I've been trying to take in the book is... And the further problem with that is that electrical engineers are taught the theory in a specific way, and they kind of know that the complexity is essential to the explanation, right? So if you go to Wikipedia or you go to Stack Exchange and you just want to understand why the formula for the reactance of a capacitor, or the frequency response of... Yeah. ...looks this way, the answer is, you know, learn some calculus and come back, right? And I don't think you actually have to do that. For sine waves, you can derive all of this from basic trigonometry. It's going to take you a bit longer, and there are going to be more triangles and circles that you have to draw, but you kind of just need early high school foundations to explain electronics. So I think there's a distinction between essential complexity and the complexity that makes sense and is expedient in a college setting but doesn't really make sense for hobbyists. And so I'm trying to aim for that middle ground, and it's been a wild ride, and a lot of triangles, and almost 300 drawings. So, yeah. I haven't asked you specifically before, but I get the sense that you have most of the math already. So is the work here from "I can metabolize this stuff because I have, you know, complex calculus and all that" to translating it, or is this literally you trying to figure this out as you go? No, I think you know the answer, right? And you sort of work from that point. But... Okay.
Sometimes when you force yourself to explain something simply, you realize actually, you, you do I Yep. I'm just like, you know, why is it the way it is? I mean, how do you, do you convey that in a way that makes sense to, to, to a person who, you know, hasn't read the same books, right? And hasn't gone down the same rabbit holes. So it is a bit of both, I think. You know, like, trying to explain is when you realize that you don't know certain things and yeah, for sure. How far are you into the book now? I, I saw like, 420 pages. Have you written 420? Yeah. Yeah. It's all, it's all done. It's, it's like, you, you know, with the, with the printer right now. So, uh, yeah, you can pre-order and get a free PDF today, and it's gonna be like the entire book. Uh, and then it's gonna ship in September, copies. It's, it's gonna be full color and, and hardcover. So but really, fancy. Well, um, will there be copies at the, at the No Starch booth at, uh, DEF CON or, or Black Hat or I, would expect so, not in charge of their marketing, but they usually all the new stuff. It would be a funny role for you to take. Uh, will it. They actually always try to rope me in and they ask, are you going to DEF CON or Black Hat, or whatever, and my answer is always, no, thank you. I, I what. know, 20 years ago and that was good enough. Will it teach you how to calculate the equivalent resistance between two resistor nodes that are a knight's move away in an infinite grid of ideal one-ohm resistors? So, that, that's the good there's a lot of things that we teach to people just to torture them, I think. Right. Uh. We're in some cases to be hit by a bus in the next XKCD comic. And, I, I think there's also a lot of things that we teach in a particular way for historical reasons, right?
Like if you buy an electronics book, there's probably gonna be a chapter about things like tunnel diodes that, you know, no one has made commercially since the seventies and you can, you know, buy some surplus on, on eBay, right? Like, if you really want to, or how to wind your own transformer or stuff like that. And no, and, and, and, and the book is not gonna be spent, or, or like, like you usually start with NPN or BJT, like, you know, uh, bipolar junction transistors, which are kind of not exactly obsolete, but they are more complex than the more common modern field effect transistors, which is what you actually use everywhere, right? In digital circuits and power switching and so on. So I've been trying to, to step away from that as well. And like really focus on modern problem, modern, modern problem solving. And that means that, you know, if you wanna build an oscillator, you're probably not gonna be putting together individual transistors. You're gonna get a microcontroller that costs like, you know, 50 cents and program it to whatever waveform you All right? And if you wanna change the frequency or whatever, you can just upload new code. Um, I think, I think there's a lot of stuff like that in, in the book, just trying to keep it practical and not, not torture people with math or theory just for the sake of it. Uh, it's just the, just the things you really need or the things you need to know to make sense of Wikipedia articles or, or college textbooks down the line if you really need to investigate a specific thing. Well, that's very cool. Thank you. Thank you for coming on. Thank you for telling us about the book. Thank you for letting us interrupt you. While you talked about bug finding for like an hour before talking about your book, appreciate it. Okay, cool. Thank you. I mean so much for this is, this has, this has been, um, a very fun conversation for me. Even though I think that vulnerability research is gonna matter more than you think it will.
Uh, I am super psyched for the book, although I'm a late in life math student, so I'm actually psyched about the math parts of it. But still, I'm unbelievably terrible with electronics and I did not realize I could, I did not realize I could download the whole book right now, which is awesome. So that is The Secret Life of Circuits. That is, uh, Zalewski's, Zalewski's. I'll get it at some point. Uh, new book, um, everything else, he's, we used to give copies of The Tangled Web, which is your second, Yes. to every candidate that applied at Matasano. Just exceptionally good writer. Very fun to read. Um, so yeah, look, thank you so much for doing this. We really, uh, enjoyed talking to you. Thank you. And you know, after the vulnpocalypse, I'm happy to come back, uh, onto the show and you can tell me how wrong I was. You're a prepper. That was your, your third book is about like preparing for the, um, was about preparing for the vulnpocalypse, so I'm sure you'll be ready. We'll come to your place because you'll have water stockpiled for us. Yeah. I have an excavator, so, you know. You don't actually have an excavator, do you? An excavator, I have a tractor. I, you know, I'm, I'm all set. You're like, you're buying all the, like the equipment that two year olds are really fascinated by. You just have the means. You have the means now to buy the real size Tonka trucks. The, the trick is you publish a book to make it look legit, and then you can buy whatever. Okay, well, uh, when the vulnpocalypse comes, we're, we're running to your compound. Alright. You already invited us. You can't take it back. Yep. Security Cryptography Whatever is a side project from Deirdre Connolly, Thomas Ptacek and David Adrian. Our editor is Netty Smith. You can find the podcast online at CW pod and the hosts online at @durumcrustulum, @tqbf and @dadrian. You can buy merchandise at merch.securitycryptographywhatever.com.
If you like what you're hearing or seeing, give us a five star review wherever you rate your favorite podcasts or videos. Thanks for listening. I can't believe he has an excavator.