762 GhostGPT: AI Hacking Threat or Hype?
Jan. 30, 2025


Uncle Marv and cybersecurity expert Ryan Miller discuss the realities of AI-powered hacking tools and the importance of proper security practices in IT management.

Uncle Marv welcomes Ryan Miller, Chief Information Security Officer at RootPoint, to discuss the latest trends in cybersecurity. They dive into the recent buzz around Ghost GPT, an AI-powered tool that's causing concern in the tech world. Ryan offers a balanced perspective, explaining that while such tools may make certain hacking tasks easier, they don't necessarily lower the barrier to entry for cybercriminals as much as some fear. 

The conversation shifts to the challenges of managing IT security in today's landscape. Ryan shares insights on the importance of proper security practices, including the need for comprehensive endpoint protection and the risks associated with certain vendor requirements. He emphasizes the value of collaboration between IT professionals and employees, cautioning against practices that can alienate staff, such as overly aggressive phishing simulations. 

Uncle Marv and Ryan also touch on the evolving nature of managed services, with Ryan highlighting RootPoint's approach of tailoring enterprise-level solutions for their clients. The episode wraps up with a humorous Florida Man story, providing a light-hearted end to an informative discussion on serious cybersecurity matters.

=== Links and Companies Mentioned

  1. RootPoint: https://www.rootpoint.com/
  2. AV Summary Report: https://www.itbusinesspodcast.com/downloads/av-summary-2024/
  3. Florida Man Arrested Despite Having Ankle Monitor: https://tinyurl.com/3c6ap245
  4. Florida Halo Law Protects First Responders: https://tinyurl.com/244p87x9
  5. ThreatLocker: https://threatlocker.com/
  6. Mitel: https://www.mitel.com/
  7. Microsoft: https://www.microsoft.com/

=== Show Information

Transcript

[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers, where we try to do everything we do or everything we can to help you run your business better, smarter and faster. We are here on Wednesday evening in our usual slot. This is the Wednesday live show.

And I have a guest coming up tonight and we're going to talk about a very interesting topic, something called Ghost GPT. So I've got Ryan Miller from RootPoint that will be joining me. And let's see, I've got an interesting, at least in my mind, Florida Man story that we're going to talk about.

But first, I want to do a couple of things. As we start out the show tonight, I want to first do a little bit of nostalgia, because we are going through a purge in our office. So we've got some files that I've just never gotten rid of.

And we're getting rid of them. And some of them as we're coming across are very old installation guides, tech documents and things of that nature. And so when Kim came to me to show me some of the folders today, they were folders that I thought, man, those things should have been gone a long time ago.

And so I have here some of the documents that we're going to be shredding today. How to troubleshoot virtual memory fragmentation in Exchange Server 20. No, Exchange Server 2000 and Exchange Server 2003.

So that is a document that I had downloaded from support.microsoft.com back in 2005. Also, 2005 monitoring for Exchange 2000 memory fragmentation. Here's one Exchange Server maintenance mode.

And then how to configure connection filtering to use real time block lists, and how to configure recipient filtering in Exchange 2003. So for those of you that wonder what kind of a tech I was, this is the type of stuff I was doing back then. In 2005, I was still working on Exchange 2003 on prem and doing all of this stuff manually.

I did work on, let's see, the last Exchange Server on prem that I worked on, I finally got rid of, I think, in 2021, the year after our COVID. And I actually, the client that I let go at the end of 2017, one of the factors in that that I was so happy to let them go was that every Sunday, their information store would go offline. Now, I don't know if any of you had this issue, but when an information store gets to be a certain size, it just quits.

And for some reason, Sunday morning, I don't know if it was like 12 midnight or 1am or whatever, it went offline, and I would have to get up Sunday mornings, log into the remote server. And yes, I to the Exchange Server. And I was able to do that remotely back then.

But I would get up every morning, every Sunday morning, log in, see the information store was offline, restart it, and mail would be flowing. So that was a joy that I really was happy to be done with. So, Joyce, going down memory lane.

So that was that. I do have a tip that I want to share. And essentially, I'm gonna, I'm gonna say my bad.

In this situation, I have a client that we're doing a 365 migration, we're doing 10 mailboxes. Actually, it's 12 mailboxes now because we found two extras. And we're moving data from a server, a virtual server that this company is using where they were hosted with another vendor, and they're moving away.

And we're moving their data from that server to SharePoint in the cloud. So I'm doing a mailbox migration. And we're using the SharePoint migration tool inside of Microsoft to move their data into SharePoint.

And one of the things that I've always been able to do in the past is, of course, have access to the full environment of where you're going from, and where you're going to, but in this case, the company doesn't want to give up their data. They don't want to give us access to anything. We couldn't get into the mail portal to see the mailboxes.

I couldn't see the sizes of the mailbox. They would not create an admin account for me to log on to the server to do a lot of stuff. I had to use the owner's account to go in.

That owner is not an admin, but they did at least, after some pushing and shoving, they actually made it to where we could copy files off the server. When I first tried to do the migration, after like five minutes, all of a sudden we were getting error denied, error denied, and I could not move files from the server into SharePoint through the migration tool. So we had to have them reset permissions so that the owner would be able to do that.

The other thing we found out after, I think it was four days of moving their mailboxes, yes folks, four days for 12 mailboxes because the connection was slow. And when I mean slow, like I've done 30 mailboxes in a couple of days. We were on day four of these 12 mailboxes and started getting, as they would finish, I got four mailboxes where the receiving mailbox was full.

So they had hit their 50 gig limit. When I checked the mail server, I mean the exists not the mail server, when I checked their server where their profiles were, I couldn't get an idea of the size because they were not using the OST files. They were actually not in a cached exchange mode.

They were literally online direct to the server. And I just kind of went by what I saw with some old PST files, which they were, you know, the biggest ones range from like 20 to 30 gigs. And I'm like, okay, don't know why they went directly online, but I'll use that as a guide.

So I thought at the most, we'd have a 30, maybe a 40 gig mailbox. Well, no, four of them were over 50 gigs. And so, of course, we had to then request that we actually get a full report of the mailboxes and it took two days to get that.

So we finally got that. And the reason we had to ask for the actual full report is because I wanted to know if any of these mailboxes were over 100 gigs. Because, of course, as many of you know, there aren't many options in the 365 that are let alone above 50 gigs, but a lot of them, you're still capped at 100 gigs.

So I forget if it's, if you do, it's 365 standard or premium. And then you add an online two license, you can get 100 gigs or something like that. Or you have to go to E3 or E5 to get a primary mailbox at 100 gigs.

Now, you can archive up to 1.5, but that wasn't the issue. I wanted to know what the primary mailbox size was. So two of the mailboxes are actually over 100 gigs.

So I found that out yesterday. Today, we're talking with the client to see what they want to do in terms of upgrading a license or stuff. And the reason I want to say this is a tip that you should do, and my bad, is insist.

Insist ahead of time, even if you don't have access to the environment, get those reports. Because here we are now more than a week past what we should have been in terms of getting them migrated. And in some sense, I've got to start over with these four mailboxes at the worst, because we may have to blow them out and make them archive stuff or stuff, you know, something like that.

So very interesting thing. Oh, I forgot this point. So that was just the mailbox part.

The SharePoint actually stopped as well, because we ran out of space in the C drive, because the SharePoint migration tool, if you do not know, you have to have a minimum of 150 gigs of empty free space for the temporary folder. And I'll be honest, I didn't think about that, because I, for many years, you know, have not checked it, because when they give you those requirements about how much free space is needed, we've always had it. And I did not think, well, let me double check what the requirements are.

And I went, and when we first looked at the C drive, the person at the company said, oh, yeah, it's 90 gigs free. And I'm like, okay, no big deal. No, no, no, no, no.

The actual partition size of the system was actually only 100 gigs. So it was like 96 or whatever. That's the total size.

Their free space was something like 12. So we didn't have enough just to do that. And I found a script that is supposed to allow us to move that temporary storage location from the C drive to the D drive.

Although the first time we ran it, it did not work. And of course, I can't do it myself, I actually have to have the other company help me because it's a script that has to be run in an elevated command prompt. So when I go to run it, it asks for the admin credentials, somebody from them has to be on the server with me to give me the admin credentials.

So it's a big mess. So I still have to go back, move that temporary file storage so that I can continue with the SharePoint migration. And that's a joy.

So fun project. And if you're wondering, have I charged them enough so far? Yes.

I overbid the project, assuming that there would be issues. Yes, there were. So, so far, I could still go another 20 hours into this project and eke out a little bit of money.

But obviously, if everything goes well, we'll all be good. So that's there. And lastly, before we get on with the show, I want to talk about something I got today released.

I don't know why I just saw the press release on this was just released today. But December 19th of 24, there was a report put out from the, it is called the independent test of antivirus software. And it is a summary report put out by the website av-comparatives.org.

Actually, let me show this and share this here. Let me see if I can do this on the fly here, share screen, throw that up there. So there is the report.

And I will actually make this available for download on my website. This report is 75 pages. And I did not have enough time to go through it today to look at everything.

But it has 16 of our commonly known antivirus vendors on there: Avast, AVG, Avira, Bitdefender, ESET, F-Secure, G Data, Kaspersky, McAfee, Microsoft, Norton, Panda, Quick Heal, TotalAV, Total Defense, and Trend. And then it goes through and gives a whole bunch of summary tests that it did. But I just want to give you the real short answer first.

What was considered the product of the year? ESET was the number one product. And then the top rated awards went also to Avast, AVG, Bitdefender, and Kaspersky.

So there's additional awards that were given in terms of false positives, overall performance, blah, blah, blah. But again, I will have this report available for you to download. And look, I found it a very interesting perusal.

I haven't read the whole thing yet, but that's where we are with that. So that's a lot in the opening monologue. But now it's time to get to our guest.

And let me see here. Before we do that, let me go ahead and get a little bit of sponsor stuff done out of the way. Our show tonight, obviously always presented by NetAlly, our friends with the handheld network testers.

And I've actually started filming some of the shows that I talked about where we're going to go through each of the tools they have. And the first one is going to be in honor of my good friend DJ, a desktop junior that I work with, who told me last week when we were trying to troubleshoot a network connection, why a computer wasn't connecting to the network. And I asked him, you know, is it plugged in properly, blah, blah, blah.

His response to me was, I don't have a tester. So I had to go on site and use my tools to check all that out. So we're going to talk about all those tools and what everyone should have.

I'm actually going to highlight Rhythms right now, the internet in a box company. My good friend Steve Copeland has provided me with the box that I will be using over the next few months. One of which is to attend the Florida Man games that are happening March 1st in St. John's State Park, Florida. I will be up there. And then of course, Florida Man series is currently on Netflix for you guys to watch there. But Rhythms is the portable internet in a box.

If you've got a client that needs temporary internet and for some reason can't get access, or if you've got an event that's coming up where you need internet and the hotel costs too much or anything like that, take a look at Rhythms and they'll help you out. All right. Coming to the stage, Ryan Miller with RootPoint.

[Ryan Miller]
Thank you for having me on.

[Uncle Marv]
I don't like that picture either. Ryan, how are you, sir?

[Ryan Miller]
Good, good. It sounds like that one customer said, hey, we need you to chop down this 25-year-old oak tree using a stick, because they didn't give you enough privileges. That's crazy, man.

[Uncle Marv]
Well, and it's funny how, you know, when you talk to the client at my first meeting, they're like, oh, yeah, we've been with this company a while, though. They're fantastic to work with. They'll give you anything they need.

And of course, as soon as you start asking for stuff, we can't give you permission to do that.

[Ryan Miller]
And it's like you guys realize that we're just burning hours here, right? Trying to find workarounds and just help us out.

[Uncle Marv]
Absolutely.

[Ryan Miller]
Man.

[Uncle Marv]
All right. So, Ryan, let me explain to people who you are. You are with the company.

So the company is based out of Miami down here. A good friend of mine, Andrew Renkes, who I reached out to, he gave us your name. You are serving as the chief information security officer and the virtual CISO for RootPoint.

And why would you have both titles?

[Ryan Miller]
Because we need to be as secure as our customers, right? We can't expect our customers to do things that we don't do. It's not only stupid, but it's unethical, in my opinion, as a security practitioner.

Because like I tell a lot of people, security deals with protecting information that is a lot of times intimate to people's lives, medical conditions, social security numbers, medications that they're on, a whole slew of information, right? So if we say, hey, you need to protect yourself this way and we have access to your systems, we need to be protected or more.

[Uncle Marv]
All right. Now, I said you're based out of Miami, Florida, but now you guys are, I know you're technically international, but are you national in a sense, regional? How does it work?

How many offices and all that good stuff?

[Ryan Miller]
I'm actually up in Hanover, Pennsylvania, and we have a couple of customers up here that are within a day's driving distance. But the rest of the team is down in Miami, which is where the bulk of our customers are. But we do some project work for companies out in the Midwest and on the West Coast.

So it's a pretty good mix of things that we do.

[Uncle Marv]
All right. Now, am I correct that I remember you guys were in Europe at one time? Yes, no?

Or am I just mixing up Andrew's companies because he's all over the place?

[Ryan Miller]
I don't know. I know Andrew because he has a chemical company and then he has a medical supply company. All right.

[Uncle Marv]
Maybe I'm the chief.

[Ryan Miller]
Yeah. His chemical company, he's done some work in Europe, I believe.

[Uncle Marv]
Okay. All right. Well, at some point in time, I'll get Andrew on the show and he can clear all that up.

I know he's got his hands in a lot of stuff.

[Ryan Miller]
Clarify the spider web.

[Uncle Marv]
All right. So when I had reached out, one of the things that I wanted to chat with, because, Andrew, I thought would be a good resource for this, but apparently you were going to be as well. There was a thing that I had read about for the last couple of days that I found very interesting, something called Ghost GPT.

And basically the headline said that this was a new uncensored AI chatbot that allows hackers to create malicious code, develop malware, and craft convincing phishing emails. And it operates without ethical safeguards. So my first question I'm going to ask is, had you heard about this?

And if so, what did you think?

[Ryan Miller]
I had heard about this. And what I think is I'm not surprised. There's a lot to unpack in that intro that you just did, but I'll start here.

Humans, like with anything, we industrialize something and then we commercialize it. And so that has happened with the malware as a service industry for threat actors developing now over roughly the past 20 years. So back in the 2000s and even before, you had really specialized people that were like genius coders and they wrote this malware.

And maybe you could get ahold of it. Maybe you couldn't. You had to pay a high price.

And then people that controlled the malware repositories goes, hey, even though it may be competition, we could make a lot of money and step back from actually breaching people and just make revenue off of renting out our malware, renting our botnets. And so as that advanced and as coding became more available education wise to the public through learning management systems that you could just go and pay for instead of enrolling at a university and going for software development or computer science, whatever it may be. Malware became more easily obtainable in those delivery systems.

So now we've gotten to the point where we have these large language models that us, non-threat actors, the blue team and then the good red team guys, go, hey, this could make our jobs a little easier. We could do things faster, and a little more efficiently. And we may learn something new.

So guess what threat actors did? They did the same thing that we did, because as useful as it is to us, it's as useful it is to them. There are some things in the articles that I've read that I disagree with.

In that one, there's nothing novel coming out of these LLMs. These LLMs are not creating something that's never been seen before because they're using learning data that previously existed because a human created it, kind of putting it together. So there's nothing truly novel there. And LLMs, their nature is to be random.

So you can ask an LLM the same question about how to make a piece of malware five times, and you're getting five different answers. Ghost GPT isn't going out there and creating new malware and, oh my God, the sky is falling sort of thing, which is kind of the subtext of some of these articles. We're on the brink of disaster here.

No, we're not. The people that know how to code, it makes it faster for them. And so really what you're looking at is you're not looking at an expansion of skills, because in order to take the code that Ghost GPT creates, you still have to tailor it for environments.

So you still have to know what you're doing when it comes to operating systems, the hardware that's running them, which is all done in the reconnaissance phase of Kill Chain. So it's not allowing someone off the street who's touched a computer five times in their entire life and going in and making them this wizard hacker, which is kind of what these articles make it sound like. That's not happening.

What it will allow threat actors to do is scale much, much better, because us as humans, we like to industrialize and commercialize. Scale, scale, scale, scale, scale, right? Like scale ad nauseum in the MSP world.

You have to scale, right? So threat actors are doing the same thing. So statistically speaking, you're at greater risk because there's a higher volume of attacks.

Even when you're doing all the right things, you have your layer of security, right? Starting at ring zero with your employees, you're educating them. You're not tricking them with phishing simulations, right?

You're their employer. You're not their part-time pretend hacker, right? You educate employees and empower them to be able to recognize, hey, this looks like AI, right?

Am I supposed to be getting these kind of requests or demands from this person? And then you create internal processes. You go, hey, anytime anything seems off, call the person that emailed you.

And if they're going, I didn't email you that, you report it, right? And then outside of that, you have your endpoint protection that should not rely on static detection whatsoever. None whatsoever.

In fact, static detection was really out of style as far as effectiveness goes at least 15 years ago. What proper endpoint protection really needs to do is it needs to look at the, I think there's like 25 or 26 ways you can exploit software. So you have that exploit detection.

On top of that, if there's no exploit involved, you need to look at what that piece of software is doing in memory, what it's doing in processes, what it's doing on disk, and what it's doing over the network. That can include command line where you're doing TLS inspection, right? And then on top of that, you have your email filtering system, which you can create data control rules.

You have threat detection engine levels for filtering. And so even with increased volume, if you're doing things properly, your likelihood of breach and your risk goes up a little bit because of volume, but it's not this, oh my God, everyone's going to get hacked because Ghost GPT exists. And these research groups do a really good job.

And it's the nature of the business, these research groups, they need PR. So when they discover something, they need to make it sound pseudo novel, right? Like we discovered this amazing thing, it can do all these things and it really can't.

There's some embellishment in there, right? Because they want that attention. They want to see all their services.

[Uncle Marv]
Yeah, they start off by saying that this is going to lower the barrier of entry for cyber criminals. But yeah, you still have to know what to ask, how to code and stuff like that. Just like you have to know how to use, you know, Copilot and ChatGPT.

Now, you know, one of the things that is a little bit of comfort for me is that my end users that have tried to use ChatGPT to fix their computer. You know, I'd say most of the time they get to the point where they're like, all right, I had to call you because ChatGPT wasn't working. So I can see some of the same things with this.

I want to go back and ask you, you had made a comment early on this malware as a service. Because this just seems to be the next step, because one of the articles I read where they're actually pricing this as a monthly recurring thing. Yeah, subscription model.

They're charging access to this as if it's, you know, a stack item.

[Ryan Miller]
Yep. I mean, how else are they going to get MRR?

[Uncle Marv]
Yeah, I get it. But part of me thought, well, why wouldn't they just use this to write their, you know, script kiddies or whatever they do, you know, and then sell that. Because that's what they had been doing before is they'd find, you know, they create a group of scripts that would, you know, go out and do the work and they'd sell that.

Right. Now they're just saying, well, here, we'll sell you a monthly subscription to this, let you play around with it. I guess at some point, if you get fed up, then pay us to help you learn how to use it.

Is that the next step?

[Ryan Miller]
Yeah. And so you bring up a really good point. The actual lowering the barrier to entry into the threat actor world was the industrialization and commercialization of malware as a service.

I don't, I don't need to know anything really much about technology in the hacking sense, because I can, I can get an onion address, install the onion browser, go to it, right, sign up at one of these marketplaces and say, hey, I would like my phishing emails to have this theme. I would like for them to deploy ransomware. I don't know much about it, but it locks it up and I get payment for it.

So I'll do that. And then the people that run these marketplaces are like, oh, here's this really nifty dashboard. You can see who's clicked on your email.

You'll see who's clicked on the link inside. You'll see where ransomware has been deployed, where it hasn't, where there's been an issue. It'll actually send telemetry back.

Hey, we had partial encryption antivirus stuff. Well, you know, that's busted. Next victim.

Right. And so that was the true barrier reduction into getting into being a threat actor, not Ghost GPT. In fact, Ghost GPT really, in my opinion, exists because hackers got tired of fiddling with prompts to get around the guardrails, right, because the guardrails are okay.

And you can just change language here and there to really kind of get the result you want. And hackers naturally are like, well, I want to do this easier. So I'll just jailbreak an LLM that already has all of the learning data in it, and I can just put in whatever prompt I want and remove the guardrails.

So that way, instead of asking seven or eight questions to get what I want, I'm now down to three or four, maybe even one, if you're good enough at it or fortunate enough.

[Uncle Marv]
Right. Do you and I'm asking weird questions and not expecting great answers, but I'm going to ask, I mean, have you guys worked with this sort of thing? Do you know how people are actually jailbreaking AI?

[Ryan Miller]
I don't want to overstate my expertise here.

[Uncle Marv]
So I'll say I'm trouble either.

[Ryan Miller]
Yeah, yeah. I'm not really sure. Okay.

I do. I do have a friend of mine that is a data scientist for AI, a government contractor. And I'll put it to you this way, what he told me was getting rid of the guardrails in an LLM is rather arbitrary.

So, to get a hold of an LLM model and take the guardrails off is part of the setup process, essentially. Do you want guardrails or not? No.

Okay. I don't know exactly how it's done, but, but that's, that's more or less how he conveyed it to me.

[Uncle Marv]
Right. And I'm sure that all of these companies that are adding AI and create that stuff. I mean, they're probably putting in their own guardrails so that their product will stay within the boundaries that they're using it for.

Right.

[Ryan Miller]
Yeah. Yeah. Yeah.

Because the last thing a company needs is being sued because someone did a prompt of how do you commit the perfect murder.

[Uncle Marv]
Right.

[Ryan Miller]
Disaster awaits.

[Uncle Marv]
Yeah. One of the articles had a thing called Telegram. You know what that is?

[Ryan Miller]
Yes. Yeah. Yeah, it's for hackers and porn basically.

[Uncle Marv]
Okay.

[Ryan Miller]
I was on it. I was on it once when Russia, when Russia invaded Ukraine, there was a Ukrainian hacking group similar to Anonymous, but they were in Europe.

And I did security research for a number of years and I got out of it because I just got threatened to be sued way too many times for just trying to do the right thing. Like, like people were assuming I was trying to extort them when I'm like, Hey, here's misconfigurations I found of your systems publicly. Here's how you fix it.

I'm not asking for any money. That's literally what I would say. And then the next phone call, there would be a lawyer on the line accusing me of extortion.

I'm like, I never asked for money, dude. So I got out of that business. But that being said.

I was really interested to see how they were going to run their operations. And there were like thousands of people in this channel and they ran it really well. They had, of course, they had some Russian moles, and they had a number of rogue people who would just go off.

But, uh, yeah, it was run well, but that was my only dabble into Telegram. And then I was like, okay, this sounds bad. I was like, okay, I'm getting kind of bored being a fly on the wall for this, it's getting a little repetitive, so I left Telegram.

[Uncle Marv]
Okay. So it's actually its own service. I just assumed it was something like a board of announcements or something, like the telegram is, hey, we're telegraphing that these things are available, or something like that. But this sounds like a whole marketplace in a sense.

[Ryan Miller]
You can have it that way. Yeah, yeah. And I don't, I don't have a ton of experience with it.

That was my only experience I was in a channel with thousands of people discussing on how to hack Russia and bring down ATM service bank services outside of ATM. Going after power plants, gas stations, I mean, everything was on the table. It was wild to see.

[Uncle Marv]
Now, here's the question, because what you just talked about, in a sense of letting people know, hey, these are vulnerabilities you may want to fix, in a sense that's a penetration test, right?

[Ryan Miller]
I mean, sort of, I never, I never did any malicious payloads. It was more, it was more configuration checking in a read manner of what you could do publicly. Right.

[Uncle Marv]
But that's the same thing as a pen test, right? That's what we do. If we commission a pen test, we're checking their public IPs for what could happen, not necessarily.

[Ryan Miller]
I would label it more as a vulnerability scan, then, really, than a pen test, because I never went in and said, hey, I absolutely can do directory traversal and I got to a folder in the server through your web server that should not be accessible, like the C drive.

Right. I never went that far. If I could traverse freely within a web server, and basically just fiddle with URLs and get wherever I want it.

There's a pretty good chance that if I went far enough, I may be able to get into the local file system. So that's the type of things that I would do. Which is kind of a gray area.

Honestly. But, uh, yeah, yeah, I had some close calls.

[Uncle Marv]
All right. So I guess the next question that people would ask is kind of a two part. One, is this something we need to worry about? And two, how do we tell our customers that we're going to protect them against Ghost GPT?

[Ryan Miller]
Protect against TTPs. So what you want to do is you want to threat model. You want to look at your assets and where most of your attacks are coming through.

Right. And your two big ones are going to be anything publicly accessible, like a web server, a user portal, a web app login, whatever it may be.

And email. Those are typically your two primary attack vectors. And you can get pretty good detection mechanisms there.

The other big one that is much more difficult and seemingly impossible to get a hold of is your vendor risk. Right. Like, I can go and I can say, hey, you know.

I'm peeling open your software here and you have outdated libraries from 2005 that have vulnerabilities with no patches and you're using them in your software. OK, cool. Thanks for letting us know.

I mean, they don't care. They know we're going to keep using their software because we don't have any other choice or many other choices. Right.

You're embedded with them. Ripping out software, going to a different vendor, it could be a huge pain. So you really have to rely on the goodwill of your vendors to address the things that you find and bring to them.

Now, if you're a big fish, you can go, hey, if you want my millions of dollars in contract, toe the line, buddy. Which is a nice position to be in.

[Uncle Marv]
You're talking about our vendors, right? Not the vendors our clients use. So the tools that we're using are RMM, PSA, all of that stuff.

[Ryan Miller]
All of it. Customers, too.

[Uncle Marv]
OK.

[Ryan Miller]
Yeah, yeah. Which is why it irks me, RMMs, right? Hey, you have to do scheduled and real-time scanning and monitoring exceptions for the temporary folder. Right.

So now, if a threat actor compromises my RMM, he's got an undetectable foothold in every PC that is configured to best practices for that RMM. He can put whatever malware he wants on there.

Because when you exclude that temporary folder, it's not looking at process. It's not looking at memory. It's not looking at disk and it's not looking at network.

Anything that spawns from a file that's in that folder. Because the RMM is saying, hey, you can't mess with anything here or you might break me.

[Uncle Marv]
All right.

[Ryan Miller]
That's nightmare scenario stuff.

[Uncle Marv]
That's the RMM. But we still have additional software, and I'll throw out a vendor's name because I'm using them just for this reason, that, you know, even admins can't run stuff unless it's approved, with my use of ThreatLocker.

But I don't think ThreatLocker ignores the temp folder, right? Unless you tell it to.

[Ryan Miller]
Right, right. And that's the thing, is you have vendors that come in with software that says you have to do these things if you expect it to work correctly. Instead of the other way around, going, hey, us as a vendor, we're going to do what we can to work with endpoint protection software.

So you don't have to make those exceptions. Because for vendors making the software, it's low-hanging fruit. They don't want to put the extra work into it. To them, it's not worth it until their customers start getting breached.

And then it comes out, oh, well, you require all these exceptions to work, to enable my customer's business to thrive. And now they've been breached and it's through your software and your systems.

[Uncle Marv]
Which is one of the reasons why I do hate whenever something goes to be installed. One of their requirements is that you disable your scanning, your antivirus or malware scanning. I'm like, why should I have to remove that or disable it in order for you to install something?

[Ryan Miller]
Do you want to know the worst case I've ever heard of this? Mitel. If you have a Mitel on-premises server, you're juicy, man.

Mitel requires that you disable the service that's responsible for all of the inspection activity in the operating system for Windows Defender and any third party antivirus or endpoint protection.

[Uncle Marv]
Yeah. Still now?

[Ryan Miller]
Yes. Yeah. In fact, you can't even install any patches on it because it'll break.

So whatever patch level you install that Mitel white server at, you can't patch after that. And they say you have no antivirus, even Windows Defender. There's a couple of services that they say you need to turn off in order for our software to reliably work.

And I'm thinking to myself, even if you segment that, if you put it inside of like an internal DMZ, not like a traditional DMZ where it has public access, but it's the only thing on that segmented network, right? Internally, you're still poking holes in the firewall and it can be exploited from another device, right?

Exploit, pivot, sort of thing. I'm just like, guys, this is 2025. Is Mitel on the side of threat actors here?

Like, I don't know.

[Uncle Marv]
I thought I was fighting a battle. Last year, I still had one of my law firms where they have software where the users have to be admins. There is no way around it.

And this is a client that probably won't be a client after this year, because I think he's retiring. But they already have till October because we've got to upgrade. They've got to upgrade their Windows 10 machines.

Their server is still 2012. When I said, look, if you're still in business in October, everything gets upgraded. Or we won't serve you anymore, but I don't know if we'll make it that long.

But yeah, it's too big of a risk. Yeah. And it was literally that their program would not run.

And I was talking to the vendor. I'm like, how can you exist in this day and age? And I said, fine, ThreatLocker.

[Ryan Miller]
And the funny thing is, when you look at a lot of the software, it's not performing ring zero actions, right? It doesn't actually need elevated privileges. Everything it can do is inside user space.

So it doesn't need it. But as a just-in-case, they're like, hey, let's require this. Because it doesn't have driver access, right? It's just using the user space API to access the TCP/IP stack to access the network.

It's not making driver changes. It's not configuring anything with virtual adapters. And then outside of that, it's just a little SQL-like database for some applications where you work.

And it syncs to the service and none of it needs administrative privileges. But they're like, you know what, let's just do it.

[Uncle Marv]
Yeah, they're lazy. They ran into one little problem that they couldn't fix. Well, we'll just get that bad access.

[Ryan Miller]
You know what, instead of really figuring this out and doing the best thing for a customer, let's just increase the risk. Yeah, much better option.

[Uncle Marv]
Joy, joy, joy.

[Ryan Miller]
Yeah, yeah, we actually use AutoElevate. And it does. I'm sorry.

[Uncle Marv]
So our good friend, CyberFOX.

[Ryan Miller]
Yes. Yes. I absolutely love the product, because I can say, hey.

I don't need to worry about taking local admin privs away. Right. I can lock it down and say, OK, this employee needs to do these administrative actions on the endpoint.

And that's it. I create a role for it. Everything else is blocked.

So if I start getting alerts, right, I'm going, OK, is this threat actor activity? Is this now insider risk? Is this the employee?

Maybe there's been a change to the role. Right. An internal transfer.

Maybe they have new responsibilities and they have new software and they just didn't let us know. But it definitely makes things easier, especially with Entra ID, because when you join a machine to Entra ID, the account that you join it with automatically gets administrator privileges. Good one, Microsoft.

Good one. Right. We're dedicated to security.

Here's admin. So now you have to go and create a device-join account, use that account to join it, and then have the employee sign in, so they're unprivileged.

And then it goes, oh, actually, you know what? Because of a bunch of software they use, it's easier just to give them local admin privileges, throw AutoElevate on it, create roles and just be done, instead of going into every prompt and typing in global admin credentials.

[Uncle Marv]
Yep. It's fun. Yeah.

Let me ask you one question about RootPoint before we run out of time here. And I don't know how much you can answer, but I saw that you guys have a tagline now that says "make it," or "make IT awesome."

[Ryan Miller]
Yes, that was coined by our late CFO, Jeff. Okay. He was brilliant coming up with these things.

Really, really good guy, too. I love being around him. He always went out of his way to make sure that if you were around him, you were involved in conversation.

Right. He never let anyone feel like they were left out. But the idea behind make IT awesome is that we are an MSP that doesn't come up with MSP solutions for enterprise.

We come up with enterprise solutions for enterprise customers. And I think that's where a lot of MSPs go wrong, is there's a typical way of doing things in the industry. And it's usually listening to the customer a little bit and then just doing what you know, instead of maybe having to learn something completely new in order to meet your customer's requirements, instead of meeting your requirements.

That's an MSP for technology and processes. And so we put a lot of work into it. Our sales process is a little longer because we go into quite a bit of detail with our customers to get things exactly how they need to be. It takes time, but the result is systems that need little maintenance.

It's a happier customer. It is a customer that says, hey, I have other business friends that have a lot of problems. Their systems are breaking.

Ours aren't. Here's their information. And then we go off and we solve more problems.

[Uncle Marv]
Sounds great. Sounds a little bit like I operate, although I'm on a much, much smaller scale. But I can tell you, it sounds like it makes the customer experience so much, so much better.

[Ryan Miller]
It is. And a lot of feedback we get is that even though we have more conversations leading up to actual work than most other MSPs, our customers feel heard. And that's the important point, right?

We're not going in and forcing something down their throat that may not work for them, but it's something we know. So that's just what we do. We make sure we get what they need.

And if we have to learn something new, we learn it. We implement it. And then we train them on it.

And it's been serving us pretty well so far. In fact, really, our sweet spot is co-managed environments, because as an MSP, you're not in the day-to-day operations of that business. So you don't know all of the minutiae of what goes on daily.

And a lot of important contextual information can be missed, so problems can go unreported for a long time. Finally, the customer gets sick of it and blows up at the MSP. And that's just going to happen, because MSPs can't be in there every day, working their systems, talking to all of the employees and stakeholders.

And so with those co-managed environments, you have that inside person. In fact, for our co-managed environments, I have regular, sometimes weekly, conversations with them. Hey, what's going on?

Are there any pain points? Is anything kicking your ass right now? I'll pop into their Teams, just start cracking jokes, because a lot of times when you go in and you alleviate day-to-day business tasks of their employees, they start talking, man.

And you can find out, oh, hey, this really hasn't been working consistently. But it's something that they probably never bring up. They would just live with it.

And so now you have something that you can go and fix for them, that once you fix it, they're going, oh, wow, I was a lot more annoyed by that than what I thought. That's awesome. Thank you.

And then word starts getting around.

[Uncle Marv]
Let me ask this, because I've got a couple of co-managed. That's why I have the term "junior." I have a DJ, a TJ, and an AJ right now. And for those of you that are keeping track, CJ is gone.

So the acronyms all mean something. So DJ is a desktop junior. AJ is an admin junior, somebody who's HR for the office, but they want to do the tech stuff and all of that.

And I've got TJ, a tech junior, and CJ was a Cisco junior who thought he could handle Active Directory stuff because he was Cisco certified. One of the things that I found is that you've got to have the right relationship with either the owner or the champion of the business first, to make it so that those techs on site are willing to talk to you, or so that there's not somebody at that office that's playing gatekeeper. And one of the situations that I ran into a while back, until we had that conversation, is that there was a management person who wanted everything to go to them, and they would contact us when support was needed.

And stuff would get lost in translation. And I would tell them, look, just let me talk to the tech. We can figure it out and talk the same language.

Or if we don't, we'll figure it out. It took a while, but they finally made it so that, yes, the tech could reach out to my office directly. But they had to do some research first.

They at least had to try to fix things. I'm like, all right, I'll live with that. That's better than nothing.

[Ryan Miller]
Baby steps. But the next step, like real collaboration now in near real time, would really, really help. Yeah.

Yeah. And that's something that I've always been very sensitive about through my cybersecurity career, is the collaboration portion of it. Right.

Because if you want a good feedback loop from the people that are impacted the most by your consulting and advising on policy creation, processes and implementation of technology, you have to be able to have conversations with those people that are using that technology every day. And a lot of times, IT and even cybersecurity professionals, unfortunately, build walls to that because they don't want to deal with it.

They're just sick of this. They're sick of that. Or they get a big kick out of creating a phishing email that has to do with an employee's family member that recently died, and they pat themselves on the back for that.

Yeah, man, I really exploited the death of that employee's family member for a funeral scam. Like what? And I used to see that stuff on Twitter all the time.

I'm like, you guys sound like psychopaths. Like, why are you treating your own employees like this? They don't want to talk to you.

They probably hate you and you have high turnover. Congratulations. You suck at your job, actually.

I mean, the stuff and things I've heard, and I've had... Before I went to the MSP world, I had CEOs, and I did independent consulting, too, but before I went MSP, I had them just dead set on phishing simulations.

And I'm like, if you don't want your employees to like you, do that. I'm not going to do it. Find someone else to do it, but do that.

Because now you're going to have issues that go on and they're not going to tell you because they know that you're out there trying to trick them. Because when you fail a phishing simulation, a lot of times there's feelings of shame or guilt. Like, I failed.

No one wants to fail. You're already having to filter through so many potential phishing emails every day. You don't need your employer sticking their finger in your email flow.

It's ridiculous. And so I've always been dead set against that. I've had to do a lot of shielding in that regard.

[Uncle Marv]
Those are tough because in some offices, it's almost a game that the employees play with each other. Who failed this time?

[Ryan Miller]
And, you know, if you do phishing simulations and you gamify it and you're upfront about it, right? You don't shame them. You reward the people that passed, in private.

Right. I'm okay with that. But I've seen cases where they would have like a wall of shame of people that failed phishing tests.

Send it out in emails, have it on TVs.

[Uncle Marv]
That's not right.

[Ryan Miller]
Like, are you sure you need to be around other people in general? Because you sound crazy doing this stuff to your own employees. Man.

Yeah. Boggles my mind. And then these people are like, no one talks to me.

That's what I would expect. Good job.

[Uncle Marv]
Right. All right. Let's end on a good note here.

Any good projects? Any great stories that you've had recently that bear the mark of victory?

[Ryan Miller]
I don't know. I've been doing this long enough where nothing’s really great anymore. Right.

Like everything's a little accomplishment to me. I mean, one, I guess one of the things for a customer, we've been supporting them with their internal employee that does scripting and coding and building automated systems for their bookkeeping. And so I've been doing consulting on that.

I've been doing some sales engineering on that for them with the vendors going through setting expectations of what security is going to look like from an IAM standpoint, from a monitoring or detection and then response standpoint. Everyone's responsibilities within that triangle. So I guess I would say that's it because it's been going really smoothly.

[Uncle Marv]
All right. Nothing wrong with that.

[Ryan Miller]
The smoothness is a victory.

[Uncle Marv]
Yeah. All right. Well, let us end off with a nice laugh, courtesy of Florida Man.

And I had a lot of stories to choose from in the last couple of weeks, everything from a teacher having a rave party for high school students, to as sad as somebody running over a child that they left in the middle of a road, and a whole bunch of other stuff. But this one I'm reading today: a Florida man accused of mouthing off to a cop who was investigating a car crash and ignoring the deputy's lawful commands insisted that he could not go to jail because he had to abide by his court-ordered curfew. So Sebastian Angel Suarez, I love it when they give the full name, allegedly walked up behind a deputy who was investigating a car crash around 9:30 p.m. on Tuesday. So that's how it is recently. He walked up to the deputy and said, "Yo, what the F happened?" The deputy said he was investigating a crash.

No one was hurt. But Suarez allegedly responded, No, S man, a car crash happened. Who hit who?

And then got within arm's length of the deputy. The cop asked Suarez to go over to the sidewalk and said he would speak with him once he was done with his investigation. Suarez refused and said, F you, man.

You can't tell me what to do. The deputy said that Suarez was violating the halo law. And Suarez would be arrested if he didn't back off.

But Suarez didn't budge. He allegedly said, I'm on an ankle monitor with a curfew. You can't do S.

You can't take me anywhere. So the deputy had enough and placed him into custody.

[Ryan Miller]
And I was thinking this was a situation of someone trying to do the right thing while doing the wrong thing. But it actually turns out that he was just trying to stand on business with a conviction.

[Uncle Marv]
Yeah, he was. And apparently what he didn't realize was Florida's halo law just went into effect January 1st of this year.

And what it does is it establishes a 25-foot buffer zone around first responders actively performing their duties. So basically, if they're doing stuff, you cannot walk up within 25 feet of them if they give you a verbal warning. Violations can occur if individuals impede a first responder's duties, threaten physical harm, or harass them.

And they can face second-degree misdemeanor charges punishable by up to 60 days in jail and a $500 fine. So now the question is, he already had an ankle monitor on and he had a curfew. So why did he have that on?

Well, he was under a previous conviction for willful child abuse. And so now he is facing new charges of interfering with a first responder, two counts of resisting arrest and the violation of the probation of that willful child abuse.

[Ryan Miller]
Well, that story went from bad to worse. So stupid. Stupid idiot. Well, I mean, now we have an explanation of why he was treating the cop the way he was.

[Uncle Marv]
Yeah, because you can't. I'm on a monitor. I have to be home for curfew.

You can't take me. Yeah, we can.

[Ryan Miller]
We know where you are. And also his kid or a kid.

[Uncle Marv]
All right. Well, Ryan, thank you for hanging out with me tonight. And I do want to thank you especially, because the listeners don't know this, but it was kind of short notice that we got you to come on here.

And I don't know if you owe Andrew anything because of this, but tell him thank you. And I should probably give a special shout-out to Ashley at your office, who I don't know. Actually, I did not know she was a fan of the show, but apparently she is and could have been here.

[Ryan Miller]
Yeah, yeah, she's a big podcast nerd. And she's recommended yours in the past, along with a couple others.

[Uncle Marv]
All right. Well, I'm going to have to meet Ashley and thank her for that. We'll have to see if she'll be willing to come on later.

[Ryan Miller]
All right. Well, thank you for having me on. I really enjoyed myself.

It was a good conversation.

[Uncle Marv]
Oh, good. Good. Ladies and gentlemen, those of you that are here joining, watching live.

Thank you very much. I see some of you on YouTube. I see a couple of you on LinkedIn.

And I don't know about Facebook, but if you're there, thank you very much. If you're watching after the fact, thank you.

Of course, I do want you to sign up for all the shows, whether they're video or audio. Go over to itbusinesspodcast.com and select your favorite podcatcher, so you'll get all the shows when they are released.

Support the sponsors that I have on the show. You can do that. You can support the show by buying me a coffee, or clicking over to Ko-fi.

And, of course, vendors: I'm looking for some sponsors for this year. I need a music sponsor, a couple of travel sponsors. So check out what you can do there. We will be back next week.

I think next week is part two of a cybersecurity series that I'm doing with Fort Mesa, where we have a technical attorney on with us going over left of boom, at the boom, and then right of boom in the third part. So next week will be the second part, at the boom, that we'll be doing live here on the channel. So, again, Ryan, thank you for hanging out with us.

And ladies and gentlemen, his information will be in the show notes. Ryan Miller from RootPoint, based out of Miami, Florida, down here in the south. And that's going to do it.

We'll see you all in a week or so. Or you can hear me in your ears, in your podcatcher. That's going to do it.

We'll see you next time. Holla!

Ryan Miller

Chief Information Security Officer

I am an eight-year Army veteran with three deployments and a Purple Heart. My experiences in the Army taught me everything that a person shouldn't do if they're going to build and maintain a healthy, collaborative culture. I have taken the hard-learned lessons from my time in the Army and applied them to building effective information security programs.