Going Back to Basics to Thwart Attacks

May 7, 2025
We chatted with Chuck McWhirter, principal solutions architect at ReversingLabs, about the importance of sticking to basics when it comes to thwarting attacks. 

EPISODE TRANSCRIPT

Paul Roberts: [00:00:00] Welcome back everybody to another episode of ConversingLabs Podcast. I'm Paul Roberts, the host of ConversingLabs, and I'm the director of editorial and content here at ReversingLabs. Really thrilled to have in the studio my colleague Chuck McWhirter, who is a principal solutions architect here at ReversingLabs, and we're gonna be talking today just about, first of all, Chuck's amazing journey in cyber and also the state [00:01:00] of affairs right now for organizations as they're struggling with both, very complex threat landscape, software supply chain attacks, and the whole menu of threats and risks and challenges that are facing organizations. This is stuff that Chuck deals with pretty much every day in his job. Chuck, welcome to ConversingLabs.

Chuck McWhirter: Thanks Paul. Glad to be here.

Paul Roberts: Really glad to have you. For our listeners who may not be familiar with you or LinkedIn contacts of yours, just tell us a little bit about kind of your background and your journey to cyber and what brought you here.

Chuck McWhirter: Yeah, sure. So I've been in the space now for a little over 28 years.

I got my start in the Air Force and so worked in a variety of different capacities in cybersecurity, in the Air Force. Worked in information assurance, is what it was called back then before we really had the cyber titles. And then also spent some time with Air Force Intelligence working at the AF CERT and [00:02:00] designing and maintaining the global intrusion detection system across 150- something or other Air Force bases. So that was back in the nineties. And then, from there, went into consulting for a while and spent time working on 2002 Winter Olympic Games. Went to a few different large projects around the globe. And then I've been in the vendor space now since about 2006 and the last seven years of that have been with ReversingLabs.

And I've just really come to love not only the company, the technology, founders, but yeah, just what I do on a day-to-day basis here is super fulfilling in my job.

Paul Roberts: It's really interesting 'cause when you think about, 28 years, you go back to the mid, late 1990s- very different, obviously, height of the .com period.

So there was a ton of focus on technology, but really different cybersecurity landscape in some ways. Yeah, there [00:03:00] wasn't really a cybersecurity industry back in the mid-late nineties. It was just emerging. When you were coming up, again with the Air Force and stuff, did you even think about what you were doing as cybersecurity or how did you read the landscape back then of, what you were doing and what the problem was?

Chuck McWhirter: Back then, a lot of the information that we had access to is vastly different than today. And whereas there's all sorts of training seminars, there's all sorts of boot camps, there's all sorts of, online videos for people to really get in and learn the industry, that didn't exist back then.

You had to do a lot of your learning from different chat forums and IRC channels and, you're out there learning from some of the same criminals that are perpetrating a lot of the bad stuff. It's interesting and fascinating over 28 years to see how the industry has really grown up and matured.

And how cybersecurity, which back then it was just, we called it information security and it didn't have that delineation of whether or not the information was in cyberspace or whether the [00:04:00] information was in a cabinet drawer or a safe. It was all within the same domain. And to see it grow up and really gain the respect that it has.

And I think that there's several reasons for that. One is the proliferation of attacks. The amount of attacks that we saw 28 years ago in comparison to what we see today is it's exponentially different. There's just not even a comparison. But too, even the maturity of the practitioners. We used to look at security as the way that we implement this is with a sledgehammer.

I say no, therefore it's no because we're in information security. Whereas that's hard to really get a seat at the table in business because, business isn't cybersecurity. Business is moving widgets, moving products, providing a service, right? And the practitioners have begun to mature and become much more business savvy, in understanding business risk. And yeah, it's fascinating to see how the industry, and not [00:05:00] only the practitioners, but the- just corporate America has grown up and come to develop a respect for the field.

Paul Roberts: It's true. That was the kind of common thinking for so long, which was the security folks are the know people and if you want to get your project done, get your product to market, realize sales and profits, best to find a way around them. Which had big consequences for all of us, obviously, because as we know, security matters, right?

Chuck McWhirter: That's right.

Paul Roberts: So one of your, as you mentioned, one of your early kind of formative experiences was helping out with IT and info security protections around the 2002 Olympic Games.

These were the games in Salt Lake City, Utah. That we hosted. There was, if you weren't alive back then or not aware- they got off to a rocky start. Mitt Romney came in and took charge and got everything, working well and the games were [00:06:00] fairly successful.

And it was, I think the first Olympic Games I'm aware of where there was a cyber attack that got registered, in the news and made headlines. And you obviously had a kind of a front row seat on that whole thing. So talk to us about kinda what were you doing back there with the 2002 games?

What was the IT infrastructure like? And tell us about this attack that happened.

Chuck McWhirter: The Schlumberger, which was the company I worked for at the time, they recruited me and some other individuals to come in and provide the security operations for the 2002 Winter Olympic Games. We had about a eight man team that I worked with.

Just highly talented individuals. It was a great honor to work with them. And what was interesting was, and this is something that talks about to our previous conversation about the immaturity then versus the maturity now of how security is viewed. When we got there in August of 2001, the [00:07:00] games go operational in February of 2002. And all of the, you know, the server teams, the network teams, all of those teams have been in place for three years prior to us coming there. So it tells you that security-

Paul Roberts: Doing what?

Chuck McWhirter: Building the Olympic games infrastructure. And we were the only security folks and we're showing up eight months before operations.

Everything's designed, everything is almost at a point of change, freeze. So in other words, you can't bring anything in. And when we arrived, we're like, great. What kind of budget do we have and what tooling do we have? And they pointed to a room and they said there's about 30 gateway desktop computers in there, and that's what you got.

And so, we had practically no budget for purchasing tools. So we had to build everything from scratch using open source tooling. We ran all of our intrusion detection systems. We were using Snort [00:08:00] with a D-mark backend. For those who don't know what that is, don't bother looking it up.

It's antiquated. It's dinosaur material. But what happened of interest is we got in and we were able to put sensors and put controls in place where we needed to and get optics on traffic flows. So we were ready to go and we designed incident response processes. One of the things I built was a forensic toolkit that would, if a system was compromised, you could dump all of the volatile memory information out to a cryptcat session.

And, I received a thank you letter from the Secret Service, 'cause they were like, Hey, do you mind if we have that after? I'm like, yeah, go ahead, take it.

Paul Roberts: That is in itself is yeah, I built that tool because there was not, it didn't exist, right? That says a lot.

Chuck McWhirter: And you know it, when I say built, when we talk about it, it was batch scripts that called a bunch of, different commands and used trusted shutdown stuff. But it worked. It worked. But what happened was, and for those who are alive to remember the Olympics back then, we have one of our speed skaters [00:09:00] that as he was competing in an event, he was tripped by one of the South Korean skaters.

And they went back, they replayed it. The guy's arm came out and hit our skaters, one of his skates and tripped him up. And what happened was the skater got disqualified and when he was disqualified, South Korea launched a denial-

Paul Roberts: The South Korean skater was disqualified for tripping him.

Chuck McWhirter: Yeah, the South Korean skater was disqualified for tripping our skater. And so what happened was they launched a denial of service against our networks. Thankfully, none of the games' networks had any public exposure. They were completely isolated. While the front of the firewall and the front networks took an absolute pummeling, it didn't interrupt any of the games' networks.

But what did come through and our team caught, and this is what made part of the headlines was there was a series of death threat emails that went to Mitt Romney, who is the CEO of the games. Yep. And it wasn't me personally, it was my teammates [00:10:00] that worked that part of the monitoring. They caught it and they escalated that to the FBI and so yeah, that was, by proxy that, that was my claim to fame of the games is the guys I knew and worked with caught those.

Paul Roberts: Do you think that was on their, on the radar of like your, of the security team or even just the management of the games that if there's some, you know, a controversial call or something, there could be a IT-based response or incident that occurs, because back in the late nineties, that was not, that hadn't necessarily fused into people's brains that, that might be a way that a country would express its, dissatisfaction with something that happens in the Olympic Games or some other major event. Do you think that was on the radar or do you think that was like, whoa, we didn't see this coming.

Chuck McWhirter: It wasn't completely off of the radar. We were planning and poised to handle things like denial of service attacks. But I [00:11:00] don't think that situation was really front and center.

They were- I don't wanna say distracted, but if you remember that games was the games that immediately came after 9/11. And so the heightened sense of awareness. We went from one day, it was partying and great times in the streets to the next day, there's Black Hawk helicopters flying over and Jersey Bouncers and Humvees. It really went to a state of being locked down very quickly and you could feel this heightened sense of tension around the games. So everybody was on, we had FBI, we had Secret Service there. We even had at that time Carnegie Mellon CERT individuals who were on, who came in to support us and work side by side with us during the operations. And so yeah, it was very, it was before Department of Homeland Security and back then Secret Service ran the game in that department. And but yeah it wasn't something like, that wasn't a contingency that was in our risk management or in our [00:12:00] planning.

Paul Roberts: Right. Subsequent to that, I think almost every Olympics since then, there has been, we now almost take for granted that there's gonna be some kind of targeted cyber attack. Especially since, Russia's been exempted from, you know, kicked outta recent games. There's always some disruptive something.

But yeah, back then it was definitely not the case. What was the takeaway from the games from your standpoint beyond, obviously it's really cool being at the Olympic games and, that's a great-

Chuck McWhirter: A lot of great souvenirs and things like that. Yeah. What was great and I really appreciated the way that you know, Schlumberger and then they, Atos Origin bought our division and ran the Olympic games afterwards, is that from the 2002 games our team was interviewed extensively for the games out of Athens.

And even I spent some time over in Italy and consulted with some of the folks on the 2006 Torino games. And it was really wanting to know what worked, what didn't work. And one of the biggest things, and this is something that [00:13:00] we've seen mature across the industry, is having cybersecurity folks at the very beginning of an implementation, a design. Yeah. Versus coming along as after the fact. So that, again, cybersecurity practitioners, we don't have to be the no guys. We can be the yes guys, and here's how we are enabling whether it be the Olympic Games or whether it be, a huge project within a corporation.

Here's how we can come along and enable this. Not get in the way of efficiency, but increase the security. And that way we're mitigating risk to the project, to the business processes, whatever that may be. And so that was a big takeaway from the games, is being able to see the importance and the contrast.

Because the other games that we consulted on, completely different story as far as the security equipment and tooling. That they had to operate the game.

Paul Roberts: [00:14:00] Sure. Yeah, it's that whole notion of bolt on security, right? Which really governed both, enterprise IT as well as unfortunately, kind of application development and application design for so many years, which is you design the product and then, before you ship it out, oh yeah, maybe we should have a security audit done, or maybe we should get security people in here. But of course, the design decisions and investments have already been made.

That really ties your hands as a security team. Which brings us to the next topic, which is, your role at ReversingLabs, your principal solutions architect. If you look back in your professional life , this is a role you've had for a number of years, even before you came to RL.

So one of the things that you're doing is working with companies and ReversingLabs, obviously we work with both software producers, on the software supply chain side and software development side, as well as end user organizations on threat detection, threat hunting side.

So is that a conversation that you have with the organizations, the companies that you work on right [00:15:00] now as you're helping them to think through their own security investments and plans?

Chuck McWhirter: Yes, absolutely. It's something that is- it really comes up as part of some of my initial conversations with a customer.

Being at ReversingLabs for- and even before ReversingLabs, working with some very complex technologies, one of the first things that we have to recognize is that every prospective customer out there is somewhere along that journey in their maturity for cybersecurity and mitigating the risk of their business.

A global, fortune 50 financial services company is going to have a completely different risk posture and risk tolerance than, a Fortune 2000 regional bank, for example. And so their appetite for controls and their appetite for what they can successfully manage within an organization is gonna be completely different.

[00:16:00] Being able to come in and work with those customers, whether whatever side of that pendulum they're on as far as the, their maturity is super exciting. It's something that allows me to really be a consultant with them and understand that hey, I appreciate that you're interested in our technology, regional bank.

However, there's some things that you have to take care of or look at before we would even be a value to you. Because the amount of information and depth that we go into is not something that would help you at this time. Whereas working with the large financial services company, I get to see just- and work with some of the top talent of practitioners in the world and solve really complex problems and to be able to see how each of these two organizations approach risk management and approach solution adoption, and where they're entering into the process, if you will, bolt-on [00:17:00] versus very early on in a given project. It is really fascinating to see that full example.

Paul Roberts: What's your sense? Is there a real difference between the way a Fortune 50 company is looking at and addressing their cyber risks versus a Fortune 2000 or just an SME or, in terms of the problems they're concerned about, the threats concerned about, and their vision for how to address them?

Or is it pretty much the same, but obviously money, more options and resources at the Fortune 50 company than at the SME. Interested in your thoughts on what you're seeing.

Chuck McWhirter: Yeah. And I would say all of that, right? Yes, they are dealing with the same types of threats. Yeah. We talk about nation state actors would love to impact a regional bank with with a ransomware and pull money from them.

Paul Roberts: That's where the money is, right?

Chuck McWhirter: Feed into- yeah absolutely. They would love to do that. Just like they would love to do that with a Fortune 50. So they're dealing with the same threats. It's more [00:18:00] of how they can go about mitigating those threats. And the manpower that they have and the sophistication they have. And this is not to talk about, say anything about the security talent. I've worked with some of the best and brightest that are at a small regional bank. It's just that they are having to work at a smaller scale. In other words, they may not have the ability to have a team of 10 developers build automated pipelines and orchestration and automation and be able to look at that full scope of risk.

And so they have to find ways to have other compensating controls in place. Whereas the Fortune 50, they are really, they're out there on the edge and really looking at the ability to do things that are new and innovative and eventually move the needle in the industry, both, either in the financial services industry or even expand even beyond that into [00:19:00] other facets of critical infrastructure. And so yeah, it it just depends on, it depends on scale and it depends on capabilities and resources of those individual organizations-

Paul Roberts: Wendy Nather talked about the security poverty line, right? Which is, just this unfortunate reality that many of the most effective and potent tools and services out there are pretty expensive and beyond the ability of smaller organizations to afford them but that can translate into higher cyber risk, right? More likelihood of being a victim of attack. That seems to me to be something that we as a industry and maybe as an economy need to need to find a way to address.

I think one of the things we're hearing a lot about these days is the sort of cyber tool sprawl problem. We're 30 years into this industry and the dynamic to date has been, new threat, new problem pops up, new tool crops up to address that problem.

And then, oh, there's another problem. Here's a new tool. And obviously after a couple decades of that, you end up with a [00:20:00] pretty heavy tool belt. Are you seeing that in your interactions with these customers and, what's the answer to that?

Chuck McWhirter: I think if I had the answer to that, I'd probably retire tomorrow. I feel for a lot of our a lot of the prospects, the practitioners and operations out there, I really do. Because, 30 years ago we had a few hundred security vendors. Now we have thousands, and they, the marketplace is so noisy, so noisy. And on top of that there's complex problems that we are explaining to customers how those problems get solved using very high level, vague language that, that a lot of times, and I'm speaking in general around the market and the customer is faced with all these vendors that are trying to get their time. They're having to decipher and really get underneath a lot of these terms and these buzzwords to just get the [00:21:00] simple question of exactly what problem do you solve and exactly how do you do it.

And a lot of times that's very difficult. And for one problem, when you've got 10 vendors trying to give you how they do it with this language, it's very confusing. Very confusing. And so what I see is I see teams that have invested in a product that they find out that the product solves 40% of the problem they have, and now they need to either build or buy a product that solves the other 60%.

And finding that exactly, that's more money going back to the answering the question of then we buy that product to solve this problem. Yes, but it doesn't quite do that. And it creates a lot of problems. Tool sprawl is one of them. The other is alert fatigue, because now for one problem you have multiple tools sending alerts for that problem.

And sometimes those tools, despite living in the 21st century, still don't talk to each other. And so yeah there's a lot of [00:22:00] challenges there. And again, I don't have, I don't have the solution to the problem. I know that one of the things that we do is, we will provide information around what we do, but at ReversingLabs, we're very conservative and we don't embellish what it is that we do. And I think that's really a culture that's driven from our co-founders of being very careful about, Hey, this is what we do. We do it very well, but we're not gonna embellish what we do. And and that's something that, that we've adopted and I think it gets, it's very clear to our customers when we speak to them about what we do and how we do it and why that's important.

Paul Roberts: Yeah. One of the problems that we're addressing with a lot of our customers these days is the software supply chain risk that you are inheriting via your use of both open source and closed source commercial software.

You're bringing, whether you're a software publisher or you're an end user organization, you're regardless, you're bringing in a lot of binaries, using them either in your own software [00:23:00] products or deploying them in your environment. And there are a lot of risks and threats potentially even in that code.

Do you get the sense that companies are aware of that risk? Or is the focus still more on the sort of traditional, keep the bad guys out type thinking?

Chuck McWhirter: I am super encouraged as of late because I really feel like the industry is maturing in this direction. And again, this is somewhat anecdotally, it's somewhat based on things that we've seen is, when software supply chain incidents occurred years ago, we're probably, coming up on, five years since, probably one of the most notable breaches took place with SolarWinds, we're starting to see where customers are now realizing that vulnerabilities are not the end all be all. Open source packages is not the end all, be all. You have to close-

Paul Roberts: All the stuff we're seeing with CVEs right now, if [00:24:00] that's not telling you that you gotta broaden your scope.

Chuck McWhirter: Exactly, a hundred percent. Having that broad view of, across all aspects of the software. You've gotta look at that entire threat landscape of your software supply chain. Vulnerabilities is an aspect of it, but that's not the end all be all. You've gotta look at all of the different risk families.

Has the binary been tampered with? Are there malicious behaviors inside of it? Do we have embedded secrets? All of those things combined give you a risk assessment. And so what I'm seeing is that the industry is realizing that there's a huge visibility gap with commercial software, and a questionnaire does not answer the question of whether or not that binary that I'm about to bring in my environment is safe.

Paul Roberts: That's right.

Chuck McWhirter: And oh, what do I do if that binary changes, like every single time there's an update to it. That's a material change. That's new software in the environment. How do I handle that? And these questions we're hearing from a lot of the [00:25:00] more sophisticated larger, for example, financial services, I use that because that's where I primarily work, in that sector. They're asking those questions now. It's no longer questions just around the vulnerability side. So it's very encouraging. I see the industry really maturing and waking up to this visibility gap.

Paul Roberts: We saw this with 3CX, right? Where it was a desktop client, VoIP desktop client, update that all of a sudden, SentinelOne and all these, EDR products were like blowing up, yo, this thing's malicious. And it was like no. That's a false positive. It's not malicious. It's not malicious. And then it was like, oh, actually it is, sorry.

And it's, you can just imagine, how likely that scenario could potentially play out for any company out there like that just, Hey, we got an update for our desktop client. We distributed it, it's deployed. That's good from a security perspective. Actually not 'cause there was a backdoor in that update, it's just...

Chuck McWhirter: Yeah. That one really is fascinating. First off, there was no vulnerability involved right? In that, right? [00:26:00] It was, the other thing was, is as we looked through the forums when 3CX went down, is you have this one little mention of, Hey, I've got this vague heuristic that triggered in SentinelOne and they were the only ones.

It was a vague heuristic. You have guys saying, Hey, I uploaded it to this reputation service. It came back good. You know nothing here on my EDR. Nothing here, over here. It must be good. Then you have the, just the golden dream of every security practitioner's day is when they see this and, Hey, here's how you get around the heuristic.

Paul Roberts: Yeah, that's right.

Chuck McWhirter: So that SentinelOne so that you doesn't flag it. There we go. Because that's exactly what we wanna do is figure a way around our security controls.

Paul Roberts: That's right.

Chuck McWhirter: And so a false positive, but yeah, its getting down and understanding that there was no signature. There was nothing that detected that, hey, this thing was malware.

It was a red flag of you had a DLL that had been tampered with. And you can only see that if you're able to [00:27:00] unpack, look at every single artifact, look at every single piece of that binary.

Paul Roberts: And look at the delta, right? Whats changed?

Chuck McWhirter: Exactly.

Paul Roberts: And you gotta wonder, have there been other incidents of that where you know, something was registered as a false positive? Everybody kind of whitelisted it right? With the understanding from the vendor and the consensus this is a false positive, but maybe it wasn't a false positive. You gotta wonder if there are other incidents out there like that.

Chuck McWhirter: If I'm standing at the table in Vegas and I have to bet on whether there were, or whether there weren't, I know where I'm gonna put all my money. Because yeah I'm quite sure.

Paul Roberts: Me too.

Chuck McWhirter: The things that we're discovering on a daily basis are scary.

Paul Roberts: That is not a hardy bet. That is, that's a lot higher. Okay. Do you have time for two more questions? Yeah, of course. So just picking up on that on what you were saying.

What would your advice be to security teams today as to, where they should be focusing their energies and attention, whether you're Fortune 50, whether you're Fortune 2000, but just at a high level, where do you [00:28:00] think they should be focusing their time and effort to get the most bang for their buck in terms of, risk prevention? Threat prevention?

Chuck McWhirter: That's a very broad question and it's gonna be from one organization to another, potentially different. There's a lot of different emerging threats that are out there. Obviously today we've talked a lot about the threat landscape around software supply chain.

Malware is always, is still one of the hottest vectors into an environment, so certainly looking at those visibility gaps. But in a broad sense, looking across the industry as to, where they'd be focusing their time, it comes back to one of the fundamentals we talked, we've talked about how we've evolved over 30 years, and one of those fundamentals is risk management.

Paul Roberts: Yeah.

Chuck McWhirter: Understanding where the risk is in your environment, understanding how it impacts what you do as a business and where do you have those gaps. For companies that are migrating into the cloud, how are you managing all of [00:29:00] your identity and access management across, cloud-based, hybrid cloud, things of that nature?

Are you leaving stale accounts out there, whether they be machine accounts or user accounts?

Paul Roberts: Yeah.

Chuck McWhirter: How are you handling things like mergers and acquisitions? Are you bringing in risks to your organization that you don't have visibility into? Because, so...

Paul Roberts: Procurement generally, right? We, so much, like you said, is still questionnaire based and we already know that's not gonna give you what you need.

Chuck McWhirter: A hundred percent. Now obviously me being biased here and being super focused on the software supply chain and file threats, there's a massive visibility gap in the industry right now around trusting third party software, whether that's software that we're bringing into merge into our own builds that we have, or whether that's software that we're purchasing from vendors. Again, we talked about this. It's like the application is a black box. And, I can run, I can do pen testing [00:30:00] against the app.

I can do some basic security, maybe even some fuzzing against the app. But unless I really get in and understand what is inside of that binary and look at every single artifact and scrutinize every single piece of that, you're not gonna catch the 3CX, you're gonna be, you're gonna be the next victim of a breach. We say don't buy a breach.

Paul Roberts: And if you want a vision of where things are going in terms of your industry, check out what's going on within, cryptocurrency right now and the way that sophisticated cyber, criminal and nation state actors are targeting crypto application development pipelines, crypto infrastructure, exchanges. And it is just, it's nonstop. And some of these campaigns are very subtle and long term. And I think one of the things we said in our most recent report is this is a canary in the coal mine for other industries as well. Yeah.

Chuck McWhirter: A hundred percent, yeah.

Paul Roberts: So I'd be crazy, I'd be not doing my job if I didn't end the interview with the, of course the elephant in the living [00:31:00] room, which is machine learning and AI. And I know you said you work a lot with financial services firms that have the budget and the resources to really leverage cutting edge technology.

What's your sense on how AI is being- we know how it's being applied for ill purposes, for malign purposes by the bad guys. How are the good guys using it and leveraging it to increase their security response and readiness?

Chuck McWhirter: Yeah, so there's obviously here we've used it for years in building out detections and being able to train models on detecting with efficacy reaching near a hundred percent on variety of different forms of malware. And so we've been using that for years. I think that, where we really see the industry going and using AI, dealing with things like what we talked about earlier, alert fatigue, and being able to really take large sets of data and find [00:32:00] those important pieces of information or anomalies that are buried deep, that tend to get lost in a lot of the noise. I do think, and I'm gonna say this with a nuance here. I think that one of the challenges that as the cybersecurity industry is blown up, you have a lot of folks that originally, that came into the industry.

It was almost mandatory that you knew how to write some code or to script and to build those automations in place because a lot of the tooling was open source and you had to adjust it. A lot of that's been lost over the years, and so you have a lot of practitioners nowadays that they're not coders.

They don't script, things of that nature. So using AI by the good guys to help shrink some of those skills gaps can be very important. I use AI to debug or help me get past getting stuck in my code from time to time. But I think it also highlights how good guys are using it and potential problems, in that [00:33:00] AI has really become part of the supply chain now. Where we are seeing more companies go to using AI to build software. And I get it. You wanna move faster, you want to be more efficient, you want to...

Paul Roberts: Save ton of money

Chuck McWhirter: Reduce overhead. Yeah, a hundred percent. But oh my goodness, that is a, there's some significant risk there. You've gotta make sure those models are secure. You've gotta make sure that you don't have some malicious behaviors in there that as we recently saw with BadSeek, that will, inject back doors into the code. Or even write insecure code. It's just not there yet.

Paul Roberts: Yeah. It's like you're blown away, like you put in this prompt and you got just a, hundreds of lines of code, which is like blowing your mind like, oh my God, that code looks good. Is it actually good? What's in it? What are the, we've seen recently about imagine dependencies, right? That a lot of this AI is creating, like making up dependencies. It's like it would make up like legal precedents when you were asking it to write a legal case [00:34:00] and then, and malicious actors are targeting that. Oh look, it imagined this non-existent dependency. Let's create that thing so that it will pull in our malicious code.

Like you said, the fact that these are not generated by humans, is amazing and also comes with a lot of baggage.

Chuck McWhirter: And don't forget that a lot of the popular models that people use, they're not private. And so...

Paul Roberts: Right.

Chuck McWhirter: To your point of threat actors using those hallucinations, it's just like with non-private repositories that you upload files to see if there's malware in it. The threat actors know that you've uploaded that there and they're going to go and find, what was uploaded and use that to better. Enhance and tweak the malware of the writing.

If I'm sitting there and building software and I'm just in, ChatGPT, which it sends up to the cloud, that may not be the most secure way. It's not the most secure way to have my own internal code being [00:35:00] written that with a good prompt, somebody can go and pull up.

Yeah, it's exciting times. It's never a dull moment in this industry.

Paul Roberts: Yeah. Oh yeah. It's transformative. It's gonna be really interesting to see the way things turns out. Hopefully security will get better than it has been in the last few decades, but we'll see. Hey, Chuck McWhirter, principal solutions architect here at ReversingLabs.

Thank you so much for coming on and talking to us on ConversingLabs. It's been a pleasure and I'd love to do it again.

Chuck McWhirter: Absolutely. Thank you so much, Paul. It's been a great time.

Special Reports

The 2025 Software Supply Chain Security Report

The 2025 Software Supply Chain Security Report

Software supply chain attacks are an increasingly popular tool for malicious actors. And the rapid embrace of AI and machine learning (ML) tools is introducing new supply chain risks. Here's what your organization needs to know.

March 12, 2025