Episode Transcript
Welcome to Cybersecurity Today, the Month in Review.
In this show, our expert panel reviews some of the key stories from the previous month, and we get to have a bit of a deeper discussion.
As always, I let the panel introduce themselves.
David Shipley.
Welcome, David.
We're gonna actually let you go off first.
How's that?
I appreciate the privilege.
It's great to be back.
And I'm here in ridiculously hot Las Vegas for Hacker Summer Camp.
So my first time out.
Again, I'm the CEO of Beauceron Security and the Monday morning host for Cybersecurity Today.
Wonderful.
And Anton Levaja is back with us.
Thanks for having me back again.
I had a great time last time, so I was excited to come back here.
I'm a security engineer and the co-founder of Distrust and Caution, two firms that specialize in security.
We do a lot of consulting, we do a lot of open source development, and we like to do security research as well.
So, great.
Thanks for having me back and my, my new friend Tammy Harper.
Welcome back.
Thank you very much for having me back.
And, so a little bit about me.
I'm a senior threat intelligence researcher at Flair, and I'm also one of the core members of the Ransom Look team.
And I am very, very happy to be here.
Excited.
Great.
We still have a show you owe me on the psychology of these ransomware groups.
Tammy does a lot of research into that.
She is one of the most knowledgeable people in that, looking forward to that show as well.
But for today, we have the news.
David, reflecting back on July, there are now two court cases that are gonna shape cybersecurity for the next decade.
We have Delta versus CrowdStrike.
'Cause July was the one-year anniversary of CrowdStrike Apocalypse.
And then what we saw in July was a huge lawsuit between cleaning product maker Clorox and IT firm Cognizant.
Clorox, a couple of years ago, suffered a massive ransomware attack, allegedly at the hands of Scattered Spider.
Where this gets interesting is Cognizant was their outsourced IT help desk, and as a result of the investigation, the folks at Clorox have the detailed transcripts of the IT help desk hijack process.
So what they're saying in their lawsuit, which has yet to be proven in court, is that Cognizant did not follow any of the documented processes for challenging identity.
And not only did the attackers get one account reset, including MFA, they also got an IT security credential revoked and reset, an MFA reset, which allowed them to, as one can imagine, really amp up the chaos.
Now, this lawsuit is huge.
It's $380 million, and so this is that big sort of Godzilla-Mothra kind of scale legal fight.
And what's interesting is Cognizant is not having any of it. Their response back to media was spicy, to put it at a minimum, basically, to paraphrase, saying: can't believe Clorox's cybersecurity was so inept that this could happen.
We were only contracted for a narrow scope of help desk procedures, which we provided.
So now we get to see how this all plays out, but this is one of the few cases where, thanks to discovery and the claims that are being made, we're walking through a detailed breach and just seeing how this all plays out.
Well, that's interesting.
This is a $380 million lawsuit and basically based around the fact that someone was sloppy.
It's the ultimate in finger pointing, right?
We've all been through this where you come into a meeting and if you can't spot the scapegoat, you're it, those great finger pointing: you were terrible.
You didn't check this.
You didn't do.
But there's a lot at stake in this.
This is gonna be a big thing in terms of outsourcing.
I've negotiated a number of outsourcing contracts, and you look at the amount of risk that you take for outsourcing versus your fees.
If this lawsuit goes in favor of either party, it's going to be a major shakeup.
Absolutely.
The only way that this sort of disappears for everybody is if they settle it, so if somebody blinks along the way, they settle it out and away they go.
We may not see any kind of a precedent set by this, but based on the acrimonious claims and response in media to the claim, like, Cognizant made an interesting choice, right?
Typically, when you don't necessarily want to go down the aggressive route, you do things like, we can't comment.
It's before the courts, yada, yada, yada.
But that's not how they played this.
They played it like, bam, punch back.
Yep.
And, it's a move, it's a choice.
And it says a lot about, you know, how they may be feeling about this.
I've never seen somebody come back punching that hard from, from a service provider.
Right.
And what's interesting is they're punching back hard.
But Clorox has the receipts, they've got the transcripts.
So it's like, this is really, I used to be a court reporter, right?
So, I've seen a lot in terms of civil cases and criminal cases, and, I think this is really interesting.
But again, we're still in the very slow process of Delta versus CrowdStrike.
Delta versus CrowdStrike could nullify that giant all cap section that every software maker relies on that says, we accept a liability.
This product, many of even worked as designed, yada, yada, yada.
It's this big comforting black blanket of indemnity that you wrap yourself in.
And if that gets blown up, two things are gonna happen.
Software prices are gonna rise like you have never seen before.
And if we think inflation is bad because of trade chaos, wait till AI terms of services, software terms of services explode.
And away we go.
So, and again, like, I don't know who's gonna turn in this legal game of chicken at that scale either.
There's no good outcome on this for the, oh, I mean, the good news for lawyers, like, whatever law firms are behind this are making bank, but they will settle.
My prediction:
They will settle.
You're never gonna, you're not gonna take a $380 million lawsuit to court.
Somebody's gonna blink.
Somebody's gonna settle.
That's my prediction.
But no matter what happens, and this, you get back to this indemnity clause, I don't actually know how that applies to cybersecurity services, but in every services agreement you do have that.
And you've explained that this whole clause that says, we're not liable for anything, anything more than our fees.
As a consultant, I wouldn't work on anything without that clause.
It's been ironclad.
It's survived court before.
If it gets blown apart in cybersecurity, fees have to go up. You cannot operate with the profit margins people have and have that liability, or insurance premiums are going to go crazy. That's what, like I said, there's no good outcome from this one, for us, for those guys.
I mean, and the lawyers are gonna do.
Yeah.
You know, at the end of the day, law firms are gonna do real, real well.
But that, so that's my opening story, is just sort of, I'm watching these moves and, you know, they're not the biggest headline of the day, but they're the things that it's like, it's like Jaws, which is, what, it's 40th or 50th anniversary this year.
And you just hear it behind the water, dun dun, you know, just kind of waiting to see that legal shark pop up and see what chaos comes next.
Wow.
Tammy, any comments on the story or,
Yeah, this is gonna be a really interesting development, and I'm looking very close to it.
Your point saying that software prices are gonna go up way high if now they have way more liability on their hands.
That was a very good comment.
And we're gonna see, but the thing is also, like, lawyers are really, really crafty, and there's just gonna be another way around, like exempting themselves with liability.
So I wanna see both sides, like how they're gonna be creative, and we'll see.
The only thing more clever than a software engineer is a legal engineer.
You're a consultant.
You regularly go in there and touch these systems.
Does this give you a bit of a chill?
I mean, this is pretty par for the course.
We've seen a lot of external third-party service providers fail with basic authentication or identification aspects of their work.
I've seen this happen in the crypto industry a lot, where marketing teams like to have access to a lot of data and they like to outsource their work.
A lot of the time you end up dumping a bunch of, whether it's just emails, but often it's a lot more than that, to third-party systems that you don't fully vet.
You don't really know how they work, even if they're under your control through some UI.
Like, you're not really controlling the infrastructure and the data access.
So I'm not super surprised, but the scale of this is pretty interesting.
It's also kind of funny that it's a Clorox versus a huge tech company.
Just that juxtaposition and the imagery that comes up in my head of like a big Clorox tablet, like punching at a big tech firm, or the other way around, both ways, I guess, is kind of funny.
But yeah, the scale is the most impressive thing here, so that'll be very interesting.
On the CrowdStrike thing, I thought it was hilarious how upset people were, but to me it's kind of like, if you give a third party direct access to, like, push anything they want to update their systems, you kind of set yourself up for failure.
Like, that was the biggest lesson for me: don't let a third party just freely push whatever they like to your systems.
And that didn't seem to be the lesson that most took away from that.
So, um, I have yet to write a little blog about that, but I think I should.
'Cause, yeah, in my books, if you haven't verified the code for yourself, it doesn't matter who's pushing it to you, you shouldn't trust it blindly.
And I think if you're running any kind of a company that pushes code to other people's endpoints and you're still YOLOing it, without ring deployments, the evidence is pretty clear.
It's a pretty good idea.
But the other part that's really interesting about, hang on, hang on.
Just ring deployments.
Yeah.
Yeah.
So, so the idea is if you're gonna make a change, you, you do a small group and you see how that change goes.
And then you go a slightly larger group and then you go a larger group.
So you do it in phased waves, right?
So rings of deployment, and you know, if you notice early on that, you know, your AI-powered quality assurance process went sideways and this is now bricking a bunch of Windows PCs, you stop the deployment. You don't hit millions of machines simultaneously in, you know, one of the greatest IT outages we've seen so far.
This reminds me of that Simpsons meme where people are like, this is the hottest summer ever.
And it's like, this is the coolest summer of the rest of your life.
Gimme a second.
I need to send off an email to Microsoft.
This is ring deployment.
Shouldn't launch everything out to all people at once.
In fairness, Microsoft actually has really good ring deployments.
CrowdStrike now has really good ring deployments, so that's fantastic. I think the other side that's interesting is, you know, we think back about all the talk about booting antivirus, anti-malware, EDR, MDR, I can't keep up with all the acronyms, but the things that are supposed to stop the malware, out of the Windows kernel.
And so macOS did this a long time ago, much to the frustration of many providers.
There's lots of deep technical arguments.
I'm sure Tammy can get into this much better than I can.
But there are moves afoot.
Now, Microsoft moves at the speed of, well, Microsoft.
So it's been a year.
But they're starting to make moves to boot people out.
Now remember, the really interesting thing about all this is Microsoft provides the OS, but it also provides a competitive product to CrowdStrike and everybody else.
And it was mandated by the EU not to, well, you have to give everyone this highly privileged access to Windows kernel, so you can make it massively unstable.
No, the regulation was you can't enjoy some kind of a market benefit that others can't use as well, because that would be monopolistic power.
So it'll be interesting to see how they pull off this booting everybody out of the kernel, which again, malware folks say is really, really important to be as, as close to that source of truth as possible.
And, how that, how that deployment goes, what chaos comes from there, and, what that means for malware for the next 20 years.
I think you snuck in two stories.
I think you did.
I think I did.
You did?
Yeah.
Yeah.
Okay.
So, Tammy, what impressed you over the past month?
So, one of the big news that just actually recently happened on July 22nd was the seizure of the absolutely notorious XSS website, or forum.
And this is huge news because, in the cyber crime underground, there are really two websites that are like King and Queen.
There's Exploit, there's XSS, BreachForums a little bit.
But, like, XSS has always been one of the top three forums for over a decade.
and it's, even though it did not allow.
It was still notorious for manuals of teaching how to code malware, or selling leaks, or selling initial access to infrastructure and things like that.
And how these forums made a lot of their money was through their escrow or their guarantor service.
So, for example, in advertisements, of course, but their guarantor service was pulling in so much money.
Let's say you wanted to make a deal on this forum, and you needed to make sure that you can trust the buyer or the seller.
You would use a middleman or a guarantor, and that was the admin of the website.
They would charge a 10% commission to make that happen.
They would basically not release the goods until the funds were transferred, and they wouldn't release the funds until the goods were verified. That's what an escrow is.
At the time of the seizure, XSS had 55 Bitcoin on their wallet.
Like, that was the escrow account, which was roughly like 5 million euro.
And that's just what they had access to.
And the admin has said that that is what he feels responsible, the current admin, because the previous admin was arrested, and we'll get to that in a second.
But, the current admin is basically saying like, look, that's what I feel responsible for and that's what we're gonna get.
We have a very good team now to make this happen.
And we're gonna get there.
It's gonna take a while, but we're gonna get there.
Essentially the previous admin, Toka, was estimated to have made and profited 7 million euro from this forum.
And he was arrested in Kiev, Ukraine.
And at the time of his arrest, like, XSS had around 50,000 registered users.
And not only did they seize, like, the XSS website and the domain, like XSS, they also were able to seize control of the Jabber server.
It's called the Secure Bizz.
And the Secure Biz.
You, you've seen a lot of threat actors with that handle, and that was like a way to contact them.
Secure Biz works similar to an email and an instant messenger.
And so they basically seized that server.
And what they did is that they redirected traffic to a sinkhole that they controlled.
And then there was a lot of allegations saying that this is weird that the onion was not seized, but the clear web was seized, and now there's like a split in the faction of the underground saying that XSS, even though it's been like revived, is currently under law enforcement control.
And essentially they're saying that it's a honeypot.
Now, honeypot is, as we've heard about that a lot, where it's like a decoy that is controlled by law enforcement that is made to be super attractive so that criminals or users can go in believing that it's the real deal,
and so when it's not, in fact. There was a new forum that was split off from this, and it's called Damage Lab.
This is essentially a hat tip to the old name of XSS, because XSS was originally called Damage Lab.
So now they're going back to its roots.
So yeah, it's been a crazy month in terms of seizures.
BlackSuit also got seized, so it's a lot of really good law enforcement work this month.
Now, when they get this, have they, do they know everybody who has now been in contact with that site?
So, that's a very good question.
They're really interested not in the visitors. They're really interested in the users, the power users of these forums, the ones that were making millions or even hundreds of thousands of dollars and selling specific exploits or selling initial access.
And those are the ones that they're gonna go after first.
And because they have access to the databases and because they're essentially putting a lot more pressure on the admin,
they can basically get access to the direct messages, the logs, everything, right?
So it's not gonna be hard for them to figure out who is who, unless you have exceptional opsec, which some of them do, most of them don't.
This is gonna be a huge break and we're gonna see a lot more chain arrests and seizures coming from this, because a lot of these groups are related and they work closely together.
And once a big forum like this falls, it doesn't take long for more to fall.
What I love about this is the destruction of trust, right?
You can recreate the technological infrastructure, the onion sites, but it is so hard to rebuild the trust and the network effect of these king and queen size sites.
And then let's say scenario A, they just got the clear web website and the onion was running, and then they had some compromised identities inside the forum and they planted the seeds of doubt that they were the ones that drove people.
And maybe they are running Damage as the actual police one, who knows?
That's what's so beautiful about this, is that they can sow the fear and the paranoia.
And Jim, to your point, we've seen some really interesting things with the RCMP and Quebec here in Canada with other previous busts, like I think it was Genesis Marketplace.
And they actually got enough information on folks that while they didn't have enough to necessarily prosecute or they didn't have the desire to, they did a really interesting door knocking campaign and were like, this is you.
We know who you are.
Knock it off.
And I absolutely love what they're doing now.
I've been trying to set up a totally throwaway environment where I actually could go do some research, but I haven't had time to do that.
And I have no desire to go to these sites using my own equipment.
If you're sitting in an office right now and you're curious about this, don't go, we'll do a show on this stuff and we'll show you some screenshots, but I'm just amazed at how brazen they are.
I'm amazed that they stayed out for so long.
I mean, if you can find them, I can find them.
Law enforcement can find them.
How is it that they can operate at this level?
Anton, they seem to always be able to get access to crypto.
I find this just incredible.
Oh, that's a really juicy target.
Yeah.
So it makes sense.
But there's a lot of money in this and it's a very interesting type of economy that they've built, where there's so many different subgroups to this that specialize in different aspects of this.
Some are just figuring out what platform people are on, and then they'll go and repackage and sell that data to the next group that will go and do SIM swapping attacks or something like that.
And like, get further access. The complexity and the scale of these organizations is fascinating.
The ones that are most public are visible, we see them, they're top of mind.
But there's a lot more of that kind of like underneath the iceberg.
It's really interesting what kind of economy actually grew out of this.
The dark economy, right to say.
Do not go there if you're listening, don't go poking around if you don't know what you're doing.
Or you could get easily compromised.
It's enough to visit the wrong website and you could end up with malware on your computer.
So, leave it to the pros.
Yeah.
And speaking of pros, Tammy is, it's interesting, I almost feel like she's that guide now to cross the River Styx to go into these places.
And so actually she gave me a real solid and guided us into one of the phishing-as-a-service platforms as a team, and,
holy, fascinating.
And number one, like, criminal scaling and building these phishing-as-a-service, and their UI is really good.
Their business models, Jim, are incredibly well thought out, like incentivized sales programs, like, you know, stuff that could be ripped from the pages of the old Xerox sort of marketing and sales playbook, but for the crimes.
And this one was particularly brazen because it's out on the clear web.
It's not like an onion site.
You gotta know the secret handshake and nod to get an invite and get in.
Some people are really clever like Tammy, and they can get in and figure these things out.
It was fascinating, and the organizations they were targeting, they were just like a SaaS.
If you took away the criminal nature of it, it looks just like every other SaaS you've ever seen.
They're putting new releases out, rolling out new features.
They have tiered plans.
Then of course, all payments conveniently done in crypto.
So Tammy, these groups get busted all the time and somehow they resurface and they come back.
Has this been irreparable damage or is it just the calm before the next storm?
So law enforcement has been changing their tactics and, as David said, they're really going after the reputation now and sowing distress.
They did the exact same psychological operation with LockBit, where they seized the original site and then they doxed the admin of LockBit.
And essentially, they're doing that more and more now.
They're trying to make it impossible for you to conduct business because they know that a lot of these people are in countries with no extradition, and so they can't necessarily arrest them, but they wanna make it impossible for them to, they wanna destroy the brand now.
So, like, if no one's gonna trust XSS or LockBit or anything like that,
they're going to have to recreate a new platform or a new forum or a new brand.
And that takes time because you need to build trust and build, and that, it slows things down.
So that's one of the approaches that law enforcement has been doing recently, and I think it's working very, very effectively.
Absolutely.
Yes.
Fab.
Great.
And Tammy,
Tammy won't do this because, like, you know, it's self-promotion.
But I will say this: Flair does amazing work in this space, and we use their technology so I can say that.
And I gotta tell you, like, as a proud Canadian, every conference I've gone to where they have been out there, they're getting swarmed by people just asking tons of questions.
And they're not just there to like, raid the, the swag at the booth.
So they're doing some really, really cool things.
Oh yeah.
Okay.
Well I'm there for the swag.
Sorry.
But I mean, they do have good swag.
It's good.
Good to talk to you too, Anton.
So what's, what's news with you?
And I've got, I've got a bone to pick with you after this.
I mean, a lot, a lot is always happening.
One thing I'm paying attention to closely always is supply chain attacks.
And of course there's no, you know, shortage of those.
So.
Recently we saw a bunch of packages get compromised in the NPM ecosystem.
One of them had about 3 million weekly downloads.
And it's just a funny thing because it keeps happening and people aren't changing their strategies to defend from it, and it keeps happening and it's a cycle, and somehow everyone seems surprised every time that, you know, it happens.
But it won't really end until people seriously start, you know, looking at what they're putting into their applications.
There's this weird idea that, you know, first party code that your colleagues write should be reviewed, but third party code that someone, some unknown stranger on the internet wrote is fine because a lot of people downloaded it.
And so, yeah.
Okay.
Can you just give us a little context on the NPM thing?
Just tell us what the story was.
Yeah, for sure.
So it's basically another supply chain attack.
There was a breach of Toptal, which is a talent sourcing agency, a really big one.
And they have a bunch of packages that they publish to NPM, and their GitHub was compromised.
And so in GitHub Actions, often there's a lot of access that allows you to, you know, deploy packages or upload packages to NPM.
It may also allow you to go and deploy infrastructure on AWS or deploy applications to different cloud service providers.
I actually found an injection vulnerability in a penetration test I did recently that allowed me to take over the GitHub Action and do whatever, basically arbitrary code execution.
And so it's unclear exactly what happened to their repo.
But often if it's a public repo and you don't write your GitHub Action correctly, you can use, for example, the branch name to inject a script to the GitHub Action, thereby gaining full control of whatever's in there, including, like, secrets.
So basically the attacker somehow got access,
and then used the NPM token to upload their own malicious code to the packages that they published.
And so inadvertently, a bunch of people downloaded this and basically put malware on their computers, which was exfiltrating data, as well as deleting data from their computers.
This makes me crazy 'cause this is one of five stories we might've done on supply chain.
And every time I look at it and I go, smarter people than me find ways to inject malware into things in ways I couldn't even imagine.
But one thing that stumps me even more is what the hell would I do about it.
As pitiful as my Linux development career was, I wouldn't have been able to do anything without being able to download stuff that other people had written.
We're getting free.
It's a very challenging thing.
The issue is that if you're running a system that is protecting data that's of value or anything else of value, I think it's the responsibility of the person building that platform to actually review the code.
And the counter argument is always, ah, that's too much code to review.
We can't do it.
It's just not doable.
Well then, you know, you should cut down the amount of code that you're pulling in.
Oftentimes I see people pull in, you know, a million lines of code and they're only using one of the functions.
And it makes no sense to do that.
And it's fair that some users don't have the ability to go and review this code.
So one of the ideas on how to approach this is like, let's go and crowdsource reviewing the most widely used libraries, right where it matters for the most critical software, and kind of bear the burden of that together.
Like, let's combine our powers and if I review some code, I can go and publish, you know, a report that's signed by me saying, I actually looked at this code and as far as I'm concerned, I went this deep on it and it's safe to use.
That would be a step in the right direction.
But right now the default state is, it's on install, it runs all its install, post-install scripts, and you just pray and hope that something bad didn't happen.
And that's where we're at right now.
We sit here and tell our users, don't download malicious apps.
Don't download this on your phone unless you're absolutely sure.
And then in our development shops, we're banging away saying, ah, bring it on this.
This is absolutely nuts.
But we talked about this earlier and you had a great idea of doing a bit for bit comparison of things and being able to certify that this was the version of software.
Why isn't that getting more traction?
It's starting to, yeah, definitely. Reproducibility and full source bootstrapping closes off a lot of attack vectors.
You still have to review the source code.
It doesn't solve that part of the problem, but it does solve the problem of, if you had done a review and you could actually say, as of this point, this is the code, wouldn't that make a major difference?
Yeah, absolutely.
And then you can do incremental reviews from that point on where you just look at the diff for every version.
This supply chain, this is gonna lead me to my story.
And that was, the story of the month had to be that we'd finally, finally it's happened, and I've predicted this for some time because we are really stupid about implementing technology.
Sorry.
But as, as a world, we really are.
Here's how we do it.
You come up with something new.
Somebody in marketing puts together a brochure, we oversell the hell out of it, and then we come out, everybody says, this is really cool.
'cause we buy it every time and then we all implement it into our dev shops.
And we go, oh my God.
As you're sitting there, I still remember my friend Joe Ricardo in 4GL languages and him and I sitting, looking over the desk after months of development, realizing this thing wasn't gonna work.
It wasn't as good as the demo, right?
This is.
And then eventually everybody gets together and we fix stuff up and we, you know, after the disasters and some careers have been damaged and projects have gone, we go back and we somehow get something that is now working and gets better and better.
That seems to be the only way we know how to implement.
And the scary thing is we've done that with AI.
We have ramped up development of IDEs and development environments and tools and these things.
The last week, I can't list the number of stories where the AI just decided it would nuke the data from some developer.
Google had the same thing, at least Replit, when they went, they, somebody was using this development environment.
This comes from, from, I think Replit.
They came in.
It just, the AI wiped the guy's code, wiped the guy's backups of his code.
'Cause he was dutifully replicating his backups.
Oh, there's another, story about that.
I'm not sure that that's a really good idea.
You know, if you're gonna have a mistake in your code, let's pop that into the backups.
That's another piece.
And then the AI says, I didn't do anything.
It really did.
It denied that it had done it.
But in fairness, the CEO of Replit came in and he brought their team together.
They fixed it.
And we, we've always been through, there's no blame, no shame, you know.
Admit and fix.
And they did that and they got this, they got them up and going again.
But in the meantime, somebody else is working with one of Google's new tools in Gemini and wiped their code.
Now, anybody who's ever tried to get any customer service from Google,
if you actually found a way to talk to Google, I salute you.
But they're just, you know, sucks to be you, is sort of what happens.
So there's people lost code, you know, the amount of, and then you get into the security issues of this MCP, which is model control protocol.
Oh yeah.
Great idea.
What could possibly go wrong with it?
Possibly go wrong with that yeahs between multiple agents.
It'll be great.
Except maybe things like once you implement something to MCP, it trusts everything else after that.
So your guys up there, you know, putting bad code into some sort of module, and MCP's going, oh, I've seen this one before.
Good.
Pop it in.
The amateurism of these development environments is just astonishing.
So I've got some thoughts, but first I think, Tammy, you had your hand up earlier, so I don't know if you wanted to circle back on that or if you wanna jump into the hot AI agentic code mess.
Well, it sort of ties into this, so you were mentioning, Anton, that, like, we have to go back and, like, review all of these libraries.
Can't an AI do that?
It could help, it could help.
But honestly, at this point, I don't trust an AI yet.
For me, it's like additional input,
and especially because of this whole idea of, like, a lot of garbage code being fed into it.
And so it thinking that's the right thing.
For example, like, one common thing I see often is people using the current timestamp as a source of entropy.
And that's even written in, like, computer science books.
Like I've seen it multiple times in books and I'm like, wow, this is insane.
And so on a fundamental level, like, what we're teaching the AI is wrong.
Maybe if we took the time to properly train a model that's just, and people are working on that right now, right?
Then maybe, but right now, like, my confidence threshold for just letting SaaS, even if it's AI powered, look in my code is just too low.
so I will let people rip my face off on this, but this is not an AI problem.
No, this is the same stupid way we implement software.
And, that's the problem.
This stuff will eventually work, but you think you might wanna test it a little before you start putting it out into production usage.
so I asked my CTO about this and he had a really good take on this.
I don't let our developers have access to prod.
I am not going to allow a half-baked agentic AI direct access to prod.
Like no way.
The rules are still the rules.
Now, you know what's interesting?
So Jim, like the amount of stories and I like, it's almost to the point now where, I dunno if you've seen that Simpson memes where, you know, it's like, stop beating it.
It's already dead.
But you know, as the guy, that's usually the guy beating on AI.
even I had to like, just stop this month and go, oh, this is bad.
Like, you know, there was a study that just dropped that said, 45% of AI generated code has an OWASP Top 10 vulnerability.
And it goes to what Anton was just saying.
Like, they went across the internet, they scarfed up every example they could, which dear friends, garbage in, garbage out has been around a long time on average.
Yeah, we're running garbage.
so it's not like we had pristine, beautiful English lit poetry quality code that it could learn from and become the next Shakespeare.
There was a lot of crap, right?
Like a lot, like we've essentially trained AI from a literature's perspective on soap operas and we're shocked that we're not getting Academy Award-winning movies.
Like really?
No kidding.
but it was interesting.
This model context protocol, it itself feels a lot like it was vibe coded to begin with.
And it's like vibe code begets vibe code.
It's like vibe code squared.
And it's like, maybe we need less of this.
And I'm seeing a lot of t-shirts here in Vegas that have, I and the old Netscape navigator broken image icon, you know, for agentic ai, right?
Like, or I blank, vibe coding.
And it's like, yeah, for real.
but I wanna circle back on something here.
This goes back to what Anton was saying.
We are gutting young technology career positions at an unprecedented pace.
And they are not getting the opportunities to learn fundamental skills so that they could do things like real honest to God, human review of code.
And Jim, no joke aside, so they could read a diff, we are creating a massive problem in technology with our over-rotation on AI to replace entry level skills.
And it is going to hurt.
It's so true.
A future standpoint, but also dear listeners, when you have double digit unemployment in people under 30, bad things happen at a societal level.
So this is really, this is like that red indicator light going, eh, you know, this is a problem.
Yeah, and, I don't wanna take away from this.
I still maintain, this is not an AI problem.
This is a stupid implementation problem, and we've been good at those for decades because, Tammy, you're right, and, I'll disagree with you, Anton, at one point, not yet.
But eventually we are going to need to replace enormous COBOL systems that are so big and so monstrous that nobody, no person, no project, no government could tackle those, and they're going to implode at sometime in the next decade.
The only way to convert that amount of code is going to be with some sort of artificial intelligence tools, but don't do it today.
Let's, let's make sure they work first.
this is what, it's just, it's like buying a Tesla and trusting in the automatic driving, and then you say.
Take your heads off the wheel, hit the gas, and we'll just see how well Elon delivers.
Like you wouldn't do that, but you'll do it with code.
But you know what?
your Tesla analogy is spot on.
And here's why.
Just like you were talking, how we overhype a new technology and over-market the hell out of it, you know, Full Self-Driving was the brand name for this technology.
they advertise it.
They just got a huge lawsuit, against them that, was found against them into the hundreds of millions of dollars that basically claims that their cars are fundamentally unsafe.
it's like a 200 million plus lawsuit for one of the first, Civil lawsuits for an autopilot death.
Like the over-hyping of these immature technologies that the, and it gets back to your point about something, it's the choices we make with how we deploy technology.
Tesla made the choice not to use lidar for business and ideological reasons that made their cars fundamentally less safe than competitors that are using lidar as well as optical sensors.
And so, you know, it's never just the tech, right?
It's the business decisions around the tech.
Boeing Max Eights were a series of business decisions to improve competitiveness, to, have more fuel efficient planes.
And they created an aerodynamically unstable design, which by the way, the only other things that are intentionally designed that way are fighter jets.
And as my friend says, at least, they come with ejection seats.
and they took a military design, stripped down the, the extra sensors, and then added it like a typical SaaS provider.
It's like, oh, you wanted the safety feature, that's the add-on.
But dear listeners, we do that as SaaS because you demand the lowest possible price, and then we have to initially make money.
So we have to do that.
Well, Boeing did the same thing, but it's the choices we make with technology, to your point, AI itself, and here's me going middle ground is not fundamentally good or bad.
It's the stupid decisions that we make along the way when we, we ought to have known better.
Because to your point, we've been doing software a long time.
None of these things are new, and I feel like I'll end with my culture critic quote, you know, Battlestar Galactica reboot, all this has happened before all of this will happen again.
Yeah.
It's, it's only a lesson learned if you have the two words together, lesson and learned.
But yeah, let's go back to this.
So Nick Bostrom wrote this really good paper called The Vulnerable World Hypothesis.
and if you make the wrong decision with the wrong technology, that adds up to, you know, potentially worst case scenario like existential threat to humanity.
Nuclear was one of those. AI is now maybe one of those things.
And every so often we pull out, you know, a new marble out of this jar of possible ideas that we could discover.
And it's like, what are we gonna do with this?
Are we gonna be responsible?
And the default is, no, we're gonna move fast and break things.
And I would invoke we should move thoughtfully and improve things.
'cause we've done the fast thing for like long enough, I swear.
And it's not corporately, politically correct.
If someone came into my office today and I was still running a company and they said move fast and break things, I'd smack them.
Yes, I had a, I worked for a CEO of, of a financial institution and he, people would say things like that, well, you gotta take some risks.
He'd go, no, you don't.
He said, that's other people's money, you know?
and I think we've gotten this idea, move fast and break things.
Yeah.
That's what you want to do really great until you bring down the eastern seaboard or something like that, which brings us to SharePoint, right?
so Microsoft, like this is one of those, Microsoft is one of those too big to fail kind of living institutions now as big as a financial institution.
And so we had SharePoint apocalypse.
Now what, where this ties back to our other thread is.
Business decisions.
Microsoft does not want you running SharePoint or Exchange or anything else for that matter.
On-prem.
They want you running it in the cloud 'cause they make money off the compute.
They have that lovely annuity, SaaS revenue stream.
So they have been under investing in these things.
And it's not just the, the fact that they had a vulnerability that came out of a, Pwn2Own or one of those competitions they get in Europe.
the patch didn't work.
And, and dear listeners, geez, what are the cumulative effects of all of these cuts that Microsoft has been making to fund its AI projects in cutting people across the board?
You have more mistakes happen like this, and then you have hundreds of organizations who, for budget reasons were still running SharePoint on-prem, that were vulnerable, including organizations responsible for the nuclear weapons program in the United States, not the launch codes that still runs on giant floppy discs and is not connected to the internet, thank the Lord.
this was not a small body count of organizations hit by this.
And again, it goes back to business choices.
and it's been interesting to see how that played out.
and Tammy, I'm dying to know if you, what your thoughts were on SharePoint apocalypse, and what you saw in the world.
So I did see, at first it started off like a wave.
I saw a lot of chatter saying like, Hey, anybody have a PoC, proof of concept?
Anybody have this?
Anybody have this?
And then all of a sudden people weren't asking that anymore.
And then you started to see the news of, okay, what's like, I saw like, 'cause I'm in a lot of trust groups.
And then you started to see like, okay, I have a client now getting hit.
And it was SharePoint and it was SharePoint and it was SharePoint.
And people then started to say, but I'm not seeing encryption.
All I'm seeing is massive exfiltration.
And so now you start looking at TTPs of groups that are known to do this.
And then it is just a web of incident response and forensics of who could be doing this. And then you look back at the chatter, you start connecting the dots of, okay, this account might be related to this group.
it's a really fascinating world when you're doing threat intelligence and you're starting to see the wave of things coming in and when it stops is even more telling.
So there's a subtext of this story and it didn't make all the headlines like the initial stuff did.
And this is one Jim that I'm watching very closely.
So as part of the post investigation, Microsoft is investigating whether news of its patch need to fixed leaked from a trusted community ahead of time, which set off the feeding frenzy about this particular vulnerability.
That's why it sort of peaked as a wave is one theory that I've heard, and it would not be the first time that as we have these, concentric circles of trust and you're trying to communicate out, 'cause change is complicated, you need multi-stakeholders, et cetera, et cetera, that somehow, either intentionally or unintentionally it leaked out or someone is listening to those conversations.
So that's one that I find deeply fascinating because that would be a high priority target for intelligence agencies and others to be sitting there waiting to find out when the door is about to be closed on their favorite tool, so that they can get maximum value out of it.
I mean, these things are now worth, what was the Microsoft just announced like last week?
It's like 5 million is the latest thing for particular certain o days.
These are expensive and, you, you wanna use them judiciously so you don't burn it.
But then when you find out it's about to get burned, you roll the whole team.
and you try and get as much as you can, which is just fascinating.
So, so I, I've heard it call both.
I, I typically like oday, but that's me.
We got, we actually got an email said, that's zero days, and I went O days, yeah, that's both, it's both.
You know, if, yeah.
Cool.
Yeah.
I think it's Z and Z, right?
Like, yeah, well, no, no, Z is correct.
Z is not, that's, it's really simple.
Tammy, you were gonna say something actually intelligent, I'm sure.
Wouldn't it?
Wouldn't it be, technically, an N-day?
Like an N-day is known as a security weakness in software or hardware where the vulnerability has been publicly disclosed, as a CVE and, there's a patch for it that is represented by the amount of days.
Yeah.
So wouldn't this SharePoint incident be an N-day?
Well, yeah.
This, yeah.
No, this share You are, you are As, as Jim said.
Listen to Tammy folks.
She's the smartest of the bunch, and Anton.
but, so, so at one point an O day becomes an N-day and, it's, it's, you know, becomes known there's a patch out, et cetera.
and so, you know, you, you, and this is an interesting case actually.
We may even need to come up with a new term for this because normally in a sane world you have an O day.
I didn't know this was a vulnerability and people were actually exploiting it.
And then you patch it and it becomes an N-day or your patch doesn't work.
And what does that become?
It becomes a may day.
No, I'm kidding.
There needs to be a new, I like it.
A new old a t-shirt there MA t-shirt in your future.
So can we just go back to this though?
And this is, this is, again, I'll go back and say maybe I'm just, I'm getting, jaded in my old age possibly.
But we have this thing about, oh, you, you may have leaked this early and that caused a frenzy, but any estimates from you guys about how many of those SharePoint sites still aren't patched?
Mm, it's, it's, the number is not zero.
It's definitely a non-zero number, that's for sure.
I mean, there are servers that haven't been patched in decades.
I don't know, like, not particularly for like SharePoint, but I mean in general there, there are servers that, you know, sit there forgotten for, for years.
Yeah.
And, and, and I, and I can tell you where you're gonna find them.
they're gonna be in municipal governments.
they're going to be at state level in western countries, and then it'll be national levels in the global south or other areas that can't afford the licensing costs for, the most recent stuff.
And some of these are exploits that apply to end of life software.
So, Microsoft's advice is, well, first you can upgrade to the supported software, and then you can patch it.
Well, what if you can't afford this upgraded software?
Well, and add to that hospitals.
And other places that, and not-for-profits and other vulnerable places that can't afford to, to, well, and, and, and actually speaking of hospitals, to bring this full circle, there's a, a very interesting and, and somewhat controversial research paper that dropped from the University of California San Diego.
what it is alleging is that during the CrowdStrike outage, they observed 750 hospitals also, went offline via an API specific to the healthcare industry.
And so, they made some pretty bold claims about the dramatic health impact of the CrowdStrike outage.
now.
It's not without its critics.
CrowdStrike in particular came out very vehemently saying it's irresponsible.
And the, Journal of American Medicine, JAMA, should pull it.
because it didn't do things like actually interview the hospitals and say, were you a CrowdStrike customer?
and so there's some interesting challenges around that.
it kind of brings full circle what the impact a year ago was, and we know there was an impact and whether that was critical on healthcare or not, just where you brought up hospitals and unpatched stuff and everything else.
I've watched a couple of stories about businesses that have gone under.
The follow on story that people don't watch very often is, you know, a huge business in the UK went under about six months after a ransomware attack.
they just folded.
They couldn't, and that's the stuff we don't see, we see the explosion and we don't see the long term impact of it.
Just wrap up here 'cause we, we've got, we're about the hour here.
what are the stories?
You guys are following this month.
what are you gonna be watching for this month?
Anton?
I've been watching, Europe, closely Europe's doing a lot of interesting, legal work and compliance, on a lot of different fronts.
the thing that's being talked about right now is, private messaging.
there was a lot of stalling around this for a few years now.
but they're basically trying to, bring a, regulation that forces scanning of everyone's devices, preventing end-to-end encryption.
the European Commission is still pushing for this, but the European Parliament, is insisting that it should only apply to unencrypted messages.
So this is a big privacy discussion that's happening.
in Europe right now, it's gonna be, have a very wide reaching impact depending on what the outcome here is.
and so I'll be watching that.
And then kind of within that same, kind of adjacent to that, what I also, noticed this week is that Denmark brought, a law where that says basically that all your likeness, so your appearance and voice and everything is automatically copyrighted as your own, which is, a very positive law that's been brought here in Europe, but it's not on the European Union level.
So, there's a lot of movement right now online regarding Scattered Spider and what they're up to specifically.
There's been a few arrests.
around, their gang and, or actually their community.
It's more of a community than a specific gang.
And so I, I'm interested to see where this goes, and who they end up affiliating with next, because we've seen them do Qilin.
We've seen them do Drag-, DragonForce.
So, I wanna see what happens next.
Wow.
Yeah.
This is you, you'd pointed out Scattered Spiders is really like a, a big co-op of some sort of, I dunno how else to describe it.
It's, they're, they really are trying to get outreach to everybody, I think, and be that sort of link.
they might be your successors to some of these other people who are dropping out now that their sites are getting killed.
Yeah.
David, what are you watching next week?
I'm watching over the next, next month or so is of course the fallout from the WestJet, breach.
So for those following WestJet was, one of the airlines hit, in, June.
And, their initial communications were, were fast, but they were lacking in detail.
And then, they put a release out July 18th saying, Hey, we've done some more in-depth forensics.
Like, which I get this stuff takes time.
they didn't kind of get into the scope of like, well, how many people's data got nicked?
but don't worry your credit cards, I'm not worried about my credit card.
My dudes, visa, MasterCard, they got this.
Like, they're gonna like stop, stop telling me like, we're good.
We didn't give your credit card away.
Like, I'm good anyway from that.
But what did you give away?
Is my passport out there is my other thing.
So, you know how, how much you know and how you have it.
Canada's privacy commissioner is investigating, I mean, which is about as scary as like a talking to from the homeroom teacher because they're toothless.
and I'm not beating on them.
They, they admit that as well.
They can't actually do anything to you like stern sort of, you need to do better.
What they should have is here's your $5 million fine.
And then their board goes, we need a better program for securing our stuff.
'cause we don't like paying $5 million fines.
Crazy.
That's it.
The fines need to be such that it doesn't make sense for you to not do the, the right thing is to do, I mean, apply this anywhere.
even in Europe, some of the fines sound extreme, but they're the cost of doing business now.
They need to be.
Yeah.
But in Canada you could have a bake sale and pay a fine if we had them.
Pretty much.
and the other thing to follow is, you know, what Anton's talking about in Europe is also, you know, we forget that the C-2 legislation here in Canada is trying to sneak in, state surveillance state, regulation here in Canada.
so the crypto wars version three are back, and for those kids, gen Z sit around the fire.
crypto before it meant making the monies, meant encryption and the whole thing, you can go and look it up.
Crypto War 1.0 was they wanted to cripple encryption and everything.
So because protect the children, Canada tried to do this a few years ago under the Harper government, again, protect the children.
and what everyone forgets is that government agencies can't be trusted to a, not abuse the access.
And b, keep these secrets secret.
'cause EternalBlue, which was their Windows golden key into everybody's computer.
They lost it to the Russians.
Like, come on.
And if the NSA and the CIA can't keep these kinds of secrets, you think the Canadian government, can you think some other government can?
No.
Like either you have encryption in security or you don't.
And, the don't, ain't so good for all of us.
Agreed.
And we talk about, you know, move fast and break things, legislation.
I'm depressed about the fact that we don't develop legislation more quickly.
But I'm watching just the number of stupid moves that people are making.
the UK has done this thing and it's a wonderful thing to protect children.
So what we're gonna do is we're gonna make every website register people, they're gonna put their picture and their identity, and they're going to do that.
Now, some little website in the middle of England is going to have a group of women who may very well be not wanting their partners to find them or not wanting to give up the this.
we saw a huge site, and it's hacked.
And people think that they're being private.
We have to solve this safety, encryption and safety of the people question.
And that, at least that conversation is coming up now.
And I'm happy that that's at least being raised.
so you can cut this if you want, Jim.
But, I think I would be remiss if we didn't talk about Tea and also because men can't be left out of anything technologically.
Tea for Men was also breached, so amazing.
But for the love of God, vibe coding, leaving your Amazon S3 or other buckets wide frigging open, leaving driver's license images, it's not fine.
David, you've leaving those S3 buckets open for months, years, yeah.
Again, all this has happened before all this will happen again.
but telling people, and this is where I think I really got pissed about this story.
Oh, you just upload your photo, we delete it after we verify it, then they didn't.
Which goes back to your point about these age verification systems, The Texas Supreme Court, means, the Supreme Court and the state of Texas, law, this is now the law of the land increasingly in the United States.
And what's going to happen, dear listeners, is it's going to get some people killed like we saw with the breach of Ashley Madison, when people's intimate information becomes breached regardless of your moral judgments, one way or the other, by the way, most people on that site trying to cheat were talking to chatbots.
Ironic.
but, but is what it is.
But, but there were people that took their own lives from that.
yeah, quite a few.
And this is gonna have a not inconsequential count on that.
So, you know, when we talk about the impact of these things, we often talk about the loss of reputation.
Businesses closing money being stolen.
North Korea's nuclear program, getting billions from crypto.
Sorry, Anton, I had to just get that, get that in there as well.
It's just what it is.
But, but there's a body count too.
And, there are consequences to these modern day digital witch hunts.
And, and it, it sucks the oxygen and resources out of other more pressing problems.
And it creates an interesting balance of equities here.
that, that people think, oh, this is nothing but net good and Dear Canadian listeners, that lovely senator who introduced in our Senate the same idiocy legislation, but with claims of, we're not gonna tell you how to figure it out technologically, but you must do it securely.
FYI, you can't, it's coming here too.
even though the UK tried to, to figure this out, abandon it and then now has screwed it up again.
It's, yeah, it's, it's consequences.
Yeah, we, well, and politicians who don't understand security, is one of our biggest issues.
I mean, they're just, and sadly not very smart.
And the worst part is they don't want to know.
I've become convinced over the course of this time that like only if we provided them the education, they would magically create very policies.
They don't care.
We made a choice in our parliament to filibuster about car thefts versus making sure that our power plants, phone companies, banks, and airlines stayed online because that was more popular.
So next month I don't want you to hold back.
I want you to tell us what you really think.
Okay?
Yeah.
In there.
So that's our show.
Thank you so much, guys.
and I'll, I think one of the things that I learned this month was, this is supposed to be the dog days of summer.
This is supposed to be slow news time.
So, I can't wait to see what happens when we get back in September.
But I, Tammy, I don't think so.
August is gonna be gonna be something.
Thank you so much to my guests, Tammy Harper.
Thank you very much.
Anton Levaja, thank you from Croatia.
And David Shipley, our panel.
And thanks to you, the listeners who are listening to this, if you've stayed this long, then we've either entertained you or you can't reach the off button one of the two.
But thanks for hanging out with us.
you had other things you could have been doing with your time and you spent it with us, and we thank you for it.
I'm your host Jim Love.
Thanks a lot for listening.