Videos

News, analysis and product demos

Risky Business Weekly (821): Wiz researchers could have owned every AWS customer

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, joined by a special guest. BBC World Cyber Correspondent Joe Tidy is a long-time listener and he pops in for a ride-along in the news segment plus a chat about his new book.

This week’s news includes:

  • Did the US cyber Venezuela’s power grid, or do they just want us to think they coulda?
  • US govt might boycott the RSAC Conference ‘cause Jen Easterly being CEO makes them mad
  • MS Patch Tuesday fixes CVSS5.5 bug and … stops you shutting down
  • Wiz pulls off cloud stunt hack that ends with control of everyone’s AWS console…

Between Two Nerds: Why the West sucks at Information Warfare

Presented by

Tom Uren

Policy & Intelligence

The Grugq

Independent Security Researcher

In this edition of Between Two Nerds Tom Uren and The Grugq talk about what information warfare even is, revisit a 30-year-old paper and examine why Western governments struggle with the concept.

Srsly Risky Biz: China Fights Scam Compounds … For China

Presented by

Tom Uren

Policy & Intelligence

Amberleigh Jack

Producer and Editor

Tom Uren and Amberleigh Jack talk about the Chinese government’s reactive approach to tackling scam compounds. It’s driven by bad news on domestic media and therefore focusses on the compounds that are targeting Chinese citizens. Rather than eliminating the industry, that may instead be shaping the industry to focus on other countries and particularly Americans.

They also discuss the role of disruptive cyber operations in the US’s raid to capture Venezuelan President Nicolás Maduro.

Risky Business Weekly (820): Asian fraud kingpin will face Chinese justice (pew pew!)

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Risky Business returns for 2026! Patrick Gray and Adam Boileau talk through the week’s cybersecurity news, including:

  • Santa brings hackers MongoDB memory leaks for Christmas
  • Vercel pays out a million bucks to improve its React2Shell WAF defences
  • 39C3 delivers; the pink Power Ranger deletes nazis, while a catgirl ruins GnuPG
  • Cambodian scam compound kingpin gets extradited to China, and we don’t think it’ll go well for him
  • Krebs picks apart the Kimwolf botnet and residential proxy networks
  • So many healthcare data leaks that we have a roundup section

This week’s episode is sponsored by Airlock Digital. The founders of the application allow-listing vendor, David Cottingham and Daniel Schell, discuss Microsoft’s ClickOnce .NET app packaging, and how attackers have been abusing it to load code. Airlock hates it when you load code!…

Between Two Nerds: Lights out!

Presented by

Tom Uren

Policy & Intelligence

The Grugq

Independent Security Researcher

In this edition of Between Two Nerds Tom Uren and The Grugq talk about the role of cyber operations in the US capture of Venezuela’s president Nicolas Maduro.

Srsly Risky Biz: Like Huawei, but for electricity

Presented by

Patrick Gray

CEO and Publisher

Tom Uren

Policy & Intelligence

Tom Uren and Patrick Gray talk about America’s increasing dependence on Chinese manufacturers for electrical sector equipment. This doesn’t seem like a good idea when China is hacking electric utilities for sabotage and PLA researchers are dreaming up ways to attack the grid.

They also discuss the possibility that the US was responsible for a cyber attack on Venezuela’s state oil company and how Russian state-backed hacktivism is so dumb.

Risky Business Weekly (819): Venezuela (credibly?!) blames USA for wiper attack

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

  • React2Shell attacks continue, surprising no one
  • The unholy combination of OAuth consent phishing, social engineering and Azure CLI
  • Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?!
  • Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain
  • Microsoft finally turns RC4 off by default in Active Directory Kerberos
  • Traefik’s TLS verify=on … turns it off, whoopsie 🤡

This week’s episode is sponsored by Sublime Security, makers of an email filtering solution that’s up for dealing with modern problems. Founder and CEO Josh Kamdjou joins to talk about calendar invite phishing, and the extra steps they’ve had to take to reach into people’s calendars and fix the mess. …

Between Three Nerds: The evolution of Iranian cyber espionage

Presented by

Tom Uren

Policy & Intelligence

The Grugq

Independent Security Researcher

In this edition of Between Two Nerds Tom Uren and The Grugq talk to Hamid Kashfi, CEO and founder of DarkCell, about the Iranian cyber espionage scene.

Kashfi talks about how the regime once forced people to hack and crushed the domestic security research scene. He describes how and why the government has changed its approach and is now reaping the rewards of improved Iranian capabilities.

Risky Biz Soap Box: Graph the planet!

Presented by

Patrick Gray

CEO and Publisher

In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph.

OpenGraph enumerates attack paths across platforms and services, not just your primary directories.

A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it.

Cross-platform attack path enumeration! So good!

Risky Business Weekly (818): React2Shell is a fun one

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

  • There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate?
  • China is out popping shells with it
  • Linux adds support for PCIe bus encryption
  • Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems
  • …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him?

This week’s episode is sponsored by Kroll Cyber. Simon Onyons is Managing Director at Kroll’s Cyber and Data Resilience arm, and he discusses a problem near to many of our hearts. Just how do you explain cyber risk to the board? …