Breaking the Chain of Custody
TL;DR: Google researchers identified a sophisticated iPhone exploit kit called 'Coruna' containing 23 exploits across 5 iOS attack chains. Evidence suggests it originated as a government surveillance tool before spreading to Russian espionage…
We start this chatty chat with the legacy of EternalBlue, an NSA-developed cyberweapon that leaked in 2017 and powered global disasters like WannaCry, to explain a new mobile threat called "Coruna." Just as EternalBlue likely escaped its government chain of custody to become a tool for mass digital carnage, Coruna is a sophisticated iPhone exploit framework, built on 23 vulnerabilities across five exploit chains, that has similarly migrated from elite surveillance into the hands of broader cybercriminal groups. This "EternalBlue moment" for mobile marks a shift where nation-state-grade tools, capable of silently hijacking devices via compromised websites, are now circulating freely in the wild.
Also, cute little MacBooks!
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: I wanna talk about something called EternalBlue.
Speaker 2: It's not my favorite color, but
Speaker 1: Back in 2017, a mysterious hacking group calling themselves the Shadow Brokers released a big archive of offensive cyber tools onto the Internet. We've talked about them before. At the time, no one knew where these tools came from. What researchers did know pretty much immediately was that the archive contained a number of very advanced exploits, capabilities normally only seen at, like, nation state level operations.
Speaker 2: The good stuff. We call that the good stuff.
Speaker 1: On that good stuff. And amongst the tools in the archive was an exploit called EternalBlue. Researchers figured out that EternalBlue targeted a very serious vulnerability inside of Windows. The exploit worked against the Server Message Block protocol used by Windows machines for file and printer sharing on local networks. And basically, by sending a specially crafted packet to a vulnerable machine, an attacker could trigger remote code execution without any kind of authentication. What that basically meant was like there was no phishing email in this hack. There was no malicious download, no having to make someone click something. Basically, EternalBlue let attackers remotely take over unpatched Windows systems just by reaching out to them over the internet or a local network.
Speaker 2: Right. I I would call that a
Speaker 3: Hollywood hack. It's a Hollywood hack. You went to the wrong
Speaker 1: You didn't even have to go to the wrong site. Microsoft had already released a patch roughly a month before this leak, but millions of systems around the world hadn't installed it yet. And once that exploit became public, attackers moved fast.
Speaker 2: As you do when you have something that powerful. When you got
Speaker 1: the heat, you gotta move. A bunch of very famous hacks relied on EternalBlue. May 2017, just weeks later, the ransomware known as, you might have heard of it, WannaCry began spreading around the globe using EternalBlue as its, like, entry point. If you're unfamiliar, that malware spread automatically from machine to machine, and within hours, the worm had reached more than 150 countries. It had disrupted hospitals and telecom providers. And NotPetya. For new listeners, these are two extremely famous incidents. Again, using the same exploit to propagate across corporate networks. It looked like ransomware at first, but researchers later figured out that the attack was designed to destroy data. Big multinational companies, huge portions of their global IT infrastructure wiped out. Just those two, billions of dollars in economic damage. As security researchers continued to analyze the exploit behind both of these attacks, EternalBlue, they started to figure out where it came from. The code contained, like, distinctive characteristics that matched tools previously associated with a highly advanced hacking group known as the Equation Group. Over time, researchers and intelligence analysts came to a consensus that EternalBlue wasn't originally a criminal tool at all. It was likely a government cyber weapon that had leaked. The exploit had reportedly been developed by the US National Security Agency as part of offensive cyber operations, and for years, it had been used in intelligence activities. But once that Shadow Brokers archive appeared online, the exploit escaped its original chain of custody. This very sophisticated exploit developed for intelligence leaked, and within weeks, it's being used to power global cyberattacks. Which is why today, when security researchers warn that a new exploit toolkit, this time targeting mobile, could represent another EternalBlue moment, they're invoking this very specific story that we've started with.
A powerful exploit, probably built for government use, that has somehow escaped its intended operators and is now circulating way beyond the intelligence community. Bringing us to now. According to a report released Tuesday, security researchers at Google say they've identified a sophisticated iPhone exploitation framework floating around in the world, an exploit that they're calling Coruna. The toolkit contains five separate chains capable of bypassing iPhone security protections and silently installing malware when a target visits a compromised website. And while Google's report refrains from speculating as to where this extremely complex exploit came from, a second research report suggests that this is probably an EternalBlue moment, where a powerful new compromise floating around in the world might have its roots in a leak from a government program. So we're gonna start this chatty chat here, with the story of Coruna, here on Hacked. Rum Solo. Coruna. Coruna. How you doing, Scott?
Speaker 2: I'm good. I'm good, Jordan. How are you?
Speaker 1: Doing good.
Speaker 2: I just love the thought. Mhmm. This isn't what happened, but, you know, somebody just accidentally making their GitHub repo public.
Speaker 3: Sure.
Speaker 1: It's like the Someone at the NSA accidentally making their GitHub repo public. Yeah. Yeah. Yeah.
Speaker 2: Yeah. Just like, oh my god. I just leaked, you know, all of this crazy stuff. Didn't even realize it.
Speaker 1: Yeah. You know that bespoke piece of malware we paid, like, a half $1,000,000,000 to? Oh, it's open source now. Incredibly
Speaker 2: yeah. We wanna keep incredibly secret for the moment that we actually need to use it instead of just handing it out freebies on the dark web to be used and destructive data destruction worm malwares?
Speaker 1: That can be, like, geotargeted to a specific region So you just
Speaker 2: need to We don't like this country.
Speaker 1: Go. Like, pretty much. We're gonna get into into that here of, like it's really fascinating where these geotargets were. Yeah. You got it.
Speaker 2: Well, the I'm intrigued to see, you know, just to tap back to the last episode talking about how, you know, the Mexican government's being compromised by Anthropic's Claude. It's gonna be interesting to see how much reverse engineering and how good these models get at reverse engineering to the point that those new bespoke complex malwares can be developed at a much more expedient pace.
Speaker 1: Yeah. There's a a lot of really interesting timeline stuff here of when exactly was this developed over the last, call it four years, and the exact point where we go, that was probably human authored, and the language of the code is
Speaker 3: relevant versus that was likely not human
Speaker 1: authored, and the language of the code isn't relevant. There's a lot of, like, sleuthing to be done in this code, and the language that it was written in. The bit instances of natural language and the language that those are in is very relevant to the story.
Speaker 2: Well well, please, you're teasing. You're teasing us all. Please tell us. What
Speaker 1: was it written in? There's a lot of English.
Speaker 2: I'm gonna say I'm gonna say Cyrillic. No?
Speaker 1: No. No. Oh, okay. No. Though relevant based on where it was found used. So we're talking about an iPhone compromise. There's no message, no click. In the versions that researchers were analyzing, a vulnerable iPhone can be hijacked by just going to a booby-trapped website. You don't have to do anything once you go there. Just go, and you're donezo. Payloads delivered. Payloads delivered. Google's Threat Intelligence Group describes Coruna as, it's like a full exploit kit. There's five complete iOS exploit chains that all kind of work together, 23 total exploits. It's complicated. And it targets iOS 13 through, like, 17.2.1. So quite recent. There's another research firm embroiled in all this, and they're important to understand as the two characters here. There's Google, and then there's iVerify. iVerify's entry point into this was criminal infrastructure. Weeks before all of this popped off in March 3, iVerify had spotted, like, a set of suspicious domains. I have them listed here. I won't say them on air. You can find it. They seem to be, like, kinda patched and cordoned off at time of recording, but who knows what happens. So I'm not gonna air them.
Speaker 2: The Equation Group that you mentioned in regards to the first malware that you mentioned, EternalBlue. They're not relevant in the Coruna landscape?
Speaker 1: Not to my knowledge.
Speaker 2: K. Because because equation group is actually pretty interesting. They're, most people think that they're actually the tailored access operation unit of the actual official NSA. They're like I don't know if they're a sub or, like, a subcontractor or what.
Speaker 1: But Yeah. You see the external group that everyone knows about. There's, like, there's probably just like an elbow of insert government body. Yeah. Totally. I wanna talk about some of the places that they found Coruna. There are a lot of Ukrainian websites with geotargeting locked on them. Alternatively, there's a lot of, like, Chinese crypto sites. So this has truly gone wide and is being used in some very targeted, interesting ways. iVerify managed to extract this, like, one-click chain that combined, like, a vulnerability in Safari with local privilege, like, escalation, all stewing together to allow full device control. They nicknamed it Crypto Waters because they first found it being used on these, like, cryptocurrency wallet scams, and that the deployment looked like a watering hole, like infecting visitors that come to
Speaker 2: a site.
Speaker 1: Y'all renamed later, but it's a pretty good name for it.
Speaker 2: Pretty good. Yeah.
Speaker 1: And they'd note again that, like, this doesn't use a one time link. This isn't, like, tightly targeted in some way. They could reinfect the device over and over and over again if they reset it. Like, it just you just keep it kinda works. And it's very consistent with, like, criminal scale operations rather than anything like boutique or targeted.
Speaker 2: So so you were saying there was a number of pathways in it and a number of exploits in the framework or in the kit. So, essentially, if you ran into a website that had this injection on it, it would essentially run a host of exploits at you. And the ones that worked worked, and the ones that didn't didn't. Is that kind of the vibe?
Speaker 1: That's my non deep in the wool security researcher understanding of this is that it's multiple paths to the same conclusion.
Speaker 2: Right. So instead of it being one exploit, one vulnerability, they've got a package and a kit of them, like a root kit of exploits, and they're gonna just gonna throw them all at you and see which ones work.
Speaker 1: It's like, I don't know, but it to me, it tells a story of a big operation that's been banking these things. Sure. And saying, like, we just sort of keep this up to date with all of the best ways to muck up an iPhone.
Speaker 2: And then using it all to steal your crypto.
Speaker 1: Bingo bango. Let's tango.
Speaker 2: A cool dollar wrench.
Speaker 1: It's not a $5 wrench.
Speaker 3: It's a
Speaker 2: insane package of 0-days.
Speaker 1: It's a $200,000,000 bundle of 0-days.
Speaker 2: Yeah.
Speaker 1: Google's Threat Intelligence Group published its findings on the same thing. They named it Coruna. That name comes from, allegedly, its developers. That name was found inside of it. We'll talk about that in a little bit.
Speaker 2: That could be indicative of something.
Speaker 1: Yeah. It's a really interesting name. Google's big meta narrative here isn't like, this is very advanced, which it, of course, is. It's the thing you get from reading that report is like, oh, this is proliferated. This compromise is very, very widespread by the time we're recording this. They figured out kind of its prior life up to this point. I'll skim through it. In February of last year, Google says it captured parts of this, just like a little bit of this iOS exploit chain, embedded in, like, a then freshly discovered JavaScript framework. They attributed it to, quote in the report, like, it seems to have connections to a customer of a surveillance company. They don't name the surveillance company or the customer. That summer, they reported that the framework appeared, embedded in hidden iframes on a laundry list of compromised Ukrainian websites, specifically activated when, like, the visitor was coming from Ukraine. It was geotargeted. Okay. Pretty interesting. In this phase, Google says delivery was, like, it was selective at this point. They attribute it to UNC6353, a suspected Russian espionage group. But, again, that is the user, not the developer. Right. By late 2025, it goes really, really wide. They say they identified the Coruna framework now hiding somewhere else on this vast set of, like, fake cryptocurrency websites coming out of China. A lot of finance related stuff. This is no longer restricted by geolocation. It's financially motivated. It's going wide. It's scam sites.
Speaker 2: Mhmm.
Speaker 1: And in this wave of scam sites, Google says they actually deployed a debug build, which exposed the internal name Coruna. That's where it came from.
Speaker 2: So so what I'm hearing and what I will fabricate Speculate. Wildly. Wildly is is somebody built it. Yeah. Russia probably deployed it against the Ukraine. It yeah. Yeah. And then and then and then once it became less relevant and less exciting, they gave it to their friends in North Korea to steal cryptocurrency.
Speaker 1: Oh, fast. That's a that's an interesting read. I hadn't actually gotten there.
Speaker 2: Yeah. Like because North Korea loves to steal crypto. Like, they have an entire department based on it.
Speaker 1: Yeah. They will do your IT work, and they will steal your crypto.
Speaker 2: Yeah. Definitely.
Speaker 1: And they will do a pretty good job at both is the weird thing. It's good fun. Yeah.
Speaker 2: They have a government revenue line item for stolen crypto.
Speaker 1: So And fake IT work. I love that parallel of, like, do you need help with sysadmin stuff? If we find your crypto while we're doing it, we will take it. But otherwise, we'll we'll do it. Give us five stars. Tip your driver. Like, it's it's a little bit of that.
Speaker 2: Put this laptop in your house, and we'll give you $500 a month.
Speaker 1: That was a wild one. So, like, what is it being used for once it's on people's system? It's, like, obviously crypto wallet extraction. There's, like, little modules inside of it that are very seemingly targeted towards it, but it's like, can we get access to your photos? It's good at that. Can we get access to your WhatsApp? It's great at that. Can we get access to your notes, emails? Like, it's full system compromise. I wanna dig into the clue that changed how researchers understood what this was. As they're digging into the, like, the code behind Coruna, a clue stood out almost immediately, which was overlap with the previous iPhone exploitation campaign known as Operation Triangulation. Triangulation was a highly sophisticated iPhone hacking campaign uncovered back in 2023 that targeted Kaspersky employees. This all gets who said what, but Russian authorities publicly accused the NSA of running that operation, and the US government never responded to that claim. Targeting Kaspersky employees. Telling silence, Katie. Telling silence.
Speaker 2: Sorry. I'm in that mood today.
Speaker 1: No. No. It's good. It's all very conspiratorial. It's good. It's good fun. I hope you're enjoying some conspiracy vibes while you do your dishes or whatever you're doing while you listen to this. According to some reporting in Wired, which is very, very good, and everyone should check out, both Google and iVerify say that Coruna appears to contain components that were previously used in that Triangulation tool chain. You see where this is going? Mhmm. That overlap is a very strong clue as to what's going on here. There are other breadcrumbs pointing in the same direction. Google's report notes that parts of the exploit framework contain documentation and code comments written in, like, well, that's pretty clearly native-level English. Docstrings typical of very professional, corporatized development environments. The timeline of this, putting it as kind of, like, in a blurry in-between of AI development, suggests it's human authored, and that can still be used as a signal. Give it two years, that won't be a useful signal at all.
Speaker 2: Give it give it two months, Jordan.
Speaker 1: Co code comments is interesting because is that the system writing those? If it was AI generated, would that be the system? Would that human author going in? Like, it all gets really muddy, but looks like
Speaker 4: couple years ago is probably a real real human
Speaker 1: involved in this. And it especially given that it's built on a stack that went by years went back years prior to that.
Speaker 2: The the quality of agentic engineering, a fancy way to say vibe coding, is, has gone up greatly in the last, you know, four to six months.
Speaker 1: There you go.
Speaker 2: Ago, it would have been would have been a liability in something this sophisticated and elegant.
Speaker 1: Which is where iVerify's Rocky Cole, I believe CEO there, described it as a, quote, EternalBlue moment for mobile malware. Cole's kinda argument is that Coruna probably represents that same dynamic starting to play out in smartphones. You got, like, super high-level, top-tier exploitation capability that starts in espionage and then gradually just, like, kinda bleaches its way outward, first probably to other state-level actors and eventually just down to, like, the open Internet in criminal campaigns. Yeah. Crypto theft. Crypto theft. Google's Threat Intelligence Group is, like, a little kinda cautious about making that connection. I like just how swinging for it iVerify is. They're like, it's the government. And they've got, like, the corkboard and the yarn. But
Speaker 2: The yarn strings.
Speaker 1: I feel it.
Speaker 2: I need one of those from my background in my webcam. Totally. But
Speaker 1: they do acknowledge in their report that they're like, this all suggests an active market for secondhand zero-day exploits, and you can kind of surmise where those would come from naturally. There's one other detail that caught researchers' attention that I think is interesting here. Cole says that Coruna didn't look like a toolkit assembled from, like, stolen fragments by different groups. It reads like a coherent system. The phrase that jumped out from his report was a single author. This is not stitched together. Someone, a group, sat down and tried to make this. Suggests where this escaped from and how it got into circulation.
Speaker 2: Something that sophisticated that many years ago, an elegant software engineering project for a bunch of brilliant minds looking to exploit things. Any, any indication if it made it into the malvertising? You're mentioning, like, compromised websites. But,
Speaker 1: That's an interesting application for it. I didn't read about it. I only saw malware and destructive applications of, like, we're gonna delete your stuff. We're gonna steal your crypto. Money. And if you pay us money, we might still delete your stuff. Also, we're gonna steal your crypto. Like, that was sort of the thrust of the examples I saw, but you can imagine how it would have applications in malvertising.
Speaker 2: Yeah. And it would depends on how complicated it is to deploy. But if it's something as simple as, like, a JavaScript, often you can deploy those through mal advertising and there you go.
Speaker 1: Well, you know where to find it.
Speaker 2: I'm gonna do this weekend.
Speaker 1: So to do this there's all the comments in the last episode asking if we had referral codes for wrenches. And I was like, we're not telling you how to do this stuff. Also, shop.hackedmerch. That's where you buy the wrenches.
Speaker 2: Maybe we should make a wrench, little merch wrench. That could be fun.
Speaker 1: Merch wrench. I I suggested that to
Speaker 2: one of the commenters. $5 wrench?
Speaker 1: A $5 wrench. We
Speaker 2: have to give XKCD his his cut, though. This is true.
Speaker 1: This is very, very true. The point of the Google doc when you get to the end of it, it's not a Google doc, the Google research report, is they really linger on the idea of, like, we cannot confirm where this came from, but what we are really reminded of here is that there is a thriving market of brokers buying and reselling these kinds of extremely high-level, like, state-level zero days. And important to know is there probably isn't clean exclusivity by the time we're all hearing about it. Like, they'll sell it to a bunch of different people. We can look at the sentencing of a US contractor, like, executive, a guy named Peter Williams of Trenchant, for selling hacking tools to Russian brokers and the thing called Operation Zero. Like, there are concrete examples of these things getting bought and sold, and one group thinks it's exclusive, but they're actually selling it to multiple people. There is a big thriving market of this stuff, and it operates very, very sketchily. And it goes without saying, Coruna is no longer effective on the latest version of iOS. The big takeaway is, like, hey. Update your phone. And if you can't update your phone, Lockdown Mode. Because otherwise, you can totally just go to a website where this could happen to you.
Speaker 2: You mentioned, US contractors, which brings I did. Into my head a story that I saw seeing as this is a chatty chat.
Speaker 1: It's a chatty chat.
Speaker 2: I read a story the other day about a US contractor's son and how he had managed to steal $46,000,000 in cryptocurrency from seized wallets by the US Marshals Service.
Speaker 1: Oh, okay. Wait. Wait. Wait. There's a there's a how did the contractor have access to the US Marshals Service's, like, seized crypto wallets.
Speaker 2: I'm assuming the contractor worked in and around that stuff. Maybe they were
Speaker 1: a tech
Speaker 2: cybersecurity consultant, whatever. Anyway, the John Dejita, That's I don't know how to pronounce his name. I keep laughing. If you're a long time listener of the show, you will know that this is something that I do.
Speaker 1: My trick is that I just confidently I storm into the name There
Speaker 3: you go.
Speaker 1: And then keep going. So I'm I'm not pronouncing them righter than you. I'm just pronouncing them faster than you. Okay. I'm gonna try this. Okay.
Speaker 2: John Daeta, known online as Lick It works. Was caught after bragging about it in a Telegram chat about how much money he had in crypto. This is the kid? The kid. The kid of Yeah.
Speaker 1: Oh, what a dipshit.
Speaker 2: He's 25 years old. He's not a total kid, but, yes, language What a dipshit. Dipshit.
Speaker 1: Oh, no. Okay. So daddy were daddy has a contracting company.
Speaker 2: Daddy has a contracting company. Our daddy contracts to the US Marshals Service by the sounds of it. Okay. And the kid knew how to get access to these wallets and stole the money. And Wow. So they had a federal investigation that ended up with, you know, them realizing who this the theft the thief was.
Speaker 3: Yeah. Sure.
Speaker 2: Arresting this kid. Yeah. I think he was in, like, The Bahamas or Saint Mark's. That's where it was. So, you know, living it up, penthouse life, all this free money.
Speaker 1: Yeah. Right. Do they have extradition? Did he go to the a sunny place with extradition? Guy.
Speaker 2: He was arrested by the FBI, so I'm assuming yes.
Speaker 1: Sure.
Speaker 2: It was an international collaboration with, the French. Fuck.
Speaker 1: The French intelligence thing
Speaker 2: that Yeah.
Speaker 1: We all know the name of. Gendarmerie.
Speaker 2: The French Gendarmerie in Saint Martin, partnered with them.
Speaker 1: Okay.
Speaker 2: So, yeah, so, anyway, they they, I just remember reading the story. And when you mentioned US contractors, this one just dropped into my head Sure. Of, like, you know, just a classic play there of, you know It's the, daddy's access. I know what to do with you. Give me the money.
Speaker 1: It also it also evokes the trope of the, like, police station evidence room full of, like another word for evidence is extremely valuable stuff. And the idea of the person just going into the evidence room and taking stuff out, and it's like, but the evidence room is your father's security contracting company's giant pile of seized cryptocurrency assets.
Speaker 2: Yes.
Speaker 1: It's per it's perfect.
Speaker 2: A lot of the research here was done by ZachXBT. He's, like, a Twitter user and kind of a crypto, you know? Yeah. You should know who he is. Yeah. Pretty popular guy. Read his stuff all the time.
Speaker 1: Cool stuff.
Speaker 2: And, yeah, Dakhida didn't like, was mocking him on Telegram.
Speaker 1: Mocking ZachXBT?
Speaker 2: Yeah. Because he was the one researching it and posting all this information and kinda led to the, like, unearthing of it. And, like, this person, like, went to war with them online and now is in jail. So
Speaker 1: So it turns out it doesn't matter if you're on the Dutch side or the French side of Saint Martin. I just learned there's two. They both have extradition treaties with The United States.
Speaker 2: Yeah. If you got $46,000,000 in crypto that you stole from government evidence lockers, maybe you should've went somewhere a little bit less friendly to The US. Yeah.
Speaker 1: And there's, like, a list of them too.
Speaker 2: Yeah. Just yes. Like, I feel
Speaker 1: like you could be living very well in Hong Kong right now. Like, you'd be fine.
Speaker 3: You'd be you'd be great.
Speaker 1: March Again, not evidence. You can't buy tickets to Hong Kong in the merch store. Not instruction, I mean. Wow. That's rookie moves, man. Rookie moves.
Speaker 2: Rookie moves. Friday. We're recording this a little early because I'm out of here on the next week. But the, yeah, it kinda ended with the Da Gita started sending small amounts of the stolen money to ZachXBT's public crypto address. So he was, like, dusting his wallet with, like, transactions with the stolen money as, like, part of the gag. Like, this is just somebody that grew up on, like, troll culture
Speaker 1: and, like,
Speaker 2: Internet troll culture and and is now gonna be in jail for a considerable amount of time.
Speaker 1: They coulda just ghosted.
Speaker 2: They coulda just kept their head down, hid the money, went to an extradition country.
Speaker 1: You had tens of millions of dollars in nontraceable currency. It was like, hey. You're you're done.
Speaker 2: Loosely nontraceable. But still, even then, even if they can't
Speaker 3: do it Or
Speaker 2: to get back. Yeah. Exactly.
Speaker 1: Yeah. Traceable. Yeah. No. They can watch as you send it. Exactly. This is true. Yeah. They can totally it's like a big thick six inches of plexiglass between you and them just being like, oh, he's buying a boat this time. It's like, yeah. It's fine.
Speaker 3: When, the one of the
Speaker 2: best things is when he was arrested in, like, a real nineties, like, gangster pic scene, he had a solid metal briefcase entirely packed full of hard cash in, like, bands. Like, he had $10,000 bricks just filling a briefcase walking around with it. That's when they arrested him, and he had in his possession.
Speaker 1: Kinda yeah. Yeah. Would I do different? Like, every decision up to that point, the answer is definitively, yes. I would do different. I wouldn't do any of the things that led him into this situation. But by the time you find yourself living on an island, sort of just waiting for the international police to come get you because you didn't go to a place without extradition to the country where you committed your crimes, Totally. Would I have a metal briefcase full of cash?
Speaker 2: Yeah. Yeah. Yeah. Probably. Yeah. Handcuffed to my wrist.
Speaker 3: Yeah.
Speaker 2: A bunch of bodyguards.
Speaker 1: Yeah. Exactly.
Speaker 2: Crazy. Yeah. But, apparently, they link the the fight and and blow up on Telegram as, like, hard evidence to why they knew it was the was him. Don't
Speaker 1: feed the trolls. Yeah. Just But you have pockets full of stolen crypto, like, just come on. The ego. Rookie move. Rookie move.
Speaker 2: Rookie move. Yeah. When you steal $50,000,000, just quietly disappear.
Speaker 1: Just vanish. You're so close already. Yeah. We we really have a nice spread in the first chunk of this episode of, like, about as high level in operation as you can get and just some clown car noise. Like, like, it's like a good good spread.
Speaker 2: Should we break for
Speaker 1: I think we should break, and then when we come back, I wanna... we don't talk about consumer electronics very often. I wanna talk about the educational consumer electronics market, stat. Starting something new isn't just hard. It can be downright terrifying. You put a lot of work into a thing. You're not entirely sure it's gonna work out. You're taking a huge leap of faith. I've started a few things. Now I know I was right for believing in, you know, the idea, the product, despite all of those fears and hesitations. But boy, does it sure help when you have a partner like Shopify on your side. Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in The US. From household names like, well, Hacked podcast merch, to brands just getting started, you can get started with your own design studio with hundreds of ready-to-use templates. Shopify helps you build a beautiful online store that matches your brand style. Did I mention that that iconic purple Shop Pay button is used by millions of businesses around the world? I don't know why I wouldn't. I should. It's why Shopify has the best converting checkout on the planet. It also helps boost conversions, meaning less carts, sort of, getting abandoned in the parking lot and more sales for you. It's time to turn those what ifs into... Sign up for your $1 per month trial at shopify.com/hacked. Go to shopify.com/hacked. One more time, that's shopify.com/hacked.
Speaker 5: This Father's Day, do more with dad and spend less with low prices guaranteed at the Home Depot. Get him fired up with a new grill and accessories, like the next grill five burner for just $299 so you can spend more time together while he becomes the grill master he was always meant to be. Or build memories with savings on top brand power tools so you can tackle projects side by side. Gift more and do more together this Father's Day with help from The Home Depot. Exclusions apply to homekeeper.com slash price match for details.
Speaker 6: Whatever your thing, it could be anything. Canva helps you make that thing a thing. Canva is a simple online tool thing. It's a way to design with our magic AI tool things. You can social media your thing, generate images or videos of your thing, make decks for presentations to show your thing. Whatever needs to be done for your thing, Canva can make it an even better and bigger thing. Canva, the thing that makes anything a thing.
Speaker 2: Welcome back. Welcome back. So last episode, you had brought up a supply chain attack about Cline on I did. And I had I was so keen to talk about other things that we cruised right by it.
Speaker 1: We and I just glanced off of it. It's like another instance of, like, what can happen when anyone can vibe code some crazy crap. But I feel like there's a lot more depth there that I didn't get to.
Speaker 2: Yes. So I have since read up on it, and I think it's a cool thing to talk about because Please. It's very I don't wanna say it's complicated, but it's a very interesting route. K. So
Speaker 1: Provide a primer for the people that maybe missed last episode because it was a small detail in that. Sure. So the Clinejection was discovered by
Speaker 2: a security researcher, Adnan Khan, and I've read his his blog or post on this. And it kinda shows some of the risks of AI prompt injection. And it shows those risks through executing a supply chain attack that poisons GitHub Actions caches, which changes NPM library requirements, which then means that anybody that installs this open source package gets a little Easter egg in the form of and in in this form of, it was OpenClaw, but we'll get to that. K. So somebody posted an issue title in GitHub. There's the ability to post, like, problems. Like, hey. Here's an issue with your repo. If if I'm in this situate like, you can you know, whatever. Just imagine you download some open source software. It doesn't work as it should. You can post an issue with the description, and then the developer sees it, has the ability to act on it. Somebody figured out that they were using AI to parse their issues and kinda prioritize them and and bucket them and stuff like this. So somebody put a prompt injection into the title of an issue. That prompt injection led to the triage bot leveraging tool access to the shell or bash. It flooded its cache, evicted its legitimate build dependencies, and inserted new poisoned versions of the dependencies. Does that make sense?
Speaker 1: I believe so.
Speaker 2: Okay. So Cline's GitHub, somebody posts an issue with a prompt injection in the issue title, then the AI agent that they have that organizes their issues reads that issue title. The prompt injection runs on it. What it does is it uses that issue at LLM o I c. Bash access to overwrite the dependencies for the project, inserting poison versions of certain things that have bugs and malware and Easter eggs inside of them, Trojan horses inside of them. So then later later in the in in the CI/CD, you know, integration and deployment process, something that, like, is packaging up this this popular piece of software for delivery runs, it puts in these new poison dependencies into it. Does that make sense?
Speaker 1: Yeah. I'm realizing now the high level thing here is on Git, there's, like, there's there's an an issues system that allows people to give feedback of, like, there's something wrong here
Speaker 2: Yes.
Speaker 1: Exactly. That they had, like, basically, an AI powered issue Manager. Resolving triage. Exactly.
Speaker 2: Yeah.
Speaker 1: Yeah. That is responding to these things. And inside of that issue, there was a command, a prompt injection, like a natural language, like, I'm just gonna tell you what to do, TriageBot. And that was the toehold that they used for this compromise.
Speaker 2: Correct. And the TriageBot used its shell access to look in the build cache and replace valid packages with poisoned versions of those valid packages that were then bundled up and packaged into the deliverable of the actual piece of software. And, really, what they were delivering was OpenClaw.
Speaker 1: So why would you wanna have open I I have a sense of why you would. But for the sake of discussion, why would you wanna get OpenClaw installed on someone's system without them knowing about it?
Speaker 2: Well, it is a remotely controllable AI agent that has full shell access to it. Shell access.
Speaker 1: It's about as ground level control as you can possibly get.
Speaker 2: Yes. It's like the
Speaker 1: Which is fine if you want it to be there because you're giving this system that you're controlling ground access of your own system. The your is very, very important.
Speaker 2: Yes. Yes. Okay. So the it was only live for about eight hours before they caught it, which is actually pretty impressive that they caught it that fast given that that it was just baked into the build caches. They must have had some other other systems going through and and probing it, but they they assumed that it was on thousands of computers. Crazy. Anyway, I just thought it was something that we glanced past last week or last episode that I then read up on after the fact and was like, oh, shit. We really should've talked about that because it is pretty cool.
Speaker 1: It's nice to get to dig into it a little bit deeper because I sort of just drove by it during that discussion. It's, the idea of prompt injections in issues on Git is really, really fascinating, because I feel like more people are wiring stuff up to just sort of I feel like more people are wiring AI up to auto resolve issues like this, because why would you need someone to do that? And it's like, well, you're kinda leaving it alone in a dark room with the open Internet, and they might come up with some bad ideas for it.
Speaker 2: Well, the yeah. And, the researcher here, Khan, states that, like, one of the things you should never do, which is one of the founding principles of lots of the new agentic systems, is give Bash access to an agent. Sure. Yeah. And so but, like, OpenClaw is entirely based on that. You know, even Claude Code, but they run it inside of a Docker. Like, they put them inside of tiny little isolation chambers. The but yeah. Anyway, it's just a really interesting process as now that yeah. As you were saying, agents are people are using AI to try and automate, facilitate so many processes. A lot of the big agentic are, like a lot of the big LLM companies are spending a lot of time on figuring out how to fight prompt injection. But there's a really good chance that something like a small triage agent was using, like, a small cheaper model, and maybe it doesn't have as comprehensive anti-injection programming and identification. But even then, those systems will as we know in our dealings with LLMs, even if you tell them don't do something, sometimes they'll just do it.
Speaker 1: Sometimes they'll just do it.
Speaker 2: Sometimes they'll just do it. So, yeah, prompt injection's gonna be a fascinating twist.
Speaker 1: Can you do it on a MacBook Neo?
Speaker 2: I don't know what you can do on a MacBook Neo. Why don't you tell me?
Speaker 3: No. I'm not sure what it does.
Speaker 1: This is such a hard pivot. Have you ever used a Chromebook?
Speaker 2: I have. My wife has one.
Speaker 1: Does she really? She doesn't know that.
Speaker 2: She's a bit of
Speaker 1: a Luddite. Does she like it?
Speaker 2: She hates computers in general. And I got sick of her asking to use mine when she needed a computer. So on Black Friday one year, I just bought her a $200 Chromebook and was like, if you ever need a computer
Speaker 1: Use this one.
Speaker 2: It will be collecting dust in in your, you know, in your closet. Get it when you need it.
Speaker 1: Sure. I'm surprised you well, I'm I am, and I'm not. I was gonna say I'm surprised you didn't go with an iPad, but I think the existence of this product speaks to the use case of why an iPad of when an iPad doesn't work. Exactly. Exactly. The world has shifted to just being Chrome web apps. We're talking in one presently. Like And we certainly are. Yeah. Yeah. And so the whole world is just running Chrome web apps. Oh. And for a long time, it's like those run for context horribly on iPads. And so for a long time, it felt like Apple was trying to sell this vision of the iPad is the cheap computer. If you need a cheap computer, if you're a kid, if you're a student, if you just do a little web browser and just get an iPad. But that, you know, doesn't make a lot of space for running good Chrome web apps, which the whole world runs on. And as such, a weird niche product category that is Chromebooks was able to sort of proliferate, specifically in the educational market, which Apple used to, like, dominate. There used to be an iMac and iMacs in every school. Like, it was just a huge part of their market. Anyway,
Speaker 3: I
Speaker 1: think we're talking about this because they've just announced a thing called the MacBook Neo, which if you're into consumer electronics, is really fascinating. If you're not chapter locators and, you know, skip ahead.
Speaker 2: Skippy, skip.
Speaker 1: Skippy, skip.
Speaker 2: And then Jordan and I like to take a diversion into consumer electronics, and Yes. Apple just released a bunch of stuff, so buckle up.
Speaker 1: Yeah. So they're dropping a new entry level laptop, brings that macOS ecosystem to a super low price point. It's $599 MSRP. The the only reason USD the only reason I even wanna talk about this isn't that price point. Probably wouldn't be talking about this normally. It's $499 educational pricing. So Apple, and by extension macOS, now has a sub $500 USD for schools solution available, like an aluminum MacBook. A unibody chassis
Speaker 2: Unibody chip. Retina display. Unibody chassis. Exactly. Here here so, like, I'm just gonna let's get chatty chatting about this.
Speaker 1: Let's get chatty chatting.
Speaker 2: When I saw this, I was like, how is my phone Mhmm. So much more expensive than this thing? Like, this has a 13 inch liquid retina display. My phone has a 4.6 inch liquid retina display. You know? Like, I get that there's cheaper pieces, and they have a lot more space, and it's not as dense a battery and blah blah blah. Don't I I get it. I get why small things cost more money, but it has so much in it for $499 USD for educational pricing.
Speaker 1: Unreal. Like, that's a it's just a very, very good value. And it's interesting because it speaks to a world where, like, there's gonna be a lot of kids coming up now with these as opposed to Chromebooks. And it's going to really, like there's going to the wall that already exists around computing, where it's like, I have an iPhone already. I would just like the computer that works with it. It's like that wall, I think, just got a lot taller. Because now you're gonna have kids coming up on MacBooks. They're gonna be as familiar with macOS as they are with iOS by a certain age. You know, maybe they didn't get it quite as early in life, but they're gonna get into that ecosystem way, way earlier.
Speaker 2: Yeah. The I've always joked that the, like, MacBook Airs were just iPad Pros with a keyboard. Yep. But running macOS instead of iOS or OS, whatever, they dropped the i on it. My apologies, Mac family. The but the MacBook Neo runs the A18 Pro chip, and there there's apparently a bunch of nerfing to this thing. Apparently, it has USB port
Speaker 1: speed things.
Speaker 2: Like, there's a bunch of, like, they've degraded the qualities that we've come to just expect from an Apple device. They've lowered those to make essentially a cheap consumer product, which is probably phenomenal for shareholder value because I do agree. Like, if I had a child, this is what I would buy them. They come in pretty colors. They're very much intended for a specific audience, and they're probably just good enough, especially given the fact that most Gen z's and and gen a's don't even know what a file system is.
Speaker 1: The chips have been getting so powerful for the last few years that to put an A18 Pro, which for context is the same chip in an iPhone 16 Pro
Speaker 3: Mhmm.
Speaker 1: Into a laptop is, like, it was better than the M1 chip from four or five years ago. Like, what what still a
Speaker 2: totally adequate chip. Like, if you have any Totally service chip. Laptop, it's great. Works great.
Speaker 1: So why wouldn't you? And you've just driven the cost down because that's a cheaper chip for them to make. Because they're making it at the scale of an iPhone. And it's like, what what other things can we find in this? And it becomes a really fascinating industrial design and manufacturing question. It's such a physical trackpad. Like, a non haptic like, just a literal big clicky button. It's like you if you're a MacBook person, you haven't seen one of those in a half a decade. But the supply chain for manufacturing them was probably really bumping, and they could get them really, really cheap before they stopped using them. So, yeah, okay. Bring it back. What else are we really good at manufacturing at scale? Break it on out again. Because the people that are it goes without saying, almost no one listening to this will wanna buy this. No one really interested in technology at all for themselves would wanna buy this. Just buy a MacBook Air or a MacBook Pro. But, man, for that secondary device or that kid's device or that your wife's device just doesn't care and just wants it to work.
Speaker 2: It's like Totally. They're gonna move units. Well, that's just it. Like, to go back in time, like, even though the, the Chromebook was, like, $250
Speaker 3: Yeah.
Speaker 2: If I was put in that situation again, I would probably just buy one of these because I know how to manage like, it's a UNIX computer. Like, this is a great little it's I'm so familiar with it. Like, I've been a Mac user since they went to the FreeBSD kernel base in OS X, and it's great. I think for me, this is just a like, as a to flip into the Hacked investment side of things. Sure. Given rampant inflation, given, you know, so many things going on in the world, the businesses that are succeeding in the in the markets are the ones coming down to meet people where they are rather than trying to push the top end up. And I think you see this with Apple here. They're full McDonald's-ing it here. You know? Let's let's make the Happy Meals cheaper. Let's do this. Let's add cheaper value add on packages. Like, there's a bunch of things that companies are doing now to adapt to the current market conditions. And I think this is Apple just saying, hey. They probably forecasted out if we make this thing, it'll add x billion dollars to our top line revenue, and it's not gonna touch their MacBook Pro lines, Studio lines, Mac mini lines. This is just totally satisfying and servicing a niche that they're currently not talking to.
Speaker 1: It's also getting people it's serve it's satisfying that niche. And then to our earlier point, it's also getting people into that ecosystem younger and preventing Android from getting that toehold. It's like Chromebook has been shifting. They've had this weird bifurcation where there's Chrome OS and then there's Android, and then there was kind of a desktopy version. And, like, this is just messy. They've been consolidating that Yes.
Speaker 2: They have.
Speaker 1: Where Android is going to run on Chromebooks and and on phones. And what an amazing way to introduce people when they're young to this ecosystem. So even if mom and dad have an iPhone, they're very comfortable in Android, and then maybe hardware or or or pushes them into making that jump away from the iPhone. This is just a way of saying, like, you will you will maybe never use a non Apple computer. If you if you just get given a phone when you're a teenager and get given a Chromebook.
Speaker 2: Or an Apple Neo, MacBook Neo.
Speaker 1: Or an app or a MacBook Neo when you're in school. It's like you just won't touch other types of computers, which is like it's tough. They they make a great product. It is less like, there's an anti competition y. There's something complicated about it to me where I'm like, it is nice when people know how different types of devices work. I think it's preferable in a lot of ways, but just the sheer quality difference. It's like those Chromebooks are not respectfully good devices.
Speaker 2: They they are what they are. They are they are what they're intended to be. And here's the thing is, like, in the Chromebook world, you know, you can buy a 150 Chromebook, or you can buy a $1,500 Chromebook.
Speaker 1: Yeah. A better way of putting it is Chromebooks have issues. Like a
Speaker 2: an Android laptops. Let's call them Android laptops. There
Speaker 3: you go.
Speaker 2: They're they're such a and they'd run Linux. Like, that's another thing. Like, I love having my wife's Chromebook because I have the whole Linux subsystem installed on it. I can go into it and use it like a Linux laptop if I need to. The I do agree with you that it is very much like a market play, market saturation play. It'd be really, like, strange to give your kid, like, a year old iPhone. Maybe they get AirPods for Christmas, and then you're giving them an Android Chromebook or an Android laptop as their, like, primary work computer. Where in this case, this is essentially servicing that market. Like, I know in a lot of the early tech breakdowns, they were saying essentially, like, if you actually wanna buy one of these and you're not just buying it for your child who wants, like, a pretty purple computer Yeah. Like, just go find a MacBook Air with an M2 chip in it. It's a better computer, and you'll get it for less money.
Speaker 1: And and that's Well, that's what's gonna be interesting about this is, like, right now, everyone's saying, do you get a MacBook Air, or do you get an Air? And it's like, if you're reading a tech blog that would write about that, don't buy this computer. Is is that is the real takeaway there. But it's like, well, what happens in five years when these are used? Because now there's a, like, $300 MacBook.
Speaker 2: Or it'd be, like, 200, probably.
Speaker 1: You know, that you can like, it's kinda workable. And it's, like, it's it's metal. It's decent. It runs macOS. Like, it kinda works. Like Yeah. These chips seem to have, like, longevity in their the thing I'm really curious to see is, like, so you took an iPhone chip and you put a laptop battery in it? Like, is this thing just a beast on performance in that regard? Like, obviously not in, like, video editing performance, but it's like, is the battery life just insane because of the chip efficiency, or are these chips not that much more efficient than the m line? Oh, they better be. I would think they would be.
Speaker 2: But I guess it also depends on how hard the laptop goes on them versus how hard a cell phone goes on them. This is true. Because the cell phone's kind of entirely designed. So I'm looking at the battery and power estimates, and it's saying sixteen hours of video streaming, eleven hours of regular use with a 36 and a half watt hour lithium ion battery, which is a pretty tiny battery. It actually has a 20 watt USB-C power adapter, which is essentially a fast charger for your cell phone versus, like, I think my MacBook Pro has a 120 or 140 watt USB-C adapter. Actually, no. I have the new Meg. They went back to MagSafe. Great decision by them. Mhmm. But the, but these are almost half the price of the base MacBook Air. So if you're if you're standing in an Apple store and all you need is something to do online work, work inside of Chrome apps and, you know, we've talked about this before on the show where everything is just an Electron app now. Electron being a frame a development framework to essentially embed Chromium into, you know, native operating systems. So, you know, Slack is is Electron. You know, Notion is Electron. Tidal, Spotify, I think, is Electron. So Electron's just kind of everything now. And, like, there's no reason not to build a new application in Electron because it deploys instantly across multiple native computer systems because it's just essentially a website build.
Speaker 1: Crazy. It it does raise Yeah. There's this weird thing of, like, does have does having a, a really good value over here reveal a lack of value over here? And I'm just struck by the fact, and I I have no beef with the Apple Watch. I can't help but notice that a base level Apple Watch Series 11 costs $50 less than this computer. And I know they're both computers, but, like, the watch costs pretty much the same price as the MacBook. If you have the educational discount, it's actually $49 more. You wanna go up to an Ultra, it's two of them.
Speaker 2: Yeah. Yeah.
Speaker 1: It's nuts. Like, I'm a AirPods Pro guy. Like, how it's the better part of a laptop.
Speaker 2: It's crazy. Well but but here's the thing. It's the great divide. So, like, truthfully, I just ordered a new MacBook Pro for the company. And if you get a relatively decently spec'd out MacBook Pro with a pro chip, not even a max chip
Speaker 3: Mhmm.
Speaker 2: You're touching $4,500. Like like, the the gap is huge. So you could buy you could buy an entire fleet of these Neos for the price of, like, one MacBook M5 Ultra.
Speaker 1: The daisy chain them. Yeah. So it really you
Speaker 2: know, when it comes to hardware planning for businesses and even personal use, looking at how much power certain people actually need is now a massive like, if you've got 200 employees and most of them just, you know, work in
Speaker 3: Chrome?
Speaker 2: Gmail and Notion, you know, they can get an $800 computer versus the person who's needs a bunch of horsepower for audio, video, animation, coding, you name it, you know, because their computer is gonna be five, six k.
Speaker 1: And they made them purple.
Speaker 2: And they made it cute and purple.
Speaker 1: It's like not for nothing. The, cute little blue MacBook Pro? Maybe I buy that one.
Speaker 2: I just wanna talk. I'd like just, keep on the Apple train. And now that we're talking about alright. Now that I've started talking about the the higher end chips. The Pro and the Max, and they haven't released the Ultra yet. Everybody's highly anticipating the Ultra release because everybody the OpenClaw frenzy has led to a Mac Studio frenzy As the Mac Studios I we've talked about it on the show before, but the Mac Studios with lots of shared memory, you can get them with they used to be able to get them. Apple has stopped selling them with 512 gigs of shared memory.
Speaker 1: In this economy?
Speaker 2: The current M3 Ultra. No. No. They were literally selling off the shelves. Woah. So they I remember watching it because we have a we have a custom Apple store for our company, so we get kind of our own back end access into the Apple store. And they went from an M3 Ultra with 512 gigs of memory went from, like, delivered in five to seven days
Speaker 1: Yep.
Speaker 2: To delivered in five to seven weeks, to delivered in, like, three months, to you can't order this anymore in, like, seven days. Yes. And then Apple, I think, came out the other day. Everybody's waiting for the M5 Ultra Mac Studios to essentially just be LLM servers. But, Apple came out the other day and said they won't be selling any M3 Ultras with 512 gigs. So everybody's kinda hoping that's a good indication that they're not building anymore because they're prepping for the launch of the M5 Ultras.
Speaker 1: I'm hoping that everyone who's going to go OpenClaw insane has done so already. And the the the pricing of RAM could just sort of reach its homeostasis again because I this cannot persist.
Speaker 2: The, I wanna keep talking about some Apple chips. Bring up OpenClaw crazy in a few minutes because I've got some given my the feeling I'm in today, I got some interesting observations I wanna make about the OpenClaw world.
Speaker 1: I'm I'm I'm looking forward to it.
Speaker 2: The, but, anyway, the the M5 Pro, Max and what I can only assume the Ultra chips have a brand new core inside of the main chipset. They have neural accelerators, which are actually Apple is suggesting that they're presenting up to 400 increases in AI tasks. So the M5 Ultra Mac Studio will be hotly demanded if it is that capable.
Speaker 1: Yeah. They're not dumb. They see these things flying off the shelves as, like, development units for all these hijinks, and they're like, well, that's great. Totally. What a what a wonderful thing to to get out of having invested in this vertical supply chain of chips. It's like, oh, we're suddenly very in demand.
Speaker 2: Well, the the the big the big question mark is gonna be what the price is given how expensive RAM has gotten and how AI has led to this just frenzy on quality RAM chips. So 512 gigs, like the Mac Studio in that structure, the M3 Ultra was about 10,000 US, which is a lot of money. But for a server capable of running a model that can shove itself into 450 gigs of VRAM is a steal for people. Like, the, I don't know if you've looked at GPU prices lately, but they're also completely insane.
Speaker 3: I haven't I haven't checked in on it.
Speaker 1: I I know it had gotten insane. GPUs have gotten insane. It feel it feels like they've been going nuts for a while. RAM, the last, like, year and a half, has just gone crazy. The joke had been, you know, of all of the things that Apple marked up, the gnarliest was always RAM. It was like the jump from eight gigs, like, a barely usable eight gigs up to a usable 16 gigs was like
Speaker 2: $400.
Speaker 1: And, like, an order of magnitude greater than the actual cost of, like, of that that literal stick of RAM. It's like for us to put it in this computer, you're gonna pay hundreds of dollars. Yeah. And now that that gap is almost closed. It's like that's actually kind of just what it costs. Like, the hysteria in the RAM market has rendered Apple's ridiculous pricing kind of coherent, which I never would have thought I would have seen.
Speaker 2: The the other big thing is, like, the the new M5 upper end chips, the Ultras and stuff. The memory bandwidth, which is super important for AI tasks k. Is incredibly fast. K. For, like, for essentially a consumer electronic, like a a Mac Studio that I could just go to apple.com and order right now, the new versions of them will be very competitive with the boutique products being built by other AI manufacturers. And Apple's invested pretty heavily into their MLX program, which is their kind of version of CUDA. So it's like the way that the models can talk directly to the system and the chipsets and the the memory. So a lot of these models are coming out optimized now for MLX, which means they're optimized for Apple use. So there's a lot a lot going on in this space, and I'm intrigued to see what's gonna happen. I'm I'm intrigued mostly to see what the price of these things are. Mhmm. Did they come back out at $10,000 for an M5 Ultra with 512 or 768 gigs of RAM? Because that's the other thing that they're realizing is most of these supermodels, like Kimi K2.5 or any of the big, big, you know, DeepSeek was one of them. They require at least two of these studios if you wanna run one of the premier models, and they have to cluster them, which then adds extra delays and latency because, you know, Thunderbolt 5 is the fastest interconnect. So I don't know. There's a ton of technical stuff going on, but I'm pretty pretty intrigued to see what they do. If they release an M5 Ultra with a terabyte of built in shared memory, it'll be mayhem.
Speaker 1: I'm gonna run these models on a Neo, and you can't stop me.
Speaker 2: You can. Some of the
Speaker 3: new Can can you really?
Speaker 2: Yeah. Yeah. Yeah. Some of the some of the new Qwen models, like the Alibaba models, they've made incredibly lightweight versions of them that will run on your iPhone. No problem. I can actually show you. I have one installed right now.
Speaker 1: I am fascinated. Yeah. You will need to show me that, actually.
Speaker 7: I will.
Speaker 2: They're they're
Speaker 1: Can I can I run it on an Apple Watch?
Speaker 2: Maybe.
Speaker 1: May actually, maybe. Yeah. If it runs on
Speaker 2: a for $800, I would hope the Apple Watch
Speaker 1: It's totally the Apple Watch Ultra. It it's up to a molten ball
Speaker 2: on your wrist. Yeah. Yeah. It's a scarification tool.
Speaker 1: It's a scarification tool. K. Let's wrap it up with your OpenClaw madness. Take out the cork, but we're to take out the the Yes. Yarn
Speaker 2: connect it.
Speaker 1: Take us out with a hot tick.
Speaker 2: Vibe coding, OpenClaw madness. K. People creating you know, people vibe coding frameworks to run virtual companies of agents, all of these things. One of the things that I've been noticing
Speaker 1: k.
Speaker 2: It's a lot of the same people that were huge Web3 crypto people. Like, this is this is
Speaker 1: There it is.
Speaker 2: You know, they're not software engineers.
Speaker 1: There it is.
Speaker 2: They just you know, the it's the the new wave of hype, And I've just it's something I've noticed. Like, there are there are the software engineers that are adopting agentic development like myself. Of course. But the the hype, the the the GitHub repos, the of just insane tools that have had zero testing. You know? There's just so much stuff being thrown out into the world. And every time I see a Twitter user that's, like, publishing some new massive you know, here's how you run a billion dollar company with my new tool. And I look at their profile, and it's like NFTs Yes. Web3. It's the it's the same crowd.
Speaker 1: My guy? Same crowd. It was drop yes. It was drop shipping. It was I'll give you buy my course that teaches you how to make courses. It was Amazon Kindle books written by ChatGPT. It's a company of a billion dollars made entirely of agents. It's the same shit. Yeah. And it's frustrating because deep below that parmesan rind of shit, there's really interesting novel technology, and it is just you can't even see the light. Like, it's so thick on top of it. Yeah. I'm with you. I'm so with you. I just as
Speaker 2: I I've spent a little bit more time on Twitter as of late, and I'm just seeing it all, and I'm like, this person just released what they're calling a, like, production system to do all this stuff. And it's like, I can tell just by like, it's just straight vibe coded. And it's like, it might sure. It might be able to run, but it's like now they had now I feel bad for them because they probably had no idea, you know, when 8,000 or 80,000, you know, cryptobros set up their companies and run into all of the bugs that are probably nestled inside of their piece of software, how long it's gonna take them to try and resolve them all. Like, they've just created themselves a full time job in the open source community. And I'm just like, ugh.
Speaker 1: A 100%. We talked about this last episode. It's like it's quick to make. It's quick to deploy. It is not quick to maintain.
Speaker 2: Like Oh. That's that's the real Especially when especially when 80,000 people start pressure testing it, it's gonna go one of two one of two ways. It's gonna go they run into a bug and they uninstall it and they never use it again, which I'd say is, like, a bad customer story, or they file a bunch of issues and and yell at you on Twitter. And it's like those are the those are the two outcomes.
Speaker 1: You and I have talked before about the, the hit of dopamine you get when you start a project versus the slow drip of cortisol and stress of actually getting a project moving and getting and I'm not even just talking about software development. I'm kind of more talking about non software development, but I think it applies here. The spike of excitement of a new idea and the first few steps and then the disproportionate slog of the next 10 steps before it equilibriums back out and is just I'm working on a project.
Speaker 2: And Yeah. I have another job.
Speaker 1: I have another job. And I decided, and it was intentional, and I made the choice to pursue this new project. It feels like this tech has enabled people to think they've jumped over those shitty five steps. Like, the part where it's work, it's like, no. I can just make it, and it's instantaneous, and it's out in the world, and it's done, and it's there, and it should be making me money and providing value and and and and it's like I'm
Speaker 2: getting tons of likes on Twitter. I'm getting shares here. You can't stars on GitHub. You can't
Speaker 1: skip the five steps. The five bad ones that follow the two good ones, it's like you can't there's just no way. They just move. You've just moved them into trying to maintain a thing that barely works that you don't know how to maintain because you vibe coded it. It's like, that's all you did. You just delayed it a little bit, and you extended the good feeling at the start a little bit because you got further. And I get it. I really, really get that cycle in wanting to hack it, but it it it abides. It cannot be hacked.
Speaker 2: Well, the it's it's like, vibe coding, agentic engineer well, depends on who you are. I'll say that there's there's two camps there. I think if you don't know how to program and you don't understand the the structures, what's underneath what you're looking at, you're a vibe coder. If you're a software engineer that uses AI to facilitate your process, but you still are critical of how it's doing things, what it's doing. You understand when you see a bug, what it's probably doing under the surface, and you can, like, give it explicit instructions. You're like an agentic engineer as the new fancy term for that. The but here's the thing is that, like, the if you were like an idea person, like, you're like, I got an idea. I wanna build this thing. It costs so much time and money. Five years ago, it would have cost you years of your life to go from that idea to a product or a workable concept. Even if you were like a solo person is building in your in your spare time, it would have taken you years to build out a proof of concept for this idea of yours. And now you can do it in, like, forty five minutes. And that that I think is the you hear a lot about how engineers in Silicon Valley, young tech workers, you know, computer science students are are just not having social lives anymore. They're not going out. They don't hang out. They don't drink. There was a joke the other day from the Y Combinator. I don't think it was a joke. A tweet from the Y Combinator CEO talking about how he's quit drinking so that he can have better mental capacity for his, like, long agent decoding sessions because he's just getting so much stuff done. And I I think that's totally valid. Like, so I built I think I sent it to you, repocost.dev. If you've got if you're bored, go to repocost.dev. You can throw in a GitHub URL, and it will use a proven model to estimate how much time and money it would have cost to make that repo. And just so people can vibe code a product, and then five years ago, that product would have cost 5 like, even repocost.dev, I vibe coded, has a value of, like, $84,000 for the time. But that And it would've taken one year. Yeah. And it built it while I was in the dentist chair getting a checkup.
Speaker 1: But that kind of product that requires functionally no maintenance after you make it and put it out in the world is so different. Like, to go back to whether this is different for the agentic engineer versus the vibe coder, it's like, I actually don't care what your skill set is. I care the story you're putting out into the world about the thing that you've made.
Speaker 2: Yeah.
Speaker 1: And a fun thing that you can just sort of make and deploy and it's cool and it's a tool, it's useful to some people and it's out there quickly is so different than, like, Salesforce is cooked. I made a better one over the weekend. It's like, no. You did not. Stuff like that. Cool stuff. Quick stuff. Little like ideas and kinda trying to catch, you know, a moment so different than insert whole industry is over bro because I did this in a weekend. It's like I promise I I promise you didn't.
Speaker 2: Yeah. The the but the thing like, the I could see the attraction of it. Like, as somebody that likes to build things, it does move so fast. Like, I've been building Loom for myself. Like, it's and that's the thing. It's, like, I don't really care. I think it's cool. I think people should check it out, but I'm building it for myself. It's a very functional user
Speaker 1: base to me.
Speaker 2: Yeah. And and that's it. Like, I wanna I want it. I will use it, so I'm building it. And I think that's a good motivation if your motivation is, I'm trying to build the next cool thing to get hyped on the Internet. I wanna build the next OpenClaw. There's so many people trying to build the next OpenClaw. I think maybe that's a good idea. Vibe coding it out every day. There's 10 new ones on Twitter.
Speaker 1: I think maybe that's a useful place. It's like, are you I'm not saying you can't make a ton of money in software development with stuff that was created using these tools. I'm not saying that at all. But I'm saying, are you fundamentally trying is there a thing that doesn't exist that you wanna make exist that sounds cool to you? And so you're using these tools to that end? Or are you going people always got really rich off software development, now it's cheap, so I can get rich cheap? It's like one of those is a fool's errand. And the other one is, like, just objectively true. If you just have a cool idea and you wanna try and make it, that got easier. And if you think you can become the next Sam Altman using Sam Altman's tools, you're out to lunch.
Speaker 2: Well, the a common thing on Twitter, if you look if if you just look for anybody talking about stuff they're working on, vibe coding, you'll see the ones who were, like, clout chasing and posting all their successes have their monthly reoccurring revenue numbers
Speaker 3: Yeah.
Speaker 2: In their description. They're, like, 15,000 MRR heading to a million, and it's like they're they're just vibe coding up tools and throwing them into the world hoping somebody pays them for them, and then they will get rich due. And some people are making money. Like, I'm not taking that away from
Speaker 1: the machine. People got rich drop shipping too.
Speaker 2: Totally.
Speaker 1: You put a coin into the slot the Internet slot machine and hope it comes up, and there's a bit more skill to it than that. But, like, yeah. Totally. You can get rich doing the thing that makes most people no money. That's always been true. Yes. Oh, that's fascinating.
Speaker 2: So repocost.dev. Check it out. It's an interesting tool. Loom is currently at $15,700,000 development time. This is and this is, like let's go back to I I messaged Jordan this the other day. So there's about 1,360 estimated man months into Loom. 1,360 man months. It would have taken 37 and a half devs three years to build it. I have built it in a month. And that means that I am, with my AI friends, a 1,350 x engineer. Gone are the days of one x, two x, three x, 10 x. We now have thousand x engineers.
Speaker 1: But can I run it on my Apple Watch? Probably probably. Probably.
Speaker 3: Probably. Probably. Probably. Probably.
Speaker 2: This is this is pretty lightweight.
Speaker 1: I I kinda like that. It's the new metric.
Speaker 2: It's multi threaded. Yeah. I think there's threading on the Apple Watch. There must be.
Speaker 1: A molten a molten ball on your wrist. Eternal Blue, Karuna, the MacBook Neo Line. Line. I think that's another one in the bucket. Yeah. Feeling good? Anything we missed? Feeling good. No.
Speaker 2: I don't think so.
Speaker 1: So either.
Speaker 2: Thanks for joining us.
Speaker 3: Thanks for
Speaker 1: joining us. I'm gonna go buy a a purple laptop, and no one can stop me.
Speaker 2: I'm gonna buy a MacBooks Mac Studio with a bunch of RAM in it.
Speaker 1: The two most different computers. Can you put them on the same order just to confuse the Apple rep?
Speaker 2: But here's the thing is if you're offloading all of the computation onto your Mac Studio, if it's doing all the heavy lifting, all you're gonna need is a terminal.
Speaker 1: It's like the MacBook Neo is the terminal of the vibe coding. We're we're
Speaker 2: just going back in time now Right? You know? Exceptional. It'll be a big server and a small terminal. The MacBook Neo is the terminal. The huge Mac Studio is
Speaker 1: the same. Of just a Mac not even a Mac. An iPad mini dangling by the cable. It's it's light enough that you don't even it's just dangling from a cable in the middle of the room, and that's your terminal for, like, a server farm of Apple of Mac Studios. Just Yeah. Swinging in the middle of the room. Just boot type run. So thanks for listening everybody. And as always, we will catch you in the next one.
Speaker 2: Take care.
Speaker 1: It was fun.
Speaker 8: Where's your playlist taking you? Down the highway, to the mountains, or just into daydream mode while you're stuck in traffic? With over 4,000 hotels worldwide, Best Western is there to help you make the most of your getaway, wherever that is. Because the only thing better than a great playlist is a great trip. Life's a trip. Make the most of it at Best Western. Book direct and save at bestwestern.com.
Speaker 9: This episode is brought to you by Nespresso. Life moves quickly and taking care of yourself shouldn't feel like another chore. With the new Nespresso Vertuo Up machine, morning routines become rituals. Whether organizing, getting the household moving, or preparing for the day, your coffee shouldn't ask for more. With Vertuo Up, just press brew and your morning begins. Rich aroma, bold flavor, zero effort. Press to explore. Every coffee, a new world. New Vertuo Up. Shop now at nespresso.com.
Speaker 7: Stitch Fix. Stop shopping. Get styled. Not today's sweatpants. Somebody's wearing jeans that fit.
Speaker 1: No photos, please. I'm just a regular dad who happens
Speaker 2: to have a stylist. I really look my best when someone else makes the decisions. Hey,
Speaker 4: we can all see you two way mirrors.
Speaker 7: Just show your size, style and budget and your stylist sends personalized looks right to your door. Stitch Fix. Get started today at stitchfix.com.
Speaker 4: I wanna hug you. I'm gonna hug you. I'm come
Speaker 3: I'm
Speaker 7: coming in for a hug.