Podcasts about OAuth

In episode 307 of Absolute AppSec, hosts Ken and Seth conduct a retrospective on the application security landscape of 2025. They conclude that their previous predictions were largely accurate, particularly regarding the rise of prompt injection, AI-backed attacks, and the industry-wide shift toward per-token billing models. A major theme of the year was the solidification of supply chain security as a critical pillar of AppSec, driven by notable incidents such as Shai Hulud and React for Shell. The hosts also share insights from their four-day training course on utilizing LLMs for secure code review, noting that while AI development is becoming more prevalent, most practitioners are still in the nascent stages of building custom tooling. Much of the discussion focuses on the Model Context Protocol (MCP); while it offers significant value for agentic workflows, the hosts criticize its current lack of robust security controls, specifically highlighting issues with OAuth implementations and short timeouts in existing clients. Finally, they discuss how the industry is moving toward a more nuanced balance between deterministic tools like Semgrep and the probabilistic creativity of LLMs to increase efficiency in security consulting.

In this annual Security Squawk tradition, we do two things most people avoid: accountability and predictions. First, we break down the top cyber-attacks of 2025 and translate them into what actually matters for business owners, IT pros, and MSPs. Then we grade our predictions from last year using real outcomes. No excuses. No hand waving. No “well technically.” Why does this episode matter? Because 2025 made one thing painfully clear. Most cyber damage does not come from genius hackers. It comes from predictable failures. Unpatched systems. Over-trusted third parties. Tokens and sessions that live too long. Help desks that can be socially engineered. And organizations that still treat cybersecurity like an IT issue instead of a business survival issue. We start with the Top 10 Cyber-Attacks of 2025 and pull out the patterns hiding behind the headlines. This year's list includes ransomware and extortion campaigns, software supply chain failures, identity and OAuth token abuse, and attacks that caused real operational disruption, not just data exposure. These stories show how attackers scale impact by targeting widely deployed platforms and trusted business tools, then turning that access into downtime, data theft, and brand damage. One of the biggest lessons of 2025 is simple: identity is the new perimeter. Many of the most important incidents were not break-in stories. They were log-in stories. Stolen sessions and OAuth tokens keep working because they let attackers bypass MFA, move quickly, and blend in as legitimate users. If your security strategy is focused only on blocking failed logins, you are watching the wrong signal. 2025 also reinforced how fragile third-party trust has become. Integrations are everywhere. They make businesses faster and more efficient, but they also expand the blast radius. When a third-party tool or service account is compromised, it can become a shortcut into systems that were never directly attacked. In this episode, we talk about practical steps like minimizing access scopes, eliminating unnecessary integrations, shortening token lifetimes, and having a real plan to revoke access when something looks off. We also dig into why on-prem enterprise tools continue to get hammered. Many organizations still run internet-facing platforms that are patched slowly and monitored poorly. Attackers love that combination. In 2025, we saw repeated exploitation of high-value enterprise software where a single weakness led to widespread compromise across industries. If your patching strategy is “we will get to it,” attackers already have. Another major theme this year was operational disruption. Some of the costliest incidents were not just about stolen data. They shut down production, halted sales, broke customer service systems, and created ripple effects across supply chains. That is where executives feel cyber risk the hardest. Data loss hurts. Downtime is a business emergency. Then we grade last year's predictions. Did AI take our jobs? Not even close. What it did do was raise the baseline for both attackers and defenders. AI improved phishing quality, accelerated scams, and forced organizations to confront the risks of adopting new tools without clear controls. We also review our call on token and session-based attacks. That prediction aged well. Identity-layer abuse dominated 2025. The issue was not a lack of MFA. The issue was that attackers did not need to defeat MFA if they could steal what comes after it. We also revisit regulation. It did not arrive all at once. It crept forward. Agencies and lawmakers continued tightening expectations, especially in sectors that keep getting hit. Businesses that wait for mandates before improving controls will pay more later, either through recovery costs, insurance pressure, or lost trust. Finally, we look ahead to 2026 with new predictions that are probable, not obvious. We discuss what is likely to change around identity, help desk security, SaaS governance, and how leaders measure cyber readiness. The short version is this: 2026 will reward companies that treat access as a living system and punish those that treat it like a one-time setup. If you like the show, help us grow it. Subscribe, leave a review, and share this episode with someone who still thinks cybersecurity is just antivirus and a firewall. And if you want to support the podcast directly, buy me a coffee at buymeacoffee.com/securitysquawk.

Der INNOQ Security Podcast meldet sich mit einer neuen Folge zurück: Christoph spricht mit Dominik über die Sicherheit von MCP-Servern. Die beiden diskutieren über die Bedrohungen und Sicherheitsfallstricke, die beim Einsatz von MCP-Servern lauern. Sie fragen sich: welche Schutzmaßnahmen gibt es eigentlich? Helfen Sandboxing und Guardrails wirklich? Und wo liegen die Schwierigkeiten bei der Implementierung von OAuth für MCP? Außerdem: Was Unternehmen vor dem Einsatz wissen sollten und warum das Fundament stimmen muss.

Parce que… c'est l'épisode 0x683! Shameless plug 25 et 26 février 2026 - SéQCure 2026 CfP 14 au 17 avril 2026 - Botconf 2026 28 et 29 avril 2026 - Cybereco Cyberconférence 2026 9 au 17 mai 2026 - NorthSec 2026 3 au 5 juin 2026 - SSTIC 2026 Notes IA It Only Takes A Handful Of Samples To Poison Any Size LLM, Anthropic Finds Chinese Surveillance and AI LLMs are Accelerating the Ransomware Operations with Functional Tools and RaaS Microsoft confirms Windows 11 will ask for consent before AI agents can access your personal files, after outrage Automatically Remove AI Features From Windows 11 In Cybersecurity, Claude Leaves Other LLMs in the Dust AI-authored code needs more attention, contains worse bugs Privacy Privacy is Marketing. Anonymity is Architecture Chrome, Edge privacy extensions quietly snarf AI chats UK surveillance law still full of holes, watchdog warns Pa. high court rules that police can access Google searches without a warrant Souveraineté Nutanix pushes sovereign cloud in another swipe at VMware ‘It's surreal': US sanctions lock International Criminal Court judge out of daily life NATO's battle for cloud sovereignty: Speed is existential Airbus to migrate critical apps to a sovereign Euro cloud Red Deepfake Deception: How I Hacked Biometric Authentication with $ and a YouTube Video

In the final show of 2025, Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including: React2Shell attacks continue, surprising no one The unholy combination of OAuth consent phishing, social engineering and Azure CLI Venezuela's state oil firm gets ransomware'd, blames US… but what if it really is a US cyber op?! Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain Microsoft finally turns RC4 off by default in Active Directory Kerberos Traefik's TLS verify=on … turns it off, whoopsie

In this episode of Cybersecurity Today, host Jim Love discusses a range of pressing cybersecurity threats. The show covers the escalating React2Shell vulnerability, which has led to widespread automated exploitation campaigns involving crypto miners and back doors. Additionally, Jim reports on the Black Force phishing kit, which bypasses multifactor authentication and is gaining traction among cybercriminals. Microsoft OAuth consent attacks are also highlighted, with users being tricked into granting access to their accounts. Finally, the episode touches on PornHub's data breach involving the Shiny Hunters cybercrime group and the importance of patching vulnerabilities and being cautious during the holiday season. 00:00 Introduction and Sponsor Message 00:22 React2Shell Vulnerability Deep Dive 03:46 Black Force Phishing Toolkit 05:44 Microsoft OAuth Consent Phishing 07:29 PornHub Data Breach by Shiny Hunters 10:21 Holiday Cybersecurity Tips and Final Thoughts

Interview Segment: Tony Kelly Illuminating Data Blind Spots As data sprawls across clouds and collaboration tools, shadow data and fragmented controls have become some of the biggest blind spots in enterprise security. In this segment, we'll unpack how Data Security Posture Management (DSPM) helps organizations regain visibility and control over their most sensitive assets. Our guest will break down how DSPM differs from adjacent technologies like DLP, CSPM, and DSP, and how it integrates into broader Zero Trust and cloud security strategies. We'll also explore how compliance and regulatory pressures are shaping the next evolution of the DSPM market—and what security leaders should be doing now to prepare. Segment Resources: https://static.fortra.com/corporate/pdfs/brochure/fta-corp-fortra-dspm-br.pdf This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them! Topic Segment: We've got passkeys, now what? Over this year on this podcast, we've talked a lot about infostealers. Passkeys are a clear solution to implementing phishing and theft-resistant authentication, but what about all these infostealers stealing OAuth keys and refresh tokens? As long as session hijacking is as simple as moving a cookie from one machine to another, securing authentication seems like solving only half the problem. Locking the front door, but leaving a side door unlocked. After doing some research, it appears that there has been some work on this front, including a few standards that have been introduced: DBSC (Device Bound Session Credentials) for browsers DPoP (Demonstrating Proof of Possession) for OAuth applications We'll address a few key questions in this segment: 1. how do these new standards help stop token theft? 2. how broadly have they been adopted? Segment Resources: FIDO Alliance White Paper: DBSC/DPOP as Complementary Technologies to FIDO Authentication News Segment Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-437

Interview Segment: Tony Kelly Illuminating Data Blind Spots As data sprawls across clouds and collaboration tools, shadow data and fragmented controls have become some of the biggest blind spots in enterprise security. In this segment, we'll unpack how Data Security Posture Management (DSPM) helps organizations regain visibility and control over their most sensitive assets. Our guest will break down how DSPM differs from adjacent technologies like DLP, CSPM, and DSP, and how it integrates into broader Zero Trust and cloud security strategies. We'll also explore how compliance and regulatory pressures are shaping the next evolution of the DSPM market—and what security leaders should be doing now to prepare. Segment Resources: https://static.fortra.com/corporate/pdfs/brochure/fta-corp-fortra-dspm-br.pdf This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them! Topic Segment: We've got passkeys, now what? Over this year on this podcast, we've talked a lot about infostealers. Passkeys are a clear solution to implementing phishing and theft-resistant authentication, but what about all these infostealers stealing OAuth keys and refresh tokens? As long as session hijacking is as simple as moving a cookie from one machine to another, securing authentication seems like solving only half the problem. Locking the front door, but leaving a side door unlocked. After doing some research, it appears that there has been some work on this front, including a few standards that have been introduced: DBSC (Device Bound Session Credentials) for browsers DPoP (Demonstrating Proof of Possession) for OAuth applications We'll address a few key questions in this segment: 1. how do these new standards help stop token theft? 2. how broadly have they been adopted? Segment Resources: FIDO Alliance White Paper: DBSC/DPOP as Complementary Technologies to FIDO Authentication News Segment Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-437

Interview Segment: Tony Kelly Illuminating Data Blind Spots As data sprawls across clouds and collaboration tools, shadow data and fragmented controls have become some of the biggest blind spots in enterprise security. In this segment, we'll unpack how Data Security Posture Management (DSPM) helps organizations regain visibility and control over their most sensitive assets. Our guest will break down how DSPM differs from adjacent technologies like DLP, CSPM, and DSP, and how it integrates into broader Zero Trust and cloud security strategies. We'll also explore how compliance and regulatory pressures are shaping the next evolution of the DSPM market—and what security leaders should be doing now to prepare. Segment Resources: https://static.fortra.com/corporate/pdfs/brochure/fta-corp-fortra-dspm-br.pdf This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them! Topic Segment: We've got passkeys, now what? Over this year on this podcast, we've talked a lot about infostealers. Passkeys are a clear solution to implementing phishing and theft-resistant authentication, but what about all these infostealers stealing OAuth keys and refresh tokens? As long as session hijacking is as simple as moving a cookie from one machine to another, securing authentication seems like solving only half the problem. Locking the front door, but leaving a side door unlocked. After doing some research, it appears that there has been some work on this front, including a few standards that have been introduced: DBSC (Device Bound Session Credentials) for browsers DPoP (Demonstrating Proof of Possession) for OAuth applications We'll address a few key questions in this segment: 1. how do these new standards help stop token theft? 2. how broadly have they been adopted? Segment Resources: FIDO Alliance White Paper: DBSC/DPOP as Complementary Technologies to FIDO Authentication News Segment Show Notes: https://securityweekly.com/esw-437

Interview Segment: Tony Kelly Illuminating Data Blind Spots As data sprawls across clouds and collaboration tools, shadow data and fragmented controls have become some of the biggest blind spots in enterprise security. In this segment, we'll unpack how Data Security Posture Management (DSPM) helps organizations regain visibility and control over their most sensitive assets. Our guest will break down how DSPM differs from adjacent technologies like DLP, CSPM, and DSP, and how it integrates into broader Zero Trust and cloud security strategies. We'll also explore how compliance and regulatory pressures are shaping the next evolution of the DSPM market—and what security leaders should be doing now to prepare. Segment Resources: https://static.fortra.com/corporate/pdfs/brochure/fta-corp-fortra-dspm-br.pdf This segment is sponsored by Fortra. Visit https://securityweekly.com/fortra to learn more about them! Topic Segment: We've got passkeys, now what? Over this year on this podcast, we've talked a lot about infostealers. Passkeys are a clear solution to implementing phishing and theft-resistant authentication, but what about all these infostealers stealing OAuth keys and refresh tokens? As long as session hijacking is as simple as moving a cookie from one machine to another, securing authentication seems like solving only half the problem. Locking the front door, but leaving a side door unlocked. After doing some research, it appears that there has been some work on this front, including a few standards that have been introduced: DBSC (Device Bound Session Credentials) for browsers DPoP (Demonstrating Proof of Possession) for OAuth applications We'll address a few key questions in this segment: 1. how do these new standards help stop token theft? 2. how broadly have they been adopted? Segment Resources: FIDO Alliance White Paper: DBSC/DPOP as Complementary Technologies to FIDO Authentication News Segment Show Notes: https://securityweekly.com/esw-437

We dig into how AI changes the risk surface for banks and fintechs and why identity must be designed from the start. Sutton Maxwell of Curity shares how to set API guardrails, balance friction with trust, and choose hybrid architectures that meet regulation without killing speed.• What Curity does for API security and identity• Why AI pilots fail without early security design• Common mistakes when teams bolt on controls late• How to balance UX with risk‑based friction• US speed vs EU regulation on AI adoption• Hybrid, multi‑cloud, and cloud exit strategies• Practical advice for fintech founders on KYC, OAuth, OIDC• Turning compliance into a growth advantageTo connect and keep up to date with all the latest, head over to www.jointheconnector.com or hit subscribe via your podcast streaming platformThank you for tuning into our podcast about global trends in the FinTech industry.Check out our podcast channel.Learn more about The Connector. Follow us on LinkedIn.CheersKoen Vanderhoydonkkoen.vanderhoydonk@jointheconnector.com#FinTech #RegTech #Scaleup #WealthTech

In this sponsored interview Casey Ellis is joined by Push Security's Field CTO, Mark Orlando. They chat about the ways that browser-based attacks are evolving and how Push Security is finding and cataloging them. Show notes ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants Introducing our guide to phishing detection evasion techniques

Referências do EpisódioHunting for Mythic in network trafficHamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware SuiteSHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like TacticsGogs 0-Day Exploited in the WildHow to find Gogs installations on your network - Latest Gogs vulnerability: CVE-2025-8110CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The WildConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grantsRoteiro e apresentação: Carlos CabralEdição de áudio: Paulo Arruzzo Narração de encerramento: Bianca Garcia

The MCP standard gave rise to dreams of interconnected agents and nightmares of what those interconnected agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth's new Client ID Metadata Documents spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this. Segment resources: https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html https://oauth.net/cross-app-access/ https://oauth.net/2/oauth-best-practice/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-360

The MCP standard gave rise to dreams of interconnected agents and nightmares of what those interconnected agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth's new Client ID Metadata Documents spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this. Segment resources: https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html https://oauth.net/cross-app-access/ https://oauth.net/2/oauth-best-practice/ Show Notes: https://securityweekly.com/asw-360

The MCP standard gave rise to dreams of interconnected agents and nightmares of what those interconnected agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth's new Client ID Metadata Documents spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this. Segment resources: https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html https://oauth.net/cross-app-access/ https://oauth.net/2/oauth-best-practice/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-360

The MCP standard gave rise to dreams of interconnected agents and nightmares of what those interconnected agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth's new Client ID Metadata Documents spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this. Segment resources: https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html https://oauth.net/cross-app-access/ https://oauth.net/2/oauth-best-practice/ Show Notes: https://securityweekly.com/asw-360

In this episode of Cybersecurity Today, host Jim Love discusses several major cybersecurity events. CloudFlare faced significant outages affecting major platforms like Amazon and YouTube, along with continued issues for Microsoft 365 users. NordVPN warned of a surge in fake shopping websites as Black Friday approaches, with phishing attempts climbing 36% between August and October. An AI transcription tool caused a privacy breach at an Ontario hospital, leading to a privacy probe. Finally, Salesforce is investigating a data theft wave linked to Gainsight, illustrating the risks of OAuth token misuse. The episode is supported by Meter, a network infrastructure provider. 00:00 Introduction and Sponsor Message 00:44 CloudFlare Outages and Their Impact 02:34 Surge in Fake Shopping Websites 04:56 AI Privacy Breach at Ontario Hospital 08:41 Salesforce Data Theft Investigation 11:26 Conclusion and Sponsor Message

Curious about OAuth, MCP servers, and building cool ChatGPT apps? Hear from Max of Stytch as we dive deep, break down the tech, and build a Tamagotchi together! Drop your thoughts and share if you enjoyed it.https://codingcat.dev/podcast/how-oauth-mcp-and-the-openai-apps-sdk-power-the-next-generation-of-interactive-ai-experiences00:00 Meet Stytch & Max01:20 Consumer Identity07:04 Deep Dive OAuth09:37 MCP Explained17:59 Security Risks19:59 Next-Gen Apps24:37 Building Chatagotchi34:09 MCP Code Walkthrough51:52 Future Predictions53:02 Closing Thoughts

You were promised safe SaaS - but got silent data loss.In Inside the Salesloft Breach, Rob Maas and Luca Cipriano expose how trusted integrations became the attack vector.They trace how vishing calls, trojanized Salesforce tools, and GitHub-to-AWS pivots gave attackers OAuth access and drained CRMs without a single alert. You'll hear how Drift integrations and bulk SOQL queries quietly moved data out of sight, while audit trails and API metadata disappeared.If you need provable control over data exfiltration and a narrative your board will understand, this is your playbook.Turn Zero Trust from slogan to stop - with IP allowlists, app inventories, token telemetry, and shared responsibility that actually blocks abuse at the source.(00:00) - Cloud first did not mean data safe. (00:45) - What Salesforce is and why attackers target it. (02:00) - Campaign one. Vishing and a trojanized data loader to OAuth access. (04:15) - Campaign two. Salesloft and Drift path from GitHub to AWS to Salesforce tokens. (07:00) - Impact and cover up. 700 plus orgs hit and API job metadata removed. (09:10) - Who was involved. ShinyHunters, Scattered Spider, Lapsus, and legal fallout. (11:00) - Zero Trust actions. IP allowlisting, app inventory, token monitoring, staff education, shared responsibility. Key Topics Covered:•  How one sign-in token became a master key for your CRM.•  The attacker's route: from code repo → cloud → Salesforce → data exfiltration.•  What shared responsibility means in SaaS — and what's actually on you.•  What truly stops it: trusted apps only, IP allowlists, short-lived tokens, and continuous monitoring.Found value and want outcome focused guidance every week? Subscribe to Threat Talks, turn on notifications and add your questions for the next deep diveGuest and Host Links: Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/ Luca Cipriano (Cyber Threat Intelligence Program Lead, ON2IT): https://www.linkedin.com/in/luca-c-914973124/Click here to view the episode transcript. Additional resources:Threat Talks https://threat-talks.com/ON2IT https://on2it.net/?AMS IX https://www.ams-ix.net/amsSalesforce https://www.salesforce.com/Salesloft https://www.salesloft.com/Drift https://www.drift.com/Okta https://www.okta.com/Have I Been Pwned https://haveibeenpwned.com/

Microsoft WSUS vulnerability could allow for remote code execution Fake LastPass death claims used to breach password vaults New CoPhish attack steals OAuth tokens via Copilot Studio agents Huge thanks to our sponsor, Conveyor If security questionnaires make you feel like you're drowning in chaos, you're not alone. Endless spreadsheets, portals, and questions—always when you least expect them. Conveyor brings calm to the storm. With AI that auto-fills questionnaires and a trust center that shares all your docs in one place, you'll feel peace where there used to be panic. Find your security review zen at www.conveyor.com. Find the stories behind the headlines at CISOseries.com.

In this episode of Hashtag Trending, host Jim Love discusses the Canadian CIO of the Year Awards and recognizes several winners. Highlights include OpenAI entering the browser market with ChatGPT-integrated Atlas, posing a serious threat to Google Chrome's dominance. Security concerns with Atlas storing OAuth tokens are mentioned, urging caution while experimenting with new AI browsers. Additionally, the Glassworm malware hiding in Visual Studio Code extensions is detailed, highlighting the importance of auditing extensions. Finally, an AI model collaboration between Google and Yale University shows promising results in cancer treatment by making tumors more visible to the immune system. Tune in for these updates and more! 00:00 Shoutout to CIO Achievements 01:56 Introducing Hashtag Trending 02:02 OpenAI's New Browser: Atlas 04:14 Security Alert: Glass Worm in VS Code 06:37 AI Breakthrough in Cancer Treatment 08:25 Closing Remarks and How to Support Us

JD Fiscus (nerding.io) shares how a late-night hack connecting MCP to n8n exploded to ~1M downloads, then demos practical MCP workflows: indexing YouTube channels for Q&A, and auto-building n8n flows from natural language. We dig into the Agentic Commerce Protocol, real security pitfalls (like destructive commands), and how to turn MCPs into products with OAuth and Stripe for authentication and metered billing. He closes with how he teaches this hands-on at the Vibe Coding Retreat.Timestamps1:00 Why build it: “MCP shouldn't be Claude-only”—bridging MCP into n8n early (Dec/Jan)2:09 Shipping under the pseudonym nerding.io; surprise seeing creators use it2:25 n8n later ships its own MCP server/client; they nod to nerding.io & Simon3:59 “N8n is useful, but so much more useful with MCP”5:12 What MCP means for software: every smart company is exposing an MCP; new login/usage patterns6:27 Agentic Commerce Protocol (ACP): Stripe + OpenAI; agents checkout across the web8:02 Marketing to agents not humans? SEO shifts as agents comparison-shop9:10 Early “agent mode” attempts vs protocol-based purchases (less hacky)10:58 Likely adopters: platforms (Shopify) & big retailers; echoes of early MCP evolution14:11 Security realities: token passing evolved to OAuth; hallucination + destructive actions risk16:04 Personal mishap: agent ran supabase reset on a dev DB—imagine prod! Guardrails matter17:03 Designing MCP servers: don't just “wrap your API”; use resources/prompts for agentic UX19:04 Demo 1—Influencer MCP: index a YouTube channel, embed transcripts, ask questions in Claude20:54 Storage: embeddings into Postgres; per-channel tables24:46 Keeping it fresh: daily cron to ingest new videos25:18 Demo 2—Build n8n workflows from chat using N8N MCP (by Ramullet); live docs + API27:00 “Create a webhook → send leads to Sheets” built conversationally, with allow/deny prompts31:02 Zapier, Gumloop: agents that build automations via natural-language steps34:00 Next frontier: custom connectors (Claude/Cursor/OpenAI), OAuth auth flows for MCPs39:03 Turning MCPs into products: login with Twitter → Stripe subscription → metered billing41:12 Paid tool call demo: “paid echo” → Stripe usage event logged per user43:41 How to learn this fast: vibecodingretreat.com (small cohorts, hands-on builds)Tools & Technologies Mentioned (quick guide)MCP (Model Context Protocol) — Standard for connecting models to tools/data; supports tools, resources, prompts.n8n — Open-source automation platform; JD wrote an MCP node that went viral; also has native MCP server/client now.Claude / Cursor / OpenAI (custom connectors) — LLM IDEs/chats that can load MCPs; custom connectors enable OAuth + productized access.Agentic Commerce Protocol (ACP) — Early protocol (Stripe + OpenAI) for agent-initiated purchases with confirmations.Web MCP (W3C-oriented idea) — Emerging patterns for agent↔︎website interactions beyond human UI flows.OAuth — Secure, user-consented authentication for MCPs (vs passing raw tokens).Stripe (subscriptions + metered billing) — Attach billing/usage limits to MCP calls; track per-user consumption.YouTube API + Transcripts — Source data for the “Influencer MCP” indexing pipeline.Embeddings + Postgres — Store vectorized transcript chunks in Postgres for retrieval (JD self-hosts).Cron — Schedules daily ingestion of new content.Google Sheets — Target destination in demo for simple lead funnels.Zapier / Gumloop — Natural-language automation builders; early NLA/agent patterns.Git / CLI commands — Cautionary tale: agents running destructive commands (e.g., resets).Do Browser / Comet Browser — Agentic browsing tools referenced for web actions.Fellow.ai — AI meeting assistant with security-first design; generates precise summaries/action items.Subscribe at⁠ thisnewway.com⁠ to get the step-by-step playbooks, tools, and workflows.

This show has been flagged as Explicit by the host. Part I - Lee talks about: Cyber - Capture the flag, providing OAuth, Secure design and static typing Databases - SQL Server, MySQL and SQLite Test Frameworks Generative AI for coding Hardware (as in IoT, not as in computers) Part II - A ramble about neurdivergence In academia and work Accommodation vs Encouraging work styles that fit the task Remote working Unusual career paths Technical communication Some personal code projects Url to Markdown Konsole extension Epub in a terminal Markdown table generator MySQL output formatter Resources of note Report on Changing the Workplace (2022) - about disability and remote working Model Context Protocol - A way to give AI chat bots access to software systems to increase their relevant knowledge and abilities Secure by Design book No chatbots were harmed in the making of this episode Provide feedback on this episode.

China-Linked Group Hits Governments With Stealth Malware Chinese hackers exploit VMware zero-day since October 2024 Apple's iOS fixes a bevy of glitches Huge thanks to our sponsor, Nudge Security The SaaS supply chain is a hot mesh. As your workforce introduces new SaaS apps and integrations, hidden pathways are created that attackers can exploit to gain access to core business systems. That's exactly what happened in the Drift breach, and it will happen again. But, all is not lost. Nudge Security gives you the visibility and control you need to stop these attacks. Within minutes of starting a free trial, you'll discover every SaaS app and integration in your environment, map your SaaS supply chain, and identify risky OAuth grants that could be exploited.  The best part? Nudge Security alerts you of breaches impacting your 3rd and 4th party SaaS providers. That's right, even 4th party! So, you can take action quickly to limit the ripple effects. Learn how Nudge can help you secure your entire SaaS ecosystem at nudgesecurity.com/supplychain  

Topics covered in this episode: * PostgreSQL 18 Released* * Testing is better than DSA (Data Structures and Algorithms)* * Pyrefly in Cursor/PyCharm/VSCode/etc* * Playwright & pytest techniques that bring me joy* Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Michael #1: PostgreSQL 18 Released PostgreSQL 18 is out (Sep 25, 2025) with a focus on faster text handling, async I/O, and easier upgrades. New async I/O subsystem speeds sequential scans, bitmap heap scans, and vacuum by issuing concurrent reads instead of blocking on each request. Major-version upgrades are smoother: pg_upgrade retains planner stats, adds parallel checks via -jobs, and supports faster cutovers with -swap. Smarter query performance lands with skip scans on multicolumn B-tree indexes, better OR optimization, incremental-sort merge joins, and parallel GIN index builds. Dev quality-of-life: virtual generated columns enabled by default, a uuidv7() generator for time-ordered IDs, and RETURNING can expose both OLD and NEW. Security gets an upgrade with native OAuth 2.0 authentication; MD5 password auth is deprecated and TLS controls expand. Text operations get a boost via the new PG_UNICODE_FAST collation, faster upper/lower, a casefold() helper, and clearer collation behavior for LIKE/FTS. Brian #2: Testing is better than DSA (Data Structures and Algorithms) Ned Batchelder If you need to grind through DSA problems to get your first job, then of course, do that, but if you want to prepare yourself for a career, and also stand out in job interviews, learn how to write tests. Testing is a skill you'll use constantly, will make you stand out in job interviews, and isn't taught well in school (usually). Testing code well is not obvious. It's a puzzle and a problem to solve. It gives you confidence and helps you write better code. Applies everywhere, at all levels. Notes from Brian Most devs suck at testing, so being good at it helps you stand out very quickly. Thinking about a system and how to test it often very quickly shines a spotlight on problem areas, parts with not enough specification, and fuzzy requirements. This is a good thing, and bringing up these topics helps you to become a super valuable team member. High level tests need to be understood by key engineers on a project. Even if tons of the code is AI generated. Even if many of the tests are, the people understanding the requirements and the high level tests are quite valuable. Michael #3: Pyrefly in Cursor/PyCharm/VSCode/etc Install the VSCode/Cursor extension or PyCharm plugin, see https://pyrefly.org/en/docs/IDE/ Brian spoke about Pyrefly in #433: Dev in the Arena I've subsequently had the team on Talk Python: #523: Pyrefly: Fast, IDE-friendly typing for Python (podcast version coming in a few weeks, see video for now.) My experience has been Pyrefly changes the feel of the editor, give it a try. But disable the regular language server extension. Brian #4: Playwright & pytest techniques that bring me joy Tim Shilling “I've been working with playwright more often to do end to end tests. As a project grows to do more with HTMX and Alpine in the markup, there's less unit and integration test coverage and a greater need for end to end tests.” Tim covers some cool E2E techniques Open new pages / tabs to be tested Using a pytest marker to identify playwright tests Using a pytest marker in place of fixtures Using page.pause() and Playwright's debugging tool Using assert_axe_violations to prevent accessibility regressions Using page.expect_response() to confirm a background request occurred From Brian Again, with more and more lower level code being generated, and many unit tests being generated (shakes head in sadness), there's an increased need for high level tests. Don't forget API tests, obviously, but if there's a web interface, it's gotta be tested. Especially if the primary user experience is the web interface, building your Playwright testing chops helps you stand out and let's you test a whole lot of your system with not very many tests. Extras Brian: Big O - By Sam Who Yes, take Ned's advice and don't focus so much on DSA, focus also on learning to test. However, one topic you should be comfortable with in algortithm-land is Big O, at least enough to have a gut feel for it. And this article is really good enough for most people. Great graphics, demos, visuals. As usual, great content from Sam Who, and a must read for all serious devs. Python 3.14.0rc3 has been available since Sept 18. Python 3.14.0 final scheduled for Oct 7 Django 6.0 alpha 1 released Django 6.0 final scheduled for Dec 3 Python Test Static hosting update Some interesting discussions around setting up my own server, but this seems like it might be yak shaving procrastination research when I really should be writing or coding. So I'm holding off until I get some writing projects and a couple SaaS projects further along. Joke: Always be backing up

Most lenders are still treating bank data like a second-look tool. That's a missed opportunity.Open banking has changed, and so has the way lenders can use cashflow data to make smarter, faster credit decisions. But with so many different aggregators, confusing connections, and news from the CFPB and JPMorgan, it can be tough to figure out what really matters.That's where this conversation comes in.GDS Link and Quiltt teamed up for an open, straightforward discussion about what lenders should be doing with bank data right now. We'll talk about:What the shift from screen scraping to OAuth really means for your teamHigh-impact use cases that go beyond second-look and drive real ROIHow to get started when you've got limited resources and no room for trial and errorWhat small lenders can learn from big players, even without a large budgetA straightforward look at the CFPB and Chase news, without the hype

Episode SummaryCan multi-factor authentication really “solve” security, or are attackers already two steps ahead? In this episode of The Secure Developer, we sit down with Paul Querna, CTO and co-founder at ConductorOne, to unpack the evolving landscape between authentication and authorisation. In our conversation, Paul delves into the difference between authorisation and authentication, why authorisation issues have only been solved for organisations that invest properly, and why that progress has pushed attackers toward session theft and abusing standing privilege.Show NotesIn this episode of The Secure Developer, host Danny Allan sits down with Paul Querna, CTO and co-founder of ConductorOne, to discuss the evolving landscape of identity and access management (IAM). The conversation begins by challenging the traditional assumption that multi-factor authentication (MFA) is a complete solution, with Paul explaining that while authentication is "solved-ish," attackers are now moving to steal sessions and exploit authorization weaknesses. He shares his journey into the identity space, which began with a realization that old security models based on firewalls and network-based trust were fundamentally broken.The discussion delves into the critical concept of least privilege, a core pillar of the zero-trust movement. Paul highlights that standing privilege—where employees accumulate access rights over time—is a significant risk that attackers are increasingly targeting, as evidenced by reports like the Verizon Data Breach Investigations Report. This is even more critical with the rise of AI, where agents could potentially have overly broad access to sensitive data. They explore the idea of just-in-time authorization and dynamic access control, where privileges are granted for a specific use case and then revoked, a more mature approach to security.Paul and Danny then tackle the provocative topic of using AI to control authorization. While they agree that AI-driven decisions are necessary to maintain user experience and business speed, they acknowledge that culturally, we are not yet ready to fully trust AI with such critical governance decisions. They discuss how AI could act as an orchestrator, making recommendations for low-risk entitlements while high-risk ones remain policy-controlled. Paul also touches on the complexity of this new world, with non-human identities, personal productivity agents, and the need for new standards like extensions to OAuth. The episode concludes with Paul sharing his biggest worries and hopes for the future. He is concerned about the speed of AI adoption outpacing security preparedness, but is excited by the potential for AI to automate away human toil, empowering IAM and security teams to focus on strategic, high-impact work that truly secures the organization.LinksConductorOneVerizon Data Breach Investigations ReportAWS CloudWatchSnyk - The Developer Security Company Follow UsOur WebsiteOur LinkedIn

“You can have the best program in the world, but if nobody knows about it, it won't make a difference,” says Todd Jordan, who leads United Way of Greater Kansas City's 2-1-1. “That's why we run a 24/7/365 contact center—to guide people to real help with a kind, empathetic voice.” In this special Technology Reseller News podcast, Publisher Doug Green brings together Todd Jordan (United Way 2-1-1, Kansas City), Jill Blankenship (CEO, Frontline Group), and Thomas McCarthy-Howe (CTO, VCONIC) to explore Empathy at Scale: how vCon (styled vCon) data and AI—implemented with strict privacy and security—are transforming community helplines and complex, multi-agency referrals. The Scale - and the Strain United Way's 2-1-1 covers 23 counties and roughly 2.5 million people across the Greater Kansas City region. Demand has surged since the pandemic: 155,000+ calls last year and nearly 500,000 total contacts (calls, web, email, even USPS), with average call times around 7.5 minutes—well over a million minutes of conversations. The mix spans urban, suburban, and rural needs, multiple languages, and highly sensitive situations (from rent and utilities to domestic violence and mental health crises). Protecting privacy is paramount. From Corridor Conversation to Pilot Blankenship describes how a hallway conversation about vCon—a new IETF-developed file format for conversations—sparked a collaboration. Frontline Group packaged the idea inside Frontline Quest, their agent-enablement and professional services program, while VCONIC, a spin-out dedicated to vCon technology, provided the protocol and secure data handling. The trio launched a live pilot with United Way 2-1-1 to transcribe calls, structure insights, and surface actionable “signals” for quality, safety, and service improvement—without compromising caller confidentiality. “vCon is designed to feed AI and protect people,” says Thomas McCarthy-Howe. “Bringing IETF-grade security and openness to conversational data lets us see the dark operational signals—safely—and use them to help people faster.” What Changed for 2-1-1 Quality & Care Signals: Real-time indicators help supervisors coach empathy, spotting where agents can lean in—and where secondary trauma support is needed for frontline staff. Searchable Conversations (Not Just Dispositions): Instead of relying on boxes and notes, leaders can now query full conversations to answer urgent policy questions. Jordan asked the system to compare eviction-prevention resources across Kansas vs. Missouri; the synthesized, data-grounded view matched the team's lived experience and revealed precise gaps. Multilingual & Multichannel Reality: With 70–80 languages in some school districts, vCon-backed transcription and analysis improve consistency across interpreters and channels—phone, web, email, and more. Why It Matters For a nonprofit with finite resources, the team needed technology that is secure, lean, and humane—helping callers in crisis without forcing agents to split attention between empathy and note-taking. The pilot is doing exactly that: safeguarding sensitive data while unlocking insights that mobilize funding, target interventions, and strengthen outcomes. “We're at the tip of something transformative,” Jordan says. “Real-time data from our community voices helps us advocate better—and care better.” About the participants: United Way of Greater Kansas City 2-1-1 serves 23 counties and ~2.5M people, fielding 155k+ calls annually. 2-1-1 is a North American network covering ~99% of the U.S. and much of Canada. Frontline Group is a contact center BPO and professional services firm; its Frontline Quest program integrates vCon to enhance agent experience and operational insight. VCONIC specializes in vCon technology—a conversation file format being developed in the IETF, the internet standards body behind protocols like TLS and OAuth. Learn more: United Way 2-1-1 (Kansas City),

Send us a textReady to master the critical domain of Identity and Access Management for your CISSP exam? This comprehensive rapid review demystifies Domain 5, which accounts for 13% of all exam questions—knowledge you absolutely cannot skip.Dive deep into the fundamentals as we explore controlling physical and logical access to assets—from information systems to facilities. Discover how properly implemented controls protect your most sensitive data through classification, encryption, and permissions. As one cybersecurity veteran wisely notes, "It's all about the data," and this episode equips you with the frameworks to protect it.The podcast meticulously unpacks identity management implementation, breaking down authentication types, session management, and credential systems. You'll grasp the differences between single-factor and multi-factor authentication and understand why accountability through proper logging and auditing is non-negotiable in today's security landscape.We explore deployment models that fit various organizational needs—from on-premise solutions offering complete control to cloud-based options providing scalability, along with the increasingly popular hybrid approach. The episode clarifies authorization mechanisms including role-based access control (RBAC), rule-based access control, mandatory access controls (MAC), and discretionary access controls (DAC)—essential knowledge for implementing proper security boundaries.Particularly valuable is our breakdown of authentication systems and protocols—OAuth, OpenID Connect, SAML, Kerberos, RADIUS, and TACACS+—demystifying their purposes and applications in real-world scenarios. Whether you're a seasoned security professional or preparing for your certification, this episode delivers the practical knowledge you need.Ready to accelerate your CISSP journey? Visit CISSPcybertraining.com for free resources including podcasts, study plans, and 360 practice questions—plus premium content with over 50 hours of focused training. This episode isn't just exam prep; it's a masterclass in identity and access management principles you'll apply throughout your cybersecurity career.Support the showGain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Alex Salazar, co-founder and CEO of Arcade.dev, joins the show to unpack the realities of building enterprise agents. Conceptually simple but technically hard, agents are reshaping how companies think about workflow automation, security, and human-in-the-loop design. Alex shares why moving from proof-of-concept to production is so challenging, what playbooks actually work, and how enterprises can avoid wasting time and money as this technology accelerates faster than any previous wave.Key TakeawaysEnterprise agents aren't chatbots—they're workflow systems that can take secure, authorized actions.The real challenge isn't just building demos but getting to production-grade consistency and accuracy.Mid-market companies face the steepest climb: limited budgets, limited ML expertise, but the same competitive pressure.Success starts with finding low-risk, high-impact opportunities and narrowing scope as much as possible.Authorization is the biggest blocker today; delegated OAuth models are key to unlocking real agent functionality.Timestamped Highlights02:02 — Why agents are “just advanced workflow software” but harder to trust than traditional apps04:53 — The gap between glorified chatbots and real enterprise agents that take action09:58 — From cloud mistrust to wire transfers: how comfort with automation evolves14:00 — Chaos at every tier: startups, enterprises, and why the mid-market struggles most26:21 — The playbook: how to pick use cases, narrow scope, and carry pilots all the way to prod34:38 — Breaking down agent authorization and why most RAG systems fail in practice42:09 — Adoption at double speed: what makes this AI wave different from internet and cloudA Thought That Stuck“An agent isn't an agent until it can take action. If all it does is talk, it's just a chatbot.” — Alex SalazarCall to ActionIf this episode gave you a clearer lens on enterprise agents, share it with a colleague who needs to hear it. And don't miss future conversations—follow The Tech Trek on Apple Podcasts, Spotify, or wherever you listen.

- One of the biggest SaaS security incidents recently of course is the Salesloft Drive/Salesforce incident, which impacted hundreds of organizations and involved compromised OAuth tokens. Can you tell us a bit about the incident and the fallout?- In an AppOmni blog on the incident, you all discuss attackers taking advantage of persistent OAuth access, over-permissive access, limited monitoring, and unsecured secrets. Why do these problems continue to plague organizations despite incidents like this?This is part of a broader trend of increased SaaS supply chain attacks. What makes these attacks so enticing for malicious actors and challenging for organizations to prevent entirely?You recently published your State of SaaS Security Report, which projects SaaS to grow 20% YoY between 2025 and 2032. This is despite 75% of organizations reporting a SaaS security incident in the past year. Why do you think we're seeing continued growth in adoption but still lagging in SaaS security to accompany the adoption?The report discusses the rise of NHIs and GenAI and how this will exacerbate problems around SaaS Access and incidents. Can you unpack that for us?I was shocked to see the report find that just 13% of organizations use SSPM tooling despite SaaS's widespread adoption. When you talk to enterprises, for example, nearly everyone is doing some CSPM activity for IaaS. Why are so many neglecting hygiene and posture for their SaaS footprint?

Microsoft MVP Emanuel Palm joins The PowerShell Podcast to share his journey from managing printers in Sweden to being a Microsoft MVP who is automating the cloud with PowerShell and Azure. He talks about building the AZAuth module for OAuth authentication, using GitHub Actions for CI/CD, and the importance of blogging and community involvement. Plus, Emanuel reveals his unique side hobby... roasting coffee!   Key Takeaways From printers to the cloud: Emanuel's career shows how PowerShell can open doors, from automating IT tasks to driving cloud automation and DevOps practices. Community and sharing matter: Blogging, presenting, and contributing help you grow your own understanding while creating opportunities for others. Automation and authentication: With tools like GitHub Actions and his AZAuth module, Emanuel demonstrates how to simplify workflows and securely interact with APIs. Guest Bio Emanuel Palm is a Microsoft MVP based in Sweden, where he is a consultant focused on Microsoft technologies and is active in the PowerShell community. Emanuel is the creator of the AZAuth module, a lightweight solution for handling OAuth authentication in PowerShell, and a frequent speaker at events like PowerShell Conference Europe. Beyond tech, Emanuel is a coffee enthusiast who even roasts his own beans as a side hobby.   Resource Links Emanuel's Blog: https://pipe.how GitHub – Emanuel Palm: https://github.com/palmemanuel X / BlueSky: @palmemanuel AZAuth Module on GitHub: https://github.com/PalmEmanuel/AzAuth Emanuel's PS Wednesday: https://www.youtube.com/watch?v=trP2LLDynA0 Arkanum Coffee (Emanuel's hobby project): https://arkanum.coffee PDQ Discord: https://discord.gg/pdq Connect with Andrew: https://andrewpla.tech/links The PowerShell Podcast on YouTube: https://youtu.be/-uHHGVH1Kcc The PowerShell Podcast hub: https://pdq.com/the-powershell-podcast 

Register for FREE Infosec Webcasts, Anti-casts & Summits – https://poweredbybhis.com00:00 - PreShow Banter™ — It's 8ft skeleton season.02:18 - BHIS - Talkin' Bout [infosec] News 2025-09-0203:07 - Story # 1: Salesloft breached to steal OAuth tokens for Salesforce data-theft attacks07:35 - Story # 2: DSLRoot, Proxies, and the Threat of ‘Legal Botnets'13:46 - Story # 3: Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling17:44 - Story # 4: Ransomware crooks knock Swedish municipalities offline for measly sum of $168K19:39 - Story # 5: As crippling cyberattack against Nevada continues, Lombardo says ‘we're working through it.'20:56 - Story # 6: Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 202522:43 - Story # 7: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-842425:20 - Story # 8: First known AI-powered ransomware uncovered by ESET Research30:00 - Story # 9: In the rush to adopt hot new tech, security is often forgotten. AI is no exception32:06 - Story # 10: TransUnion suffers data breach impacting over 4.4 million people34:17 - Story # 11: ChickenSec FollowUp: Artificial Intelligence: The other AI35:20 - Story # 12: They weren't lovin' it - hacker cracks McDonald's security in quest for free nuggets, and it was apparently not too tricky39:29 - Identify the birds you see or hear with Merlin Bird ID40:04 - Story # 13: Detecting and countering misuse of AI: August 202551:31 - Story # 14: I'm a Stanford student. A Chinese agent tried to recruit me as a spy

In this episode of Cybersecurity Today, host Jim Love covers the latest and most critical stories in the world of cyber threats and digital defense: • Cloudflare fends off a record-breaking 11.5 Tbps DDoS attack, highlighting the relentless scale and sophistication of modern cyber assaults. • WhatsApp patches a dangerous zero-click exploit targeting Apple users, with advice for high-risk individuals to stay protected. • Frostbite 10: Ten critical vulnerabilities in supermarket refrigeration systems could threaten food safety nationwide. • Over 1,100 Ollama AI servers found exposed online, raising alarms about the risks of self-hosted AI and poor security practices. • Hacker group issues an ultimatum to Google, but so far, no evidence of a breach—reminding us to stay vigilant against social engineering. • Palo Alto Networks becomes the latest victim in a supply chain breach involving stolen OAuth tokens, with lessons for all organizations on token hygiene and monitoring. Stay informed, stay secure! For tips, feedback, or more info, visit technewsday.com or .ca. Cybersecurity #DDoS #ZeroClick #AI #DataBreach #Infosec

On this week's show Patrick Gray and Adam Boileau discuss the week's cybersecurity news, including: The Salesloft breach and why OAuth soup is a problem The Salt Typhoon telco hackers turn out to be Chinese private sector, but state-directed Google says it will stand up a “disruption unit” Microsoft writes up a ransomware gang that's all-in on the cloud future Aussie firm hot-mics its work-from-home employees' laptops Youtube scam baiters help the feds take down a fraud ring This episode is sponsored by Dropzone.AI. Founder and CEO Edward Wu joins the show to talk about how AI driven SOC tools can help smaller organisations claw their way above the “security poverty line”. A dedicated monitoring team, threat hunting and alert triage, in a company that only has a couple of part time infosec people? Yes please! This episode is also available on Youtube. Show notes The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft – Krebs on Security Salesloft: The Leading AI Revenue Orchestration Platform Palo Alto Networks, Zscaler customers impacted by supply chain attacks | Cybersecurity Dive The impact of the Salesloft Drift breach on Cloudflare and our customers China used three private companies to hack global telecoms, U.S. says CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF Google previews cyber ‘disruption unit' as U.S. government, industry weigh going heavier on offense | CyberScoop Ransomware gang takedowns causing explosion of new, smaller groups | The Record from Recorded Future News Hundreds of Swedish municipalities impacted by suspected ransomware attack on IT supplier | The Record from Recorded Future News Storm-0501's evolving techniques lead to cloud-based ransomware | Microsoft Security Blog The Era of AI-Generated Ransomware Has Arrived | WIRED Between Two Nerds: How threat actors are using AI to run wild - YouTube Affiliates Flock to ‘Soulless' Scam Gambling Machine – Krebs on Security UK sought broad access to Apple customers' data, court filing suggests ICE reactivates contract with spyware maker Paragon | TechCrunch WhatsApp fixes 'zero-click' bug used to hack Apple users with spyware | TechCrunch Safetrac turned staff laptops into covert recording devices to monitor WFH Risky Bulletin: YouTubers unmask and help dismantle giant Chinese scam ring - Risky Business Media

John Capobianco is back! Just months after our first Model Context Protocol (MCP) discussion, John returns to showcase how this “USB-C of software” has transformed from experimental technology to an enterprise-ready solutions. We explore the game-changing OAuth 2.1 security updates, witness live demonstrations of packet analysis through natural language with Gemini CLI, and discover how... Read more »

This interview was recorded for GOTO Unscripted.https://gotopia.techRead the full transcription of this interview hereBrooklyn Zelenka - Author of Numerous Libraries Including Witchcraft & Founded the Vancouver Functional Programming MeetupJulian Wood - Serverless Developer Advocate at AWSRESOURCESBrooklynhttps://bsky.app/profile/expede.wtfhttps://octodon.social/@expede@types.plhttps://github.com/expedehttps://www.linkedin.com/in/brooklynzelenkahttps://notes.brooklynzelenka.comJulianhttps://bsky.app/profile/julianwood.comhttps://twitter.com/julian_woodhttp://www.wooditwork.comhttps://www.linkedin.com/in/julianrwoodLinkshttps://automerge.orghttps://discord.com/invite/zKGe4DCfgRhttps://www.robinsloan.com/notes/home-cooked-apphttps://github.com/ipvm-wghttps://www.localfirst.fmhttps://localfirstweb.devDESCRIPTIONDistributed systems researcher Brooklyn Zelenka unpacks the paradigm shift of local-first computing, where applications primarily run on users' devices and synchronize seamlessly without central servers.In a conversation with Julian Wood, she explains how this approach reduces latency, enables offline functionality, improves privacy through encryption, and democratizes app development—all while using sophisticated data structures. Perfect for collaborative tools and "cozy web" applications serving smaller communities, local-first software represents a fundamental rethinking of how we've built software for the past 30 years.RECOMMENDED BOOKSFord, Parsons, Kua & Sadalage • Building Evolutionary Architectures 2nd EditionFord, Richards, Sadalage & Dehghani • Software Architecture: The Hard PartsMark Richards & Neal Ford • Fundamentals of Software ArchitectureFord, Parsons & Kua • Building Evolutionary ArchitecturesNeal Ford • Functional ThinkingMichael Feathers • Working Effectively with Legacy CodeBlueskyTwitterInstagramLinkedInFacebookCHANNEL MEMBERSHIP BONUSJoin this channel to get early access to videos & other perks:https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/joinLooking for a unique learning experience?Attend the next GOTO conference near you! Get your ticket: gotopia.techSUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted daily!

In this episode of Cybersecurity Today, host Jim Love discusses recent developments in cybersecurity, including a method to bypass GPT5 model safeguards, malware issues in the Google Play Store, NIST's new AI-specific security controls, and a cyber attack that led to a government shutdown in Nevada. The episode also covers a CRM-related breach linked to the Shiny Hunters collective, who used OAuth tokens to gain unauthorized access. Key takeaways emphasize the need for stronger security frameworks and vigilance against evolving cyber threats. 00:00 Introduction and Overview 00:27 Exploiting GPT-5: A Simple Prompt Attack 02:20 Google Play Store's Malware Struggles 04:11 NIST's New AI Security Controls 06:06 Nevada Government Cyber Attack 08:23 Shiny Hunters' CRM Breach 10:41 Conclusion and Contact Information

If you like what you hear, please subscribe, leave us a review and tell a friend!

Send us a textToday's explores the impact of agentic AI on security landscapes, particularly concerning identity management. It begins by defining AI agents as digital workers that independently pursue goals, outlining their components like perception, reasoning, and learning, and their multi-layered infrastructure. The discussion then transitions to the new attack surfaces introduced by AI agents, such as identity spoofing, privilege creep, and prompt injection, highlighting how agents' dynamic and ephemeral nature poses unique security challenges. I have critically examined the limitations of current human-centric identity solutions like OAuth and SAML in accommodating machine identities, advocating for a machine-first approach in identity security. Finally, the episode details how the industry is evolving to address these shortfalls through zero trust for agents, policy as code, and enhanced auditability, citing examples from major cloud providers and dedicated identity management companies.LinkedIn Profile: https://www.linkedin.com/in/thecyberman/Substack: https://thecyberman.substack.com/Support the showGoogle Drive link for Podcast content:https://drive.google.com/drive/folders/10vmcQ-oqqFDPojywrfYousPcqhvisnkoMy Profile on LinkedIn: https://www.linkedin.com/in/prashantmishra11/Youtube Channnel : https://www.youtube.com/@TheCybermanShow Twitter handle https://twitter.com/prashant_cyber PS: The views are my own and dont reflect any views from my employer.

Got a question or comment? Message us here!This week, we're unpacking the phishing wave hitting SaaS platforms ... from social engineering to OAuth abuse and AI voice spoofing. Learn why people remain the #1 attack vector and how to stay one step ahead.Support the showWatch full episodes at youtube.com/@aliascybersecurity.Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.

In this episode of Eye on AI, host Craig Smith sits down with Alex Salazar, co-founder and CEO of Arcade.dev, to explore what it really takes to build secure, scalable AI agents that can take real-world actions. While everyone's talking about the future of autonomous agents, most never make it past the demo stage. Why? Because agents today lack secure infrastructure to connect with real tools like Gmail, Slack, Notion, GitHub—and do so on behalf of users without breaking authentication protocols. Alex shares how Arcade solves the missing layer in AI agent development: secure tool execution, user-specific authorization, OAuth flows, and production-ready consistency. Whether you're building with GPT‑4, Claude, or open-source models, Arcade handles the hard part—making agent actions actually work. Stay Updated: Craig Smith on X:https://x.com/craigss Eye on A.I. on X: https://x.com/EyeOn_AI (00:00) Why AI Agents Can't Take Action (Yet) (01:27) Meet Alex Salazar: From Okta to Arcade (03:39) What Arcade.dev Actually Does (05:16) Agent Protocols: MCP, ACP & Where Arcade Fits (07:36) Arcade Demo: Building a Multi-Tool AI Agent (11:16) Handling Secure Authentication with OAuth (14:40) Why Agents Need User-Tied Authorization (19:25) Tools vs APIs: The Real Interface for LLMs (23:41) How Arcade Ensures Agents Go Beyond Demos (25:48) Why Arcade Focuses on Developers, Not Consumers (27:55) The Roadblocks to Production-Ready Agents (31:15) How Arcade Integrates Into Agent Workflows (33:16) Tool Calling & Model Compatibility Challenges (34:49) Arcade's Pricing Model Explained (36:20) Competing with Big Tech: IBM, AWS & Others (38:38) Future of Agents: From Hype to Workflow Automation (41:58) Real Use Cases: Email Agents, Slack Bots, Finance & More (46:17) Agent Marketplaces & The Arcade Origin Story

From SAML to OAuth to FIDO2 to passwordless promises, we unpack what's working—and what's broken—in the world of identity and authentication. Today on the Packet Protector podcast, we're joined by the always thoughtful and occasionally provocative Wolf Goerlich, former Duo advisor, and now a practicing CISO in the public sector. We also talk about authorization... Read more »

From SAML to OAuth to FIDO2 to passwordless promises, we unpack what's working—and what's broken—in the world of identity and authentication. Today on the Packet Protector podcast, we're joined by the always thoughtful and occasionally provocative Wolf Goerlich, former Duo advisor, and now a practicing CISO in the public sector. We also talk about authorization... Read more »

In this episode of 'Cybersecurity Today,' host David Chipley discusses several major security incidents and threats. Hamilton, Ontario faces a $5 million insurance denial following a ransomware attack due to incomplete deployment of Multi-Factor Authentication (MFA). The episode also highlights a severe vulnerability, CVE-2025-54135, in the AI-powered Code Editor 'Cursor', which could allow prompt injection attacks. Further topics include a new ransomware attack exploiting Microsoft SharePoint vulnerabilities investigated by Palo Alto Networks, and a campaign leveraging fake OAuth apps to compromise Microsoft 365 accounts. The episode underscores the importance of robust security measures, emphasizing MFA, OAuth hygiene, and prompt patching. 00:00 Introduction and Headlines 00:38 Hamilton's Ransomware Attack and Insurance Denial 02:52 AI-Powered Code Editor Vulnerability 04:57 Palo Alto Networks Investigates SharePoint Exploitation 06:51 Fake OAuth Apps and Microsoft 365 Breaches 08:48 Conclusion and Upcoming Events

If you like what you hear, please subscribe, leave us a review and tell a friend!

Microsoft links Sharepoint ToolShell attacks to Chinese hackers Russian threat actors target NGOs with new OAuth phishing tactics Silicon Valley engineer admits theft of US missile tech secrets Huge thanks to our sponsor, Nudge Security Nudge Security discovers every SaaS app used in your org, secures configurations, enforces MFA, and manages app-to-app access so you can prevent identity based attacks. Start a free 14-day trial today at NudgeSecurity.com

The Model Context Protocol (MCP) specification has helped to accelerate access to a wide range of data sources for AI applications. But there are questions about the security and trust implications around a protocol that is still in its infancy. Scott Crawford and Justin Lam return to the podcast to examine the concerns that have been raised and changes that are underway in the specification with host Eric Hanselman. The previous episode introduced MCP and some of the market forces that are in play. Security considerations didn't appear to be fully sorted out in the first version of the specification, but more work is being done to move beyond the OAuth-based approach. Automating the data access process can be powerful, but also fraught with the potential for abuse.  The larger questions in MCP revolve around understanding risk and establishing trust. Data exposure has been a constant concern in AI, but the more complex issues exist in the integrity of the data that's being used. AI technology is moving forward rapidly and adversaries that are looking to compromise it and moving right along with these advances. More S&P Global Content: The 2025 Generative AI Outlook Next in Tech | Ep. 224: Context Around MCP For S&P Global Subscribers: Technology Primer: Model Context Protocol explained Databases and analytic services get the agentic AI treatment at Google Cloud Next 2025 IT Insider 3: A roundup for IT decision-makers Credits: Host/Author: Eric Hanselman  Guests: Scott Crawford, Justin Lam Producer/Editor: Adam Kovalsky Published With Assistance From: Sophie Carr, Feranmi Adeoshun, Kyra Smith

What if your AI agent could send emails, check your calendar, and even text people on your behalf—all securely and with your permission? In this episode, Aydin and guest co-host Alexandra from Fellow talk with Sam Partee, co-founder of Arcade, about how AI agents are actually becoming useful in the real world.Sam breaks down how Arcade enables LLM-powered agents to act on your behalf across tools like Gmail, Slack, Salesforce, and more, without sacrificing security. He also shows us how he automates his own workflows, from email triage to iMessage replies, and shares how tools like Cursor and Claude are reshaping how engineers work day-to-day.Whether you're technical or not, this episode is packed with actionable insights on what it means to work in an AI-native company—and how to start doing it yourself.Timestamps0:00 – The future of agents impersonating people01:20 – Meet Sam Partee and his background in high-performance computing02:50 – What Arcade is and how it powers AI agents05:10 – Use case: ambient social media agents06:50 – “YOLO mode” vs. human-in-the-loop agent workflows07:30 – Building a lean AI-native company08:00 – Engineers are now 1.5x more productive—with caveats12:00 – Why the whole team (PMs, QA, etc.) should use tools like Cursor14:00 – How Markdown became the LLM-native format17:00 – Sam's iMessage agent and calendar automation18:45 – His AI-powered inbox (email triage + drafting)21:00 – Live demo: using Slack assistant “Archer” built with Arcade24:00 – How non-technical people can use these tools too27:00 – Cursor vs. Copilot: What's better?30:00 – Cursor agent mode and example developer workflows34:00 – Vector databases and prompt design35:00 – Using LLMs to redesign error handling and generate docs38:00 – Advice for teams adopting AI: start by buildingTools and Technologies:Arcade – Let AI agents act on your behalf (email, Slack, calendar, etc.) with secure OAuth.Cursor – LLM-native IDE with full-codebase context. Ideal for AI-assisted development.Claude – Chat interface + agent orchestration, paired with Arcade.LangGraph – Multi-agent orchestration framework with human-in-the-loop support.TailScale – Secure remote networking; enables Sam to access agents from anywhere.Twilio – Used for SMS reminders and notifications.Obsidian + Markdown – Sam uses Markdown + AI for personal notes and research.GitHub Copilot – Used in tandem with Cursor for inline suggestions and PR reviews.Subscribe to the channel for more behind-the-scenes looks at how top teams are rethinking work with AI.Subscribe at thisnewway.com to get the step-by-step playbooks, tools, and workflows.