Podcasts about nist

Measurement standards laboratory in the United States

  • 1,167 podcasts
  • 3,045 episodes
  • 38m average duration
  • 5 weekly new episodes
  • Jun 12, 2026 latest episode

Latest podcast episodes about nist

GREY Journal Daily News Podcast
How Is DHS Cyber Modernization Changing Federal Procurement?
Jun 12, 2026 · 1:44


The Department of Homeland Security is pushing cyber modernization across civilian agencies through CISA programs such as zero trust implementation, Continuous Diagnostics and Mitigation, and Trusted Internet Connections 3.0. Budget requests have kept CISA funding near $3 billion, supporting multi-year investments in detection, response, and workforce. Leadership from Secretary Alejandro Mayorkas, CISA Director Jen Easterly, and DHS CIO Eric Hysen emphasizes joint defense, binding directives, and cross-component coordination. Workforce constraints persist despite the Cyber Talent Management System, prompting greater use of training and managed services. Acquisition relies on vehicles like FirstSource III, PACTS III, GSA MAS, NASA SEWP, and CDM DEFEND task orders. Compliance requirements now center on OMB secure software guidance, NIST control baselines, FIPS 140-3, and FedRAMP. Vendors that map capabilities to CISA's Zero Trust Maturity Model and prepare attestations and authorizations can better align to agency buying priorities.
Learn more on this news by visiting us at: https://greyjournal.net/news/ Hosted on Acast. See acast.com/privacy for more information.

HPE Tech Talk
Are we ready for the quantum age of computing?
Jun 11, 2026 · 19:17


Are we prepared for the deployment of a functional quantum computer? This week, Technology Now is returning to the topic of post-quantum cryptography. We ask why the deadline for migrating to PQC-enabled systems has been moved up, we discover what a quantum computer actually needs to be cryptographically relevant, and we pose the question: when it comes to migrating your systems to quantum-resistant forms of encryption, could it already be too late for some people to start?
This is Technology Now, a weekly show from Hewlett Packard Enterprise. Every week, hosts Michael Bird and Sam Jarrell look at a story that's been making headlines, take a look at the technology behind it, and explain why it matters to organizations.

La Martingale
#321 - AI and quantum: the new threat to your money - Charles Guillemet
Jun 11, 2026 · 58:08


The topic: In the age of AI, security is no longer optional. The cost and time needed to exploit a system's flaws are disappearing. But the worst may be yet to come. Today's cryptography is threatened by quantum computing, calling many protocols into question. This new situation is forcing a migration of all critical systems to post-quantum by 2030, a deadline set by NIST. In this context, the security of our digital assets, from our crypto to our passwords, has never been so precarious.
Today's guest: Charles Guillemet is the CTO of Ledger. Speaking with Matthieu Stefani, he warns of the imminent security catastrophe brought on by AI and quantum computing, and details defensive strategies, from the hardware wallet to the "25th word".
On the program:
00:00:00: Ledger's mission: securing systems
00:01:54: Where your Bitcoins are really "stored"
00:04:49: How to secure your crypto (without risking losing everything)
00:08:30: Why AI threatens the security of your wallets: the defense/attack asymmetry
00:17:47: Are traditional banks safe?
00:20:30: Quantum: what are the real use cases
00:24:49: Q-Day: the world will have to change
00:30:51: Your phone is your worst vulnerability
00:36:27: The worst passwords to use
00:38:07: Proof of identity: AI and deepfakes
00:41:39: France and the lack of security: how to protect yourself
Perks: Good news! We have negotiated an exclusive perk for you: get $10 in Bitcoin when you buy a Ledger. To take advantage of it, go to: https://www.ledger.com/lamartingale
Thanks to our partner eToro for supporting La Martingale. Go to etoro.com and take control of your investments. E-T-O-R-O dot com. eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk.
The open-mic show of your favourite podcast, Allo La Martingale, now has its own feed! Subscribe on Spotify, Apple Podcasts or your favourite audio platform so you never miss a new episode. To subscribe to the newsletter, go here: https://lamartingale.io/ La Martingale is also an AI assistant that gives you informed answers drawn from the contributions of the experts who have appeared on the podcast. To try it, head to https://beta.lamartingale.io
La Martingale is an Orso Media outlet. Want to get in touch with the editorial team? Or propose a collaboration? Write to us here: https://orsomedia.io/contact
Hosted by Audiomeans. Visit audiomeans.fr/politique-de-confidentialite for more information.

The Post-Quantum World
The Race to Save Bitcoin – with Chris Tam of BTQ
Jun 10, 2026 · 36:54


Is the ultimate cryptocurrency ticking toward a sudden, quantum-powered collapse? In this episode, Chris Tam, President and Head of Innovation at BTQ, joins host Konstantinos Karagiannis to shatter the comforting illusions many Bitcoiners still hold about the quantum computing threat. While many assume that a Q-Day attack would only disrupt future mining, Tam exposes the true, terrifying reality: quantum computers utilizing Shor's algorithm are on an exponential trajectory to cracking the elliptic curve cryptography that safeguards individual wallets. Even worse, recent upgrades like Taproot have inadvertently introduced more vulnerable public keys into the ecosystem, making a network upgrade more complex than ever.
The real crisis isn't just finding a cryptographic fix: it's time. Experts warn that migrating the entire decentralized Bitcoin network to a post-quantum standard could take upwards of seven years, but the network simply lacks the block space to move everyone before quantum adversaries are predicted to break the encryption. To bypass the political gridlock of Bitcoin core development, Tam details how BTQ surgically built a working, post-quantum Bitcoin Quantum testnet to experiment with solutions like BIP 360 in the real world. From the catastrophic ripple effects a Bitcoin hack would have on traditional financial markets to BTQ's pioneering work on day-one quantum-resistant stablecoins in South Korea, this episode is an urgent, eye-opening wake-up call for anyone holding digital assets.
For more information on BTQ, visit www.btq.com/. Visit Protiviti at www.protiviti.com/US-en/technology-consulting/quantum-computing-services to learn more about how Protiviti is helping organizations get post-quantum ready. Follow host Konstantinos Karagiannis on all socials: @KonstantHacker. Questions and comments are welcome! Theme song by David Schwartz, copyright 2021.
The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by, Protiviti Inc., The Post-Quantum World, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered investment advice, as an offer or solicitation of an offer to buy or sell, or as an endorsement of any company, security, fund, or other securities or non-securities offering. Thanks for listening to this podcast. Protiviti Inc. is an equal opportunity employer, including minorities, females, people with disabilities, and veterans.

PolySécure Podcast
News - June 7, 2026 - Because... it's episode 0x306!
Jun 8, 2026 · 48:57


Because… it's episode 0x306!
Shameless plug
- June 24 and 25, 2026 - Troopers
- June 26 and 27, 2026 - leHACK
- June 30 to July 2, 2026 - Pass the SALT
- September 19, 2026 - Bsides Montréal
- September 20 to 26, 2026 - BruCON
- November 13, 2026 - DEATHCon
- November 16 to 19 - European Cyber Week
- December 1 to 3, 2026 - Forum INCYBER - Canada 2026
- February 24 and 25, 2027 - SéQCure 2027
Notes
AI, or Ghost in the Shell
Mythos
- Anthropic invites EU to access Mythos hacking tech
- Anthropic scales Claude Mythos to critical infrastructure in 15+ countries
- Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations
- Kevin Beaumont: “Mythos is not great btw. Runni…” - Cyberplace
- Free AI model powers self-spreading worm in enterprise test network
Instapassword
- Hackers Used Meta's AI Support Bot to Seize Instagram Accounts
- Instagram Meta AI Vulnerability Allegedly Enables Password Reset for Accounts
- Hackers duped Meta AI support chatbot to steal celebrity Instagram accounts
- Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers
- Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked
- Kevin Beaumont: “How people hacked Meta account…” - Cyberplace
Inject me that
- ChatGPT for Google Sheets Exfiltrates Workbooks
- New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS
- New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration
Irresponsible
- Florida sues OpenAI, Sam Altman after multiple ChatGPT-linked murders
- School shooting survivor sues AI gun detection firm after system failed to spot weapon
- AI Agents Get Their Own Directory Built Atop DNS
- Remove all LLM generated commits before people get hurt by this nonsense. · Issue #934 · RsyncProject/rsync
- Amazon Shuts Down Internal AI Leaderboard After Employees Cheated
- Open source project contains hidden instruction for “AI” agents: delete my code
- DOD wants to integrate cyber in all operations, and integrate security into AI
- Trump plan to test AI models has a problem—US security teams were gutted by DOGE
- Kevin Beaumont: “xAI have asked a court to stri…” - Cyberplace
- Commvault says it's time to rethink resiliency as AI crooks leave victims in a ‘dark, dead' state
- Attackers Use AI to Automate EDR Evasion Testing
- Pluralistic: Delusion as a service (04 Jun 2026) – Pluralistic: Daily links from Cory Doctorow
- These LLMs are the best at resisting Russian propaganda
- RAG Security and Privacy: Formalizing the Threat Model and Attack Surface
- From Attack Simulation to SIEM Rule: Deterministic Detection-as-Code Synthesis with Probe-Level Traceability
- Will the Agent Recuse Itself? Measuring LLM-Agent Compliance with In-Band Access-Deny Signals
- Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks
War, war, that's no reason to hurt each other!
- Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East
- Pentagon raised threat of Israeli spying on U.S. to highest level, sources say
Sovereignty, or long live free digital technology!
- EU plots long game against US digital supremacy
- OSI welcomes the European Union's “Tech Sovereignty” package
- Cable lobby warns of chaos if FCC doesn't relax ban on foreign routers
Privacy, or hide that information I must not see
- The Pentagon Finally Admits That Location Data Is a Battlefield Problem
- Age verification for social media – the beginning of the end for a free internet?
- Privacy isn't dead: it's just that tech companies have made it inconvenient
- Amazon-owned Ring should pay Americans for scanning their faces, lawsuit says
- Elon Musk tries again to escape FTC audits of X data handling
I am the law
- Policy-Compliant Cloud Storage Systems
- GrapheneOS user reported to authorities for using GrapheneOS
Red, or everything that is broken
Hide that fiasco I made
- Microsoft's Zero-Day Legal Threats Spark Backlash
- Microsoft Clarifies It Won't Sue Security Researchers Amid Nightmare-Eclipse Controversy
- Microsoft reaches for olive branch after public dustup with 0-day researcher
- Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away
- Another bug hunter leaks Microsoft exploits in defiance of company's handling of vulnerability disclosures
- Microsoft MSRC Allegedly Dismissed Dependency Confusion Vulnerability, Claims Researcher
Just LOL BIN BAS
- Kevin Beaumont: “Wake up babe, new lolbins and …” - Cyberplace
- Microsoft's Coreutils project brings Linux commands to Windows
- Microsoft Investigates MFA Setup Failure and MySigns-In Portal Outage
- Dozens of Red Hat packages backdoored through its official NPM channel
- Inspector general finds NIST mistakes have made vulnerability database ineffective
- On the X.Org server, nine new security flaws, eight of them uncovered by an AI
- HTTP/2 Bomb: a tiny request is enough to bring down nginx, Apache or IIS
Blue, or everything that improves our posture
- An Analysis of GrapheneOS's Server Infrastructure
- Android phones will soon be able to detect spoofed calls and impersonation scams
- Kernel-Level Ground Truth: Why eBPF is Replacing User-Space Agents for Security Observability
- Dashlane explains how attackers managed to download encrypted password vaults
- Let's Encrypt Unveils Merkle Tree Certificates to Secure the Web Against Quantum Threats
Miscellaneous, or because I have no idea where to put these
- The Infosec Phrasebook
- United Airlines Flight To Spain Pulls U-Turn Over Bluetooth Device Name
- Cyber Insurance Rates Are Dropping, but Exclusions Widen
- DNS is for people - not for IT infrastructure
- The US Military Quietly Turned GPS Into a Global ‘Numbers Station,' Evidence Suggests
- I led the 2014 U.S. CDC Ebola response. An action plan is needed now
- Teen social media ban risks strengthening Big Tech dominance: Bluesky
Contributors
Nicolas-Loïc Fortin
Credits
Editing by Intrasecure inc
Physical premises by Intrasecure inc

Business of Tech
Consumption-Based AI Billing Increases Financial Risk for Unprepared MSPs
Jun 5, 2026 · 13:46


The current structural shift centers on the transfer of accountability for AI risk from vendors and regulators to managed service providers (MSPs). Vendors such as Anthropic and Microsoft are expanding their enterprise-focused AI channel programs and services tracks, while regulators pull back from enforcement, leaving MSPs as the de facto accountable parties for AI deployments. Reports and data indicate that vendor-driven channel expansion and regulatory laxity are converging to make service providers the liable layer in AI delivery. Anthropic is broadening its CLAUDE partner network from around 100 to several thousand partners, organized in tiers with outcome-based incentives and a dedicated services track targeting MSPs and system integrators. Microsoft, responding to low Copilot adoption rates (reported at 3.3% of eligible users), is allowing full removal of Copilot from systems. An IDC/Expereo survey of 800 companies found 70% are budgeting for AI, but investment is driven more by competitive anxiety than proven results. Additionally, a concentrated group—top 5% of users—accounts for the bulk of enterprise AI-related risk, according to a separate analysis. Supporting developments include the emergence of Lemhi, an early-stage platform aimed at enabling MSPs to package and sell AI transformation as a recurring service, and warnings from lawmakers about cuts to CISA that undermine federal cyber defense capacity. The episode also highlights a consistent theme: government agencies such as the White House and NIST are shifting toward voluntary measures and measurement frameworks, declining to create enforceable accountability standards for AI in production environments. For MSPs and IT leaders, these developments translate to increased contract and operational risk. Without renegotiated agreements specifying usage ceilings, approval workflows, and liability terms, providers may inherit unpredictable financial exposure and compliance gaps.
The absence of effective governance requirements from both vendors and authorities places the operational burden on MSPs to define, monitor, and enforce safe use of AI, including recurring governance services such as data boundary enforcement and audit evidence. Failure to address these issues may result in MSPs acting as uninsured support for unmanaged AI deployments they cannot fully control or price.
00:00 MSP AI Play
04:24 AI's Accountability Gap
06:50 MSP Risk Transfer
09:49 Why Do We Care?
Supported by: ScalePad, Moovila

Ratgeber
Plant protection – hosting beneficial insects
Jun 5, 2026 · 6:43


In a diverse garden with a variety of nesting and overwintering opportunities, beneficial insects can settle in and keep "pests" in check year after year. On the to-do list right now: hang up nesting bells for earwigs, plant elder, stack a woodpile, plant grasses.
Hang earwig bells in berry bushes and fruit trees: whole earwig families hide during the day in the earwig bells (small clay pots filled with wood wool). At night they go hunting for aphids and for codling moth and oriental fruit moth larvae.
Plant elder at the compost site or a corner of the house: elder (Sambucus nigra) has nectaries on its stems and leaf stalks. They produce a sap rich in sugar and amino acids that attracts aphids. In spring this is an important food source for ladybirds and for the larvae of hoverflies and lacewings.
Stack small woodpiles in damp spots: the wood decomposes slowly, and in the resulting humus various ground beetles find shelter and places to overwinter. They eat slugs, slug eggs, Colorado potato beetles, winter moth caterpillars, etc.
Plant native grasses that are not cut back: in semi-shaded spots plant tufted hairgrass (Deschampsia caespitosa) and wood sedge (Carex sylvatica), and in pots snowy woodrush (Luzula nivea). The grass tussocks are overwintering sites for female parasitic wasps. In spring they lay their eggs on and in the caterpillars of the oriental fruit moth, codling moth and other pest moths, as well as in pollen beetles, aphids, scale insects and many more.

Unchained
The Chopping Block: Ethereum's Inflection Point w/ Joe Lubin on DATs, CROPS, AI-Driven Exploits, Quantum Threats, and CFTC's Perps
Jun 4, 2026 · 62:24


Joe Lubin makes the bull case for Ethereum amid a sea of bearishness. The panel dissects Saylor selling Bitcoin for the first time in four years, the meaning behind 9 senior EF departures, Justin Drake's Q-Day call (50% by 2032), Manuel Araoz declaring all of DeFi unsafe, the ThorChain hack fallout, the Zama/Overnight Finance USDC freeze saga, and the CFTC greenlighting the first US perpetual futures product. Welcome to The Chopping Block — where crypto insiders Haseeb Qureshi, Tom Schmidt, Tarun Chitra, and Robert Leshner chop it up about the latest in crypto. This week Joe Lubin is stepping in to make the bull case for ETH on what he admits is a tough day to be bullish. We open on Strategy's first Bitcoin sale in four years and whether the STRC preferred stock structure is "an algorithmic stablecoin with too many steps," as Tarun puts it. Joe pivots to pitching Ether DATs, then we get into the Ethereum Foundation's brain drain: nine researchers gone, CROPS as the new mandate, and a mysterious new developer organization taking shape behind the scenes. The episode's meatiest block covers DeFi security: Justin Drake warns Q-Day is 50% likely by 2032, Manuel Araoz says all of DeFi is unsafe, ThorChain's been offline for two weeks post-hack, and the panel debates whether we're entering a rough 12-24 months where attackers outrun defenders. We close on Hyperliquid's all-time highs and the CFTC opening the door to US perps.
Listen to the episode on Apple Podcasts, Spotify, Pods, Fountain, Podcast Addict, Pocket Casts, Amazon Music, or on your favorite podcast platform.
Show highlights

Defense in Depth
Has Cybersecurity Become a Cult?
Jun 4, 2026 · 33:57


All links and images can be found on CISO Series. We think of cybersecurity as a discipline. But when do ideas like best practices and NIST frameworks change into a system of belief? Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Davi Ottenheimer, principal, Flying Penguin. Joining is Joshua Copeland, director of security, Crescendo.
In this episode:
- Tools, not religion
- The case for structured discipline
- The management problem underneath
- Fix the damn holes
A huge thanks to our sponsor, ThreatLocker. ThreatLocker delivers Zero Trust Network Access and Zero Trust Cloud Access that verifies both user and device before granting access to specific applications. No broad access, nothing exposed, and no reliance on credentials alone. It's a smarter way to control access and reduce risk. Learn more at ThreatLocker.com/CISO.

GREY Journal Daily News Podcast
What Does Quantinuum's IPO Signal For Startup Funding?
Jun 4, 2026 · 1:29


Honeywell-backed Quantinuum priced its U.S. IPO at $60 a share and raised roughly $1.68 billion, according to Reuters reporting carried by CNBC. The listing signals growing investor appetite for commercial quantum computing and sets a new public valuation reference point. IonQ, Rigetti, and D-Wave remained the limited set of public comparisons after going public via SPACs, with volatile trading. Enterprise pilots continue across finance, pharma, automotive, and energy, often accessed through cloud platforms from Amazon, Microsoft, and Google. U.S. policy, including the National Quantum Initiative and NIST's post-quantum cryptography work, is shaping adoption signals. Founders should track buyer metrics, structure pilots around measurable outcomes, and plan funding around verifiable progress and partnerships. Learn more on this news by visiting us at: https://greyjournal.net/news/ Hosted on Acast. See acast.com/privacy for more information.

Risky Business
Risky Business #840 -- Microsoft walks back researcher threats
Jun 3, 2026 · 66:03


On this week's show special guest co-host Andy Boyd joins Patrick Gray and James Wilson to discuss the week's cybersecurity news. Andy is the CEO of REDLattice, which makes the Paragon “intelligence collection and reconnaissance” solution. They cover:
- Adversaries are tracking US troop locations with commercially available location data
- A new Signal phishing campaign is going after message backups
- 404 Media is suing ICE to get its spyware contract with REDLattice (lol)
- Microsoft's tone-deaf response to ‘never justifiable' zero-day disclosures
- Mini Shai-Hulud pops up again just as Glassworm gets shattered
- Much, much more
This week's episode is sponsored by Authentik, an open source identity platform that you can host yourself. In this week's sponsor interview Authentik's CEO Fletcher Heisler joins Patrick Gray to talk about how they're keeping up with the bugpocalypse, and also the work they're doing to support identities for AI agents. This episode is also available on YouTube.
Show notes
- The Pentagon Knew Enemies Could Track Troops' Phones for Years. Now They Are | wired.com
- U.S. says troops were targeted with location data, as senator warns ad industry is a ‘national security threat' | TechCrunch Security
- DOD location data attachment (Wyden)
- Risky Business #830 -- LiteLLM and security scanner supply chains compromised | Risky Business Media
- US has seized nearly $1 billion in crypto from Iran, Bessent says
- Russia claims foreign spy agencies hacked officials' phones | therecord.media
- Hackers are trying to steal Signal users' backups in new wave of phishing attacks | TechCrunch Security
- We Sued ICE to Get Its Spyware Contract. The Agency Is Redacting Essentially Everything | Social Signals
- Microsoft calls zero-day releases ‘never justifiable' as researcher threatens to drop more | therecord.media
- A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure | Social Signals
- Microsoft says it will not pursue security researchers after zero-day backlash | therecord.media
- IBM's new $5B initiative will help enterprises rapidly patch open-source vulnerabilities | Social Signals
- Federal audit reveals NIST's NVD is plagued by poor planning and duplication | cyberscoop.com
- Hackers Used Meta's AI Support Bot to Seize Instagram Accounts | krebsonsecurity.com
- Critical Windows Netlogon RCE flaw now exploited in attacks | BleepingComputer
- CISA adds exploited Palo Alto Networks GlobalProtect flaw to KEV | Cybersecurity Dive
- Password manager Dashlane says hackers stole some customers' password vaults | TechCrunch Security
- CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain | cyberscoop.com
- Botnet of more than 17 million devices dismantled | arstechnica.com
- Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans | therecord.media
- ACCC investigating Olympics ticket scam | ABC
- Dozens of Red Hat packages backdoored through its official NPM channel | arstechnica.com
- Solo podcast: A deep dive on TeamPCP - Risky Business Media
- Trump administration releases scaled-back AI executive order | cyberscoop.com
- Google security engineer accused of turning confidential search trends into $1.2M win on Polymarket | cyberscoop.com

The CyberWire
The bugs are piling up faster than the fixes.
Jun 2, 2026 · 30:23


A federal watchdog questions NIST over its vulnerability database backlog. Google patches an Android zero-day. Citizen Lab exposes a powerful location-tracking platform. Malware hides commands in Steam comments. Researchers spot AI-assisted malware development. Attackers compromise Red Hat's npm namespace. DriveSurge spreads malware through ClickFix and fake updates. FreePBX patches a critical flaw. And Dashlane responds to a brute-force attack. Our guest is Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure, Flo Health, sharing her expertise on digital health platforms. Meta's AI support bot proves a bit too eager to help. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today, Maria Varmazis speaks with Laure Lydon, Opening Chair for Infosecurity Europe and VP of Security and Infrastructure, Flo Health, sharing her expertise on privacy, security, and trust in digital health platforms, especially in sensitive areas like women's health. This interview is part of our partnership with Infosecurity Europe.
Selected Reading
- Inspector general finds NIST mistakes have made vulnerability database ineffective (The Record)
- Google fixes one actively exploited Android zero-day, 124 flaws (Bleeping Computer)
- Uncovering Webloc: An Analysis of Penlink's Ad-based Geolocation Surveillance Tech (The Citizen Lab)
- GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure (Security Affairs)
- Threat Actor Uses AI to Build EDR Evasion Tools (Infosecurity Magazine)
- Attackers Hijack Red Hat npm Scope to Steal Cloud Secrets (Infosecurity Magazine)
- Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks (Bleeping Computer)
- Critical Hard-Coded Credentials Vulnerability in FreePBX User Control Panel (Beyond Machines)
- Dashlane password manager users locked out by brute force attacks (Bleeping Computer)
- Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked (404 Media)
Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Bench Boost by Inorganic Ventures
Conductivity Tips and Tricks
Jun 2, 2026 · 8:47


Join Mike this week on Bench Boost as he explores the basics of conductivity measurements. We review the theory of how conductivity depends on ion concentration, charge, and mobility. He describes how contact probes work, emphasizing the cell constant and how proper probe selection avoids poor sensitivity or signal saturation. Temperature is highlighted as a major variable, often ~2–3% per °C. Lastly, we cover calibration using NIST-traceable KCl standards, and how calibrating near the sample range and controlling errors can lead to accurate and reliable data.

Infosec Decoded
NIST Fails
Jun 2, 2026 · 51:52


Infosec Decoded Season 6 #40: NIST Fails
With sambowne@infosec.exchange and Doug Spindler
Links: https://samsclass.info/news/news_060226.html
Recorded Tue, June 2, 2026

The Daily Scoop Podcast
A federal AI consortium reemerges with a new name, scope and call for members
Jun 1, 2026 · 6:29


The National Institute of Standards and Technology's AI Safety Consortium will now be called the NIST Artificial Intelligence Consortium, the agency said Friday, continuing a shift in approach to the technology under President Donald Trump. According to NIST's announcement, the renamed group will retain some of its previous work but will change its scope. The group is also seeking new member organizations to carry out its aims. Craig Burkhardt, deputy NIST director, said in a statement included in the release: "To encourage more extraordinary AI technological innovations, NIST is seeking to expand its AI measurement efforts by harnessing the broader community's interests and capabilities." The decision comes about a year after the Trump administration changed the name of NIST's AI Safety Institute, pivoting away from "safety." That organization, originally established under the Biden administration, is now called the Center for AI Standards and Innovation. It is also the first news about the consortium in some time. The consortium was established in 2024 alongside the AI Safety Institute as a venue for input from companies, universities, and other organizations on measurement standards for AI safety.

NIST is in the headlines once more this week, but not for reasons it will be excited about. A Department of Commerce inspector general report released Thursday found that NIST has mismanaged a critical cybersecurity vulnerability database through poor planning, inefficient operations, duplicate federal programs, and failure to communicate with users. The National Vulnerability Database, maintained by NIST since 2005, collects information about computer security flaws and adds details such as severity ratings (CVSS scores) and affected products (CPE configurations). This enrichment helps cybersecurity professionals across government and the private sector decide which security problems to fix first.

In February 2024, the database's enrichment contract lapsed, creating a backlog of unprocessed security flaws that has only grown worse. The report identified the lack of strategic planning as a core problem. NIST leaders admitted they had no long-term plan for clearing the backlog, even as it grew from about 13,000 unprocessed security flaws in June 2024 to over 27,000 by the end of 2025. NIST publicly promised in May 2024 that it would clear the backlog by September 2024, setting a goal of processing 6,200 security flaws per month, but the agency had never processed more than 5,000 per month in the past.

The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.
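The backlog described above has a practical consequence for anyone who triages from NVD data: a record the NVD has not analyzed carries no NVD CVSS score and no CPE configurations, so a pipeline that keys only on those fields silently drops it. The NVD CVE API 2.0 exposes this through each record's vulnStatus field (values such as "Received", "Awaiting Analysis", "Undergoing Analysis", "Analyzed", "Modified" and "Deferred"), and a CNA may still attach its own CVSS entry, which appears with type "Secondary" next to the NVD's "Primary" entry. The script below is an added example, not code from the episode, NIST or the NVD. It parses a response in that shape from a constructed sample with placeholder CVE IDs and a fictitious vendor in the CPE string, prefers the NVD metric, falls back to a CNA metric, and flags records with neither; the field names follow the public API 2.0 schema, and the set of "enriched" status values is an assumption stated in the code.

```python
"""Triage check for CVEs the NVD has not enriched.

Added example, not code from the episode, NIST or the NVD. It reads a
response shaped like the NVD CVE API 2.0 and reports, per CVE, whether
NVD enrichment exists and where the usable CVSS score comes from.
"""
import json

# vulnStatus values under which the NVD has supplied its own analysis
# ("Modified" means analyzed and later updated). Other values the API uses,
# such as "Received", "Awaiting Analysis", "Undergoing Analysis" and
# "Deferred", mean no NVD score or CPE data yet. Assumption for this example.
ENRICHED = {"Analyzed", "Modified"}

# Constructed sample response. CVE IDs are placeholders, not real records,
# and the vendor/product in the CPE string is fictitious.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2099-00001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                "cpeMatch": [{"vulnerable": True,
                              "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            # CNA scored it, NVD has not: no Primary metric, no configurations.
            "id": "CVE-2099-00002",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "security@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {
            # Nobody has scored it yet.
            "id": "CVE-2099-00003",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {},
        }},
    ]
})


def pick_metric(cve):
    """Best available CVSS entry as (baseScore, baseSeverity, type).

    Prefers the NVD's own ("Primary") entry in any CVSS version, then a
    CNA-supplied ("Secondary") entry. Returns None when no entry exists.
    """
    metrics = cve.get("metrics", {})
    entries = []
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        entries.extend(metrics.get(key, []))
    for wanted in ("Primary", "Secondary"):
        for entry in entries:
            if entry.get("type") == wanted:
                data = entry["cvssData"]
                return data["baseScore"], data["baseSeverity"], wanted
    return None


def triage(response_text):
    """One row per CVE: enrichment state, usable score and its origin, and
    whether CPE configurations exist for product matching."""
    rows = []
    for item in json.loads(response_text)["vulnerabilities"]:
        cve = item["cve"]
        status = cve.get("vulnStatus", "")
        picked = pick_metric(cve)
        if picked is None:
            score, severity, scored_by = None, None, "none"
        else:
            score, severity, kind = picked
            scored_by = "nvd" if kind == "Primary" else "cna"
        rows.append({
            "id": cve["id"],
            "status": status,
            "nvd_enriched": status in ENRICHED,
            "score": score,
            "severity": severity,
            "scored_by": scored_by,
            "has_cpe": bool(cve.get("configurations")),
        })
    return rows


def needs_manual_scoring(rows):
    """IDs with no CVSS score from the NVD or the CNA; score these in-house
    rather than letting them sort to the bottom of a severity-ordered queue."""
    return [row["id"] for row in rows if row["scored_by"] == "none"]


if __name__ == "__main__":
    rows = triage(SAMPLE_RESPONSE)
    for row in rows:
        print(row)
    print("needs manual scoring:", needs_manual_scoring(rows))
```

On the sample this yields three rows: the analyzed record is scored by the NVD and has CPE data, the second keeps a usable 7.5 from its CNA even though the NVD has not analyzed it, and the third lands in the manual-scoring list. Against the live service the same fields appear in responses from https://services.nvd.nist.gov/rest/json/cves/2.0, so the only change for production use is fetching the page rather than embedding it.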

Cyber Security Headlines
GlobalProtect VPN exploited, ChatGPT share links exploits, Feds criticize NIST

Jun 1, 2026 · 8:31


Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
ChatGPT share links used to host fake outage pages to deliver malware
Federal audit reveals NIST's NVD problems
Get the show notes here: https://cisoseries.com/cybersecurity-news-globalprotect-vpn-exploited-chatgpt-share-links-exploits-feds-criticize-nist/

Risky Business News
Risky Bulletin: Recently patched PAN 0day exploited in the wild

Jun 1, 2026 · 7:05


A new Palo Alto Networks firewall bug is being exploited in the wild, Russia expands SORM surveillance requirements, NIST is looking for new post-quantum algorithms, and ENSOC launches in Europe.
Show notes: Risky Bulletin: Russia greatly expands SORM surveillance requirements

The Post-Quantum World
NVIDIA Architect Warns We Might Need to Rip and Replace Hardware for PQC – with TCG

May 27, 2026 · 41:04


Quantum technical debt is the idea that some deployed devices cannot be upgraded to PQC at all. In this episode, Thorsten Stremlau, a Systems Principal Architect at NVIDIA and Co-Chair of the Trusted Computing Group (TCG) Marketing Work Group, joins host Konstantinos Karagiannis to discuss the critical role of hardware roots of trust in protecting against the quantum computing threat. Stremlau outlines the challenges of fitting heavier PQC algorithms into resource-constrained chips like the Trusted Platform Module (TPM): higher computational cost, larger keys and signatures that bloat memory, and a heightened exposure to side-channel and denial-of-service attacks. To counter these threats while maintaining the stability of the established specification, the TCG has released TPM 2.0 Library version 1.85 paired with platform specification 107. This combination uses the TPM's built-in crypto-agility to add the NIST-standardized ML-KEM and ML-DSA algorithms while still supporting hybrid classical and post-quantum modes, giving enterprises a smoother migration path. Stremlau also issues a stark warning about the industry's timeline and the reality of quantum technical debt: achieving full PQC readiness will require hardware replacement rather than simple in-field firmware updates. Government entities are aggressively mandating PQC compliance for procurement by 2027, but the enterprise sector, particularly critical infrastructure and server environments, faces a very long transition cycle because it traditionally prefers operational stability over rapid upgrades. A PQC-ready TPM is a foundational piece of the puzzle that secures firmware signing, boot processes and platform attestation, but it is not a silver bullet. True quantum resilience requires a defense-in-depth strategy in which the entire software and data ecosystem, including AI workloads, edge networks and data pipelines, is systematically upgraded alongside the hardware foundation.

For more information on Trusted Computing Group, visit https://trustedcomputinggroup.org/. Visit Protiviti at www.protiviti.com/US-en/technology-consulting/quantum-computing-services to learn more about how Protiviti is helping organizations get post-quantum ready. Follow host Konstantinos Karagiannis on all socials: @KonstantHacker. Questions and comments are welcome! Theme song by David Schwartz, copyright 2021.

Management Blueprint
333: Turn Your IT into Your Growth Engine with Tom Kirkham

May 26, 2026 · 20:47


https://youtu.be/sUyjA0muVgM

Tom Kirkham, Founder and CEO of Kirkham IronTech, believes business should create value for everyone involved: employees, clients, vendors, and the broader community. After overcoming major personal challenges and rebuilding his perspective on leadership, Tom embraced stakeholder capitalism and built a company culture focused on long-term partnerships, trust, and continuous learning. In this conversation, Tom shares the IronTech Framework, a practical approach to modern IT management built around three core pillars: Generate ROI and Productivity, Make Cybersecurity Core, and Surround It with a Governance Layer. He explains why businesses should stop treating IT as an expense and instead view it as a strategic investment that improves productivity, protects the company from cyber threats, and aligns technology with leadership goals. Tom also dives into the massive scale of the cybercrime industry, why governance is often the missing piece in cybersecurity, and how proactive IT strategy can dramatically improve business performance.

Turn Your IT into Your Growth Engine with Tom Kirkham

Steve: Good day. Steve Preda here with the Management Blueprint Podcast, and today's guest is Tom Kirkham, the Founder and CEO of Kirkham IronTech, where he helps businesses build strong, secure IT foundations, whether fully managed, co-managed, or cybersecurity only. Tom is a keynote speaker on cybersecurity, and he's the author of two books, Hack the Rich and The Cyber Pandemic. Tom, welcome to the show.

Tom: Oh, it's great to be here, Steve.

Steve: Well, great to have you here. And I am curious to dive in, and would like to ask you my favorite question. What is your personal 'Why', and how are you manifesting it in Kirkham IronTech?

Tom: That's a great question. So the company's about twenty-six years old. I went through a lot of personal health problems, and then my wife was real sick, and she ended up passing away—it's been about eleven years ago now. And I was fortunate enough to put a friend of mine in the company, and he was able to take over while I was dealing with this for a couple of years. And when most of it was done, I took some time off and did a lot of traveling and a lot of thinking and a lot of reading. And I'm a lifelong reader, a lifelong learner, and I went back through my history of investing techniques, understanding what makes a good company great. If you've read Jim Collins, you know what I'm talking about. And so during those times, I was reflecting, studying philosophy, studying biographies of other CEOs like Elon Musk, Steve Jobs, Andy Grove—gosh, the list goes on and on. Whether you like them or hate them, it doesn't matter, right? There's always something you can learn. And I came upon and read a lot about stakeholder capitalism. Like Peter Drucker says, "Culture eats strategy for breakfast." And I understood what that meant, and it was kind of weird. So when I re-engaged with the company, I identified one of the weaknesses, and I said, "Well, if we need to do marketing in this business—which we have to do in any business—I really need to master marketing." So I spent a lot of time with marketing gurus, most of them are what I would consider household names these days, and re-engaged with the company to do marketing to establish a great culture around stakeholder capitalism. In other words, we exist as a for-profit business not just for the shareholders but for everyone—the community, vendors, employees. And I really wanted to be around people I enjoyed being around. I wanted them to enjoy coming into work. And so we've been trying to perfect that system in the culture for the past ten years. Of course, no one's perfect, but if you pursue perfection, you can achieve excellence. And I think we've done a really good job. We have very low turnover. Everyone seems genuinely happy to be there, and it's really fulfilling.

It's more of a personal feeling because I've been a successful investor practically my whole adult life. I started investing in stocks when I was nineteen, and I'm sixty-four now. So I didn't really need the company. I could have just closed it up or sold it or whatever. But I really wanted to have my own reasons. Those are the things that drive me, and I hope they drive everyone else too.

Steve: What resonated with you with this idea of stakeholder capitalism?

Tom: It just made sense. The obvious part is with employees—all of that is true. That's obvious to any good leader or manager, right? As you well know, there's a difference between leadership and management, and understanding that distinction, and the difference between sales and marketing, and understanding those things. A good example is dealing with vendors. There are all sorts of vendors that supply products and services to us, so we carefully vet these tools and vendors to see if their values align with ours, just like we do with prospects. But especially with vendors, if it's something new—a new tool that we're going to invest a lot of time, money, and energy into to make their product or service successful for us and successful for them—we make a commitment to that vendor. So it's not about the money or how cheap I can get it. What I want is a good partnership with every stakeholder. And I want to make sure that when I'm dealing with a vendor, if it fails for us, it's not our fault—it's their fault, right? Either they oversold the product or they didn't deliver on the service component. I didn't want it to be because we failed to do the right training, or didn't communicate properly, or missed all the other things that are just part of doing business the right way. And that applies to our employees, our local community, and every stakeholder in the company.

Steve: Yeah. I like it. So you're looking for partnership-based relationships where it's win-win. And yeah, if you want people to stick around, it has to make sense for them too. You can't exploit your partners forever without consequences. So that makes a lot of sense. So Tom, let me ask you this other question. This podcast is called The Management Blueprint because I'm always looking for frameworks—something practical that helps businesses achieve results. Usually it's some kind of three-to-five-step process that helps you grow the business, get customers, improve operations, or understand something at a deeper level. So when I ask about your favorite business framework, what comes to mind?

Tom: Well, we have a thing we call the IronTech Framework.

Steve: Okay.

Tom: And it was something that we came up with many years ago and started practicing seven or eight years ago, and it's a framework. It's like the NIST Cybersecurity Framework. I looked at NIST and there's five components to it, and it's about cybersecurity. And I looked at this and I go, "None of this works without the right policies and procedures in place." The security training—it's not enough just to throw it out there and tell all your people to take it. You've got to follow up, you've got to manage, and coach, and everything like that. And so I started adding this governance component to the way we sold it, presented it, and practiced what we do for our clients day in and day out. Help them develop the policies and procedures for all of the different things, the protocols. If somebody accidentally fires off a ransomware attack, they need to know they're not going to be penalized for it. We need to know as soon as possible to stop it. And just little things like that, there's a lot that really improve the effectiveness of all of these tools and services that we provide to their clients. And unbeknownst to me, NIST, who has the cybersecurity framework, they added governance about three years ago to the other five things. And so that was kind of nice to know that we were exhibiting some thought leadership.

And so when we go in, it's all well and good if you want to put these protections in and these particular products, but we're a best-of-breed company. Like one of our critical tools that's required for our clients to put in place, to buy it and use it every single day on every single computer, is what's known as an EDR. And it's basically an AI-based super turbo antivirus. To even call it an antivirus is not doing it justice. So there's three legs to the IronTech Framework. We want to make sure that you're getting a return on your investment in IT, because that's why you buy it. If you treat IT as an expense, you need to kind of change the way you're thinking. You want to improve productivity and efficiency. The second leg is cybersecurity, because a bad cyberattack can put you out of business. I think the last stats I saw were something like 40 to 60% of businesses go out of business within two years of a significant cyberattack. And then finally, the third is governance. That's the three legs of our IronTech Framework. So part of governance is engaging with our clients' management and leadership—the CEO, finance, of course the CIO, the CISO or security officer, and maybe even the board sometimes. Really getting to know: what are your objectives, and how can we utilize our services to best help your company realize those objectives? Because for most companies, there's no other vendor they engage with as much as us. We're talking to Susie every day. We're talking to Bill every day. We know that Mary's out sick and Steve's on vacation. I mean, when you're running help desk, stopping attacks, providing training, and all the support we provide along those lines, we get to know their company better than practically any other vendor by far. So it really helps if our clients treat us as a partner to help them realize their goals and objectives.

And when all of that clicks into place, then it makes recommending things easier. "Okay, you need to replace these 30 laptops that are four years old. You're not getting an ROI on them." "This server's five years old. Let's start thinking about replacing it." "We have this new tool that's really excellent. We're recommending everybody get it." And because we've developed that trust, those conversations become pretty easy. For the most part, everybody just says yes. But of course, we don't sell just to sell, especially when it comes to things like hardware. That's not really what we're here for. We're here for the day-in, day-out work: keeping things running, stopping breaches, and putting the policies and procedures in place to run your company as smoothly as possible.

Steve: Yeah. I love that. So back in the 2000s, I had an IT person who was a contractor, but he was very active in my business, and I always wanted to talk to him and pick his brain. What are the new things out there? How can we make our business more efficient, more effective, more attractive to employees? Cooler. I wanted to be cool. So I wanted everyone to have a PDA in the early 2000s with email on it—a PalmPilot. And we had multiple screens, and I was looking at, okay, how can we manage data in the cloud and on our server so we don't have to deal with it in the office? That kind of stuff. And I really thought about it as a great investment because it was much cheaper than hiring people. And if you give people good tools, they're going to be more motivated and more effective. So I thought it was a no-brainer.

Tom: Yes, but there's still a subset of people that treat IT as an expense. Then there are some companies that tend to put IT under the finance guy because the finance guy usually has a lot of IT experience, but never actually did it as a career or a job, right? And those situations are hard because I need CEO-level or owner-level approval, and I need a direct route to that person.

Steve: Yeah, that makes sense. So Tom, tell me, what drives growth in your business?

Tom: Yeah. From a growth perspective, for us, number one is maintaining our clients and reducing churn. Number two is—I don't know if you're asking about tactics or strategy—but of course we want to get new clients for the right reasons. So we prefer inbound strategies. We don't cold call people unless we've already contacted them in another way, if that's what you're asking.

Steve: Yeah. I'm asking what the real driver of growth is. I understand that you do marketing and inbound marketing, but what makes people want to have an IT service partner like you?

Tom: Well, they understand those three pillars of the IronTech Framework. They may not believe in stakeholder capitalism, but they don't treat IT as an expense. And they understand—especially after talking to me—the true risk of being hacked. A lot of people don't understand the size and scale of that industry. It's a $10 to $12 trillion industry now.

Steve: Wow.

Tom: If it were a country, it would have the third-largest GDP. The US would be first, China second, and then the hacking industry. It is an industry that hacks at scale. So when these companies—maybe a small 10-person accounting firm in North Dakota in the middle of nowhere—get these ransomware emails and someone tries to hack them, and we alert on it and trap it, and nothing goes wrong, everything's fine… If they don't already understand it, they go, "Well, why are they trying to hack me?" And I say, "You don't understand. That email was one of 100,000 emails that got blasted out. They don't know who you are, nor do they care who you are." They're playing a numbers game. And it's kind of like marketing. They're looking at conversion numbers.

Steve: Yeah.

Tom: Let's say it's 100,000 emails. They got a list of all the certified public accountants in 10 different states. They set up the email, they send it all out, and let's say 1% become victims. And let's say they collect an average of $10,000 per victim. Well, that's a multi-million dollar payday for about a week or two of work. And then they rinse and repeat. It's done at scale, and it's a much bigger industry than that. That's just a taste of it. Some of our clients are targeted. In other words, hackers are investing time, money, and energy specifically into that company. We're one of them. Any law firm that does intellectual property law—especially around patents, manufacturing, and things like that—you've got China and other nation states not only trying to get into your client, but you're also a threat vector. You're a way to get into that client's patents and secrets. So we've got to treat that differently. It's not just about the money. There are different types of threat actors, and we have to educate clients, bring them up to speed, and say, "Well, because of this case, you need this other service and tool that we're offering to prevent China from breaking in." Or, "You need to follow this practice." Maybe you don't publicly talk about one of your clients being Ford Motor Company or NVIDIA. You just keep that quiet. You don't want that to be public knowledge. That's one of the things we do. You spent time on our website, and you didn't see a single client name on there. And that's just one of the small things we do to protect our clients' security and privacy, because privacy and security go hand in hand.

Steve: Yeah. That is fascinating. So what is it that you're trying to figure out in your business right now? What's the big thing for you?

Tom: I think because of all the chaos in the United States, making a decision to do anything—everybody's kind of frozen. There are a lot of hiring freezes. I know we've got a freeze on right now because we're looking to see, well, do we really need to add somebody, or can we do this with AI? The hackers do the same thing. That's one of the challenges, is getting people over the hump. No matter what you do, if you've got an IT company doing your stuff and you only call them when things are broken, there's a much more profitable way to do that. You're spending more money. So there are benchmarks in industries, right? Basically, the research—and these aren't numbers we made up, this is legitimate research from many independent sources—says the average professional service provider, like law firms, accounting firms, healthcare providers, and on and on, should be spending 6 to 12% of their revenue on IT and cybersecurity. And that's everything. I'm talking servers, wiring, cloud, security, defense—all of those things should be 6 to 12%. We know that. That's the way it works. So when we engage with a prospect and find out they're only spending 3 or 4%, then I already know they have gaps. I don't even have to do an assessment to see what they're not doing. They're either not getting a return on investment, or they're not secure. That's it. If all the accounting firms are spending 6%, and you're only spending 4%, don't just pat yourself on the back. That's one of those moments where you should ask, "What am I missing?" Because I do that often. Someone on the management team will come up with an idea, and we all agree. Well, that's a red flag for me. I want to know: what are we missing? If we all agree on this, is there some gotcha or something we haven't uncovered? And those are some of the things we try to educate our clients on. They don't have to tell us their revenue. I can give them the numbers. I can do the math. I can show them the numbers for something like laptop replacement. Maybe it's $1,000 to $3,000 depending on the industry. If the employee using that laptop is making $100,000 a year, why are you trying to squeeze another year out of a $2,000 investment when it's hurting productivity by 10% or more?

Steve: Yeah. That's a no-brainer.

Tom: Yeah. It should be.

Steve: Yeah. It's not just in IT. I had a client years ago in civil engineering, and they had a rule that they would never keep equipment longer than four years. And they were selling equipment that still looked brand new. And I asked them, "Why are you doing this? It seems like this equipment still has a lot of life left in it. Why are you selling it or giving it back to the lease company?" And he said, "We did the math, and we figured out that this is the optimal time to replace it." If they got rid of the equipment at that point, they wouldn't have to deal with fixing it. There would be less disruption. They would stay state-of-the-art all the time. And their clients would be impressed. And it actually worked for them. It was a high-margin civil engineering firm.

Tom: Precisely. I mean, we're so tuned into that that we're a Mac house. We all use Macs. We all have laptops, and we all have setups with screens at home and in the office. We spare no expense on that. If somebody wants an extra screen for their house—alright, here it is. We'll order it and get it there for you. We're so tuned into that, that we went all Mac back when they were still Intel Macs. And I don't know how much you know about Macs, but they were…

Steve: I have a couple. Okay. Yeah, we're Mac people too.

Tom: Yeah, so they were running Intel processors. Well, Apple decided to build their own processor and moved to the M-chip. And so I bought an M1, and it was like, holy cow, everybody in the company has got to have one of these. And I don't think there was a single one more than two years old at that time. So we replaced them all. Now, the M-series generations themselves—M1, M2, M3, and on—those changes aren't as dramatic as going from Intel to the first M-series chip. But it's still unusual. I said two years, but there are probably people right now with a three-year-old laptop. But we definitely trade them in. That's where the sweet spot is on trade-in value. We rotate them every two to three years and they're out.

Steve: I think mine is maybe a year old, but I'll probably keep this one for a couple more years. By the way, you're the first IT company and MSP I've met that doesn't use PCs—you use Macs. Yeah. And I long had this theory that all the IT companies I worked with were always anti-Mac, and I never understood why. And when I got my first Mac, I realized I actually didn't need them anymore since I had the Mac.

Tom: Yeah, that's kind of funny because it really started with me during Covid. It may not have been seven years now, but whatever it was, it kind of started with Covid. And for years I was a PC guy. I tried Macs briefly back in the old MacBook days—you know, the white plastic ones? Whatever that was, 15 or more years ago.

Steve: Yeah. Classic. Very classic.

Tom: Yeah. But what I kept trying to do with a Windows laptop—and I like Dell, I had Dell XPSs, good Dell computers, and we're a Dell partner—what I could never get a Windows computer to do was seamlessly come off a docking station and then plug into another monitor at my house. It would always blue screen or something. So when I went back to a Mac, I was like, "Holy cow, it doesn't break. It doesn't mind being unplugged from a docking station. It just works."

Steve: Yeah.

Tom: And then all the other things—that they're generally built better, they have a longer lifespan, and they hold their resale value longer, and all of that. Even as old as I was, I forced myself to really get proficient at using a Mac. And when we sent everybody home during Covid, I said, "Well, everybody's going Mac." And, oh, there was a revolt. And I said, "Just give it a few months."

Steve: Yeah.

Tom: About half the office resisted it. And I said, "You gotta try it because I think you'll like it, and if you don't, then we'll deal with it then." We had Linux people, PC people. So then I said, "Well, maybe we should open it up and let people pick what they want."

Steve: Yeah, I love it. Yeah. So our time is coming to an end, but if someone is running on Mac and they're finally talking to an IT service company that's not anti-Mac, and they want to connect with you immediately, where should they go and where can they learn more about Kirkham IronTech and maybe connect with you personally?

Tom: The website is the best place to go. It's www.kirkhamirontech.com. Just give us a call, fill out a form, let us know what you're thinking, because we want to know what you're thinking and see if there's a fit with the way we do things. Macs started becoming important with executives. That's where we first started seeing it. So even though they may still have to run Windows, the owners and executives wanted to carry Macs for the very reasons I mentioned. So we're perfectly happy with that.

Steve: Yeah. Okay. Very good. So if you're listening to this and you enjoyed hearing about how to make your IT work—how to increase ROI, make sure you're doing cybersecurity right, and implement governance so you can use IT as a strategic tool to run your business better—then definitely reach out to Tom Kirkham. Or stay tuned to this show, because you're going to hear from other entrepreneurs who are very smart about business. And preferably do both. Tom, thank you for coming and sharing your wisdom, and thank you for listening.

Tom: Oh, it's been my pleasure, Steve.

Important Links: Tom's LinkedIn, Tom's website

Design Curious | Interior Design Podcast, Interior Design Career, Interior Design School, Coaching
192 | The Biggest Money Mistakes Interior Designers Make (And How to Fix Them) With Lauren Nist

May 25, 2026 · 40:52


Have you ever finished a project and thought… "Wait, where did all the money go?"

One of the biggest mistakes creatives make is treating money as something that shows up at the end—rather than something that needs structure from the very beginning. And that mindset? It quietly drains your profit, your energy, and your confidence.

In this episode, I sit down with Lauren Nist, a bookkeeping and advisory expert who works behind the scenes with creative businesses. Together, we unpack the most common money mistakes interior designers make—from underpricing and scope creep to poor billing systems—and how to fix them. If you want financial clarity, stronger boundaries, and a business that actually pays you back, this is your starting point.

Featured Guest
Lauren Nist is a co-founder of Magnolia & Main, a virtual bookkeeping and advisory firm dedicated to helping small business owners gain financial clarity and confidence. With years of experience supporting creative and service-based businesses, Lauren specializes in simplifying the money side of business—from pricing and billing systems to job costing and cash flow management. Her approachable, judgment-free style helps entrepreneurs feel empowered, supported, and in control of their finances.

What You'll Learn in This Episode
✳️ Why creatives struggle with financial structure
✳️ How to protect your cash flow early
✳️ Billing ahead vs. acting like the bank
✳️ Spotting red flags in client behavior
✳️ Simple profit planning for interior designers

Read the Blog >>> Interior Design Money Mistakes (And How to Fix Them)

Business of Tech
Security Proof Becomes an MSP Service: Insurance, Trustmarks, and the Evidence Operating Model

May 20, 2026 · 14:04


Security operations for MSPs are undergoing a structural shift from simply deploying additional tools to establishing a liability-focused accountability model, where the ability to provide operational evidence of controls is becoming as critical as the tools themselves. This shift is catalyzed by corporate insurance, procurement, and third-party verification structures—such as those cited by WatchGuard, Assurix, and the NIST AI cybersecurity overlays—demanding verifiable security outcomes and alignment with external standards, rather than relying on provider assertions alone. Survey data referenced from Cybersmart and Beta News reveals that 75% of MSPs experienced at least one breach in the past year, while 54% endured multiple incidents; concurrently, SMB buyers state security is a top priority, but only 13% of microbusinesses operate proactively. According to WatchGuard's global survey of 842 professionals, 94% of clients using dedicated MSPs feel adequately protected, yet 58% indicate intent to change providers within three years—highlighting a disconnect between perceived and delivered value. The emergence of Assurix's live MSP Trustmark, based on 64 operational controls, further formalizes evidence requirements as market prerequisites. These dynamics are reinforced by shifts in insurer behavior and regulatory alignment. Huntress and Acrisure are collectively rolling out a cyber insurance package contingent on adoption of Huntress's managed detection and response, explicitly tying coverage eligibility to verifiable provider-side controls. The maturing of NIST's AI cybersecurity overlays introduces new standardized control checklists likely to become operational requirements. Additionally, reports from Omdia and MSP Channel Insights note that vendor ecosystems are now rewarded for integrating security as an outcome with automation and multi-tenant integration—reflecting market demand for reliable, defensible evidence of controls.

For MSPs and IT leaders, these developments drive the need to restructure contracts to clearly delineate evidence obligations, manage liability exposure, and price evidence production as a formal deliverable rather than as unreimbursed support. Failing to do so risks absorbing unfunded post-incident evidence work, margin erosion, and loss of control over the security value conversation. Operationally, maintaining live accreditations, standing up a formal evidence management function, and explicitly excluding unmanaged SaaS, identity, and AI workflows from baseline service tiers are becoming necessary to maintain profitability and accountability.

00:00 Breach, Then Switch
04:52 SaaS Blind Spot
07:16 Prove or Pay
10:24 Why Do We Care?

Supported by: Zero Networks, HaloPSA

@BEERISAC: CPS/ICS Security Podcast Playlist
AI in OT Cybersecurity: Real-World Risks, Smarter Defenses & the Future of Critical Infrastructure

May 20, 2026 · 49:09


Podcast: PrOTect It All
Episode: AI in OT Cybersecurity: Real-World Risks, Smarter Defenses & the Future of Critical Infrastructure
Pub date: 2026-05-18

AI is rapidly transforming cybersecurity, but are critical infrastructure environments ready for what comes next? In this episode of Protect It All, host Aaron Crow sits down with longtime colleague and cybersecurity expert Clark Liu to explore how artificial intelligence is reshaping both IT and OT security operations. From incident response and compliance frameworks to workforce shifts and operational resilience, Aaron and Clark unpack the real-world opportunities and very real risks of integrating AI into industrial environments. Together, they tackle the evolving role of frameworks like NERC CIP and NIST, the challenges of balancing compliance with actual security outcomes, and how organizations can responsibly adopt AI without increasing exposure.

You'll learn:
• How AI is changing OT and IT cybersecurity operations
• The role of AI in incident response, documentation, and monitoring
• Why compliance frameworks alone don't guarantee resilience
• The risks of adopting AI without strong operational foundations
• How organizations can prepare for AI-powered threats and workforce changes
• Practical insights for balancing innovation, budgets, and security priorities

Whether you're leading OT security, managing critical infrastructure, or evaluating AI adoption in your organization, this episode delivers practical guidance for navigating cybersecurity's next major shift. Tune in to learn how AI is transforming cyber defense and what organizations must do to stay resilient, only on Protect It All.

Key Moments:
05:33 Understanding cybersecurity compliance frameworks
07:11 Overlooked vulnerabilities in systems
09:59 Balancing multiple firewall vendors
15:17 Delegating tasks to AI
19:11 Importance of documenting commits
21:51 Hospital system shutdown crisis
25:11 AI uncovering software vulnerabilities
26:37 Engineers implementing AI in automation
31:26 AI tools and personal security
32:55 Password security practices
36:46 Using AI for basic tasks
39:38 Transition to off-the-shelf software
42:29 Going back to basics with appliances
47:02 Excitement about future AI capabilities

Guest Profile:
Clark Liu is a veteran OT cybersecurity expert and one of the original contributors to the NERC CIP standards. With nearly two decades in energy and critical infrastructure security - including leadership roles at EY and GALLO - Clark specializes in OT risk management, compliance strategy, and securing industrial operations from the plant floor to the cloud.

How to connect with Clark:
LinkedIn: https://www.linkedin.com/in/clarkliu/

Connect With Aaron Crow:
Website: www.corvosec.com
LinkedIn: https://www.linkedin.com/in/aaronccrow

Learn more about PrOTect IT All:
Email: info@protectitall.co
Website: https://protectitall.co/
X: https://twitter.com/protectitall
YouTube: https://www.youtube.com/@PrOTectITAll
Facebook: https://facebook.com/protectitallpodcast

To be a guest or suggest a guest/episode, please email us at info@protectitall.co

Please leave us a review on Apple/Spotify Podcasts:
Apple - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124
Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Astronomy Daily - The Podcast
Launch Eve: Starship V3 Ready for Liftoff | Lunar Laser Navigation Breakthrough | VAST Ventures into Satellites

May 20, 2026 · 20:08


Astronomy Daily • S05E107 • Wednesday 21 May 2026

Starship V3 is on the pad and counting down for Thursday's debut launch — we bring you the full update including technical objectives, the Artemis stakes, and a sober note about a worker fatality at Starbase. Plus: a NIST proposal to build GPS for the Moon using lasers inside permanently frozen polar craters; space station startup Vast enters the satellite market; JWST finally has an explanation for the universe's impossibly large early black holes; the Roman Space Telescope locks in a September 2026 launch; and interstellar comet 3I/ATLAS gives up two remarkable new secrets — alien water thirty times richer in heavy hydrogen than anything in our solar system, and pre-discovery images that show it was spotted before anyone knew it was there.

Stories This Episode
• STORY 1 — Starship V3 Flight 12: Launch window opens Thursday 21 May at 6:30 PM EDT (8:30 AM AEST Friday 22 May). Splashdown of upper stage in Indian Ocean off Western Australia ~65 min after liftoff. First flight of Starship V3, first use of Starbase Pad 2. Key objectives: Raptor 3 engines, heat shield imaging by modified Starlink sats, 22 dummy Starlink deployments, Raptor relight in space. Worker fatality at Starbase 15 May under OSHA investigation.
• STORY 2 — Lunar GPS via NIST: Proposal to place ultrastable silicon optical cavity lasers in permanently shadowed craters near lunar south pole (~16K, near-perfect vacuum). Could enable lunar GPS network, atomic timekeeping on Moon, precise satellite ranging, gravitational wave detection.
• STORY 3 — Vast Corporation: Space station builder announces new line of high-power satellites, expanding beyond Haven-1 into commercial satellite manufacturing. Announced 19 May 2026.
• STORY 4 — JWST Black Holes: New arXiv paper proposes 'episodic super-Eddington accretion' in gas-rich dark matter-dominated early galaxies explains overmassive black holes found by JWST. Identifies them as 'missing link' between heavy seeds and luminous quasars.
• STORY 5 — Roman Space Telescope: Launch now confirmed as early as September 2026 — 8 months ahead of schedule, under budget. 100x Hubble's field of view, 1,000x survey speed. Targets dark energy, dark matter, exoplanets. Coronagraph for direct exoplanet imaging.
• STORY 6 — 3I/ATLAS: Pre-discovery images found in Rubin Observatory data from 21 June–2 July 2025, over a week before official ATLAS discovery. Water deuterium ratio at least 30x higher than any solar system comet (ALMA/U of Michigan/Nature Astronomy). Comet estimated ~12 billion years old.

Key Links
• SpaceX Starship Flight 12 livestream: spacex.com
• Flight 12 timeline (Space.com): space.com/space-exploration/launches-spacecraft/what-time-is-spacex-starship-v3-launch-starship-flight-12-timeline
• Starbase worker death (Space.com): space.com/space-exploration/launches-spacecraft/worker-dies-at-spacexs-starbase-in-leadup-to-starship-v3-megarocket-launch
• Lunar laser GPS (NIST): nist.gov/news-events/news/2026/05/shooting-moon-ultrastable-lasers-dark-craters-could-enable-lunar-navigation
• Vast satellite announcement: space.com (19 May 2026)
• Roman Space Telescope launch update: nasa.gov
• 3I/ATLAS pre-discovery images: space.com/astronomy/comets
• 3I/ATLAS water chemistry (ALMA): almaobservatory.org

This episode includes AI-generated content.

The Daily Scoop Podcast
Senators call for a GAO probe of IRS's Free File program

May 19, 2026 · 6:22


After the White House's move last year to kill Direct File, three senators are asking the congressional watchdog to examine the alternative program the Trump administration is pushing: the IRS's beleaguered Free File system. In a letter sent Sunday to acting Comptroller General Orice Williams Brown, Sens. Elizabeth Warren, D-Mass., Angus King, I-Maine, and Ron Wyden, D-Ore., requested a Government Accountability Office investigation into Free File, an IRS partnership with private tax prep companies. The partnership has been heavily scrutinized over the course of Free File's 20-plus-year existence, with critics pointing to scant consumer use, hidden industry costs and data privacy issues. "Due to this history of misconduct, we have serious concerns that Free File cannot efficiently, effectively, and securely serve the taxpayers who are statutorily entitled to free tax filing services," the lawmakers wrote. Direct File, the IRS's consumer-praised free electronic filing tool, was launched in the aftermath of an April 2022 GAO report that recommended the tax agency develop new no-cost filing options. Under the Biden administration, the IRS launched a pilot program of Direct File in a dozen states in 2023, and doubled the number of participants the following year. The Trump administration quickly terminated the program, however, pointing to high costs and low user uptake during the purposefully limited pilot seasons.

Federal agencies would be required to develop artificial intelligence standards and use the National Institute of Standards and Technology's AI guidelines under a bipartisan bill introduced Thursday. Led by Rep. Ted Lieu, D-Calif., the bill would require agencies to use the Artificial Intelligence Risk Management Framework, developed by NIST in 2023, and work with the agency in developing other consistent standards and guidelines. Reps. Zach Nunn, an Iowa Republican, and Don Beyer, a Virginia Democrat, co-sponsored the bill, with Beyer calling it "a natural starting point" to ensure agencies have the tools they need to navigate AI's complexities. "This bill lays the foundation for harnessing the power of AI for the benefit of the American people, while upholding the highest standards of accountability and transparency," Beyer said in a statement. The bill would also direct NIST to recommend training and use the standards when acquiring any AI systems or services.

The Audit
Cyber News: Iranian Hacker, Quantum Ransomware and Rogue AI

May 18, 2026 · 42:04


What would you do if ransomware told you not only that your data was gone — but that it was encrypted with a quantum-safe algorithm and you have 72 hours to pay? That's not a hypothetical anymore. In this live news episode of The Audit, co-hosts Joshua Schmidt, Eric Brown, and Nick Mellum are joined by IT Audit Labs member Bill Harris for a rapid-fire breakdown of the week's most important cybersecurity stories — and a few conversations that went places nobody expected. 

Hacking Humans
NIST (Noun)

May 12, 2026 · 6:06


Please enjoy this encore of Word Notes. A branch of the US Department of Commerce whose stated mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."

CyberWire Glossary link: https://thecyberwire.com/glossary/national-institute-of-standards-and-technology

Audio reference link: Center, M.I., 2022. 2022 Meridian Summit: Cultivating Trust in Technology with NIST Director Laurie Locascio [WWW Document]. YouTube. URL https://www.youtube.com/watch?v=o43Y9Tk8ZVA (accessed 1.26.23).

Word Notes
NIST (Noun)

May 12, 2026 · 6:06



Autonomous IT
Patch [FIX] Tuesday – [AI Hits the Hat Trick], Ep. 32

May 12, 2026 · 34:17


The May 2026 Microsoft Patch Tuesday release looks quiet on the surface – no actively exploited zero-days, no public disclosures at release, and a CVE count below the four-month average. Don't let that fool you.

In this episode, Jason Kikta and Landon Miles break down everything that happened between April and May patch cycles, including Apple's macOS Tahoe 26.5 release with 79 CVEs, the Dirty Frag Linux kernel privilege escalation chain, and two pre-authenticated network remote code execution vulnerabilities in Windows core services that belong at the top of your patch list.

They also dig into one of the month's most significant trends: AI-assisted vulnerability research showing up by name in Microsoft, Apple, and Linux acknowledgments in the same patch cycle – including Anthropic researchers credited on a critical Windows graphics component RCE. Ten AI-attributed vulnerability discoveries shipped fixes across all three major operating systems this month.

What's covered:
• CVE-2026-41089: Windows NetLogon RCE (CVSS 9.8) and CVE-2026-41096: Windows DNS Client RCE (CVSS 9.8)
• CVE-2026-40402: Hyper-V guest-to-host escalation (CVSS 9.3)
• macOS Tahoe 26.5: Wi-Fi kernel RCE, nine kernel CVEs, 20 WebKit vulnerabilities
• Dirty Frag Linux privilege escalation chain and the Copy Fail connection
• AI-credited discoveries from Anthropic, calif.io, Theori, and NIST's Center for AI Standards and Innovation

- Patch Tuesday Blog
- DirtyFrag Blog
- What "Mythos Ready" Means

Paul's Security Weekly
The impact of Mythos and Florida Man, confidence gaps, phishing, & AI adoption - Chris Wallis, Deepen Desai, Erich Kron - ESW #458

May 11, 2026 · 99:53


The Weekly Enterprise News
This week, in the enterprise security news:
• Copy Fail
• The hits keep coming for CVE, NIST and NVD
• Cyber attacks on breathalyzers
• Insurance carriers pulling support for AI
• Florida Man pleads guilty
• Ignore the humanities at your own peril
• Offense and defense don't scale the same
• Is it okay to be left behind?
• Scientists gave cocaine to salmon

Mind the Gap: Confidence, AI, and the Future of Exposure Management
Former ethical hacker, now founder and CEO of Intruder, Chris Wallis explores whether AI can bridge the divide between finding vulnerabilities and understanding real-world attack context as exploit windows continue to shrink. This conversation dives into the structural "confidence gap" uncovered in Intruder's 2026 Security Middle Child Report, where executive risk appetite is increasingly decoupled from front-line operational reality. Check out Intruder's Security Middle Child Report at https://securityweekly.com/intruderrsac.

Modern Phishing Attacks Are Under Multi-Channel Siege
Recently, there has been a shift in cybercriminals' behavior, marked by a surge in total phishing attack volume. These attacks are fueled by high-scale automation and a coordinated multi-channel siege targeting corporate collaboration tools. Trusted platforms such as email, Teams, calendars and others are in the cross-hairs, bypassing traditional phishing methods that have worked in the past. This segment is sponsored by KnowBe4. Visit https://securityweekly.com/knowbe4rsac to learn more about them!

AI is Now Default Enterprise Accelerator
The Zscaler ThreatLabz 2026 AI Security Report reveals that enterprise AI adoption has surged by up to 93% year-over-year, yet 100% of tested AI environments remain vulnerable to breaches that can occur in as little as 16 minutes. It highlights a dangerous shift toward "machine-speed" threats, where attackers use generative AI to automate data exfiltration and create sophisticated deepfakes. To combat these risks, the report urges organizations to move beyond simple blocking and instead implement a Zero Trust architecture for safe, AI-native data protection. This segment is sponsored by Zscaler. Visit https://securityweekly.com/zscalerrsac to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-458

Enterprise Security Weekly (Audio)
The impact of Mythos and Florida Man, confidence gaps, phishing, & AI adoption - Chris Wallis, Deepen Desai, Erich Kron - ESW #458

May 11, 2026 · 99:53


Show Notes: https://securityweekly.com/esw-458

Paul's Security Weekly TV
The impact of Mythos and Florida Man, confidence gaps, phishing, & AI adoption - Erich Kron, Deepen Desai, Chris Wallis - ESW #458

May 11, 2026 · 99:53


Show Notes: https://securityweekly.com/esw-458

Enterprise Security Weekly (Video)
The impact of Mythos and Florida Man, confidence gaps, phishing, & AI adoption - Erich Kron, Deepen Desai, Chris Wallis - ESW #458

May 11, 2026 · 99:53


Show Notes: https://securityweekly.com/esw-458

@BEERISAC: CPS/ICS Security Podcast Playlist
Your Food Waste Has a Second Life. Meet Insect Agriculture with Dr. Heather Jordan & Cheryl Preyer

May 9, 2026 · 54:35


Podcast: Bites and Bytes Podcast
Episode: Your Food Waste Has a Second Life. Meet Insect Agriculture with Dr. Heather Jordan & Cheryl Preyer
Pub date: 2026-05-05

Most people have never heard of insect agriculture. By the end of this episode, you'll wonder how you missed it.

Bites & Bytes Podcast host Kristin King sits down with Dr. Heather Jordan, microbiologist, professor at Mississippi State University, and site director for the NSF-funded Center for Insect Biomanufacturing and Innovation (CIBI), and Cheryl Preyer, the center's industry liaison and former fast food executive, to unpack one of the most quietly consequential shifts happening in the global food system right now.

For consumers, this is where your food waste is going next and why that matters for everything from the fish on your plate to the cost of your groceries. Black soldier fly, cricket, and mealworm farming aren't science fiction. They're converting food waste into high-quality livestock feed, fertilizer, and protein at scale. Research is even showing promise in using these insects to remove plastics, antibiotics, and heavy metals from our environment.

For professionals in cyber-physical risk, OT security, and food and agriculture cybersecurity, pay attention. Insect agriculture facilities are automated, sensor-dependent production environments with real operational technology vulnerabilities, and this industry is scaling fast with limited security frameworks in place (aka a factory). This is the circular bioeconomy in action. And it already exists.

Guest Contact Information:
Dr. Heather Jordan, Professor of Microbiology and Molecular Biology, Mississippi State University, and Site Director, Center for Insect Biomanufacturing and Innovation (CIBI)
Cheryl Preyer, Industry Liaison Officer, Center for Insect Biomanufacturing and Innovation
Center for Insect Biomanufacturing and Innovation

Episode Key Highlights
00:08:01 — "I Traded Fries for Flies" — Cheryl's Origin Line
00:11:49 — Insect Farming Is Livestock Farming
00:12:37 — "Feed the Food That Feeds Us."
00:16:02 — What a Black Soldier Fly Actually Does as an Adult
00:23:19 — Why Organic Chickens Need Synthetic Methionine
00:23:50 — The Lauric Acid and Coconut Connection
00:28:34 — Using Everything But the Oink
00:39:51 — The Cricket Densovirus Crisis That Wiped Out Facilities
00:50:15 — Heather's West Africa Origin Story

The Friday Reporter
She Built the CHIPS Program

May 8, 2026 · 28:26


I've been wanting to have Kathryn Mitchell on The Friday Reporter for a while. She's one of those people in Washington who has earned the right to have a real opinion about one of the most consequential policy debates of our time — and she's generous enough to explain it in terms the rest of us can understand.

Kathryn spent nearly a decade in government, moving from Capitol Hill to the Pentagon to the Department of Commerce, where she served as chief of staff for the CHIPS R&D office at NIST. She helped stand up the $50 billion CHIPS for America program — essentially from scratch. Earlier this year she moved to DLA Piper, where she now helps tech companies navigate the government landscape she used to sit inside.

This conversation covers a lot of ground. We talked about the origin story of the Chips and Science Act — passed bipartisan under Biden, now being implemented differently under Trump — and what Kathryn is watching to gauge whether the U.S. is actually getting this right. (She says we won't know for a decade or two. But she knows exactly what signals to track right now.)

We also got into something I find genuinely fascinating: the role of relationship-building in Washington. Before you can change a policy, before you can land a government contract, before your innovation can make it out of the garage and into a lab — you build the relationships. That's what Kathryn does every day for her clients, and she explains why it's the foundation of everything else.

A few things I'm still thinking about from this conversation:

Her point that AI and semiconductors are "inexplicably tied" — but that AI won't solve the physical-world challenges of building fabs, navigating permitting, or standing up domestic production. That nuance matters a lot right now.

Her career advice: "Wear your honors lightly." Don't aim to be the smartest person in the room. Aim to be the one who keeps learning. I'm going to borrow that one.

And her lightning round answer on Washington: "It is both a marathon and a sprint every day." That about sums it up.

This episode drops today — wherever you listen to podcasts. I hope you enjoy it as much as I did recording it.

— Lisa

Command Control Power: Apple Tech Support & Business Talk
668: Michael Thomsen of Origin 84, Part Two - Reusable Compliance Policies, ISO 27001 Audits, and Building a Fractional GRC/Strategy Bench

Command Control Power: Apple Tech Support & Business Talk

Play Episode Listen Later May 5, 2026 48:34


In this Command Control Power episode, host Joe and guests discuss standards, policies, certification, and compliance with Michael Thomsen of Origin 84 in Sydney, continuing an ISO 27001 deep dive. Michael explains how policies are written to solve specific control problems (e.g., MFA) and can be reusable, while areas like data classification require tailoring based on a client's industry, legislation, contracts, and workflows; key discovery questions include where data is stored and shared, and what obligations contracts impose. The conversation contrasts frameworks (NIST, Essential Eight) and notes that auditors verify that policies drive processes and are followed, emphasizing continual improvement through audits, risk/incident tracking, and iterative remediation. Jerry and Sam share healthcare/SOC 2 experiences and discuss shifting solo consultants from tactical support to higher-value strategic advisory/account management, using fractional roles and partners. Michael outlines Origin 84's fractional model (financial controller, HR, strategy officer, plus legal/CFO) and sourcing via professional networks, LinkedIn, and conferences like ACEs, where Michael will present on account management.

Cloud Security Podcast by Google
EP274 AI, Zero Trust and Secure by Design Walk into a Bar...

Cloud Security Podcast by Google

Play Episode Listen Later Apr 27, 2026 29:37


Guest: Grant Dasher, ex-CISA, ex-Google, Distinguished Engineer, Google (again)

Topics:
- Why is the "Secure-by-Design" movement gaining so much momentum now, and is it a response to the failure of "bolted-on" security, or just a natural evolution of cloud maturity?
- In a future Secure-by-Design world, is identity the only perimeter that actually matters anymore? Or is this a cliche?
- As we move toward a world of autonomous agents, how does our approach to machine identity need to change? Are we just talking about more complex Service Accounts, or do we need a fundamental shift in how we authorize "intent"?
- What is your advice to people who want to move fast and cannot wait for Secure by Design / Default AI to be decided by consensus or by an IETF, NIST or OASIS committee?
- We love the argument that modern AI agents are effectively repeating the mistakes of 1960s payphones - mixing the data plane and the control plane. What is your rebuttal? How do we build "Agentic Security" that doesn't fall for 60-year-old traps?
- Customers are torn between their Zero Trust implementations and their AI adoption. Is Zero Trust now "legacy," or is it the prerequisite for everything we're trying to do with AI agents?
- Is there Zero Trust for AI? Is this a fake buzzword or technical reality?

Resources:
- Video version
- EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance
- EP133 The Shared Problem of Alerting: More SRE Lessons for Security
- EP85 Deploy Security Capabilities at Scale: SRE Explains How
- Google SRE books
- "Atomic Accidents" book (yes, really)

Foundations of Amateur Radio
What does amateur radio bring to your life?

Foundations of Amateur Radio

Play Episode Listen Later Apr 25, 2026 5:36


Foundations of Amateur Radio

The other day I went for a walk around the block for the first time in a while. It's something I did for a time and then for several reasons, mostly to do with health, didn't. For me it's the mental equivalent of having a shower with the added benefit of not having to dry my hair, in other words, it's a place I go to with the intent of generating shower thoughts.

During my walk, away from the forces pulling me in all manner of directions, none of which have anything to do with amateur radio, away from my keyboard, away from my screen, away from technology challenges, although I'll admit that my phone was in my pocket, I took about twenty minutes to walk and daydream, to follow my thoughts and to see where they'd end up.

I got to this point because sitting at my desk I was getting nowhere trying to put together my thoughts in any sequence at least resembling coherence. While it's happened before, it's not something that occurs often. The day before I'd started writing, almost as if possessed, about what amateur radio means to me, but during my walk I started wondering about the people who leave this hobby and the community embracing it.

I've often said that F-troop is a weekly net for new and returning amateurs, both people who have a license that's still hot off the printer, and others who have one typed up on an IBM Selectric, signed with a quill, ink faded with age, paper yellowed by sunlight, potentially with coffee mug rings on it, stashed somewhere in a drawer. I wondered about those returning amateurs and asked myself about the nature of leaving a hobby. It occurred to me that people leave for many different reasons, and it would be foolhardy to consider that all of those reasons are controllable by our community.

While bullying and arguments exist, each responsible for their share of people leaving, it seems to me that some amateurs leave because there's too much other stuff going on in their lives, things that actively or passively prevent amateurs from participating.

This is difficult for me to relate to because for me, amateur radio is an intrinsic part of my life, in that it often quietly shapes how I view the world and learn from it. I see it when I notice a television antenna pointing in the wrong direction, when I install a new Wi-Fi router somewhere, when a signal is lost to a manned mission around the Moon, when I open the garage door and when I read that researchers at the National Institute of Standards and Technology, better known as NIST, have developed a new method for creating chips that process photons similarly to how traditional chips process electrons which can generate a rainbow of colours, though they didn't use the letter "u" to describe them.

While those examples might be somewhat obvious, amateur radio is also there when I see someone share a tiny electronic paper screen on social media and I consider how I might use that when I go portable. It's there when I'm walking in a park and when I'm looking at a beach, it's there when I see metal artworks or painters poles at the local hardware store and when I watch a movie with radios anywhere on screen. It's there when the topic of physics arises and when some electromagnetic phenomenon occurs. Like radio waves and air, it's pretty much part of my daily existence.

I will add that this same depth of connection exists between me and computers. Watching "Flight of the Conchords" I cannot help but notice that Murray's computer keeps changing and that I miss the Commodore Vic 20 sitting behind him surrounded by ever changing New Zealand tourism posters. In other words, I cannot imagine ever not having radio or computers in my life.

I'm mentioning all this because my experience isn't universal. While I'm sure that I'm not alone in this deep affinity, the community as a whole invariably ranges between people who could take or leave the hobby at a moment's notice and those who couldn't live without it, and beyond our community there are people who are, depending on your perspective, blissfully or woefully, unaware of our existence. All this to say, your experience of this hobby is not the same as that for everyone else, neither is your experience of life.

This is revealed more clearly in what we think the hobby means, whether or not FT8 is a blessing or a curse, contesting is ridiculous or amazing, why 40m is better than 20m or vice-versa and if the hobby died when the ITU stopped requiring Morse code, or saw a rebirth.

It should be obvious by now, but I think it's important to be explicit. Amateur radio is your hobby. It's what it means for you. Not for your mate, not for me, not for the people in your club, the local email list or social media. Just you. So, use this as an opportunity to think about this, in my not so humble opinion, absolutely amazing hobby and what place it has in your life.

I'm Onno VK6FLAB

The CyberWire
A digital battlefield in practice.

The CyberWire

Play Episode Listen Later Apr 24, 2026 26:09


Locked Shields wraps another year. Open models challenge Mythos. CISA tracks FIRESTARTER inside a federal agency. The White House targets foreign AI model extraction. Microsoft lets admins remove Copilot. Treasury sanctions a Cambodian scam-compound senator. Breeze Cache rushes a patch. Researchers downplay OT malware hype, while NIST pushes for better OT visibility. Our guest is Eric Russo, Director, SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated software. Con artists charge crypto for counterfeit clearance.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Eric Russo, Director, SOC Defensive Security at Barracuda, discussing the risks posed by employees downloading pirated or cracked software onto corporate devices. You can learn more here.

Selected Reading
- Locked Shields 2026: 41 Nations Strengthen Cyber Resilience in World's Biggest Exercise (SecurityWeek)
- Open source models can find bugs as well as Mythos (The Register)
- CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March (The Record)
- Trump Administration Vows Crackdown on Chinese Companies 'Exploiting' AI Models Made in US (SecurityWeek)
- Microsoft now lets admins uninstall Copilot on enterprise devices (Bleeping Computer)
- US sanctions Cambodian senator for millions earned through scam compounds (The Record)
- Cloudways Patches Actively Exploited File Upload Flaw in Breeze Cache Plugin (Beyond Machines)
- Dragos: Despite AI use, new malware targeting water plants is 'hype' (CyberScoop)
- NIST cyber center to launch OT 'visibility' project (Federal News Network)
- Crypto scam lures ships into Strait of Hormuz, falsely promising safe passage (Ars Technica)

Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?
N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Risky Business
Risky Business #834 -- Vercel gets owned, Mozilla dumps hundreds of Mythos bugs

Risky Business

Play Episode Listen Later Apr 22, 2026 60:33


On this week's show, Patrick Gray and James Wilson are joined by special guest The Grugq. They discuss the week's cybersecurity news, including:
- Vercel got owned, and there's a few infostealer and compromised employee dots to connect
- Mozilla used Mythos to find 271 bugs, which feels like a sign of the bug-pocalypse
- Speaking of the bug-pocalypse, is that why NIST is noping out of enriching a bunch of bugs?
- The NSA is using Mythos even though the government did that whole Anthropic blacklisting thing
- And DDoS attacks hit a couple of smaller-player socials

This week's episode is sponsored by Permiso. Ian Ahl chats to Pat about the subtle signals Permiso uses to detect ShinyHunters-style activity in cloud and on-prem environments.

This episode is also available on YouTube.

Show notes
- Vercel April 2026 Security incident
- Vercel breach linked to infostealer infection at Context.ai
- Vercel confirms breach as hackers claim to be selling stolen data
- Matt Johansen: “This is not a good look” | X
- NIST limits vulnerability analysis as CVE backlog swells | Cybersecurity Dive
- CISA Cyber on X
- Ransomware attack continues to disrupt healthcare in London nearly two years later | The Record from Recorded Future News
- Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks | CyberScoop
- In defeat for Trump, House extends electronic spying program for just 10 days | The Record from Recorded Future News
- Crypto infrastructure company blames $290 million theft on North Korean hackers | The Record from Recorded Future News
- US-sanctioned currency exchange says $15 million heist done by "unfriendly states" - Ars Technica
- Hackers are abusing unpatched Windows security flaws to hack into organizations | TechCrunch
- Mozilla Used Anthropic's Mythos to Find and Fix 271 Bugs in Firefox | WIRED
- NSA using Anthropic's Mythos despite Defense Department blacklist
- Beyond the breach: inside a cargo theft actor's post-compromise playbook | Proofpoint US
- Beware scam messages offering ships safe transit through Hormuz Strait, says security firm | The Straits Times
- New Jersey men given lengthy sentences for running North Korean laptop farms | The Record from Recorded Future News
- Turns Out We're Not Alone - Volodymyr Styran
- US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms | Cybersecurity Dive
- Bluesky blames app outage on 'sophisticated' DDoS attack | The Record from Recorded Future News
- Mastodon says its flagship server was hit by a DDoS attack | TechCrunch
- An IT expert explained under what conditions using a VPN can cause a smartphone to explode

Blue Security
NIST Taps Out, $21B Lost in cybercrime, and MDI Password Protection

Blue Security

Play Episode Listen Later Apr 21, 2026 37:41


Summary
In this episode, Andy and Adam discuss significant changes in cybersecurity, focusing on NIST's new policy for handling CVEs, the alarming statistics from the FBI's 2025 Cybercrime Report, and the introduction of a new password protection feature in Defender for Identity. They explore the implications of these developments, including the increasing effectiveness of AI-driven scams and the challenges faced by organizations in managing vulnerabilities and protecting sensitive information.

YouTube Video Link: https://youtu.be/ZKQQkOF85z0

Documentation:
https://www.bleepingcomputer.com/news/security/nist-to-stop-rating-non-priority-flaws-due-to-volume-increase/
https://www.pcgamer.com/software/security/us-victims-lost-nearly-usd21-billion-to-cybercrime-last-year-says-fbi-with-crypto-and-ai-complaints-among-the-costliest/
https://learn.microsoft.com/en-us/defender-for-identity/password-protection

Contact Us:
Website: https://bluesecuritypod.com
Bluesky: https://bsky.app/profile/bluesecuritypod.com
LinkedIn: https://www.linkedin.com/company/bluesecpod
YouTube: https://www.youtube.com/c/BlueSecurityPodcast

Andy Jaw
Bluesky: https://bsky.app/profile/ajawzero.com
LinkedIn: https://www.linkedin.com/in/andyjaw/
Email: andy@bluesecuritypod.com

Adam Brewer
Twitter: https://twitter.com/ajbrewer
LinkedIn: https://www.linkedin.com/in/adamjbrewer/
Email: adam@bluesecuritypod.com

Blue Security
Ep 292 - NIST Taps Out, $21B Lost in cybercrime, and MDI Password Protection

Blue Security

Play Episode Listen Later Apr 21, 2026 37:04


Summary
In this episode, Andy and Adam discuss significant changes in cybersecurity, focusing on NIST's new policy for handling CVEs, the alarming statistics from the FBI's 2025 Cybercrime Report, and the introduction of a new password protection feature in Defender for Identity. They explore the implications of these developments, including the increasing effectiveness of AI-driven scams and the challenges faced by organizations in managing vulnerabilities and protecting sensitive information.

YouTube Video Link: https://youtu.be/ZKQQkOF85z0

Documentation:
https://www.bleepingcomputer.com/news/security/nist-to-stop-rating-non-priority-flaws-due-to-volume-increase/
https://www.pcgamer.com/software/security/us-victims-lost-nearly-usd21-billion-to-cybercrime-last-year-says-fbi-with-crypto-and-ai-complaints-among-the-costliest/
https://learn.microsoft.com/en-us/defender-for-identity/password-protection

Contact Us:
Website: https://bluesecuritypod.com
Bluesky: https://bsky.app/profile/bluesecuritypod.com
LinkedIn: https://www.linkedin.com/company/bluesecpod
YouTube: https://www.youtube.com/c/BlueSecurityPodcast

Andy Jaw
Bluesky: https://bsky.app/profile/ajawzero.com
LinkedIn: https://www.linkedin.com/in/andyjaw/
Email: andy@bluesecuritypod.com

Adam Brewer
Twitter: https://twitter.com/ajbrewer
LinkedIn: https://www.linkedin.com/in/adamjbrewer/
Email: adam@bluesecuritypod.com

Tales from the Crypt
Ten31 Timestamp: The Empire Strikes Back

Tales from the Crypt

Play Episode Listen Later Apr 20, 2026 30:31


Term 2.0 is trending imperial as the US flexes financial and military muscle across the globe, from the Strait of Hormuz to the Panama Canal. While ceasefire headlines whipsaw market sentiment, Bitcoin is quietly decoupling from tech stocks and showing resilience against a backdrop of great power competition with China.

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Monday, April 20th, 2026: Lumma Stealer and Sectop RAT; Windows 0-Day Exploited; NIST NVD Update; FortiSandbox PoC

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Play Episode Listen Later Apr 20, 2026 6:30


Lumma Stealer infection with Sectop RAT (ArechClient2)
https://isc.sans.edu/diary/Lumma%20Stealer%20infection%20with%20Sectop%20RAT%20%28ArechClient2%29/32904

Three Recent Windows Defender Vulnerabilities Exploited (one 0-day)
https://x.com/HuntressLabs/status/2044882115574091960

FortiSandbox PoC Exploit CVE-2026-39808
https://github.com/samu-delucas/CVE-2026-39808?tab=readme-ov-file

NIST Updates NVD Operations to Address Record CVE Growth
https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth

Cyber Security Today
Security Researcher Goes To War Against Microsoft

Cyber Security Today

Play Episode Listen Later Apr 20, 2026 20:47


Microsoft Under Fire, NIST Scales Back NVD, FortiSandbox Critical Bugs, Vercel Breach Claims, Scattered Spider Member Pleads Guilty

Host David Shipley covers five major stories: researcher "Chaotic Eclipse" publicly released Windows exploits—first "Blue Hammer," then "Red Sun," a Microsoft Defender flaw enabling privilege escalation on fully patched Windows 10/11 and Server—amid claims Microsoft mistreated them, highlighting strain on responsible disclosure as vendors face mounting vulnerability volume and AI-driven bug discovery. NIST announced it can no longer fully enrich all CVEs in the National Vulnerability Database, prioritizing only exploited-in-the-wild issues, federal software, and critical software, leaving the rest backlogged. In "FortiWatch," two critical FortiSandbox flaws allow auth bypass and remote command execution; patches are available. Vercel confirmed attackers accessed internal systems and urges customers to review and rotate environment variables amid unverified ShinyHunters ransom claims. Finally, alleged Scattered Spider member Tyler Buchanan pled guilty to an $8M crypto theft case, with reporting describing the group's social engineering tactics and escalating real-world violence tied to cybercrime.

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst

00:00 Headlines And Sponsor
00:49 Microsoft Bug Drop
03:00 Disclosure System Strain
05:59 NVD Backlog Crisis
08:47 FortiWatch FortiSandbox
11:43 Vercel Breach Fallout
14:43 Scattered Spider Guilty Plea
18:54 Wrap Up And Thanks

Security Conversations
The Angry Spark APT Mystery: A Year-Long Backdoor, One Victim, Zero Attribution

Security Conversations

Play Episode Listen Later Apr 18, 2026 155:23


(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.)

Three Buddy Problem - Episode 94: We discuss a mysterious, VM-obfuscated backdoor that lived undetected on a single U.K. machine for a year before disappearing, finding clues pointing to an elite-level APT intrusion that still evades broader industry coverage. Plus, connecting the dots across AI-driven vulnerability discovery, Microsoft's massive Patch Tuesday, Jensen Huang talks cybersecurity, Mythos dangers and Chinese chips, and the quiet erosion of CVE enrichment at NIST.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Timestamps:
0:00 – Intros + AI news whiplash
5:10 – Patch Tuesday breakdown: Microsoft's second-largest CVE release ever
7:32 – AI accelerating vulnerability discovery at record pace
10:00 – Frontier lab cyber models, fine-tuning, guardrail removal & KYC
12:37 – FreeBSD NFS bug: Opus 4.6 was already finding critical vulns
14:26 – Anthropic's infrastructure strain: Is Opus being nerfed?
21:05 – OpenAI's Trusted Access for Cyber vs. Anthropic's Mythos cabal
28:45 – SharePoint zero-day CVE-2026-32201: The endless Microsoft tax
34:36 – Adobe Acrobat zero-day: A rare, real, Russia-linked exploit in the wild
41:36 – VirusTotal mining: The golden age of threat intel hunting
50:03 – ZionSiphon: Vibe-coded OT malware targeting Israeli water infrastructure
55:04 – Paleontology of threat research: When do you publish? Who do you trust?
1:13:53 – Angry Spark: A one-machine, one-year backdoor raises eyebrows
1:49:25 – Jensen Huang vs. Dwarkesh Patel on Mythos, China and chips
2:14:32 – Chinese AI distillation: 24,000 fake Anthropic accounts, DeepSeek & the catch-up question

Business of Tech
Network and Infrastructure Limits Force New Guardrails as AI Expands in MSP Operations

Business of Tech

Play Episode Listen Later Apr 17, 2026 13:08


A structural shift is occurring as artificial intelligence transitions from being a tool for generating output to one that executes tasks across IT environments, significantly increasing the demand for robust governance and infrastructure controls. This mechanism is illustrated by the rapid integration of agentic automation into operational platforms, with vendors such as Kyndryl (Agentic Service Management) and SolarWinds (SW1) positioning their AI systems as operational teammates capable of autonomous action. Analysts from firms like Omdia and AvePoint highlight that the product focus is no longer the agent or AI capability itself, but the enforcement layer, encompassing identity management, permissions, logging, quota enforcement, tenant boundaries, and approval workflows.

A consequential development is the increased operational burden on networks, as agentic automation increases background and automated traffic. According to Imperva's Bad Bot Report, automated traffic now exceeds 51% of all internet activity. Analyst firm Omdia and Lumen CEO Kate Johnson stress that the capacity of underlying networks, and not just compute resources, is becoming a hard constraint for scaling AI-driven operations. For MSPs, this manifests as tangible increases in bandwidth contention, authentication events, and noise in security tooling, leading to resource constraints and increased pressure on triage and incident response.

Complementary developments reinforce this shift. N-able is rolling out direct AI operational integration in N-central and N-sight through a custom context protocol, while OpenAI is updating its Agents SDK to include sandboxing and distribution harnesses for stricter boundaries. The New Stack underscores NIST's recommendation for layered controls, least privilege, network segmentation, and tamper-resistant, replayable logging to contain the risks associated with agentic automation. Research cited by the AI Journal finds that governance and compliance, rather than technical skills, are currently the top barriers to reliable AI adoption among MSPs, driven by the complexity of multi-tenant environments and the requirement to prove control and recoverability.

For MSPs and IT providers, these shifts introduce direct operational and contractual risks. Relying on default vendor models without explicit policy ownership or proof-of-execution effectively transfers liability without control. Practical considerations now require MSPs to define approval models, enforce least privilege, audit agent actions, establish recovery playbooks, forecast network and compute demand, and clarify quotas and overage terms in service contracts. Unbounded and unaudited automation is becoming a commercially unacceptable risk, comparable to operating critical systems without proper backups.

00:00 AI Tax: Networks
04:35 Scaffolding Over Models
07:45 Agents Eat Margins
10:05 Why Do We Care?

Supported by: ScalePad, Timezest
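The enforcement-layer controls this summary lists (tenant boundaries, least-privilege allow-lists, quota enforcement, approval workflows, and tamper-resistant, replayable logging of agent actions) fit in one small gate that sits between an agent and the tools it drives. The Python below is an added example written for this page; it is not code from any vendor, analyst firm or agency named in the summary. The action names, the single-window quota, the in-memory single-use approval set and the SHA-256 hash chain used for the log are all assumptions chosen to illustrate the pattern, and the requests in `run_demo()` are constructed.

```python
"""Added example: a minimal enforcement layer for agent-executed IT actions.
Hypothetical design; action names, quota model and approval store are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field

# Actions that must never run without a recorded human approval (assumed list).
HIGH_RISK = {"delete_vm", "disable_mfa", "rotate_secret"}
GENESIS = "0" * 64  # chain anchor for the first log entry


@dataclass
class Agent:
    agent_id: str
    tenant: str                  # the only tenant this agent may act in
    allowed_actions: frozenset   # least-privilege allow-list
    quota: int                   # max successful actions (time-window handling omitted)


@dataclass
class Ledger:
    """Append-only log; each entry hashes its predecessor, so edits to history break the chain."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Replay the chain; False if any record or link was altered after the fact."""
        prev = GENESIS
        for entry in self.entries:
            expected = hashlib.sha256((prev + json.dumps(entry["record"], sort_keys=True)).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class Enforcer:
    """Gate between an agent and its tools: tenant boundary, allow-list, quota and
    approval are checked in that order, and every decision (allowed or denied) is logged."""

    def __init__(self):
        self.ledger = Ledger()
        self.used = {}          # agent_id -> successful actions consumed
        self.approvals = set()  # (agent_id, action, target) granted by a human; single-use

    def approve(self, agent_id, action, target):
        self.approvals.add((agent_id, action, target))

    def _decide(self, agent, action, target_tenant, target):
        if target_tenant != agent.tenant:
            return "denied: tenant boundary"
        if action not in agent.allowed_actions:
            return "denied: not in allow-list"
        if self.used.get(agent.agent_id, 0) >= agent.quota:
            return "denied: quota exhausted"
        if action in HIGH_RISK and (agent.agent_id, action, target) not in self.approvals:
            return "denied: approval required"
        return "allowed"

    def request(self, agent, action, target_tenant, target):
        verdict = self._decide(agent, action, target_tenant, target)
        if verdict == "allowed":
            self.used[agent.agent_id] = self.used.get(agent.agent_id, 0) + 1
            self.approvals.discard((agent.agent_id, action, target))  # approval is consumed
        self.ledger.append({"agent": agent.agent_id, "action": action,
                            "tenant": target_tenant, "target": target, "verdict": verdict})
        return verdict


def run_demo():
    """Constructed requests from one agent; returns the verdicts in order."""
    enf = Enforcer()
    bot = Agent("patch-bot", "tenant-a", frozenset({"restart_service", "delete_vm"}), quota=3)
    verdicts = [
        enf.request(bot, "restart_service", "tenant-a", "web-01"),  # allowed
        enf.request(bot, "restart_service", "tenant-b", "web-01"),  # crosses a tenant boundary
        enf.request(bot, "disable_mfa", "tenant-a", "alice"),       # outside the allow-list
        enf.request(bot, "delete_vm", "tenant-a", "old-vm"),        # high-risk, no approval yet
    ]
    enf.approve("patch-bot", "delete_vm", "old-vm")
    verdicts.append(enf.request(bot, "delete_vm", "tenant-a", "old-vm"))        # allowed once
    verdicts.append(enf.request(bot, "restart_service", "tenant-a", "web-02"))  # third success
    verdicts.append(enf.request(bot, "restart_service", "tenant-a", "web-03"))  # quota hit
    assert enf.ledger.verify()  # the log replays cleanly
    return verdicts


def tamper_demo():
    """Rewrite a logged verdict after the fact; returns (valid_before, valid_after)."""
    led = Ledger()
    led.append({"agent": "patch-bot", "action": "delete_vm", "verdict": "denied: approval required"})
    led.append({"agent": "patch-bot", "action": "restart_service", "verdict": "allowed"})
    before = led.verify()
    led.entries[0]["record"]["verdict"] = "allowed"  # the edit a compromised agent might make
    return before, led.verify()


if __name__ == "__main__":
    print(run_demo())
    print(tamper_demo())
```

Two caveats a practitioner would add. A hash chain only proves the log is internally consistent; an attacker who can rewrite the whole file can rebuild the chain, so the current chain head has to be signed or shipped periodically to a store the agent cannot write. And the quota here is a single counter; a real deployment binds it to a time window and ties the agent identity to the platform's own identity provider rather than a string in a dataclass.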

The CyberWire
Too many flaws, not enough time.

The CyberWire

Play Episode Listen Later Apr 16, 2026 31:24


NIST struggles with an NVD backlog. Cisco and Splunk ship critical patches. Researchers flag a systemic flaw in Anthropic's MCP. ShinyHunters leak 13.5 million McGraw Hill accounts. Cargo theft goes cyber. A Tennessee hospital breach hits 337,000 patients. Two Americans are sentenced in a North Korean fake-IT-worker scheme. Our guest is Rob Allen, Chief Product Officer at ThreatLocker, describing security gaps addressed by zero trust. OpenAI lets security teams take off the training wheels.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today's Industry Voices segment we are joined by Rob Allen, Chief Product Officer at ThreatLocker, discussing security gaps addressed by zero trust. If you enjoyed this conversation check out the full interview here.

Selected Reading
- NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities (Infosecurity Magazine)
- Cisco says critical Webex Services flaw requires customer action (Bleeping Computer)
- Splunk Enterprise Update Patches Code Execution Vulnerability (SecurityWeek)
- Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads (Infosecurity Magazine)
- Data breach at edtech giant McGraw Hill affects 13.5 million accounts (Bleeping Computer)
- Freight Hacker Wields Code-Signing Service to Evade Defenses (GovInfo Security)
- Data Breach at Tennessee Hospital Affects 337,000 (SecurityWeek)
- US nationals behind DPRK IT worker 'laptop farm' sent to prison (Bleeping Computer)
- OpenAI Launches GPT-5.4 Cyber And It's Built Specifically for Defenders (TechGlow)

Share your feedback.
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show?
N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

ITSPmagazine | Technology. Cybersecurity. Society
You're Still Reading the Advisory. The Attacker Already Left. | Lens Four by Sean Martin | Read by TAPE9

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Apr 14, 2026 15:45


When Anthropic announced Project Glasswing, the headline was the capability: an AI model that found a 27-year-old flaw in OpenBSD and a 17-year-old remote code execution vulnerability in FreeBSD — fully autonomously, no human in the loop after the initial prompt. But the story underneath the capability is a structural one about who gets early intelligence, who sets the disclosure timeline, and what happens to every organization that wasn't in the room. In this edition of Lens Four, Sean Martin examines Project Glasswing through three lenses: the intelligence asymmetry it creates for security programs, what it reveals about the broken assumptions underneath CVE, CVSS, and NIST, and why the equity framing in Glasswing's messaging doesn't survive contact with the data.