Podcasts

In this edition of Between Two Nerds Tom Uren and The Grugq discuss why it makes even more sense for criminal organisations to adopt AI as compared to regular businesses.

This episode is also available on YouTube.

The FCC relaxes its foreign router ban to allow for security updates, the ShinyHunters group disrupts schools across the globe, a 21-year-old remote code execution bug turns up in FreeBSD, and another Linux privilege escalation bug was disclosed… without a patch.

In this sponsored interview Patrick Gray chats with Knocknoc CEO Adam Pointon about their Greynoise integration.

Knocknoc allowlists network connections from users’ IPs after they’ve been through an SSO challenge. It’s great for protecting vulnerable or risky assets that your org has to connect to the internet. But what happens when one of your users tries to authenticate from a bad IP? You probably don’t want to add that one to your allowlist!

Thanks to Knocknoc’s new Greynoise integration, you don’t have to!

In this podcast James Wilson chats with Niels Provos about his research into using older AI models to successfully hunt for 0day vulnerabilities. Niels has had a long and prolific career in cybersecurity, having worked as a Distinguished Engineer at Google and then heading up security at Stripe.

His interest in AI bug hunting was piqued recently when one of the Mythos 0day vulnerabilities that received lots of attention happened to be in code he wrote for the OpenBSD project 27 years ago.

It got him thinking: Are these frontier models really that magical? Or could we replicate their findings with some clever orchestration instead of relying on the model’s smarts to find bugs with a single prompt?

As it turns out, this was worth looking into. Niels’ orchestration framework, Iron Curtain, works extremely well.

This episode is also available on YouTube

Palo Alto Networks patches a firewall zero-day, Google patches an Android remote takeover bug, Ivanti also patches one, and a leak exposes Russia’s spy and hacker school.

Tom Uren and James Wilson talk about the sudden drive to put regulation around the releases of new AI models because of their cyber security implications. A standardised approach is desirable, but clamping down too hard won’t achieve as much as might be hoped. Experts with older or even open models can get just as far as novices with the latest models.

They also discuss Australia’s new Cyber Incident Review Board. It has been hamstrung and won’t be as successful as it could be because it can’t assign blame.

This episode is also available on YouTube

The DAEMON Tools website was hit in a targeted supply chain attack, Australia gets its own CSRB, the US arrests a wanted VOIP server hacker after 17 years, and Oracle switches to monthly security updates.

On this week’s show, Patrick Gray and James Wilson are joined by special guest co-host Brad Arkin. They discuss the week’s cybersecurity news, including:

• The US Government says we just have to patch faster, but…
• Bugs in cPanel, MoveIt and all Linux distributions this week show that patching alone isn’t enough
• James gets mad about lame AI Agent adoption advice from the US and Australian Governments
• James Kettle and Niels Provos both showed us that any model can find 0day like Mythos
• And the cyber-assisted theft of cargo results in an astonishing loss of $725 million dollars

This week’s show is sponsored by SpecterOps. Their CTO, Jared Atkinson, chats to Pat about the big changes in the threat landscape, brought about by AI, that are causing a pivot away from detection and remediation, and toward prevention.

This episode is also available on Youtube.

In this edition of Between Two Nerds Tom Uren and The Grugq discuss the breakdown of cyber norms. What would have been an unthinkable cyber operation just a few years ago is now a regular occurrence.

This episode is also available on YouTube.

In this podcast James Wilson and Brad Arkin chat about emerging trends in AI agent identity and credential management. Brad was formerly the CISO of Adobe, Cisco and Salesforce, and is now working with all sorts of companies that are deploying AI.

With everyone now in at least a large-scale pilot of agentic AI, the issue of how to manage agent identities and credentials is still an unsolved problem. But, some interesting patterns are emerging.