Podcasts about mitigations

Podcast: Nexus: A Claroty Podcast (LS 32 · TOP 5% what is this?)Episode: Rob King on OT Asset Exposures, MitigationsPub date: 2026-05-03Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationRob King, Director of Applied Research at RunZero, joins the Nexus Podcast to discuss the security risks and exposures introduced by digital transformation to operational technology environments. As many OT and cyber-physical systems assets are connected online, there could be signification exposures introduced to these internet-facing devices and systems. Rob also discusses the effectiveness of popular mitigations such as segmentation and other controls.  Subscribe and listen to the Nexus Podcast here. The podcast and artwork embedded on this page are from Claroty, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Rob King, Director of Applied Research at RunZero, joins the Nexus Podcast to discuss the security risks and exposures introduced by digital transformation to operational technology environments. As many OT and cyber-physical systems assets are connected online, there could be signification exposures introduced to these internet-facing devices and systems. Rob also discusses the effectiveness of popular mitigations such as segmentation and other controls.  Subscribe and listen to the Nexus Podcast here. 

The expensive, challenging, and humbling journey with open source agents.Sponsored By:Jupiter Party Annual Membership: Put your support on automatic with our annual plan, and get one month of membership for free!Managed Nebula: Meet Managed Nebula from Defined Networking. A decentralized VPN built on the open-source Nebula platform that we love.Support LINUX UnpluggedLinks:

Matt and Nic are back for another week of news and deals. In this episode:  The significance of the new Google and Oratomic papers on quantum computing and ECC256 Why short range attacks are now part of the threat model Is Nic conflicted out from discussing quantum? What will be the fate of the Satoshi coins? What maritime law and shipwreck recovery tells us about the fate of Satoshi's coins Drift protocol is hacked Gary Gensler does not like prediction markets DATs are selling BTC Content mentioned in this episode: Cain et al, Shor's algorithm is possible with as few as 10,000 reconfigurable atomic qubits Babbush et al, Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations  

Cameron Robertson first discovered Bitcoin in 2009, after reading a post on hacker website Slashdot. About a year later, he started mining and mingling with other Bitcoin enthusiasts in the Silicon Valley area. More recently, he created a product named the Burner: an affordable, NFC-based card that enables anyone to gift, save, and spend their BTC within a simple browser-based and mobile-optimized interface. In this episode, we talk about the past, present and future of the Bitcoin project: including topics such as mining, open source development culture, and the quantum threat. Get 25% discount on your Burner card purchase with promo code ”BTCTKVR”: https://www.burner.pro/bitcoin Time stamps: 00:01:15 Introducing Cameron Robertson 00:02:45 Cameron's Bitcoin Origin Story 00:03:40 Early GPU Mining & Startup Life 00:04:46 Meeting with Brian Armstrong of Coinbase & Smart Locks 00:06:10 Evolution of the Crypto Ecosystem 00:07:20 Building Self-Custody Tools 00:08:30 Kong Cash: Physical Crypto Notes 00:10:25 Community Reactions to Physical Crypto 00:11:17 NFTs, Halos, and Physical Authentication 00:12:30 Offline Cash: Improved Bitcoin Notes 00:13:30 Denominations, Sats, and Psychological Value 00:15:30 Challenges of Issuing Physical Bitcoin 00:16:22 From Cash Notes to Burner Card 00:17:30 Web-Based Wallets & App Store Challenges 00:18:48 Bitcoin Banknotes & Physical Representations 00:21:01 Casascius, Legal Precedents & Coinage Laws 00:24:28 Mining, Spending, and Store of Value 00:28:22 Early Bitcoin Community & Mining Stories 00:30:02 Bitcoin as Money vs. Store of Value 00:32:07 Unit of Account Challenges 00:37:31 Development Culture: Then vs. Now 00:39:03 Silicon Valley, Meetups, and Early Builders 00:40:58 Money Changes Everything: 2013–2017 00:46:57 Bear Markets, Building, and Lightning 00:50:23 Future Risks: Mining, Quantum, and Hard Forks 00:54:44 Quantum Resistance: Migration and Hardware 00:56:52 Quantum Attacks: Practical Risks and Mitigations 01:03:20 Consensus, Upgrades, and Developer Culture 01:05:41 Ethereum vs. Bitcoin: Governance and Upgrades 01:14:57 Stablecoins, Sidechains, and Payments 01:18:03 Burner Card Demo & Security Model 01:22:36 Technical Details: Secure Element & Open APIs 01:25:49 Third-Party Wallets & Business Model 01:29:31 Supported Coins & Expansion Plans 01:32:44 Naming & Philosophy Behind Burner 01:34:38 Cameron's Non-Shitcoin Picks & Privacy Coins 01:40:08 Privacy vs. Scaling: ZK Tech & Future Hopes 01:44:31 ZK Apps & Privacy Onramps 01:47:24 16-Year Outlook: Bitcoin & Crypto's Future 01:53:29 No Price Predictions, Just Tech 01:53:37 Promo Code BTCTKVR & Closing Thoughts

Global investment in AI across financial services is projected to grow from USD 38.36 billion in 2024 to USD 190.33 billion by 2030, according to a 2024 market forecast by Markets and Markets. At the same time, UK regulators report that AI adoption is already widespread across the sector. A joint 2024 survey by the Bank of England and the Financial Conduct Authority found that 75 percent of UK financial services firms are already deploying AI, with a further 10 percent planning adoption within the next three years. As AI adoption accelerates, search visibility in finance is no longer dictated by traditional rankings alone. AI overviews, gen AI assistants and zero-click results now sit between customers and brand websites, reshaping how trust, authority and compliance are interpreted online. In this environment, SEO is no longer just a growth channel. It has become a frontline control mechanism for accuracy, regulatory alignment and brand credibility. To address this shift, AccuraCast has published its definitive SEO Guide for Financial Services, outlining the structural, technical and governance frameworks required for finance brands to remain visible and compliant in an AI-first discovery landscape. The insights below come from Lourenço Caliento Gonçalves, SEO Consultant at AccuraCast, who works directly with banks, insurers and fintech firms navigating this changing search environment. 1. SEO in an AI Summary World AI Overviews and assistants now sit between users and brand sites, especially on "what/how/which account/card/loan" queries in finance. Studies on financial keywords show AI modules cite only a small set of domains per answer, so visibility is increasingly about being one of the few trusted citations rather than "position 3 vs 5". Practical shifts for finance SEO: 1. Move from chasing every keyword to owning topic clusters where you can be the definitive, expert, frequently-updated source. 2. Design pages that both: Feed AI (clear entities, schema, citations, expert authorship) and Still convert in a zero?click world (compelling USP, tools, calculators, comparison tables that go beyond the AI summary). 2. SEO's Role in Accuracy and Compliance Because finance is considered a YMYL (your money, your life) category, search systems and AI models heavily weigh accuracy, disclosures and regulatory alignment. Regulators like the SEC, FCA, CFTC, BaFin, ESMA, EIOPA and EBA set rules for product communication, risk disclosure and data/privacy that directly affect how content can be written and tracked. SEO becomes a compliance ally by: Embedding governance into content workflows: versioning, review logs, jurisdiction tagging, "last updated" labels, and mandated disclaimers on all money pages. Hard-coding technical safeguards: secure-by-default (HTTPS, HSTS), cookie and tracking consent, correct handling of PII, and robust legal/Ts & Cs/privacy internal linking so crawlers and users always see compliant context. 3. SEO Challenges When Adding AI and Automation Banks, insurers and fintechs are accelerating AI and agent use across content, but surveys show the main friction points are compliance overhead, skills gaps and governance. SEO?specific pain points typically include: Drift from brand and regulatory language: AI can introduce unapproved promises, omit mandatory risk language or hallucinate product conditions, creating both compliance and ranking risk on YMYL topics. Inconsistent E-E-A-T: At scale, content may lack real experts, citations and author bios, weakening trust signals for both search and AI engines that now cross?check authority more strictly for finance queries. Fragmented workflows: Legal/compliance reviews are often still manual and periodic, while AI can publish or update faster than teams can approve, which creates a backlog or the risk of rogue content going live. Mitigations that work: Guardrailed generation: Fix templates with "non-editable" compliance blocks per product/region; restrict RAG systems ...

The WNBA and WNBPA collective bargaining negotiations are…ongoing. Tyler was boots on the ground at The Players Era Tournament in Vegas. UConn or Texas for the top-ranked team? All of that and more with Chelsea Leite and Tyler DeLuca. HerHoopStats.com: Unlock better insight about the women's game.The Her Hoop Stats Newsletter: https://herhoopstats.substack.comPoll Ponderings by Chelsea Leite: https://bit.ly/4oNwz2NSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.

Would you like to know more? Flick me a message!Air North Brasilia accident ATSB ReportE55 Baron accident ATSB ReportPatreon Discount Code - BIRTHDAY4Pilot LogbookDigital Excel spreadsheet logbook for a one off payment. Podcast listeners get 20% Off!!Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.Support the showEmail: info@trentrobinsonaviation.com.au Online Training http://courses.flighttrainingaustralia.com.au Affiliate Links: Pilot LogbookDigital Excel spreadsheet logbook for a one off payment. Podcast listeners get 20% Off!! Nav & Co Pilot Nav Bags - Get $10 off using the code FTAPODCAST Social Media Links: Facebook: http://www.facebook.com.au/trentrobinsonaviation Instagram: http://www.instagram.com/trent_robinson_aviation YouTube: https://www.youtube.com/@flighttrainingaustraliaTikTok https://www.tiktok.com/@flighttrainingaustraliaPodcast Episodes: http://www.flighttrainingaustralia.com.au

In this episode of The BlueHat Podcast, host Nic Fillingham and Wendy Zenone are joined by Mike Macelletti from Microsoft's MSRC Vulnerabilities and Mitigations team to explore Redirection Guard, a powerful mitigation designed to tackle a long-standing class of file path redirection vulnerabilities in Windows. Mike shares how his interest in security began, the journey behind developing Redirection Guard, and how it's helping reduce a once-common bug class across Microsoft products. He also explains how the feature works, why it's impactful, and what developers can do to adopt it. Plus, a few fun detours into Solitaire hacking, skiing, and protein powder.     In This Episode You Will Learn:   What Redirection Guard is and how it helps prevent file system vulnerabilities  How Microsoft identifies and addresses common bug classes across their ecosystem  Why some vulnerabilities still slip past Redirection Guard and what's out of scope    Some Questions We Ask:  What is a junction and how is it different from other redirects?  How does Redirection Guard decide which shortcuts to block?  Are there vulnerabilities Redirection Guard doesn't cover?      Resources:       View Mike Macelletti on LinkedIn      View Wendy Zenone on LinkedIn    View Nic Fillingham on LinkedIn     Related Microsoft Podcasts:    Microsoft Threat Intelligence Podcast    Afternoon Cyber Tea with Ann Johnson    Uncovering Hidden Risks       Discover and follow other Microsoft podcasts at microsoft.com/podcasts      The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.  

¿Qué es un ataque de reconstrucción? ¿Aumentan sus riesgos por el uso de datos personales en el entrenamiento de modelos de IA? ¿Qué marco de gestión de riesgos resulta más apropiado para su gestión? Ángela Manceñido tiene diez años de experiencia en la prestación de servicios de consultoría orientados a la privacidad y protección de datos. Durante este tiempo, ha ayudado, trabajando para KPMG, a numerosas compañías de distintos sectores adaptándose y ofreciendo soluciones efectivas y óptimas en un entorno en constante evolución. En el presente, Ángela también se ha especializado en el impacto de la IA desde una perspectiva regulatoria y de riesgo tecnológico. Actualmente guía a varios clientes en este campo, permitiendo a estos afrontar los desafíos y oportunidades que presentan las nuevas tecnologías garantizando el cumplimiento normativo y la mitigación de riesgos. Nuestra invitada participa además en varias asociaciones y grupos de referencia. Referencias: Ángela Manceñido en LinkedIn Marco de gestión de riesgos de NIST (inglés) Caso Holmen: un ciudadano noruego es acusado falsamente por ChatGPT de matar a sus dos hijos (BBC, inglés) NIST: Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (2024) Matriz RACI de roles y responsabilidades (Monday)

We've written a new report on the threat of AI-enabled coups. I think this is a very serious risk – comparable in importance to AI takeover but much more neglected. In fact, AI-enabled coups and AI takeover have pretty similar threat models. To see this, here's a very basic threat model for AI takeover: Humanity develops superhuman AI Superhuman AI is misaligned and power-seeking Superhuman AI seizes power for itself And now here's a closely analogous threat model for AI-enabled coups: Humanity develops superhuman AI Superhuman AI is controlled by a small group Superhuman AI seizes power for the small group While the report focuses on the risk that someone seizes power over a country, I think that similar dynamics could allow someone to take over the world. In fact, if someone wanted to take over the world, their best strategy might well be to first stage an AI-enabled [...] ---Outline:(02:39) Summary(03:31) An AI workforce could be made singularly loyal to institutional leaders(05:04) AI could have hard-to-detect secret loyalties(06:46) A few people could gain exclusive access to coup-enabling AI capabilities(09:46) Mitigations(13:00) VignetteThe original text contained 2 footnotes which were omitted from this narration. --- First published: April 16th, 2025 Source: https://www.lesswrong.com/posts/6kBMqrK9bREuGsrnd/ai-enabled-coups-a-small-group-could-use-ai-to-seize-power-1 --- Narrated by TYPE III AUDIO. ---Images from the article:

Cybersecurity Today: Exploited Vulnerabilities and Innovative Threat Mitigations In this episode of Cybersecurity Today, host Jim Love discusses several pressing cybersecurity issues including the exploitation of a server-side request forgery (SSRF) vulnerability in OpenAI's ChatGPT infrastructure (CVE-2024-27564), leading attackers to redirect users to malicious URLs. He also talks about how researchers at Tiny Hack have made breakthroughs in cracking Akira ransomware using high-powered GPUs, and Malwarebytes' warning about malware embedded in free online file converters. The episode highlights the importance of robust cybersecurity measures, innovative methods to combat ransomware, and cautious internet usage. 00:00 Introduction to Cybersecurity Threats 00:19 Exploiting ChatGPT Vulnerabilities 02:15 Cracking Akira Ransomware 05:01 Malware in Free Online Converters 07:12 Conclusion and Listener Support

Dark Skippy is a new attack that in theory, makes it much easier for a malicious person to steal your coins. Listen in to learn about some of the ins and outs here, as well as mitigation and the path forward for the industry from @utxoclub , @LLFOURN & @robin_linus .  Why air gapping is not the be all end all Dark Skippy in context with other attacks Security while signing transactions, and security while generating keys RFC6979 Deterministic nonce generation Updating PSBT to help mitigate this attack Summary The conversation discusses the ‘Dark Skippy' attack, a new method for leaking secret keys from a malicious signing device. The attack takes advantage of the nonces used in the Schnorr and ECDSA signature schemes. The new attack vector can potentially extract private keys and seed words from hardware wallets. The attack targets the nonce generation process during key generation and signing. The previous versions of this attack were inefficient, but Dark Skippy improves upon them. The contributors explain how the attack came about and its implications for hardware wallet security. They also discuss the RFC6979 deterministic nonce generation and the concept of anti-klepto signing protocols as mitigations against the attack.  While Dark Skippy is a sophisticated attack, it requires a high level of expertise and is not currently seen in the wild. The discussion highlights the importance of secure boot, upgrading the Partially Signed Bitcoin Transaction (PSBT) process, and improving the randomness of upfront key generation as potential mitigations.  However, it is emphasized that current reputable hardware wallets still provide a high level of security, and there is no immediate action required for users. Takeaways Dark Skippy is a new attack that leaks secret keys from a malicious signing device. The attack exploits the nonces used in the Schnorr and ECDSA signature schemes. Previous versions of this attack were inefficient, but Dark Skippy improves upon them. Mitigations against the attack include the RFC6979 deterministic nonce generation and anti-klepto signing protocols. Dark Skippy is a sophisticated attack that targets the nonce generation process during key generation and signing. Mitigations for Dark Skippy include implementing secure boot, upgrading the PSBT process, and improving the randomness of upfront key generation. Reputable hardware wallets currently provide a high level of security, and there is no immediate action required for users. The discussion highlights the importance of ongoing research and development to enhance the security of hardware wallets and protect against potential future attacks. Timestamps: (00:00) - Intro (00:45) - What is ‘Dark Skippy'? (04:39) - Is it an old attack vector? Bitcoin's security evolving with time (12:41) - Sponsor (15:22) - What is a nonce?, RFC6979 Deterministic nonce generation (22:55) - Common ways of people losing their Bitcoin (31:08) - Sponsor (32:07) - Anti-klepto signing protocols; ways to mitigate risks of losing coins (39:51) - Updating PSBT to help mitigate this attack (43:26) - The role of Multisig in preventing the attack (49:57) - Other attack vectors in malicious actor's toolkit (56:49) - Summarizing the steps to improve the ecosystem security (1:00:18) - Closing thoughts Links:  https://darkskippy.com/  https://frostsnap.com/  https://x.com/LLFOURN  https://x.com/robin_linus  https://x.com/utxoclub  https://x.com/utxoclub/status/1820520960476561825  Sponsors: CoinKite.com (code LIVERA) mempool.space/accelerator  Stephan Livera links: Follow me on X: @stephanlivera Subscribe to the podcast Subscribe to Substack

Join Lieuwe Jan Koning on this special Threat Talks as he explores the evolving landscape of DDoS attacks with Junior Corazza and Miguel Regalado Querol. Discover if these cyber threats are truly diminishing or if we're just getting better at defending against them. Tune in to understand the current state of DDoS mitigations and the importance of cybersecurity collaboration. Find all our episodes and request your own Threat Talks T-shirt on https://threat-talks.com/

Why you shouldn't use AI to write your tests, and the crazy deals new AI companies are getting themselves into to access hardware.

Get the latest Patch Tuesday releases, mitigation tips, and learn about custom automations (aka Automox Worklets) that can help you with CVE remediations.

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Companies' safety plans neglect risks from scheming AI, published by Zach Stein-Perlman on June 3, 2024 on LessWrong. Without countermeasures, a scheming AI could escape. A safety case (for deployment) is an argument that it is safe to deploy a particular AI system in a particular way.[1] For any existing LM-based system, the developer can make a great safety case by demonstrating that the system does not have dangerous capabilities.[2] No dangerous capabilities is a straightforward and solid kind of safety case. For future systems with dangerous capabilities, a safety case will require an argument that the system is safe to deploy despite those dangerous capabilities. In this post, I discuss the safety cases that the labs are currently planning to make, note that they ignore an important class of threats - namely threats from scheming AI escaping - and briefly discuss and recommend control-based safety cases. I. Safety cases implicit in current safety plans: no dangerous capabilities and mitigations to prevent misuse Four documents both (a) are endorsed by one or more frontier AI labs and (b) have implicit safety cases (that don't assume away dangerous capabilities): Anthropic's Responsible Scaling Policy v1.0, OpenAI's Preparedness Framework (Beta), Google DeepMind's Frontier Safety Framework v1.0, and the AI Seoul Summit's Frontier AI Safety Commitments. With small variations, all four documents have the same basic implicit safety case: before external deployment, we check for dangerous capabilities. If a model has dangerous capabilities beyond a prespecified threshold, we will notice and implement appropriate mitigations before deploying it externally.[3] Central examples of dangerous capabilities include hacking, bioengineering, and operating autonomously in the real world. 1. Anthropic's Responsible Scaling Policy: we do risk assessment involving red-teaming and model evals for dangerous capabilities. If a model has dangerous capabilities beyond a prespecified threshold,[4] we will notice and implement corresponding mitigations[5] before deploying it (internally or externally). 2. OpenAI's Preparedness Framework: we do risk assessment involving red-teaming and model evals for dangerous capabilities. We only externally deploy[6] models with "post-mitigation risk" at 'Medium' or below in each risk category. (That is, after mitigations, the capabilities that define 'High' risk can't be elicited.) 3. Google DeepMind's Frontier Safety Framework: we do risk assessment involving red-teaming and model evals for dangerous capabilities. If a model has dangerous capabilities beyond a prespecified threshold, we will notice before external deployment.[7] "When a model reaches evaluation thresholds (i.e. passes a set of early warning evaluations), we will formulate a response plan based on the analysis of the CCL and evaluation results."[8] Mitigations are centrally about preventing "critical capabilities" from being "accessed" (and securing model weights). 4. Frontier AI Safety Commitments (joined by 16 AI companies): before external deployment, we will do risk assessment with risk thresholds.[9] We use mitigations[10] "to keep risks within defined thresholds." These safety cases miss (or assume unproblematic) some crucial kinds of threats. II. Scheming AI and escape during internal deployment By default, AI labs will deploy AIs internally to do AI development. Maybe lots of risk "comes from the lab using AIs internally to do AI development (by which I mean both research and engineering). This is because the AIs doing AI development naturally require access to compute and model weights that they can potentially leverage into causing catastrophic outcomes - in particular, those resources can be abused to run AIs unmonitored." Without countermeasures, if the AI is scheming, i...

Guest: Shan  Rao, Group Product Manager, Google  Topics: What are the unique challenges when securing AI for cloud environments, compared to traditional IT systems? Your talk covers 5 risks, why did you pick these five? What are the five, and are these the worst? Some of the mitigation seems the same for all risks. What are the popular SAIF mitigations that cover more of the risks? Can we move quickly and securely with AI? How? What future trends and developments do you foresee in the field of securing AI for cloud environments, and how can organizations prepare for them? Do you think in 2-3 years AI security will be a separate domain or a part of … application security? Data security? Cloud security?  Resource: Video (LinkedIn, YouTube)  [live audio is not great in these] “A cybersecurity expert's guide  to securing AI products with Google SAIF“ presentation SAIF Site “To securely build AI on Google Cloud, follow these best practices” (paper) “Secure AI Framework (SAIF): A Conceptual Framework for Secure AI Systems” resources Corey Quinn on X (long story why this is here… listen to the episode)

Memory corruption is a difficult problem to solve, but many such as CISA are pushing for moves to memory safe languages. How viable is rewriting compared to mitigating? Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/254.html [00:00:00] Introduction [00:01:12] Clarifying Scope & Short/Long Term [00:04:28] Mitigations [00:15:37] Safe Languages Are Falliable [00:21:20] Weaknesses & Evolution of Mitigations [00:29:19] Rewriting and the Iterative Process [00:34:55] The Rewriting Scalability Argument [00:41:43] System vs App Bugs [00:48:46] Mitigations & Rewriting Are Not Mutually Exclusive [00:50:25] Corporate vs Open Source [00:54:12] Generational Change [00:56:18] Conclusion Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9

In this episode of the Security Swarm Podcast, our host Andy Syrewicze discusses the key findings from Hornetsecurity's Monthly Threat Report with guest Michael Posey. The Monthly Threat Report is a valuable resource that provides monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space.   In this episode, Andy and Michael talk about recent security events such as the Cyber Safety Review Board's (CSRB) report assessment of the Storm-0558 attack, the FTC's reports on impersonation attacks, and an alarming potential supply chain attack on the XZ Utils package in open-source Linux distributions.  Key takeaways:  The cybersecurity landscape is evolving rapidly with a variety of threats, from supply chain attacks to impersonation scams.  Transparency and security diligence are crucial in preventing and mitigating cyber threats.  End-user training and awareness play a significant role in enhancing overall cybersecurity posture.  Timestamps:  (05:26) - Rising Trends in Email Threats and Cybersecurity Impersonation Tactics (15:26) - The Importance of Email Security and Supply Chain Attacks in Today's Cyber Landscape (18:12) - Uncovering the Storm-0558 Breach: Analysis and Recommendations (27:33) - FTC Reports on Impersonation Attacks and the Importance of End User Training in Cybersecurity (34:25) - Major Security Threat Uncovered in XZ Utils Package in Open Source Linux Distributions (40:22) - Insights on Cybersecurity Issues and Mitigations  Episode Resources:  The Full Monthly Threat Report for April 2024 Fully automated Security Awareness Training Demo 

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Managing catastrophic misuse without robust AIs, published by Ryan Greenblatt on January 16, 2024 on The AI Alignment Forum. Many people worry about catastrophic misuse of future AIs with highly dangerous capabilities. For instance, powerful AIs might substantially lower the bar to building bioweapons or allow for massively scaling up cybercrime. How could an AI lab serving AIs to customers manage catastrophic misuse? One approach would be to ensure that when future powerful AIs are asked to perform tasks in these problematic domains, the AIs always refuse. However, it might be a difficult technical problem to ensure these AIs refuse: current LLMs are possible to jailbreak into doing arbitrary behavior, and the field of adversarial robustness, which studies these sorts of attacks, has made only slow progress in improving robustness over the past 10 years. If we can't ensure that future powerful AIs are much more robust than current models[1], then malicious users might be able to jailbreak these models to allow for misuse. This is a serious concern, and it would be notably easier to prevent misuse if models were more robust to these attacks. However, I think there are plausible approaches to effectively mitigating catastrophic misuse which don't require high levels of robustness on the part of individual AI models. (In this post, I'll use "jailbreak" to refer to any adversarial attack.) In this post, I'll discuss addressing bioterrorism and cybercrime misuse as examples of how I imagine mitigating catastrophic misuse[2]. I'll do this as a nearcast where I suppose that scaling up LLMs results in powerful AIs that would present misuse risk in the absence of countermeasures. The approaches I discuss won't require better adversarial robustness than exhibited by current LLMs like Claude 2 and GPT-4. I think that the easiest mitigations for bioterrorism and cybercrime are fairly different, because of the different roles that LLMs play in these two threat models. The mitigations I'll describe are non-trivial, and it's unclear if they will happen by default. But regardless, this type of approach seems considerably easier to me than trying to achieve very high levels of adversarial robustness. I'm excited for work which investigates and red-teams methods like the ones I discuss. [Thanks to Fabien Roger, Ajeya Cotra, Nate Thomas, Max Nadeau, Aidan O'Gara, and Ethan Perez for comments or discussion. This post was originally posted as a comment in response to this post by Aidan O'Gara; you can see the original comment here for reference. Inside view, I think most research on preventing misuse seems less leveraged (for most people) than preventing AI takeover caused by catastrophic misalignment; see here for more discussion. Mitigations for bioterrorism In this section, I'll describe how I imagine handling bioterrorism risk for an AI lab deploying powerful models (e.g., ASL-3/ASL-4). As I understand it, the main scenario by which LLMs cause bioterrorism risk is something like the following: there's a team of relatively few people, who are not top experts in the relevant fields but who want to do bioterrorism for whatever reason. Without LLMs, these people would struggle to build bioweapons - they wouldn't be able to figure out various good ideas, and they'd get stuck while trying to manufacture their bioweapons (perhaps like Aum Shinrikyo). But with LLMs, they can get past those obstacles. (I'm making the assumption here that the threat model is more like "the LLM gives the equivalent of many hours of advice" rather than "the LLM gives the equivalent of five minutes of advice". I'm not a biosecurity expert and so don't know whether that's an appropriate assumption to make; it probably comes down to questions about what the hard steps in building catastrophic bioweapons are. And s...

In this episode, the hosts discuss Privileged Identity Management (PIM) and common misconceptions and mistakes related to its configuration. They cover topics such as configuring MFA in PIM, different MFA experiences, mitigations for MFA in PIM, authentication context in PIM, requiring approval to activate roles in PIM, considerations for role activation, mitigating role lockout, and using PIM for non-Microsoft apps. They also highlight the ability to use PIM for non-Azure resources, expanding its functionality beyond traditional Azure roles. Takeaways Privileged Identity Management (PIM) allows for just-in-time activation of privileged roles. Configuring MFA in PIM can have different experiences depending on the authentication method used. Mitigations for MFA in PIM include setting a lower sign-in frequency and not allowing persistent sessions. Authentication context in PIM allows for additional conditional access policies to be applied after authentication. Requiring approval to activate roles in PIM can help ensure proper oversight and control. Mitigating role lockout in PIM involves having a break glass account for emergency access. PIM can be used for non-Microsoft apps, allowing for just-in-time elevation of privileges. Expanding PIM to non-Azure resources opens up new possibilities for managing privileged access. ------------------------------------------- Youtube Video Link: ⁠https://youtu.be/uagtZ4KyB8k⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ------------------------------------------- Documentation: https://campbell.scot/pim-common-microsoft-365-security-mistakes-series/ ---------------------- Contact Us: Website: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://bluesecuritypod.com⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/bluesecuritypod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Threads: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.threads.net/@bluesecuritypodcast⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Linkedin: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/company/bluesecpod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Youtube: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.youtube.com/c/BlueSecurityPodcast⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Twitch: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.twitch.tv/bluesecuritypod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ------------------------------------------- Andy Jaw Mastodon: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://infosec.exchange/@ajawzero⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/ajawzero⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/andyjaw/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Email: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠andy@bluesecuritypod.com⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ------------------------------------------- Adam Brewer Twitter: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://twitter.com/ajbrewer⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ LinkedIn: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠https://www.linkedin.com/in/adamjbrewer/⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Email: ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠adam@bluesecuritypod.com --- Send in a voice message: https://podcasters.spotify.com/pod/show/blue-security-podcast/message

Welcome to the latest episode of Storm⚡️Watch, where we delve into the most recent cybersecurity events and trends.  We are also joined by our friends at Trinity Cyber.  In this episode, we're excited to announce the arrival of TAGSMAS! This is a special event where we celebrate the power of tags in cybersecurity and how they can help us better understand and respond to threats. We start the show with the team over at Trinity Cyber, with an in-depth discussion about what they do and how they and GreyNoise partner to keep organizations (and humans) safe. The episode continues with a security bulletin from New Relic, who recently identified unauthorized access to their staging environment. This environment provides insights into customer usage and certain logs, but does not store customer telemetry and application data. The unauthorized access was due to stolen credentials and social engineering related to a New Relic employee account. The unauthorized actor used the stolen credentials to view certain customer data within the staging environment. Customers confirmed to be affected by this incident have been notified and given recommended next steps. Importantly, there is no evidence of lateral movement from the staging environment to customer accounts in the separate production environment or to New Relic's production infrastructure. Next, we discuss a phishing campaign targeting WordPress users. The campaign tricks victims into installing a malicious backdoor plugin on their site. The phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user's site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a “Patch” plugin and install it. If the victim downloads the plugin and installs it on their WordPress site, the plugin is installed with a slug of wpress-security-wordpress and adds a malicious administrator user with the username wpsecuritypatch. The malicious plugin also includes functionality to ensure that this user remains hidden.  In our shameless self-promotion segment, we highlight some of our recent work at GreyNoise Labs. We've been busy analyzing and documenting various cybersecurity threats and trends, and we're excited to share our findings with you. Be sure to check out our latest posts on the GreyNoise blog and sign up for our Noiseletter to stay up-to-date with our latest research. We also discuss some recent vulnerabilities, including a Google Skia Integer Overflow Vulnerability (CVE-2023-6345), an ownCloud graphapi Information Disclosure Vulnerability (CVE-2023-49103), and two Apple Multiple Products WebKit vulnerabilities (CVE-2023-42917 and CVE-2023-42916). These vulnerabilities highlight the ongoing need for robust cybersecurity measures and the importance of staying informed about the latest threats. Finally, we discuss a recent CISA alert about the Iranian military organization IRGC. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors. Thank you for joining us for this episode of Storm⚡️Watch. We look forward to bringing you more insights into the world of cybersecurity in our next episode. Episode Slides >> Join our Community Slack >> Learn more about GreyNoise >>    

Dr. Katarina Koerner, a renowned advisor and community builder with expertise in privacy by design and responsible AI, joins Chris and Robert to delve into the intricacies of responsible AI in this episode of the Application Security Podcast. She explores how security intersects with AI, discusses the ethical implications of AI's integration into daily life, and emphasizes the importance of educating ourselves about AI risk management frameworks. She also highlights the crucial role of AI security engineers, the ethical debates around using AI in education, and the significance of international AI governance. This discussion is a deep dive into the world of AI, privacy, security, and ethics, offering valuable insights for tech professionals, policy makers, and individuals alike.Links:UNESCO Recommendation on the Ethics of Artificial Intelligence:  https://www.unesco.org/en/artificial-intelligence?hub=32618OECD AI Principles: https://oecd.ai/en/ai-principlesWhite House Blueprint for an AI Bill of Rights: https://www.whitehouse.gov/ostp/ai-bill-of-rights/NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-frameworkNIST Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations: https://csrc.nist.gov/pubs/ai/100/2/e2023/ipdMicrosoft Responsible AI Standard, v2: https://www.microsoft.com/en-us/ai/principles-and-approach==> Microsoft Failure Modes in Machine Learning: https://learn.microsoft.com/en-us/security/engineering/failure-modes-in-machine-learningENISA Securing Machine Learning Algorithms: https://www.enisa.europa.eu/publications/securing-machine-learning-algorithmsGoogle Secure AI Framework (SAIF): https://developers.google.com/machine-learning/resources/saif==> Google Why Red Teams Play a Central Role in Helping Organizations Secure AI Systems: https://services.google.com/fh/files/blogs/google_ai_red_team_digital_final.pdfRecommended Book:The Ethical Algorithm: The Science of Socially Aware Algorithm Design  by Michael Kearns and Aaron Roth: https://global.oup.com/academic/product/the-ethical-algorithm-9780190948207?cc=us&lang=en&FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CISA adds to its Known Exploited Vulnerability Catalog. Attacks against industrial systems. DNV is recovering from ransomware. Chinese cyberespionage is reported against Iran. The persistence of nuisance-level hacktivism. Robert M. Lee from Dragos outlines pipeline security. Our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust. And a side-effect of Russia's war: a drop in paycard fraud. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/11 Selected reading. Bolster Your Company Defenses With Zero Trust Edge (iBoss) CISA Adds One Known Exploited Vulnerability to Catalog (CISA) GE Digital Proficy Historian (CISA) Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)  Siemens SINEC INS (CISA) Contec CONPROSYS HMI System (CHS) Update A (CISA) Nozomi Networks Researchers Take a Deep Look into the ICS Threat Landscape (Nozomi Networks) A look at IoT/ICS threats. (CyberWire) DNV's fleet management software recovering from ransomware attack. (CyberWire) DNV says up to 1,000 ships affected by ransomware attack (Computing) Ransomware attack on maritime software impacts 1,000 ships (The Record from Recorded Future News) Chinese Playful Taurus Activity in Iran (Unit 42) Playful Taurus: a Chinese APT active against Iran. (CyberWire) Russian hackers allegedly tried to disrupt a Ukrainian press briefing about cyberattacks (Axios) Russia's Ukraine War Drives 62% Slump in Stolen Cards (Infosecurity Magazine) Annual Payment Fraud Intelligence Report: 2022 (Recorded Future)

Watch on YouTube About the show Sponsored by Microsoft for Startups Founders Hub. Connect with the hosts Michael: @mkennedy@fosstodon.org Brian: @brianokken@fosstodon.org Show: @pythonbytes@fosstodon.org Join us on YouTube at pythonbytes.fm/stream/live to be part of the audience. Usually Tuesdays at 11am PT. Older video versions available there too. Michael #1: Secure maintainer workflow by Ned Batchelder We are the magicians, but also the gatekeepers for our users Terminal sessions with implicit access to credentials first is unlikely: a bad guy gets onto my computer and uses the credentials to cause havoc second way is a more serious concern: I could unknowingly run evil or buggy code that uses my credentials in bad ways. Mitigations 1Password: where possible, I store credentials in 1Password, and use tooling to get them into environment variables. Side bar: Do not use lastpass, see end segment I can have the credentials in the environment for just long enough to use them. This works well for things like PyPI credentials, which are used rarely and could cause significant damage. Docker: To really isolate unknown code, I use a Docker container. Brian #2: Tools for parsing HTML and JSON Learned these from A Year of Writing about Web Scraping in Review Parsel - extract and remove data from HTML using XPath and CSS selectors jmespath - “James Path” - declaratively specify how to extract elements from a JSON document Michael #3: git-sizer Compute various size metrics for a Git repository, flagging those that might cause problems. Tip, partial clone: git clone --filter=blob:none URL # Stats for training.talkpython.fm # Full: git clone repo Receiving objects: 100% (118820/118820), 514.31 MiB | 28.83 MiB/s, done. Resolving deltas: 100% (71763/71763), done. Updating files: 100% (10792/10792), done. 1.01 GB on disk # Partial: git clone --filter=blob:none repo Receiving objects: 100% (10120/10120), 220.25 MiB | 24.92 MiB/s, done. Resolving deltas: 100% (1454/1454), done. Updating files: 100% (10792/10792), done. 694.4 MB on disk Partial clone is a performance optimization that “allows Git to function without having a complete copy of the repository. The goal of this work is to allow Git better handle extremely large repositories.” When changing branches, Git may download more missing files. Not the same as shallow clones or sparse checkouts Consider shallow clones for CI/CD/deployment Sparse checkouts for a slice of a monorepo Brian #4: Dataclasses without type annotations Probably file this under “don't try this at home”. Or maybe “try this at home, but not at work”. Or just “that Brian fella is a bad influence”. What! It's not me. It's Adrian, the dude that wrote the article. Unless you're using a type checker, for dataclasses, “… use any type you want. If you're not using a static type checker, no one is going to care what type you use.” @dataclass class Literally: anything: ("can go", "in here") as_long_as: lambda: "it can be evaluated" # Now, I've noticed a tendency for this program to get rather silly. hell: with_("from __future__ import annotations") it_s: not even.evaluated it: just.has(to=be) * syntactically[valid] # Right! Stop that! It's SILLY! Extras Michael: LastPass story just keeps getting worse We will see problems in supply chains because of this too A whole 2 hour discussion diving into what I touched on: twit.tv/shows/security-now Got your new mac mini yet? Or MacBook Pro? Joke: Developer/maker, what's my purpose?

Elliot Jay O'Neill is joined by BT Calloway & Marty Bright to review;   S.30 E.15 “101 Mitigations”   This is a Side Quest Studios Production Huge THANK YOU to our Heroes over at Patreon Grant Prusi // 16_oz_mouse // Philip Wolf // Timothy Burleson // Chris Tar // AlmightyK // Azoko Loko // Freezer // Stephanie // David James Young // Paul Salt // Paul Goodman   You too can become a Hero by supporting us on Patreon and you'll unlock a bonus podcast every week plus access to our back catalogue of over 100 podcasts www.patreon.com/sidequeststudios    Pulp Fury Radio; our fiction anthology podcast. Season 1 available now at www.pulpfuryradio.com (or wherever you get your podcasts)   We also made a video, but it wasn't to appease a judge or whatever, it's a web series.  www.daveplusone.com    We reviewed Game of Thrones in reverse order on our podcast “Thrones Of Game” https://thronesofgame.podbean.com   All the links to our socials are here  Facebook  Twitter  Instagram

A couple of mitigations for a couple of ab testing challenges

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Using artificial intelligence (machine vision) to increase the effectiveness of human-wildlife conflict mitigations could benefit WAW, published by Rachel Norman on October 28, 2022 on The Effective Altruism Forum. 1. Overview This report explores using artificial intelligence (AI) to increase the effectiveness of human-wildlife conflict (HWC) mitigations in order to benefit wild animal welfare (WAW). Two concrete examples are providing more funding, research and direct work into reducing fatalities due to 1) collisions between bats and wind turbines, and 2) culling crop-raiding starlings. The report aims merely to raise awareness of this topic and introduce the idea for discussion, but not yet strongly suggest it is a cost-effective intervention on par with other interventions - see uncertainties, limitations, and potential for harm. What's the problem profile? HWC is increasing due to human expansions and climate change, (Gross et al., 2021) and is starting to be considered in government strategies and policy. The expected future impact of innovative and effective solutions to HWC could be even larger than currently appreciated. Lethal control or other methods which significantly impact animal welfare are still widely used (such as culling), despite preventative non-lethal strategies growing in more recent wildlife management approaches. Currently deployed AI systems directed towards HWC could be expanded further within the next 10-20 years as they become more reliable, more effective, and cheaper. We should not assume they will prioritize WAW concerns, or be widely used for animals of WAW concern, so this should be embedded before they are potentially rolled out at scale. There are already companies working on AI solutions for specific problems involving endangered species, such as protected areas using AI assisted technology for poacher detection. There is already proof-of-concept of an NGO-backed early warning AI system, ‘WildEyes', with this type of solution being invested in by a local governmental department in Tamil Nadu, India. Buy-in from a range of stakeholders (especially when it benefits humans and profits too) offers a way in with conservationists and researchers who may not otherwise consider WAW. Research and development (R&D) on AI-assisted HWC mitigations would likely attract researchers who would not otherwise consider or be motivated by WAW concerns. What should we be doing differently? A very tentative theory of change: if machine vision-based methods prevent HWC, they could be adopted, even on a small scale helps drop prices allowing for systems to be more widely adopted leads to more support and R&D continued price drops and adoption could create space for legislation to ban harmful or lethal methods of animal control preventing HWC could reduce apathy and antagonism towards “problem species” and make it easier for people to consider the welfare of animals, while also directly reducing negative WAW effects of HWC. This report highlights two examples of HWC where advocates could influence AI-assisted mitigation to directly affect substantial numbers of animals, and spread welfare considerations in software and norms: Wind turbine collisions are a leading anthropogenic cause of bat deaths and cause a significant number of bird deaths (600,000 to 949,000 bats and 140,000 to 679,000 birds annually in North America). We should expect fatalities to increase due to expansions in wind power. Culling of crop-raiding species. In one year, the USDA's Wildlife Services culled 1,028,642 European starlings responsible for agricultural crop damage, because other mitigations are ineffective. Despite this, starlings still cause extensive damage each year. More effective mitigation measures would hold value and could prevent culls. There are a number of r...

Breaking into Cybersecurity_ IAM the breach vector - Top 3 Mitigations The Breaking into Cybersecurity Leadership Series is an additional series focused on cybersecurity leadership and hearing directly from different leaders in cybersecurity (high and low) on what it takes to be a successful leader. For the Full Episode, subscribe to the following: https://anchor.fm/breakingintocybersecurity/subscribe Check out our new books: Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level: https://amzn.to/3443AUIHack the Cybersecurity Interview: A complete interview preparation guide for jumpstarting your cybersecurity career https://www.amazon.com/dp/1801816638/ About the hosts: Christophe Foulon focuses on helping to secure people and processes with a solid understanding of the technology involved. He has over ten years of experience as an Information Security Manager and Cybersecurity Strategist with a passion for customer service, process improvement, and information security. He has significant experience in optimizing the use of technology while balancing the implications to people, processes, and information security by using a consultative approach. https://www.linkedin.com/in/christophefoulon/ Find out more about CPF-Coaching at https://www.cpf-coaching.com Website: https://www.cyberhubpodcast.com/breakingintocybersecurity Podcast: https://anchor.fm/breakingintocybersecurity YouTube: https://www.youtube.com/c/BreakingIntoCybersecurity Linkedin: https://www.linkedin.com/company/breaking-into-cybersecurity/ Twitter: https://twitter.com/BreakintoCyber Twitch: https://www.twitch.tv/breakingintocybersecurity --- Send in a voice message: https://anchor.fm/breakingintocybersecurity/message

Breaking into Cybersecurity_ IAM the breach vector - Top 3 Mitigations The Breaking into Cybersecurity Leadership Series is an additional series focused on cybersecurity leadership and hearing directly from different leaders in cybersecurity (high and low) on what it takes to be a successful leader. For the Full Episode, subscribe to: https://anchor.fm/breakingintocybersecurity/subscribe Check out our new books: Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level: https://amzn.to/3443AUIHack the Cybersecurity Interview: A complete interview preparation guide for jumpstarting your cybersecurity career https://www.amazon.com/dp/1801816638/ About the hosts: Christophe Foulon focuses on helping to secure people and processes with a solid understanding of the technology involved. He has over 10 years as an experienced Information Security Manager and Cybersecurity Strategist with a passion for customer service, process improvement, and information security. He has significant experience in optimizing the use of technology while balancing the implications to people, processes, and information security by using a consultative approach. https://www.linkedin.com/in/christophefoulon/ Find out more about CPF-Coaching at https://www.cpf-coaching.com Website: https://www.cyberhubpodcast.com/breakingintocybersecurity Podcast: https://anchor.fm/breakingintocybersecurity YouTube: https://www.youtube.com/c/BreakingIntoCybersecurity Linkedin: https://www.linkedin.com/company/breaking-into-cybersecurity/ Twitter: https://twitter.com/BreakintoCyber Twitch: https://www.twitch.tv/breakingintocybersecurity --- Send in a voice message: https://anchor.fm/breakingintocybersecurity/message

Microsoft updates mitigations for ProxyNotShell. Lloyd's of London investigates a suspected cyberattack. Killnet hits networks of US state governments. The FBI and CISA weigh in on election security. Credential theft in the name of Zoom. Tim Eades from Cyber Mentor Fund on the move to early-stage investing in times of war and recession. Our guest is Nick Lumsden of Tenacity Cloud on cloud infrastructure sprawl. The former security chief at Uber was found guilty in a case involving data breach cover-up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/193 Selected reading. Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center) Microsoft updates guidance for ‘ProxyNotShell' bugs after researchers get around mitigations (The Record by Recorded Future) Microsoft Updates Mitigation for Exchange Server Zero-Days (Dark Reading)  Microsoft updates mitigation for ProxyNotShell Exchange zero days (BleepingComputer)  Lloyd's of London investigates possible cyber attack (Reuters) Insurance giant Lloyd's of London investigating cyberattack (The Record by Recorded Future) Russian-speaking hackers knock US state government websites offline (CNN)  Malicious Cyber Activity Against Election Infrastructure Unlikely to Disrupt or Prevent Voting (FBI and CISA) FBI: Cyberattacks targeting election systems unlikely to affect results (BleepingComputer)  Zoom: 1 Phish, 2 Phish Email Attack (Armorblox) Former Uber Security Chief Found Guilty of Obstructing FTC Probe (Wall Street Journal) Former Uber security chief convicted of covering up 2016 data breach (Washington Post) Uber's Former Security Chief Convicted of Data Hack Coverup (Bloomberg) Former Uber Security Chief Found Guilty of Hiding Hack From Authorities (New York Times) Former Uber CISO Joe Sullivan Found Guilty Over Breach Cover Up (SecurityWeek)

LA school data published on leak site Exchange zero-day mitigations bypassed Supreme Court will look legal protections for apps and sites Thanks to today's episode sponsor, Hunters Hunters helps your security team overcome data volume and complexity – while significantlyreducing false positives. Upwork uses Hunters SOC Platform to “remain threat focused”. Because of Hunters, Upwork has been able to stop going through the daily repetitive task of looking at alerts, and doing repetitive, manual investigations. Learn more at: Hunters.ai

Google closes on Mandiant Paying the iron price for Retbleed mitigation Meta hands over the keys to PyTorch Thanks to today's episode sponsor, Edgescan Edgescan offers a single platform solution that covers the full stack, from Web Applications to APIs to the Network and data layer. Continuous Attack Surface Management coupled with automated & strategic Pen-testing as a Service (PTaaS) yields fully scalable coverage.

In this week's episode the cybersecurity experts Bryan Hornung, Reginald Andre, Randy Bryan, and Ryan O'Hara discuss a ransomware attack by the Yanluowang ransomware group who has breached Cisco. Next, the team talks about a fallout of HanesBrands who was hit ransomware and the recap/ lessons they learned from this attack. Also, the crew jumps into some trends in ransomware and what these ransomware gangs are doing. Lastly, the experts briefly will get into a new ransomware group called Zeppelin and the alert that was put out. The FBI/ CISA put these alerts out not to scare but to mitigate this from happening to you and your business. Stay Tuned! Like and Subscribe! Articles that were used in the show: https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/ https://www.axios.com/2022/08/11/hanesbrands-ransomware-attack-earnings-report https://securityboulevard.com/2022/08/black-hat-insights-getting-bombarded-by-multiple-ransomware-attacks-has-become-commonplace/ https://www.darkreading.com/edge-threat-monitor/cybercriminals-weaponizing-ransomware-data-for-bec-attacks https://www.cisa.gov/uscert/ncas/alerts/aa22-223a

In this edition of the Soap Box podcast Okta's APAC CISO and former Risky Biz editor Brett Winterford talks about how attackers are getting much better at swiping session cookies via realtime phishing and malware. He also talks about some mitigation strategies to combat this threat and introduces the concept of continuous authentication. Show notes Defending against session hijacking

In this edition of the Soap Box podcast Okta's APAC CISO and former Risky Biz editor Brett Winterford talks about how attackers are getting much better at swiping session cookies via realtime phishing and malware. He also talks about some mitigation strategies to combat this threat and introduces the concept of continuous authentication. Show notes Defending against session hijacking

Helping us get Set for Sentencing this week, an amazing human who happens to be not only a former client, but also the subject of the first full-on sentencing mitigation video ever produced in Federal Court, almost twenty years ago!  I am so grateful that Dustin Arnold agreed to share his incredible journey from gifted student to deep addiction, from arrest to sentencing, and from rehabilitation to true redemption.   His story continues to inspire and amaze.  Dustin tells us what it feels like to put his fate and future in the hands of a lawyer.  He also talks about what it was like to tell his story in front of a camera for a "sentencing mitigation video".   What's a sentencing mitigation video, you ask?  Well, take a listen! We didn't know it at the time, but we were setting the wheels in motion for a completely new and powerful way to advocate.  Flash forward twenty years and the process is gaining momentum in courts all over the country.  Sentencing videos were even the subject of the Simpsons (S. 30, ep. 15, “101 Mitigations”).  So buckle up, and let's get Set For Sentencing! IN THIS EPISODE: What it feels like to be a client in the hands of a lawyer who isn't doing their job (and one who is); How the system can actually do more good then harm when the right resources and the right decision-makers are in place; Explanation of sentencing mitigation videos and how they can make all the difference in a case; A case study in why having discretionary sentencing (and a thoughtful judge) is vital; Mitigation videos are not simply for “wealthy” clients who are trying to "buy a lower sentence." This technique was born and raised in the office of the Federal Public Defender; Sentencing videos on The Simpsons?!; The seed that grew into the mighty oak – the evolution of mitigation filmmaking; Dustin's best advice, heart to heart, from a client to a lawyer; Who doesn't love a happy ending???? LINKS: The Simpsons, "101 Mitigations" Snippit of Dustin Arnold Sentencing Video FREE RESOURCE:  Doug Passon's Article from The Champion on Sentencing Mitgation Videos:  Using Moving Pictures to Build the Bridge of Empathy at Sentencing.   Click here to Download

Watch the video with slides at: https://youtu.be/y3lYUARfw-sAn in-depth look at recent research papers on the environmental consequences of nuclear war and some survival mitigations. This was pretty depressing work to make this.TimestampsIntro: 0:00Relations can degrade quickly: 2:14First impactful major nuclear winter study 1983: 3:56Intermediate-Range Nuclear Forces (INF) Treaty in December 1987: 4:26Nobody wants nuclear war - Treaties 4:55The thermonuclear bomb: 7:57Have you heard of Gnomon and Sundial nuclear devices (gigaton)?: 11:12Terragrams: 16:30Limited Nuclear War Research (India versus Pakistan): 19:00Full-scale nuclear war research (2008 paper): 25:32Full-scale nuclear war research (2019 paper): 39:26Some brief talk about prepping: 52:02Topics I want to look at future videos 1:03:0080s paper on Nuclear Winter: Global Consequences of Multiple Nuclear Explosions:https://www.science.org/doi/10.1126/science.222.4630.1283Joint Statement of the Leaders of the Five Nuclear-Weapon States on Preventing Nuclear War and Avoiding Arms Races:https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/03/p5-statement-on-preventing-nuclear-war-and-avoiding-arms-races/2020 limited war study:https://www.pnas.org/doi/full/10.1073/pnas.1919049117Environmental consequences of nuclear war 2008:https://physicstoday.scitation.org/doi/10.1063/1.3047679Nuclear Winter Responses to Nuclear War Between the United States and Russia in the Whole Atmosphere Community Climate Model Version 4 and the Goddard Institute for Space Studies ModelE:https://agupubs.onlinelibrary.wiley.com/doi/10.1029/2019JD030509Sundial Bomb paper:https://thebulletin.org/2021/11/the-untold-story-of-the-worlds-biggest-nuclear-bomb/#%3A~%3Atext%3DSo%20a%2010-megaton%20bomb%2C20.3%20miles%20(33%20kilometers).https://www.rbth.com/opinion/2016/01/05/nuclear-overkill-the-quest-for-the-10-gigaton-bomb_556351

SpaceX's plans for launching Starship to orbit from Boca Chica cleared an environmental review with the FAA, but more than 75 mitigations are required in order to receive a launch license to carry out flights in the future.This episode of Main Engine Cut Off is brought to you by 41 executive producers—Simon, Lauren, Kris, Pat, Matt, Jorge, Ryan, Donald, Lee, Chris, Warren, Bob, Russell, Moritz, Joel, Jan, David, Joonas, Robb, Tim Dodd (the Everyday Astronaut!), Frank, Julian and Lars from Agile Space, Tommy, Matt, The Astrogators at SEE, Chris, Aegis Trade Law, Fred, Hemant, Dawn Aerospace, Andrew, Harrison, and seven anonymous—and 799 other supporters.TopicsFAA Requires SpaceX to Take Over 75 Actions to Mitigate Environmental Impact of Planned Starship/Super Heavy Launches | Federal Aviation AdministrationSpaceX on Twitter: “One step closer to the first orbital flight test of Starship”FAA environmental review to allow Starship orbital launches after changes - SpaceNewsFAA moves SpaceX a step closer to receiving Starship launch license – Spaceflight NowThe ShowLike the show? Support the show!Email your thoughts, comments, and questions to anthony@mainenginecutoff.comFollow @WeHaveMECOListen to MECO HeadlinesJoin the Off-Nominal DiscordSubscribe on Apple Podcasts, Overcast, Pocket Casts, Spotify, Google Play, Stitcher, TuneIn or elsewhereSubscribe to the Main Engine Cut Off NewsletterBuy shirts and Rocket Socks from the Main Engine Cut Off ShopMusic by Max JustusArtwork photo by NASA

3 Cultural Obstacles to Successful DevSecOps ImplementationWhen our goal is to change security culture we must consider how to influence our developers while still caring for their needs. This article shares helpful insight into implementing successful security culture change within an organization. Brenna Leath -- Product Security Leads: A different way of approaching Security ChampionsBrenna Leath, head of product security at SAS, visited the Application Security Podcast to share her insight on security champions and how she approaches this role in her organization with product security leads. We hope you enjoy this conversation with...Brenna Leath. How GO Mitigates Supply Chain AttacksThis post, from the GO blog, dives into how this coding language mitigates supply chain attacks. GitHub can now auto-block commits containing API keys, auth tokensIt is vital to keep private information, such as API keys, passwords and authentication tokens, secure. GitHub recently released a new update that scans code for this sensitive information before committing the code to a repository.If you're not using SSH certificates you're doing SSH wrong If you use SSH without certificates, this story may make you uneasy. The author argues why we shouldn't be using SSH with anything other than certificates in the modern day.

Guillaume et Emmanuel discutent de l'état des versions de Java utilisées, de Java String template, et de beaucoup de failles de sécurité. On pourra presque se renommer Les Cast Sécu ;P On y ressussite aussi la rubrique débutant et discutons du piège de la classe URL. Enregistré le 20 mai 2022 Téléchargement de l'épisode LesCastCodeurs-Episode–279.mp3 News Langages L'état de Java selon newrelic Java 11 commence enfin à être utilisé plus que Java 8 en prod (48% vs 46%) Dans les versions non LTS, c'est Java 14 qui a l'air d'avoir le plus de succès non LTS en prod est 2,7% Après Oracle, c'est la distrib de AWS qui est pas mal utilisée suivi par adoptium Beaucoup d'utilisation de Java dans des containeurs (70%) avec 1 seul core, donc aussi moins de bénéfices dans l'utilisation de G1 pour le GC Toujours dans les containeurs, les applis Java tournent souvent avec moins de 512MB de RAM (45%) String templates en Java les string template c'est ce qui a fournit log4shell donc attention Replace certains usages de stringbuilder , stringfromat et messageformat Beaucoup de langages offrent ça (bash ahah) Exemple d'usage html, json, yaml etc Ils veulent permettre des règles de transformations et de validation (escape caractère) Peut même éviter le,passage par l'étape du passeur Objet template a le template et la policy Embedded expressions: chaînes de caractères, arithmétique, invoque méthodes ou champs, pas besoin d'échapper les double guillemets. Lignes multiples Quid capture des variables locales sans l'avis du développeur. Pas d'exemple meta où le template est importé ou construit. Un article détaillé sur ce qui est nouveau niveau GC dans Java 18 Librairies Quarkus 2.8 et 2.9 WebAuthN Confluent Schema Registry Kotlin Scala RESTEasy Reactive est la couche par défaut GraalVM 22 Elasticsearch Dev Services Outillage Un nouveau décompilateur avec du code plus lisible Tous plus ou moins un fork de celui d'intellij maintenu par JetBrains, le fork d'avant est de Minecraft Reconstruit des constructions de plus haut niveau et plus moderne. Exemples Sécurité Une vulnérabilité dans struts 2 Un problème qui n'avait été que partiellement corrigé. Lié à OGNL'et une double évaluation via %{…} sur du contenu venant de l'utilisateur. Le gros trou de sécu sur les signatures Java 15–18 attaque sur les approches ECDSA (elliptic curve digital signature algorithm), typiquement plus modernes cibles Java web start, Java applets, web services qui utilisent ECDSA (JWT, SAML, OIDC Id tokens, WebAuthN version Oracle Java 7, 8, 11, 15, 16, 17, 18, OpenJDK 15, 17, 18 (backport Oracle) Comme un psychic paper de dr who: peut signer numériquement un papier sans infos (paramètres de la courbe peuvent être à 0 ce qui permet de valider tous les messages (0) L'interprétation pour un framework comme Quarkus Spring4Shell avec risque de remote code execution (unfolding) Mitigations: mettre a jour 5.x, mettre a jour tomcat (tactique), setDisallowedField pour excludes les accès aux getter/setter class, passer a Java 8 La RCE est basée sur la navigation non restreinte de class.module.classLoader Spring MVC Early Announcement Spring Cloud exploit announcement Spring MVC Exploit Announcement Spring4Shell HelpNetSecurity assessment Spring4Shell Sonatype Assessment Qualys assessment Personal Security Checklist Recense les bonnes pratiques en terme de sécurité numérique Selon différents thèmes Authentication Browsing the Web Email Secure Messaging Social Media Networks Mobile Phones Personal Computers Smart Home Personal Finance Human Aspect Physical Security Google offre aux clients Google Cloud des libairies validées en sécurité Une équipe de maintenance Open Source chez Google Loi, société et organisation Apple va supprimer au téléchargements les applis non mises a jour depuis 3 ans et peu téléchargées ça a fait réagir et râler Des applis finies Mais surtout une résumassions c'est du taf (nouvelles règles, peut être mise à jour de framework) Du cote de Apple c'est nettoyer un peu la longue queue d'applis Et encourager les gens à rester au top (eg privacy infos) Les duchesses ferment leur slack aux hommes pas fait de gaité de cœur mais réaction aux événements temps des Modérations plus passe sur les posts d'hommes que de femmes Sensation de pas laisser la place aux femmes Maladresses et manques de respect Coupé dynamisme et la sécurité de parole Et beaucoup d'hommes et du coup sentiment d'épier Les duchess feront toujours des événements mixtes mais cet espace avait perdu son utilité première Comment la guerre en Ukraine ébranle la tech russe fragilisation fuite des cerveaux (depuis 2014 et la crimée (cerveaux emprunts de plus de liberté) manque .5 à 1 millions de developpeurs Karspersky et les doutes de ses clients (80% du chiffre d'affaire à l'étranger) Yandex moteur de recherche protégé car marcher local mais démission du CEO Default de paiement (endettement) e.g. VK 400 millions de dollars Envisager de raid de disque dur pour consommation locale Outils de l'épisode Faire le la configuration conditionnelle dans git includeIf permet de faire la condition Utile pour changer l'email entre bureau et perso par exemple. [aheritier] je le fais souvent avec des repertoires différents pour boulot vs oss/perso Rubrique débutant La comparaison des URL Les URLs sont égales si les IP sont égales donc DNS lookup donc pas constant pour la vie de l'instance de JVM vive les hash des Set et Map :) Conférences JavaDay au Paris JUG: Le futur de Java - le 22 juin 2022 Nous contacter Soutenez Les Cast Codeurs sur Patreon https://www.patreon.com/LesCastCodeurs Faire un crowdcast ou une crowdquestion Contactez-nous via twitter https://twitter.com/lescastcodeurs sur le groupe Google https://groups.google.com/group/lescastcodeurs ou sur le site web https://lescastcodeurs.com/

In this episode we are going to look at Network Attack Mitigations.We will be discussing The Defense-in-Depth Approach, Keep Backups, Upgrade, Update, and Patch, Authentication, Authorization, and Accounting, Firewalls, Types of Firewalls, and finally Endpoint Security.Thank you so much for listening to this episode of my series on Introduction to Networks for the Cisco Certified Network Associate (CCNA).Once again, I'm Kevin and this is KevTechify. Let's get this adventure started.All my details and contact information can be found on my website, https://KevTechify.com-------------------------------------------------------Cisco Certified Network Associate (CCNA)Introduction to Networks v1 (ITN)Episode 16 - Network Security FundamentalsPart C - Network Attack MitigationsPodcast Number: 84-------------------------------------------------------Equipment I like.Home Lab ►► https://kit.co/KevTechify/home-labNetworking Tools ►► https://kit.co/KevTechify/networking-toolsStudio Equipment ►► https://kit.co/KevTechify/studio-equipment 

What are the energy challenges in the Lebanese industrial sector, and how can we boost Lebanon’s economy by increasing and structuring its industry practically and economically? Laury Haytayan, MENA director at the Natural Resource Governance Institute (NRGI) hosts Paul Abi Nasr, CEO of POLYTEXTILE and Board Member at Association Of Lebanese Industrialists ALI. Energy Espresso is a solution-oriented podcast that will answer all your questions on the status and future of Energy in Lebanon and how Renewable Energy can help the energy transition.

For our second special for Earth Week, we are talking to Bilge who works as a research scientist at Meta AI. Her open-source project Carbon Explorer evaluates solutions to make data centres operate on 24/7 renewable energy. Why this is easier said than done and how engineers can help within their day-to-day work to reduce their carbon footprint are among the many things Pascal and Bilge discuss in this episode.   Got feedback? Send it to us on Twitter (https://twitter.com/metatechpod), Instagram (https://instagram.com/metatechpod) and don't forget to follow our host @passy (https://twitter.com/passy). Fancy working with us? Check out https://www.metacareers.com/. Links: Carbon Explorer: https://github.com/facebookresearch/CarbonExplorer Holistic Approach for Designing Carbon Aware Datacenters: https://arxiv.org/abs/2201.10036 Open Catalyst: https://opencatalystproject.org/ Open Catalyst SchrepTech Interview: https://ai.facebook.com/blog/how-ai-is-helping-address-the-climate-crisis/ Timestamps: Intro 0:05 Intro Bilge 2:18 Optimising for the Environment 4:01 Carbon Explorer 5:02 Mitigations for Renewable Intermittency 7:17 Operational and Embodied Footprints 10:57 Motivations for Carbon Explorer 13:06 Battery Storage 14:36 Renewable Curtailment 15:52 Empowering Engineers 18:20 Carbon Intensity APIs 19:22 AI Carbon Intensity Forecasts 22:07 Carbon Metrics 23:17 Where to Learn More 25:38 Outro 27:32 Bloopers 29:45

The allied cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia's invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and US allies and partners. AA22-110A Alert, Technical Details, and Mitigations. March 21, 2022, Statement by U.S. President Biden. CISA Shields Up Technical Guidance. Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure. Joint Cyber Defense Collaborative Australian Cyber Security Centre's (ACSC) Advisory. Canadian Centre for Cyber Security (CCCS) Cyber Threat Bulletin. National Cyber Security Centre New Zealand (NZ NCSC) General Security Advisory. United Kingdom's National Cyber Security Centre (NCSC-UK) guidance on how to bolster cyber defences in light of the Russian cyber threat. All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

To which extent is renewable energy a solution for our current electricity crisis? What are the top reforms that need to be made in order to fix the energy sector? Guests: Pierre El Khoury, LCEC President/Director-General

In this episode, E&S Grounding Solutions President David Stockin continues looking at an example of lightning striking a large metal tower. The connection between electrodes and earth will determine the potential difference across the ground, so it is important to understand what causes the potential difference and why engineers should work to minimize that difference. The formation of electromagnetic fields and step and touch voltages are other factors to consider in the design and analysis of a grounding system. Mitigations are possible by adding copper wire, copper ground ring(s), and electrodes that are specially-designed to help dissipate leakage current. Many of the principles applying to a large metal tower could apply to other structures. For a video of this podcast, please visit our YouTube Channel at E&S Grounding Solutions. For more information or to sign up for some of our world-renowned educational classes, please visit our website at www.ESgrounding.comPlease follow us on Social MediaPlease follow us on Social Media for updates and behind the scenes info:Instagram:@AskTheGroundingExperts@ESgroundingFacebook:https://www.facebook.com/esgroundingYouTube:https://www.youtube.com/channel/UCWWjcaK6ozQI5DCF0wf58HQ

Comprehensive coverage of the day's news with a focus on war and peace; social, environmental and economic justice. 10 dead, 150 remain missing in Florida after apartment building collapses. California lawmakers set to approve budget with a $1 billion windfall. Dozens arrested at White House demanding greater climate protections in infrastructure bill. California adds 5 more states to it's travel ban of states that violate LGBTQ rights. Supporters of bill to decriminalize psychedelics in California speak ahead of assembly hearing. Two Catholic churches on indigenous land in Canada burned to the ground. Memorial service held for Tyrell Wilson, black man killed by white Contra Costa County Sheriff, Andrew Hall. San Francisco Supervisor Matt Haney urges increase in 24 hour bathrooms in city. Photo of protesters at White House 6-28-21 by Sunrise Movement @sunrisemvmt. The post Dozens of climate justice activists arrested outside White House, demanding robust climate mitigations in infrastructure bill; California adds 5 more to it's travel ban of states that violate LGBTQ rights; Supporters of bill to decriminalize psychedelics in California speak ahead of assembly hearing appeared first on KPFA.

Mitigations against Mimikatz Style Attacks https://isc.sans.edu/forums/diary/Mitigations+against+Mimikatz+Style+Attacks/24612/ LibreOffice Macro Vulnerability https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html Firefox 65 Breaks HTTPS AV Scanning https://bugzilla.mozilla.org/show_bug.cgi?id=1523701 RDP Client Vulnerabilities https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/ DNS "Lookingglass" https://isc.sans.edu/tools/dnslookup.html