Podcasts about cves

Coming up in this episode * AI's Won't Take Over Yet * Is Rust Open Source? * and All Kinds of Feedback The Video Version https://youtu.be/LxMpNIfhFiA 0:00 Cold Open 3:56 Curl's "AI Slop" Problem 25:12 A Little Viral Licensing 42:12 So Much Feedback ❤️ 42:30 ukwan / Youtube 51:16 jliljj / Youtube 56:35 fredstech1 / Youtube 1:00:15 conan kudo / Youtube 1:02:06 amanita / Patreon 1:05:13 redvamp128 / Youtube 1:09:35 The Rules, Commands & Next Time 1:19:12 Stinger The Curl project pushes back on AI slop The Ars Technica article (https://arstechnica.com/gadgets/2025/05/open-source-project-curl-is-sick-of-users-submitting-ai-slop-vulnerabilities/) The Curl project on Hacker One (https://hackerone.com/curl?type=team)

SAN FRANCISCO — RSA Conference 2025 "Sixty percent of the attacks we're tracking target low-profile vulnerabilities—things like privilege escalation and security bypasses, not the headline-making zero days," says Douglas McKee, Executive Director of Threat Research at SonicWall. Speaking live from the show floor at RSA 2025, McKee outlined how SonicWall is helping partners prioritize threats that are actually being exploited, not just those getting attention. In a fast-paced conversation with Technology Reseller News publisher Doug Green, McKee unveiled SonicWall's upcoming Managed Prevention Security Services (MPSS). The offering is designed to help reduce misconfigurations—a leading cause of breaches—by assisting with firewall patching and configuration validation. SonicWall is also collaborating with CySurance to package cyber insurance into this new managed service, providing peace of mind and operational relief to MSPs and customers alike. “Over 95% of the incidents we see are due to human error,” McKee noted. “With MPSS, we're stepping in as a partner to reduce that risk.” McKee also previewed an upcoming threat brief focused on Microsoft vulnerabilities, revealing an 11% year-over-year increase in attacks. Despite attention on high-profile CVEs, SonicWall's data shows attackers often rely on under-the-radar vulnerabilities with lower CVSS scores. For MSPs, McKee shared a stark warning: nearly 50% of the organizations SonicWall monitors are still vulnerable to decade-old exploits like Log4j and Heartbleed. SonicWall's telemetry-driven insights allow MSPs to focus remediation on widespread, high-impact threats. SonicWall's transformation from a firewall vendor to a full-spectrum cybersecurity provider was on display at RSA Booth #6353 (North Hall), where the company showcased its SonicSensory MDR, cloud offerings, and threat intelligence. "We've evolved into a complete cybersecurity partner," McKee said. "Whether it's in the cloud or on-prem, we're helping MSPs and enterprises defend smarter." Visitors to the SonicWall booth were treated to live presentations and fresh coffee—while those not attending can explore SonicWall's insights, including its February 2024 Threat Report and upcoming threat briefs, at www.sonicwall.com.

Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast! CHAOSScast – Episode 109 In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. Also, they touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more! [00:00:21] Our guests introduce themselves and their backgrounds. [00:01:55] Georg explains the rise of malicious packages (700%) and the risks of neglected open source components. [00:04:36] What is a SBOM? Brittany explains SBOMs as a list of all software components and libraries in each application and automation and tooling adoption is discussed. [00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns. [00:09:12] Georg gives a historical overview about SBOMs began as tools for license compliance and how SBOMs now cover more including cybersecurity, post U.S. Executive Order 14028 (May 2021). [00:15:51] Georg shares three pillars of SBOM strategy: License compliance, Security, and Project Health and how CHAOSS Metrics can be combined with SBOMs to move from reactive to proactive strategies. [00:16:59] Brittany emphasizes risk analysis and good design from project inception and proactive open source strategies save effort later. [00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness. [00:21:28] Brittany stresses internal engineering education on project health and risk and developer smush understand what makes a project “healthy.” [00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration. [00:27:36] Cali shares Red Hat's efforts to define what makes a project vulnerable and how it's focused on detecting and sunsetting unmaintained dependencies. [00:31:37] Brittany emphasizes risk from version mismatches and misinterpreted CVEs and mentions a CHAOSS doc to read, “Metrics for OSS Viability” by Gary White. [00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26 and Open Source Summit North America, June 23-25. Value Adds (Picks) of the week: [00:36:08] Georg's pick is building a platform for his dog to look out the window. [00:37:06] Brittany's pick is spending time with Georg and Cali. [00:38:12] Cali's pick is her great support system since having ACL surgery. *Panelist: * Georg Link Guests: Cali Dolfi Brittany Istenes Links: CHAOSS (https://chaoss.community/) CHAOSS Project X (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) podcast@chaoss.community (mailto:podcast@chaoss.community) Georg Link Website (https://georg.link/) Britany Istenes LinkedIn (https://www.linkedin.com/in/brittany-istenes-91b902152/) Brittany Istenes GitHub (https://github.com/BrittanyIstenes) Cali Dolfi LinkedIn (https://www.linkedin.com/in/calidolfi/) State of the Software Supply Chain (Sonatype) (https://www.sonatype.com/state-of-the-software-supply-chain/introduction) CHAOSScast Podcast-Episode 103: GrimoireLab at FreeBSD (https://podcast.chaoss.community/103) CHAOSS Community: Metrics for OSS Viability by Gary White (https://chaoss.community/viability-metrics-what-its-made-of/) CHAOSScon North America 2025, Denver, CO, June 26 (https://chaoss.community/chaosscon-2025-na/) Open Source Summit North America, Denver CO, June 23-25 (https://events.linuxfoundation.org/open-source-summit-north-america/) Fintech Open Source (FINOS) (https://www.finos.org/) Cyber Resilience Act (European Commission) (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act) Rising Threat: Understanding Software Supply Chain Cyberattacks And Protecting Against Them(Forbes) (https://www.forbes.com/councils/forbestechcouncil/2024/02/06/rising-threat-understanding-software-supply-chain-cyberattacks-and-protecting-against-them/) Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity (The White House) (https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/) Types of Software Bill of Material (SBOM) Documents (https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf) OpenSSF Scorecard (https://openssf.org/projects/scorecard/) OSS Project Viability Starter (CHAOSS) (https://chaoss.community/kb/metrics-model-project-viability-starter/) Show Me What You Got: Turning SBOMs Into Actions- Georg Link & Brittany Istenes (https://lfms25.sched.com/event/1urWz) Special Guests: Brittany Istenes and Cali Dolfi.

Forecast = Scattered phishing attempts with a 90% chance of encrypted clouds. ‍ In this episode of Storm⚡️Watch, the crew dissects the evolving vulnerability tracking landscape and the challenges facing defenders as they move beyond the aging CVE system. The show also highlights the rise of sophisticated bot traffic, the expansion of GreyNoise's Global Observation Grid, and fresh tools from VulnCheck and Censys that are helping security teams stay ahead of real-time threats. In our listener poll this week, we ask: what would you do if you found a USB stick? It's a classic scenario that always sparks debate about curiosity versus caution in cybersecurity. It's officially cyber report season, and we're breaking down the latest findings from some of the industry's most influential threat intelligence teams. GreyNoise's new research spotlights the growing risk from resurgent vulnerabilities-those old flaws that go quiet for years before suddenly making a comeback, often targeting edge devices like routers and VPNs. The FBI's 2024 IC3 report is out, revealing a record $16.6 billion in reported losses last year, with phishing, extortion, and business email compromise topping the charts. Mandiant's M-Trends 2025, VulnCheck's Q1 exploitation trends, and other reports all point to a relentless pace of vulnerability weaponization, with nearly a third of new CVEs being exploited within 24 hours of disclosure. We also dig into a series of ace blog posts and research from Censys, including their push to end stale indicators and their deep dives into the sharp rise in attacks targeting edge security devices. Their recent work with GreyNoise and CursorAI on botnet hunting, as well as their new threat hunting module, are changing the game for proactive defense. VulnCheck's quarterly report is raising eyebrows with the revelation that 159 vulnerabilities were exploited in Q1 2025 alone, and 28% of those were weaponized within a single day of disclosure. This underscores how quickly attackers are operationalizing new exploits and why defenders need to move faster than ever. We round out the show with the latest from runZero and a look at GreyNoise's recent findings, including a ninefold surge in Ivanti Connect Secure scanning and a spike in Git configuration crawling-both of which highlight the ongoing risk of codebase exposure and the need for continuous vigilance. Storm Watch Homepage >> Learn more about GreyNoise >>  

What would happen if the US government halted funding for the CVE program? In this episode, we explore the controversies surrounding the funding of the CVE program, the role of CVEs in the cybersecurity industry, and the recent launch of the CVE Foundation. We also discuss the Trump Administration's executive order that revoked the security […] The post The Impact of Politics on Cybersecurity: CVE's and the Chris Krebs Executive Order appeared first on Shared Security Podcast.

Forecast = Prepare for scattered CVEs, rising bot storms, and real-time threat lightning. Keep your digital umbrellas handy! ‍ On this episode of Storm⚡️Watch, we're breaking down the latest shifts in the vulnerability tracking landscape, starting with the ongoing turbulence in the CVE program. As the MITRE-run CVE system faces funding uncertainty and a potential transition to nonprofit status, the global security community is rapidly adapting. New standards and databases are emerging to fill the gaps—Europe's ENISA is rolling out the EU Vulnerability Database to ensure regional control, while China continues to operate its own state-mandated systems. Meanwhile, the CVE ecosystem's chronic delays and the NVD's new “Deferred” status for tens of thousands of older vulnerabilities are pushing teams to look elsewhere for timely, enriched vulnerability data. Open-source projects like OSV.dev and commercial players such as VulnCheck and Snyk are stepping up, offering real-time enrichment, exploit intelligence, and predictive scoring to help organizations prioritize what matters most. The result is a fragmented but innovative patchwork of regional, decentralized, open-source, and commercial solutions, with hybrid approaches quickly becoming the norm for defenders worldwide. We're also diving into Imperva's 2024 Bad Bot Report, which reveals that nearly a third of all internet traffic last year came from malicious bots. These bots are getting more sophisticated—using residential proxies, mimicking human behavior, and bypassing traditional defenses. The report highlights a surge in account takeover attacks and shows that industries like entertainment and retail are especially hard hit, with bot traffic now outpacing human visitors in some sectors. The rise of simple bots, fueled by easy-to-use AI tools, is reshaping the threat landscape, while advanced and evasive bots continue to challenge even the best detection systems. On the threat intelligence front, GreyNoise has just launched its Global Observation Grid—now the largest deception sensor network in the world, with thousands of sensors in over 80 countries. This expansion enables real-time, verifiable intelligence on internet scanning and exploitation, helping defenders cut through the noise and focus on the threats that matter. GreyNoise's latest research shows attackers are exploiting vulnerabilities within hours of disclosure, with a significant portion of attacks targeting legacy flaws from years past. Their data-driven insights are empowering security teams to prioritize patching and response based on what's actually being exploited in the wild, not just theoretical risk. We're also spotlighting Censys and its tools for tracking botnets and advanced threats, including collaborative projects with GreyNoise and CursorAI. Their automated infrastructure mapping and pivoting capabilities are helping researchers quickly identify related malicious hosts and uncover the infrastructure behind large-scale attacks. Finally, VulnCheck continues to bridge the gap during the CVE program's uncertainty, offering autonomous enrichment, real-time exploit tracking, and comprehensive coverage—including for CVEs that NVD has deprioritized. Their Known Exploited Vulnerabilities catalog and enhanced NVD++ service are giving defenders a broader, faster view of the threat landscape, often surfacing critical exploitation activity weeks before it's reflected in official government feeds. As the vulnerability management ecosystem splinters and evolves, organizations are being forced to rethink their strategies—embracing a mix of regional, open-source, and commercial intelligence to maintain visibility and stay ahead of attackers. The days of relying on a single source of truth for vulnerability data are over, and the future is all about agility, automation, and real-time insight. Storm Watch Homepage >> Learn more about GreyNoise >>  

IBM has released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. The 2025 report tracks new and existing trends and attack patterns - pulling from incident response engagements, dark web and other threat intelligence sources. Some key findings in the 2025 report include: Critical infrastructure organizations accounted for 70% of all attacks that IBM X-Force responded to last year, with more than one quarter of these attacks caused by vulnerability exploitation. More cybercriminals opted to steal data (18%) than encrypt it (11%) as advanced detection technologies and increased law enforcement efforts pressure cybercriminals to adopt faster exit paths. Nearly one in three incidents observed in 2024 resulted in credential theft, as attackers invest in multiple pathways to quickly access, exfiltrate and monetize login information. "Cybercriminals are most often breaking in without breaking anything - capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points" said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM. "Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data." Patching Challenges Expose Critical Infrastructure Sectors to Sophisticated Threats Reliance on legacy technology and slow patching cycles prove to be an enduring challenge for critical infrastructure organizations as cybercriminals exploited vulnerabilities in more than one-quarter of incidents that IBM X-Force responded to in this sector last year. In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM X-Force found that four out of the top ten have been linked to sophisticated threat actor groups, including nation-state adversaries, escalating the risk of disruption, espionage and financial extortion. Exploit codes for these CVEs were openly traded on numerous forums - fueling a growing market for attacks against power grids, health networks and industrial systems. This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited. Automated Credential Theft Sparks Chain Reaction In 2024, IBM X-Force observed an uptick in phishing emails delivering infostealers and early data for 2025 reveals an even greater increase of 180% compared to 2023. This upward trend fueling follow-on account takeovers may be attributed to attackers leveraging AI to create phishing emails at scale. Credential phishing and infostealers have made identity attacks cheap, scalable and highly profitable for threat actors. Infostealers enable the quick exfiltration of data, reducing their time on target and leaving little forensic residue behind. In 2024, the top five infostealers alone had more than eight million advertisements on the dark web and each listing can contain hundreds of credentials. Threat actors are also selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to circumvent multi-factor authentication (MFA). The rampant availability of compromised credentials and MFA bypass methods indicates a high-demand economy for unauthorized access that shows no signs of slowing down. Ransomware Operators Shift to Lower-Risk Models While ransomware made up the largest share of malwa...

In this interview, we're excited to speak with Pravi Devineni, who was into AI before it was insane. Pravi has a PhD in AI and remembers the days when machine learning (ML) and AI were synonymous. This is where we'll start our conversation: trying to get some perspective around how generative AI has changed the overall landscape of AI in the enterprise. Then, we move on to the topic of AI safety and whether that should be the CISO's job, or someone else's. Finally, we'll discuss the future of AI and try to end on a positive or hopeful note! What a time to have this conversation! Mere days from the certain destruction of CVE, averted only in the 11th hour, we have a chat about vulnerability management lifecycles. CVEs are definitely part of them. Vulnerability management is very much a hot mess at the moment for many reasons. Even with perfectly stable support from the institutions that catalog and label vulnerabilities from vendors, we'd still have some serious issues to address, like: disconnects between vulnerability analysts and asset owners gaps and issues in vulnerability discovery and asset management different options for workflows between security and IT: which is best? patching it like you stole it Oh, did we mention Matt built an open source vuln scanner? https://sirius.publickey.io/ In the enterprise security news, lots of funding, but no acquisitions? New companies new tools including a SecOps chrome plugin and a chrome plugin that tells you the price of enterprise software prompt engineering tips from google being an Innovation Sandbox finalist will cost you Security brutalism CVE dumpster fires and a heartwarming story about a dog, because we need to end on something happy! All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-403

In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently. Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII Chapters 00:00 Introduction to CVE and CVSS 01:13 History of Vulnerability Tracking 03:07 The CVE System Explained 06:47 Understanding CVSS Scoring 13:11 Recent Funding Crisis and Its Impact 15:53 Future of the CVE Program 18:27 Conclusion and Final Thoughts

In this interview, we're excited to speak with Pravi Devineni, who was into AI before it was insane. Pravi has a PhD in AI and remembers the days when machine learning (ML) and AI were synonymous. This is where we'll start our conversation: trying to get some perspective around how generative AI has changed the overall landscape of AI in the enterprise. Then, we move on to the topic of AI safety and whether that should be the CISO's job, or someone else's. Finally, we'll discuss the future of AI and try to end on a positive or hopeful note! What a time to have this conversation! Mere days from the certain destruction of CVE, averted only in the 11th hour, we have a chat about vulnerability management lifecycles. CVEs are definitely part of them. Vulnerability management is very much a hot mess at the moment for many reasons. Even with perfectly stable support from the institutions that catalog and label vulnerabilities from vendors, we'd still have some serious issues to address, like: disconnects between vulnerability analysts and asset owners gaps and issues in vulnerability discovery and asset management different options for workflows between security and IT: which is best? patching it like you stole it Oh, did we mention Matt built an open source vuln scanner? https://sirius.publickey.io/ In the enterprise security news, lots of funding, but no acquisitions? New companies new tools including a SecOps chrome plugin and a chrome plugin that tells you the price of enterprise software prompt engineering tips from google being an Innovation Sandbox finalist will cost you Security brutalism CVE dumpster fires and a heartwarming story about a dog, because we need to end on something happy! All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-403

What a time to have this conversation! Mere days from the certain destruction of CVE, averted only in the 11th hour, we have a chat about vulnerability management lifecycles. CVEs are definitely part of them. Vulnerability management is very much a hot mess at the moment for many reasons. Even with perfectly stable support from the institutions that catalog and label vulnerabilities from vendors, we'd still have some serious issues to address, like: disconnects between vulnerability analysts and asset owners gaps and issues in vulnerability discovery and asset management different options for workflows between security and IT: which is best? patching it like you stole it Oh, did we mention Matt built an open source vuln scanner? https://sirius.publickey.io/ Show Notes: https://securityweekly.com/esw-403

What a time to have this conversation! Mere days from the certain destruction of CVE, averted only in the 11th hour, we have a chat about vulnerability management lifecycles. CVEs are definitely part of them. Vulnerability management is very much a hot mess at the moment for many reasons. Even with perfectly stable support from the institutions that catalog and label vulnerabilities from vendors, we'd still have some serious issues to address, like: disconnects between vulnerability analysts and asset owners gaps and issues in vulnerability discovery and asset management different options for workflows between security and IT: which is best? patching it like you stole it Oh, did we mention Matt built an open source vuln scanner? https://sirius.publickey.io/ Show Notes: https://securityweekly.com/esw-403

In this episode of Product Talk, Peter and Steph are joined by special guest Josh Kriese, Senior UX Developer at Automox, to dive into the latest product updates and design innovations. They cover the release of Automox Analytics, a powerful new reporting engine that introduces MTTR benchmarking and visibility into known exploited vulnerabilities (KEVs). The team also unveils the new end user notification system, built to improve reboot compliance and user trust. Plus, Josh gives a behind-the-scenes look at the evolving Automox design system—what it means for usability, accessibility, and why consistent UI matters more than you may think.

Treasury's OCC reports a major email breach. Patch Tuesday updates. A critical vulnerability in AWS Systems Manager (SSM) Agent allowed attackers to execute arbitrary code with root privileges.  Experts urge Congress to keep strict export controls to help slow China's progress in AI. A critical bug in WhatsApp for Windows allows malicious code execution.CISA adds multiple advisories on actively exploited vulnerabilities. Insider threat allegations rock a major Maryland medical center. Microsoft's Ann Johnson from Afternoon Cyber Tea is joined by Jack Rhysider, the creator and host of the acclaimed podcast Darknet Diaries. Feds Aim to Rewrite Social Security Code in Record Time.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest In this episode of Afternoon Cyber Tea, Ann Johnson is joined by Jack Rhysider, the creator and host of the acclaimed podcast Darknet Diaries. You can hear the full conversation here. Be sure to catch new episodes of Afternoon Cyber Tea every other Tuesday on N2K CyberWIre and your favorite podcast app.  Selected Reading Treasury's OCC Says Hackers Had Access to 150,000 Emails (SecurityWeek) Microsoft Fixes Over 130 CVEs in April Patch Tuesday (Infosecurity Magazine) Vulnerabilities Patched by Ivanti, VMware, Zoom (SecurityWeek) Fortinet Patches Critical FortiSwitch Vulnerability (SecurityWeek) ICS Patch Tuesday: Vulnerabilities Addressed by Rockwell, ABB, Siemens, Schneider (SecurityWeek) AWS Systems Manager Plugin Vulnerability Let Attackers Execute Arbitrary Code (Cyber Security News) Tech experts recommend full steam ahead on US export controls for AI (CyberScoop) Don't open that file in WhatsApp for Windows just yet (The Register) CISA Warns of Microsoft Windows CLFS Vulnerability Exploited in Wild (Cyber Security News) CISA Urges Urgent Patching for Exploited CentreStack, Windows Zero-Days (SecurityWeek) Pharmacist accused of spying on women using work, home cams (The Register) DOGE Plans to Rebuild SSA Code Base in Months, Risking Benefits and System Collapse (WIRED)  Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Cisco Systems has a sprawling portfolio of home-grown and acquired products. What’s it like trying to find and address bugs and vulnerabilities across this portfolio? Omar Santos, a Distinguished Engineer at Cisco, gives us an inside look. We dig into how Cisco identifies security bugs using internal and external sources, the growing role of AI... Read more »

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure. Segment resources https://owasp.org/Top10/A042021-InsecureDesign/ https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/securebydesign https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-325

Cisco Systems has a sprawling portfolio of home-grown and acquired products. What’s it like trying to find and address bugs and vulnerabilities across this portfolio? Omar Santos, a Distinguished Engineer at Cisco, gives us an inside look. We dig into how Cisco identifies security bugs using internal and external sources, the growing role of AI... Read more »

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure. Segment resources https://owasp.org/Top10/A042021-InsecureDesign/ https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/securebydesign https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/ Show Notes: https://securityweekly.com/asw-325

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure. Segment resources https://owasp.org/Top10/A042021-InsecureDesign/ https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/securebydesign https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-325

Forecast: Patchy with a 32% backlog surge, CVE squalls causing auth bypass showers, and Lazarus fronts looming—keep your threat umbrellas handy!"

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure. Segment resources https://owasp.org/Top10/A042021-InsecureDesign/ https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/securebydesign https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/ Show Notes: https://securityweekly.com/asw-325

Trump fires NSA and CyberCom leadership, CISA looks likely to be halved in size, hackers hit Australian pension funds, and NIST gives up on old CVEs in its backlog. Show notes

In a conversation that sets the tone for this year's RSA Conference, Steve Wilson, shares a candid look at how AI is intersecting with cybersecurity in real and measurable ways. Wilson, who also leads the OWASP Top 10 for Large Language Models project and recently authored a book published by O'Reilly on the topic, brings a multi-layered perspective to a discussion that blends strategy, technology, and organizational behavior.Wilson's session title at RSA Conference—“Are the Machines Learning, or Are We?”—asks a timely question. Security teams are inundated with data, but without meaningful visibility—defined not just as seeing, but understanding and acting on what you see—confidence in defense capabilities may be misplaced. Wilson references a study conducted with IDC that highlights this very disconnect: organizations feel secure, yet admit they can't see enough of their environment to justify that confidence.This episode tackles one of the core paradoxes of AI in cybersecurity: it offers the promise of enhanced detection, speed, and insight, but only if applied thoughtfully. Generative AI and large language models (LLMs) aren't magical fixes, and they struggle with large datasets. But when layered atop refined systems like user and entity behavior analytics (UEBA), they can help junior analysts punch above their weight—or even automate early-stage investigations.Wilson doesn't stop at the tools. He zooms out to the business implications, where visibility, talent shortages, and tech complexity converge. He challenges security leaders to rethink what visibility truly means and to recognize the mounting noise problem. The industry is chasing 40% more CVEs year over year—an unsustainable growth curve that demands better signal-to-noise filtering.At its heart, the episode raises important strategic questions: Are businesses merely offloading thinking to machines? Or are they learning how to apply these technologies to think more clearly, act more decisively, and structure teams differently?Whether you're building a SOC strategy, rethinking tooling, or just navigating the AI hype cycle, this conversation with Steve Wilson offers grounded insights with real implications for today—and tomorrow.

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-324

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Show Notes: https://securityweekly.com/asw-324

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-324

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Show Notes: https://securityweekly.com/asw-324

The dark web is full of mystery. Some of it's just made up though. Chris Monteiro wanted to see what was real and fake and discovered a hitman for hire site which took him on an unbelievable journey.Chris Monteiro Twitter: x.com/Deku_shrub, Website: https://pirate.london/Carl Miller Twitter: https://x.com/carljackmiller.Kill List podcast: https://wondery.com/shows/kill-list/SponsorsSupport for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.This episode is sponsored by ProjectDiscovery. Tired of false positives and falling behind on new CVEs? Upgrade to Nuclei and ProjectDiscovery, the go-to tools for hackers and pentesters. With 10,000 detection templates, Nuclei helps you scan for exploitable vulnerabilities fast, while ProjectDiscovery lets you map your company's perimeter, detect trending exploits, and triage results in seconds. Get automation, accuracy, and peace of mind. First-time users get one month FREE of ProjectDiscovery Pro with code DARKNET at projectdiscovery.io/darknet.This episode is sponsored by Kinsta. Running an online business comes with enough headaches—your WordPress hosting shouldn't be one of them. Kinsta's managed hosting takes care of speed, security, and reliability so you can focus on what matters. With enterprise-level security, a modern dashboard that's actually intuitive, and 24/7 support from real WordPress experts (not chatbots), Kinsta makes hosting stress-free. Need to move your site? They'll migrate it for free. Plus, get your first month free when you sign up at kinsta.com/DARKNET.

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-321

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Show Notes: https://securityweekly.com/asw-321

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-321

Forecast: Cloudy with a chance of compromised credentials and scattered vulnerabilities—stay alert out there! ‍ In this episode of Storm⚡️Watch, we're unpacking some of the most pressing developments in cybersecurity and what they mean for the industry. First, we tackle the state of CISA and its mounting challenges. From allegations that the Trump administration ordered U.S. Cyber Command and CISA to stand down on addressing Russian cyber threats, to financial groups pushing back against CISA's proposed incident reporting rule, there's no shortage of turbulence. Adding fuel to the fire, Homeland Security Secretary Kristi Noem has disbanded eight federal advisory committees, including key cybersecurity groups, citing compliance with a Trump-era executive order. Critics argue these cuts could weaken public-private collaboration and hinder CISA's ability to protect critical infrastructure. We'll break down what all this means for the future of cybersecurity leadership in the U.S. Next, we revisit a shocking case involving a U.S. soldier who plans to plead guilty to hacking 15 telecom carriers. This story highlights the ongoing risks posed by insider threats and the vulnerabilities within telecom networks, which are often targeted for their treasure troves of sensitive data. We'll explore how this case unfolded, what it reveals about vetting processes for individuals with access to critical systems, and the broader implications for cybersecurity in government-affiliated organizations. We also spotlight some fascinating research from Censys on a phishing scam exploiting toll systems across multiple states. Attackers are leveraging cheap foreign SIM cards and Chinese-hosted infrastructure in a campaign that keeps evolving. Plus, RunZero sheds light on a critical vulnerability affecting Edimax IP cameras (CVE-2025-1316), while GreyNoise reports on mass exploitation of a PHP-CGI vulnerability (CVE-2024-4577) and active threats linked to Silk Typhoon-associated CVEs. Storm Watch Homepage >> Learn more about GreyNoise >>  

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Show Notes: https://securityweekly.com/asw-321

In this episode of Exploit Brokers, we dive into the dark world of cybercrime, exploring two alarming topics: a malicious Android loan app masquerading as a financial tool and Xerox printer vulnerabilities that could be leaking your credentials. Learn how loan sharks have moved from traditional methods to sophisticated digital predation, exploiting unsuspecting users via apps like SpyLoan. We break down how these apps bypass Google Play's protections, steal sensitive data, and push predatory lending practices, especially targeting vulnerable users. Additionally, we uncover how attackers are using patched vulnerabilities in Xerox Versalink C7025 printers to manipulate configurations, capture user credentials, and potentially gain lateral access to entire Windows environments. Whether you're a tech enthusiast or a cybersecurity professional, this episode offers valuable insights into how digital crime is evolving and what you can do to protect yourself. Don't forget to like, subscribe, and hit the notification bell for more in-depth analyses on cybersecurity threats and exploits. #CyberSecurity #AndroidMalware #LoanSharks #XeroxPrinterHack #DataBreach #DigitalCrime #SpyLoan #CyberThreats #ExploitBrokers #TechNews

Forecast = Expect a storm of insights as we tackle cybersecurity's cloudy diversity gaps, edge device downpours, and ransomware winds blowing from Black Basta! ‍ In this episode of Storm⚡️Watch, we kick things off with an insightful interview with Mary N. Chaney, the CEO of Minorities in Cybersecurity (MiC). MiC is a groundbreaking organization dedicated to addressing the lack of support and representation for women and minority leaders in cybersecurity. Mary shares how MiC is building a community that fosters leadership development and equips members with essential skills for career advancement. We also discuss the alarming statistics that highlight the underrepresentation of minorities in cybersecurity leadership roles and explore how MiC's programs, like The MiC Inclusive Community™ and The MiC Leadership Series™, are making a tangible difference. Next, the crew descends into a critical discussion about edge security products, drawing on insights from Censys. These devices, while vital for network protection, are increasingly becoming prime targets for attackers. We examine recent vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog, including flaws in products from Palo Alto Networks and SonicWall, and explore how state-sponsored actors like Salt Typhoon are exploiting these weaknesses. The conversation underscores the importance of proactive patch management and tools like attack surface monitoring to mitigate risks. In the next segment, we analyze leaked chat logs from the Black Basta ransomware group with insights from VulnCheck. These logs reveal how Black Basta prioritizes vulnerabilities in widely used enterprise technologies, their rapid response to new advisories, and even their pre-publication knowledge of certain CVEs. We break down their strategy for selecting targets based on financial viability, industry focus, and vulnerability presence, offering actionable advice for defenders to stay ahead. Finally, we turn our attention to GreyNoise's recent observations of active exploitation campaigns targeting Cisco vulnerabilities by Salt Typhoon, a Chinese state-sponsored group. Using data from GreyNoise's global observation grid, we discuss how legacy vulnerabilities like CVE-2018-0171 remain valuable tools for advanced threat actors. This segment highlights the importance of patching unaddressed issues and leveraging real-time threat intelligence to protect critical infrastructure. Storm Watch Homepage >> Learn more about GreyNoise >>  

RJJ Software's Software Development Service This episode of The Modern .NET Show is supported, in part, by RJJ Software's Podcasting Services, whether your company is looking to elevate its UK operations or reshape its US strategy, we can provide tailored solutions that exceed expectations. Show Notes "I always believe, and this is taking my kind of Microsoft hat off, and I'm sharing my personal view here. I definitely believe regardless of the public cloud provider in question, they're all part of a bigger ecosystem. And I emphasize the word ecosystem. I believe security as, you know, a problem statement of our time, it's just so complex that it really can't be solved by a single company or by a single organization or a single individual. You really need to see like collaboration and cooperation taking place across different sectors, across different public cloud providers."— Bojan Magušić Welcome friends to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. We are the go-to podcast for .NET developers worldwide, and I am your host: Jamie "GaProgMan" Taylor. In this episode, Bojan Magušić joined us to talk about both his new book "Azure Security" but also his work as part of the security team at Azure and his top tips for protecting your digital landscape (aka your apps and services) on the public cloud. Not only did Bojan and I talk about the security aspects of protecting your public cloud digital landscape, but we also talked about how all the public cloud providers actually work together to ensure that everyone is protected from CVEs and exploits when they are discovered. An application of the Infinite Game, if you will—if you're not sure what that is, we cover that in the episode, too. "So instead of at times you know thinking of it as a zero-sum game, I definitely believe there is opportunity to kind of expand the ecosystem and partner in meaningful ways where we can share information and share insights and guidance and even skill sets that are going to make us all as an industry and, you know, as clients more secure."— Bojan Magušić Anyway, without further ado, let's sit back, open up a terminal, type in `dotnet new podcast` and we'll dive into the core of Modern .NET. Supporting the Show If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show. Full Show Notes The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-7/the-infinite-game-meets-azure-security-with-bojan-magusic/ Useful Links Bojan on LinkedIn Azure Security OWASP ZAP—now owned by Checkmarx Supporting the show: Leave a rating or review Buy the show a coffee Become a patron Getting in Touch: Via the contact page Joining the Discord Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast. Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show

Cyber Security Today: OpenSSH Vulnerabilities and Black Stash's Stolen Cards In this episode, host Jim Love discusses two significant OpenSSH vulnerabilities that risk man-in-the-middle and denial-of-service attacks. The hacker group Black Stash has released 4 million stolen credit cards for free, potentially enticing further illegal activities. Palo Alto Networks' firewalls face active attacks, with multiple CVEs allowing privilege escalation and bypassing authentication. Critical updates and secure management practices are emphasized to protect systems. 00:00 Introduction and Headlines 00:21 OpenSSH Vulnerabilities Explained 02:39 BlackStash's Stolen Credit Card Dump 04:40 Palo Alto Networks Under Attack 06:21 Conclusion and Contact Information

The hosts analyze a series of recently released vulnerabilities and CVEs, offer expert insights, and detail their implications for cybersecurity. They review key threats impacting Active Directory, Windows systems, and Apple devices, emphasizing the ease of exploitation and the pressing need for timely patching. The conversation stresses the importance of implementing strong, defense-in-depth cybersecurity strategies.

Arnaud et Emmanuel discutent des nouvelles de ce mois. On y parle intégrité de JVM, fetch size de JDBC, MCP, de prompt engineering, de DeepSeek bien sûr mais aussi de Maven 4 et des proxy de répository Maven. Et d'autres choses encore, bonne lecture. Enregistré le 7 février 2025 Téléchargement de l'épisode LesCastCodeurs-Episode-322.mp3 ou en vidéo sur YouTube. News Langages Les evolutions de la JVM pour augmenter l'intégrité https://inside.java/2025/01/03/evolving-default-integrity/ un article sur les raisons pour lesquelles les editeurs de frameworks et les utilisateurs s'arrachent les cheveux et vont continuer garantir l'integrite du code et des données en enlevant des APIs existantes historiquemnt agents dynamiques, setAccessible, Unsafe, JNI Article expliques les risques percus par les mainteneurs de la JVM Franchement c'est un peu leg sur les causes l'article, auto propagande JavaScript Temporal, enfin une API propre et moderne pour gérer les dates en JS https://developer.mozilla.org/en-US/blog/javascript-temporal-is-coming/ JavaScript Temporal est un nouvel objet conçu pour remplacer l'objet Date, qui présente des défauts. Il résout des problèmes tels que le manque de prise en charge des fuseaux horaires et la mutabilité. Temporal introduit des concepts tels que les instants, les heures civiles et les durées. Il fournit des classes pour gérer diverses représentations de date/heure, y compris celles qui tiennent compte du fuseau horaire et celles qui n'en tiennent pas compte. Temporal simplifie l'utilisation de différents calendriers (par exemple, chinois, hébreu). Il comprend des méthodes pour les comparaisons, les conversions et le formatage des dates et des heures. La prise en charge par les navigateurs est expérimentale, Firefox Nightly ayant l'implémentation la plus aboutie. Un polyfill est disponible pour essayer Temporal dans n'importe quel navigateur. Librairies Un article sur les fetch size du JDBC et les impacts sur vos applications https://in.relation.to/2025/01/24/jdbc-fetch-size/ qui connait la valeur fetch size par default de son driver? en fonction de vos use cases, ca peut etre devastateur exemple d'une appli qui retourne 12 lignes et un fetch size de oracle a 10, 2 a/r pour rien et si c'est 50 lignres retournées la base de donnée est le facteur limitant, pas Java donc monter sont fetch size est avantageux, on utilise la memoire de Java pour eviter la latence Quarkus annouce les MCP servers project pour collecter les servier MCP en Java https://quarkus.io/blog/introducing-mcp-servers/ MCP d'Anthropic introspecteur de bases JDBC lecteur de filke system Dessine en Java FX demarrables facilement avec jbang et testes avec claude desktop, goose et mcp-cli permet d'utliser le pouvoir des librarires Java de votre IA d'ailleurs Spring a la version 0.6 de leur support MCP https://spring.io/blog/2025/01/23/spring-ai-mcp-0 Infrastructure Apache Flink sur Kibernetes https://www.decodable.co/blog/get-running-with-apache-flink-on-kubernetes-2 un article tres complet ejn deux parties sur l'installation de Flink sur Kubernetes installation, setup mais aussi le checkpointing, la HA, l'observablité Data et Intelligence Artificielle 10 techniques de prompt engineering https://medium.com/google-cloud/10-prompt-engineering-techniques-every-beginner-should-know-bf6c195916c7 Si vous voulez aller plus loin, l'article référence un très bon livre blanc sur le prompt engineering https://www.kaggle.com/whitepaper-prompt-engineering Les techniques évoquées : Zero-Shot Prompting: On demande directement à l'IA de répondre à une question sans lui fournir d'exemple préalable. C'est comme si on posait une question à une personne sans lui donner de contexte. Few-Shot Prompting: On donne à l'IA un ou plusieurs exemples de la tâche qu'on souhaite qu'elle accomplisse. C'est comme montrer à quelqu'un comment faire quelque chose avant de lui demander de le faire. System Prompting: On définit le contexte général et le but de la tâche pour l'IA. C'est comme donner à l'IA des instructions générales sur ce qu'elle doit faire. Role Prompting: On attribue un rôle spécifique à l'IA (enseignant, journaliste, etc.). C'est comme demander à quelqu'un de jouer un rôle spécifique. Contextual Prompting: On fournit des informations supplémentaires ou un contexte pour la tâche. C'est comme donner à quelqu'un toutes les informations nécessaires pour répondre à une question. Step-Back Prompting: On pose d'abord une question générale, puis on utilise la réponse pour poser une question plus spécifique. C'est comme poser une question ouverte avant de poser une question plus fermée. Chain-of-Thought Prompting: On demande à l'IA de montrer étape par étape comment elle arrive à sa conclusion. C'est comme demander à quelqu'un d'expliquer son raisonnement. Self-Consistency Prompting: On pose plusieurs fois la même question à l'IA et on compare les réponses pour trouver la plus cohérente. C'est comme vérifier une réponse en la posant sous différentes formes. Tree-of-Thoughts Prompting: On permet à l'IA d'explorer plusieurs chemins de raisonnement en même temps. C'est comme considérer toutes les options possibles avant de prendre une décision. ReAct Prompting: On permet à l'IA d'interagir avec des outils externes pour résoudre des problèmes complexes. C'est comme donner à quelqu'un les outils nécessaires pour résoudre un problème. Les patterns GenAI the thoughtworks https://martinfowler.com/articles/gen-ai-patterns/ tres introductif et pre RAG le direct prompt qui est un appel direct au LLM: limitations de connaissance et de controle de l'experience eval: evaluer la sortie d'un LLM avec plusieurs techniques mais fondamentalement une fonction qui prend la demande, la reponse et donc un score numerique evaluation via un LLM (le meme ou un autre), ou evaluation humaine tourner les evaluations a partir de la chaine de build amis aussi en live vu que les LLMs puvent evoluer. Decrit les embedding notament d'image amis aussi de texte avec la notion de contexte DeepSeek et la fin de la domination de NVidia https://youtubetranscriptoptimizer.com/blog/05_the_short_case_for_nvda un article sur les raisons pour lesquelles NVIDIA va se faire cahllengert sur ses marges 90% de marge quand meme parce que les plus gros GPU et CUDA qui est proprio mais des approches ardware alternatives existent qui sont plus efficientes (TPU et gros waffle) Google, MS et d'autres construisent leurs GPU alternatifs CUDA devient de moins en moins le linga franca avec l'investissement sur des langages intermediares alternatifs par Apple, Google OpenAI etc L'article parle de DeepSkeek qui est venu mettre une baffe dans le monde des LLMs Ils ont construit un competiteur a gpt4o et o1 avec 5M de dollars et des capacites de raisonnements impressionnant la cles c'etait beaucoup de trick d'optimisation mais le plus gros est d'avoir des poids de neurores sur 8 bits vs 32 pour les autres. et donc de quatizer au fil de l'eau et au moment de l'entrainement beaucoup de reinforcemnt learning innovatifs aussi et des Mixture of Expert donc ~50x moins chers que OpenAI Donc plus besoin de GPU qui on des tonnes de vRAM ah et DeepSeek est open source un article de semianalytics change un peu le narratif le papier de DeepSkeek en dit long via ses omissions par ensemple les 6M c'est juste l'inference en GPU, pas les couts de recherches et divers trials et erreurs en comparaison Claude Sonnet a coute 10M en infererence DeepSeek a beaucoup de CPU pre ban et ceratins post bans evalués a 5 Milliards en investissement. leurs avancées et leur ouverture reste extremement interessante Une intro à Apache Iceberg http://blog.ippon.fr/2025/01/17/la-revolution-des-donnees-lavenement-des-lakehouses-avec-apache-iceberg/ issue des limites du data lake. non structuré et des Data Warehouses aux limites en diversite de données et de volume entrent les lakehouse Et particulierement Apache Iceberg issue de Netflix gestion de schema mais flexible notion de copy en write vs merge on read en fonction de besoins garantie atomicite, coherence, isoliation et durabilite notion de time travel et rollback partitions cachées (qui abstraient la partition et ses transfos) et evolution de partitions compatbile avec les moteurs de calcul comme spark, trino, flink etc explique la structure des metadonnées et des données Guillaume s'amuse à générer des histoires courtes de Science-Fiction en programmant des Agents IA avec LangChain4j et aussi avec des workflows https://glaforge.dev/posts/2025/01/27/an-ai-agent-to-generate-short-scifi-stories/ https://glaforge.dev/posts/2025/01/31/a-genai-agent-with-a-real-workflow/ Création d'un générateur automatisé de nouvelles de science-fiction à l'aide de Gemini et Imagen en Java, LangChain4j, sur Google Cloud. Le système génère chaque nuit des histoires, complétées par des illustrations créées par le modèle Imagen 3, et les publie sur un site Web. Une étape d'auto-réflexion utilise Gemini pour sélectionner la meilleure image pour chaque chapitre. L'agent utilise un workflow explicite, drivé par le code Java, où les étapes sont prédéfinies dans le code, plutôt que de s'appuyer sur une planification basée sur LLM. Le code est disponible sur GitHub et l'application est déployée sur Google Cloud. L'article oppose les agents de workflow explicites aux agents autonomes, en soulignant les compromis de chaque approche. Car parfois, les Agent IA autonomes qui gèrent leur propre planning hallucinent un peu trop et n'établissent pas un plan correctement, ou ne le suive pas comme il faut, voire hallucine des “function call”. Le projet utilise Cloud Build, le Cloud Run jobs, Cloud Scheduler, Firestore comme base de données, et Firebase pour le déploiement et l'automatisation du frontend. Dans le deuxième article, L'approche est différente, Guillaume utilise un outil de Workflow, plutôt que de diriger le planning avec du code Java. L'approche impérative utilise du code Java explicite pour orchestrer le workflow, offrant ainsi un contrôle et une parallélisation précis. L'approche déclarative utilise un fichier YAML pour définir le workflow, en spécifiant les étapes, les entrées, les sorties et l'ordre d'exécution. Le workflow comprend les étapes permettant de générer une histoire avec Gemini 2, de créer une invite d'image, de générer des images avec Imagen 3 et d'enregistrer le résultat dans Cloud Firestore (base de donnée NoSQL). Les principaux avantages de l'approche impérative sont un contrôle précis, une parallélisation explicite et des outils de programmation familiers. Les principaux avantages de l'approche déclarative sont des définitions de workflow peut-être plus faciles à comprendre (même si c'est un YAML, berk !) la visualisation, l'évolutivité et une maintenance simplifiée (on peut juste changer le YAML dans la console, comme au bon vieux temps du PHP en prod). Les inconvénients de l'approche impérative incluent le besoin de connaissances en programmation, les défis potentiels en matière de maintenance et la gestion des conteneurs. Les inconvénients de l'approche déclarative incluent une création YAML pénible, un contrôle de parallélisation limité, l'absence d'émulateur local et un débogage moins intuitif. Le choix entre les approches dépend des exigences du projet, la déclarative étant adaptée aux workflows plus simples. L'article conclut que la planification déclarative peut aider les agents IA à rester concentrés et prévisibles. Outillage Vulnérabilité des proxy Maven https://github.blog/security/vulnerability-research/attacks-on-maven-proxy-repositories/ Quelque soit le langage, la techno, il est hautement conseillé de mettre en place des gestionnaires de repositories en tant que proxy pour mieux contrôler les dépendances qui contribuent à la création de vos produits Michael Stepankin de l'équipe GitHub Security Lab a cherché a savoir si ces derniers ne sont pas aussi sources de vulnérabilité en étudiant quelques CVEs sur des produits comme JFrog Artifactory, Sonatype Nexus, et Reposilite Certaines failles viennent de la UI des produits qui permettent d'afficher les artifacts (ex: mettez un JS dans un fichier POM) et même de naviguer dedans (ex: voir le contenu d'un jar / zip et on exploite l'API pour lire, voir modifier des fichiers du serveur en dehors des archives) Les artifacts peuvent aussi être compromis en jouant sur les paramètres propriétaires des URLs ou en jouant sur le nomage avec les encodings. Bref, rien n'est simple ni niveau. Tout système rajoute de la compléxité et il est important de les tenir à mettre à jour. Il faut surveiller activement sa chaine de distribution via différents moyens et ne pas tout miser sur le repository manager. L'auteur a fait une présentation sur le sujet : https://www.youtube.com/watch?v=0Z_QXtk0Z54 Apache Maven 4… Bientôt, c'est promis …. qu'est ce qu'il y aura dedans ? https://gnodet.github.io/maven4-presentation/ Et aussi https://github.com/Bukama/MavenStuff/blob/main/Maven4/whatsnewinmaven4.md Apache Maven 4 Doucement mais surement …. c'est le principe d'un projet Maven 4.0.0-rc-2 est dispo (Dec 2024). Maven a plus de 20 ans et est largement utilisé dans l'écosystème Java. La compatibilité ascendante a toujours été une priorité, mais elle a limité la flexibilité. Maven 4 introduit des changements significatifs, notamment un nouveau schéma de construction et des améliorations du code. Changements du POM Séparation du Build-POM et du Consumer-POM : Build-POM : Contient des informations propres à la construction (ex. plugins, configurations). Consumer-POM : Contient uniquement les informations nécessaires aux consommateurs d'artefacts (ex. dépendances). Nouveau Modèle Version 4.1.0 : Utilisé uniquement pour le Build-POM, alors que le Consumer-POM reste en 4.0.0 pour la compatibilité. Introduit de nouveaux éléments et en marque certains comme obsolètes. Modules renommés en sous-projets : “Modules” devient “Sous-projets” pour éviter la confusion avec les Modules Java. L'élément remplace (qui reste pris en charge). Nouveau type de packaging : “bom” (Bill of Materials) : Différencie les POMs parents et les BOMs de gestion des dépendances. Prend en charge les exclusions et les imports basés sur les classifiers. Déclaration explicite du répertoire racine : permet de définir explicitement le répertoire racine du projet. Élimine toute ambiguïté sur la localisation des racines de projet. Nouvelles variables de répertoire : ${project.rootDirectory}, ${session.topDirectory} et ${session.rootDirectory} pour une meilleure gestion des chemins. Remplace les anciennes solutions non officielles et variables internes obsolètes. Prise en charge de syntaxes alternatives pour le POM Introduction de ModelParser SPI permettant des syntaxes alternatives pour le POM. Apache Maven Hocon Extension est un exemple précoce de cette fonctionnalité. Améliorations pour les sous-projets Versioning automatique des parents Il n'est plus nécessaire de définir la version des parents dans chaque sous-projet. Fonctionne avec le modèle de version 4.1.0 et s'étend aux dépendances internes au projet. Support complet des variables compatibles CI Le Flatten Maven Plugin n'est plus requis. Prend en charge les variables comme ${revision} pour le versioning. Peut être défini via maven.config ou la ligne de commande (mvn verify -Drevision=4.0.1). Améliorations et corrections du Reactor Correction de bug : Gestion améliorée de --also-make lors de la reprise des builds. Nouvelle option --resume (-r) pour redémarrer à partir du dernier sous-projet en échec. Les sous-projets déjà construits avec succès sont ignorés lors de la reprise. Constructions sensibles aux sous-dossiers : Possibilité d'exécuter des outils sur des sous-projets sélectionnés uniquement. Recommandation : Utiliser mvn verify plutôt que mvn clean install. Autres Améliorations Timestamps cohérents pour tous les sous-projets dans les archives packagées. Déploiement amélioré : Le déploiement ne se produit que si tous les sous-projets sont construits avec succès. Changements de workflow, cycle de vie et exécution Java 17 requis pour exécuter Maven Java 17 est le JDK minimum requis pour exécuter Maven 4. Les anciennes versions de Java peuvent toujours être ciblées pour la compilation via Maven Toolchains. Java 17 a été préféré à Java 21 en raison d'un support à long terme plus étendu. Mise à jour des plugins et maintenance des applications Suppression des fonctionnalités obsolètes (ex. Plexus Containers, expressions ${pom.}). Mise à jour du Super POM, modifiant les versions par défaut des plugins. Les builds peuvent se comporter différemment ; définissez des versions fixes des plugins pour éviter les changements inattendus. Maven 4 affiche un avertissement si des versions par défaut sont utilisées. Nouveau paramètre “Fail on Severity” Le build peut échouer si des messages de log atteignent un niveau de gravité spécifique (ex. WARN). Utilisable via --fail-on-severity WARN ou -fos WARN. Maven Shell (mvnsh) Chaque exécution de mvn nécessitait auparavant un redémarrage complet de Java/Maven. Maven 4 introduit Maven Shell (mvnsh), qui maintient un processus Maven résident unique ouvert pour plusieurs commandes. Améliore la performance et réduit les temps de build. Alternative : Utilisez Maven Daemon (mvnd), qui gère un pool de processus Maven résidents. Architecture Un article sur les feature flags avec Unleash https://feeds.feedblitz.com//911939960/0/baeldungImplement-Feature-Flags-in-Java-With-Unleash Pour A/B testing et des cycles de développements plus rapides pour « tester en prod » Montre comment tourner sous docker unleash Et ajouter la librairie a du code java pour tester un feature flag Sécurité Keycloak 26.1 https://www.keycloak.org/2025/01/keycloak-2610-released.html detection des noeuds via la proble base de donnée aulieu echange reseau virtual threads pour infinispan et jgroups opentelemetry tracing supporté et plein de fonctionalités de sécurité Loi, société et organisation Les grands morceaux du coût et revenus d'une conférence. Ici http://bdx.io|bdx.io https://bsky.app/profile/ameliebenoit33.bsky.social/post/3lgzslhedzk2a 44% le billet 52% les sponsors 38% loc du lieu 29% traiteur et café 12% standiste 5% frais speaker (donc pas tous) Ask Me Anything Julien de Provin: J'aime beaucoup le mode “continuous testing” de Quarkus, et je me demandais s'il existait une alternative en dehors de Quarkus, ou à défaut, des ressources sur son fonctionnement ? J'aimerais beaucoup avoir un outil agnostique utilisable sur les projets non-Quarkus sur lesquels j'intervient, quitte à y metttre un peu d'huile de coude (ou de phalange pour le coup). https://github.com/infinitest/infinitest/ Conférences La liste des conférences provenant de Developers Conferences Agenda/List par Aurélie Vache et contributeurs : 6-7 février 2025 : Touraine Tech - Tours (France) 21 février 2025 : LyonJS 100 - Lyon (France) 28 février 2025 : Paris TS La Conf - Paris (France) 6 mars 2025 : DevCon #24 : 100% IA - Paris (France) 13 mars 2025 : Oracle CloudWorld Tour Paris - Paris (France) 14 mars 2025 : Rust In Paris 2025 - Paris (France) 19-21 mars 2025 : React Paris - Paris (France) 20 mars 2025 : PGDay Paris - Paris (France) 20-21 mars 2025 : Agile Niort - Niort (France) 25 mars 2025 : ParisTestConf - Paris (France) 26-29 mars 2025 : JChateau Unconference 2025 - Cour-Cheverny (France) 27-28 mars 2025 : SymfonyLive Paris 2025 - Paris (France) 28 mars 2025 : DataDays - Lille (France) 28-29 mars 2025 : Agile Games France 2025 - Lille (France) 3 avril 2025 : DotJS - Paris (France) 3 avril 2025 : SoCraTes Rennes 2025 - Rennes (France) 4 avril 2025 : Flutter Connection 2025 - Paris (France) 4 avril 2025 : aMP Orléans 04-04-2025 - Orléans (France) 10-11 avril 2025 : Android Makers - Montrouge (France) 10-12 avril 2025 : Devoxx Greece - Athens (Greece) 16-18 avril 2025 : Devoxx France - Paris (France) 23-25 avril 2025 : MODERN ENDPOINT MANAGEMENT EMEA SUMMIT 2025 - Paris (France) 24 avril 2025 : IA Data Day 2025 - Strasbourg (France) 29-30 avril 2025 : MixIT - Lyon (France) 7-9 mai 2025 : Devoxx UK - London (UK) 15 mai 2025 : Cloud Toulouse - Toulouse (France) 16 mai 2025 : AFUP Day 2025 Lille - Lille (France) 16 mai 2025 : AFUP Day 2025 Lyon - Lyon (France) 16 mai 2025 : AFUP Day 2025 Poitiers - Poitiers (France) 24 mai 2025 : Polycloud - Montpellier (France) 24 mai 2025 : NG Baguette Conf 2025 - Nantes (France) 5-6 juin 2025 : AlpesCraft - Grenoble (France) 5-6 juin 2025 : Devquest 2025 - Niort (France) 10-11 juin 2025 : Modern Workplace Conference Paris 2025 - Paris (France) 11-13 juin 2025 : Devoxx Poland - Krakow (Poland) 12-13 juin 2025 : Agile Tour Toulouse - Toulouse (France) 12-13 juin 2025 : DevLille - Lille (France) 13 juin 2025 : Tech F'Est 2025 - Nancy (France) 17 juin 2025 : Mobilis In Mobile - Nantes (France) 24 juin 2025 : WAX 2025 - Aix-en-Provence (France) 25-26 juin 2025 : Agi'Lille 2025 - Lille (France) 25-27 juin 2025 : BreizhCamp 2025 - Rennes (France) 26-27 juin 2025 : Sunny Tech - Montpellier (France) 1-4 juillet 2025 : Open edX Conference - 2025 - Palaiseau (France) 7-9 juillet 2025 : Riviera DEV 2025 - Sophia Antipolis (France) 18-19 septembre 2025 : API Platform Conference - Lille (France) & Online 2-3 octobre 2025 : Volcamp - Clermont-Ferrand (France) 6-10 octobre 2025 : Devoxx Belgium - Antwerp (Belgium) 9-10 octobre 2025 : Forum PHP 2025 - Marne-la-Vallée (France) 16-17 octobre 2025 : DevFest Nantes - Nantes (France) 4-7 novembre 2025 : NewCrafts 2025 - Paris (France) 6 novembre 2025 : dotAI 2025 - Paris (France) 7 novembre 2025 : BDX I/O - Bordeaux (France) 12-14 novembre 2025 : Devoxx Morocco - Marrakech (Morocco) 28-31 janvier 2026 : SnowCamp 2026 - Grenoble (France) 23-25 avril 2026 : Devoxx Greece - Athens (Greece) 17 juin 2026 : Devoxx Poland - Krakow (Poland) Nous contacter Pour réagir à cet épisode, venez discuter sur le groupe Google https://groups.google.com/group/lescastcodeurs Contactez-nous via X/twitter https://twitter.com/lescastcodeurs ou Bluesky https://bsky.app/profile/lescastcodeurs.com Faire un crowdcast ou une crowdquestion Soutenez Les Cast Codeurs sur Patreon https://www.patreon.com/LesCastCodeurs Tous les épisodes et toutes les infos sur https://lescastcodeurs.com/

Podcast: ICS Cyber Talks PodcastEpisode: Part-1: IoT Meetup 05/01/2025 Chen Gruber SW Dev Embedded Security @CheckPoint: Firmware SecurityPub date: 2025-01-24Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationChen Gruber, software developer Embedded Security @CheckPoint about Firmware Security What can hackers learn by extracting data from the file system of the loT Device? Binary scan and static analysis on firmware can give valuable insights into your device and expose the hidden vulnerabilities and weaknesses before hackers find them. In this session, we demonstrate the firmware scanner service of Check Point and review the results to learn how to make secure devices. The service helps you to keep security hygiene and best practices. Also, to comply with security compliance regulations by providing full SBOM and CVEs. Technical Level - 300The podcast and artwork embedded on this page are from Nachshon Pincu, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Take a Network Break! We start with serious CVEs for Perl and Ivanti. On the news front, the FCC wants to license spectrum to raise money to help US telcos rip out Chinese network equipment–even though there’s no evidence Chinese equipment led to telco intrusions by Chinese attackers. Verizon boasts of 5.5Gbps download speeds on... Read more »

Take a Network Break! We start with serious CVEs for Perl and Ivanti. On the news front, the FCC wants to license spectrum to raise money to help US telcos rip out Chinese network equipment–even though there’s no evidence Chinese equipment led to telco intrusions by Chinese attackers. Verizon boasts of 5.5Gbps download speeds on... Read more »

Take a Network Break! We start with serious CVEs for Perl and Ivanti. On the news front, the FCC wants to license spectrum to raise money to help US telcos rip out Chinese network equipment–even though there’s no evidence Chinese equipment led to telco intrusions by Chinese attackers. Verizon boasts of 5.5Gbps download speeds on... Read more »

video: https://youtu.be/jqzkplxlr9Q Comment on the TWIL Forum (https://thisweekinlinux.com/forum) This year in Linux was a huge year. So many things happened. So many updates, releases, changes, improvements. Linux Marketshare, in fact, got much better too. So many things. So we're going to be covering everything in the super detail that we normally would on this week in Linux because there's just so many things to talk about. If you would like to learn more about each individual thing, you can check out the episode show notes. There will be links to every single time every single episode in the show notes so go check those out. Download as MP3 (https://aphid.fireside.fm/d/1437767933/2389be04-5c79-485e-b1ca-3a5b2cebb006/15c61f5d-8ade-4b47-96c3-f11e3b43e8df.mp3) Support the Show Become a Patron = tuxdigital.com/membership (https://tuxdigital.com/membership) Store = tuxdigital.com/store (https://tuxdigital.com/store) Chapters: 00:00 Intro 00:40 CVEs & CNAs for Linux Kernel 01:31 Rust added to the Linux Kernel in Linux 6.8 01:42 Linux 6.12 Merging Extensible Scheduler “sched_ext” 02:46 4.55% Marketshare for Linux on StatCounter! 03:57 Security Topics 04:18 Locally Exploitable glibc Vulnerability 05:44 Needrestart Security Vulnerabilities Found 06:29 RegreSSHion: Remote Code Execution Vulnerability In OpenSSH Server 07:44 XZ backdoor found in widespread Linux utility 10:34 CrowdStrike causes Global Outage for Microsoft Windows 13:23 Desktop Environments 15:26 Distro Releases 18:08 Red Hat Summit 2024 18:32 Destination Linux 400 18:53 Destination Linux Interviews 20:23 Explicit Sync Will Finally Solve the NVIDIA/Wayland Issues 21:34 Hardware News 21:52 Gaming News: Anti Cheat Woes 23:34 Gaming News: Valve does good for Linux 25:26 umu launcher 25:49 Application News 27:55 Support the show Links: https://thisweekinlinux.com/262 (https://thisweekinlinux.com/262) https://thisweekinlinux.com/263 (https://thisweekinlinux.com/263) https://thisweekinlinux.com/264 (https://thisweekinlinux.com/264) https://thisweekinlinux.com/265 (https://thisweekinlinux.com/265) https://thisweekinlinux.com/267 (https://thisweekinlinux.com/267) https://thisweekinlinux.com/268 (https://thisweekinlinux.com/268) https://thisweekinlinux.com/269 (https://thisweekinlinux.com/269) https://thisweekinlinux.com/270 (https://thisweekinlinux.com/270) https://thisweekinlinux.com/272 (https://thisweekinlinux.com/272) https://thisweekinlinux.com/273 (https://thisweekinlinux.com/273) https://thisweekinlinux.com/274 (https://thisweekinlinux.com/274) https://thisweekinlinux.com/276 (https://thisweekinlinux.com/276) https://thisweekinlinux.com/278 (https://thisweekinlinux.com/278) https://thisweekinlinux.com/279 (https://thisweekinlinux.com/279) https://thisweekinlinux.com/280 (https://thisweekinlinux.com/280) https://thisweekinlinux.com/282 (https://thisweekinlinux.com/282) https://thisweekinlinux.com/284 (https://thisweekinlinux.com/284) https://thisweekinlinux.com/286 (https://thisweekinlinux.com/286) https://thisweekinlinux.com/288 (https://thisweekinlinux.com/288) https://thisweekinlinux.com/289 (https://thisweekinlinux.com/289) https://thisweekinlinux.com/290 (https://thisweekinlinux.com/290) https://thisweekinlinux.com/291 (https://thisweekinlinux.com/291)

Join hosts James Maude and Marc Maiffret as they dive into a captivating conversation with industry legend Morey Haber. With over two decades of experience—going back before CVEs were even a thing—Morey delivers a bold look at the security threats of 2025 and beyond. Is AI on the verge of bursting its hype bubble? Are hidden paths to privilege the next battleground? The group discusses how today's identity-based attacks are reshaping cybersecurity and how Morey deep-faked himself to expose the alarming reality of AI impersonation. From the roots of early vulnerability research to the cutting edge of emerging attack vectors, this is a must-listen episode to understand how old threats are wearing new masks—and what defenders must do to keep up (and a great episode to wrap-up 2024)!

Take a Network Break! We’ve got a full menu for our post-Thanksgiving episode. We start with a host of critical CVEs affecting Veritas and a couple more for QNAP. Cisco announces EOL for two version of its ACI software, Verizon runs field trials for 1.6Tbps throughput in a single wavelength (with Ciena optical transceivers), and... Read more »

Take a Network Break! We’ve got a full menu for our post-Thanksgiving episode. We start with a host of critical CVEs affecting Veritas and a couple more for QNAP. Cisco announces EOL for two version of its ACI software, Verizon runs field trials for 1.6Tbps throughput in a single wavelength (with Ciena optical transceivers), and... Read more »

Take a Network Break! We’ve got a full menu for our post-Thanksgiving episode. We start with a host of critical CVEs affecting Veritas and a couple more for QNAP. Cisco announces EOL for two version of its ACI software, Verizon runs field trials for 1.6Tbps throughput in a single wavelength (with Ciena optical transceivers), and... Read more »

Take a Network Break! We start with a brief follow-up on our CVE coverage, and then dive into a serious one-two set of vulnerabilities being exploited in Palo Alto Networks software, VMware taking a second crack at patching a vCenter vulnerability, and notable CVEs in D-Link and HPC gear. An AI company loses a quarter... Read more »

Take a Network Break! We start with a brief follow-up on our CVE coverage, and then dive into a serious one-two set of vulnerabilities being exploited in Palo Alto Networks software, VMware taking a second crack at patching a vCenter vulnerability, and notable CVEs in D-Link and HPC gear. An AI company loses a quarter... Read more »