security of supply chain from trojans, tampering, privacy, theft and terrorism
Supply chain technology is evolving rapidly, but cargo criminals are moving even faster. In this episode of Supply Chain Now, Scott W. Luton and Scott DeGroot are joined by Krenar Komoni (Founder & CEO of Tive) and Fernando Boom (Director of Transportation at Venture Metals +) to break down the massive shift from physical yard thefts to sophisticated, identity-based freight fraud. Fernando shares a thrilling firsthand account of how a family road trip turned into a real-time recovery mission for a hijacked $240,000 shipment of copper. While the driver successfully bypassed the physical bolt seals, covert tracking technology thwarted the heist and led to a first-degree felony arrest. Krenar pairs this narrative with over a decade of visibility expertise, unpacking how modern criminals leverage AI, chameleon carriers, fraudulent MC numbers, and double brokering to vanish with high-value freight. Moving past a reactive postmortem claims model, the panel outlines a definitive blueprint for proactive, layered defense. They explore how real-time telemetry, including route deviation alerts and light sensors, empowers logistics teams to stop fraud mid-transit. Scott DeGroot concludes by highlighting the critical enterprise costs of cargo loss, challenging shippers to audit their networks, tighten dock-level verifications, and eliminate the weak links that bad actors exploit. 
Jump into the conversation:
(00:00) Intro
(02:38) Meet Venture Metals and Tive leaders
(03:53) Art shows and World Cup picks
(06:04) Venture Metals recycling and logistics role
(07:37) Tive delivers real-time shipment visibility
(09:28) Fraud tactics driving cargo theft surge
(16:29) Layered alerts detect theft in transit
(23:03) Prepare before theft happens, not after
(24:03) Light alerts trigger copper theft investigation
(26:11) Telemetry exposes route diversion and deception
(27:52) Alerts only matter when teams respond
(30:19) Police intercept truck at Wichita Falls
(31:24) Driver bypasses seal but gets caught
(32:47) Trust data and involve law enforcement
(36:10) Technology helps monitor risky driver behavior
(38:16) Build six layers of cargo security
(44:29) Use Tive before theft strikes
(47:22) Resources for protecting high-value shipments

Additional Links & Resources:
Connect with Krenar Komoni: https://www.linkedin.com/in/komoni/
Connect with Fernando Boom: https://www.linkedin.com/in/fernando-boom-a06513372/
Connect with Scott DeGroot: https://www.linkedin.com/in/scott-degroot-4600368/
Learn more about Venture Metals +: https://venturemet.com/
Learn more about Tive: https://www.tive.com/
Learn more about our hosts: https://supplychainnow.com/about
Learn more about Supply Chain Now: https://supplychainnow.com
Watch and listen to more Supply Chain Now episodes here: https://supplychainnow.com/program/supply-chain-now
Subscribe to Supply Chain Now on your favorite platform: https://supplychainnow.com/join
Work with us! Download Supply Chain Now's NEW Media Kit: https://supplychainnow.com/media-kit/
WEBINAR - AI that moves at velocity: Cut through latency with agentic workflows: https://bit.ly/4x4626t

This episode was hosted by Scott Luton and produced by Trisha Cordes, Joshua Miranda, and Amanda Luton.
For additional information, please visit our dedicated show page at: https://supplychainnow.com/240k-shipment-saved-venture-metals-realtime-rescue-1599

The content in this episode, including all audio, videos, visuals, and graphics, is the property of Supply Chain Now and is protected by copyright law. Unauthorized use, reproduction, distribution, modification, or re-uploading of this content in any form is strictly prohibited without explicit written permission from Supply Chain Now. For licensing inquiries or permissions, please contact us at production@supplychainnow.com
© 2026 Supply Chain Now. All rights reserved.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
⬥EPISODE NOTES⬥ From the show floor at Infosecurity Europe 2026, Sean Martin sits down with James Morris, Director of The CSBR (Centre for Cyber Security and Business Resilience) and a former UK Member of Parliament who spent fourteen years in the House of Commons and chaired the All-Party Parliamentary Group for Cyber Security. His work now lives at the intersection of cybersecurity and resilience, translating evidence and expert roundtables into policy that Parliament can actually use. The conversation opens on a hard problem: legislation moves slowly, and technology does not. The UK's Cyber Security and Resilience Bill has been working through Parliament for fifteen months and may not be operational for the better part of a year, even as AI moves from the margins to the center of national infrastructure. James Morris describes how the government has responded by giving itself powers to designate organizations and sectors as threats emerge, a top-down approach that he argues only works if business is brought along from the bottom up. What counts as resilience is changing too. For years the word pointed narrowly at critical national infrastructure such as power and rail. James Morris makes the case that resilience now means economic resilience, pointing to high-profile UK breaches at Marks and Spencer and JLR that paralyzed major businesses yet would not be captured by the very bill moving through Parliament. Sean Martin pushes the thread into the supply chain, where the legislation starts to designate critical suppliers for the first time, with new expectations around transparency, incident reporting, and hardening, though financial services sits outside under its own regime. The closing turn is the one business owners should sit with. Cyber resilience is no longer a peripheral technical task to hand to IT. 
It is a board-level issue tied to strategy, reputation, and the survival of the organization itself, and the leaders who treat it that way, rehearsing breaches before they happen and planning for the media scrutiny that follows, are the ones positioned to recover. Resilience, in the end, is not only technical. It is economic, managerial, and political, and getting it right is becoming inseparable from how a modern society protects itself.

⬥HOST⬥
Sean Martin, CISSP -- Co-Founder, ITSPmagazine & Studio C60 | Host, Redefining CyberSecurity Podcast & Music Evolves Podcast | https://www.seanmartin.com/

⬥GUEST⬥
James Morris -- Director, The CSBR (Centre for Cyber Security and Business Resilience); former UK Member of Parliament; former Chair of the All-Party Parliamentary Group for Cyber Security | https://uk.linkedin.com/in/james-morris-obe-787a2b17

⬥RESOURCES⬥
Infosecurity Europe 2026 is taking place June 2-4, 2026 | ExCeL London -- Follow our coverage: https://www.itspmagazine.com/infosecurity-europe-2026-infosec-london-cybersecurity-event-coverage
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
Redefining CyberSecurity Podcast | https://www.seanmartin.com/redefining-cybersecurity-podcast
On Location | https://www.itspmagazine.com/on-location
PODCAST EPISODE | Redefining CyberSecurity With Sean Martin — On Location at InfoSecurity Europe 2026 On Location With Sean Martin And Marco Ciappelli The UK's threats change by the day. Its laws change over years. Sean Martin sat down with James Morris — former Member of Parliament, now Director of the CSBR — to ask how a government writes cyber policy fast enough to matter, and why “resilience” has quietly stopped being a technical word.
Podcasting 2.0 June 5th 2026 Episode 262 - "Podcleanse"
Dave and Adam are joined by John Spurlock and throw a big idea into the boardroom: The Podcast Data Collective

Shownotes

John Spurlock - Guest
The man behind op3.dev and Livewire.io - From the Great State of New Jersey!

01 - THE IMPRESSION HEIST — AMP TASK FORCE RATIFIES 4 EXPOSURE DEFINITIONS, NO DISSENTING VOTES
Podnews press release Jun 4: AMP Task Force Introduces Cross-Platform Alternative to the Podcast "Download" — "unified impression guidance for audio and video, advancing impression-based measurement as the medium's primary transaction currency." Four exposure definitions ratified.
JS Jun 4 quote: "the AMP Task Force ratified a new framework with four exposure definitions, with no dissenting votes."
Podcast Play: 30 seconds of content played, audio or video, once per user per session.
Podcast Audience: The number of unique users who had a Podcast Play.
Ad Impression: A commercial begins playing for the user.
Ad Audience: The number of users exposed to an Ad Impression.
They wanted to 'hasten the demand'
Backstory: AMP first emerged May 29 (Podnews) — same day PC20-261 aired — "to confront podcasting's measurement dilemma."
@dave reaction Jun 4 16:12: "RE: [Podnews AMP story] More secretive, back room podcast 'industry' nonsense."
PNWR Jun 5 confirms the cabal-composition critique — James and Sam open the show debating AMP. James: "they also want to define what an impression is" + "we don't have a definition of podcast." Sam: "I don't think podcasting is [defined], we can measure consumption."
PNWR catches the gaps [0:09:00-0:09:30]: "Spotify yes, Acast no, Art19 missing… Apple is already doing that. Apple is already being cut [out]." Same observation @dave made — who's in the room and who isn't.
@js replies @dave on AMP Jun 4: "@dave Dave there were no dissenting votes" — Mastodon-thread confirmation that JS + Dave are on the same page about the consensus-by-cabal red flag.
Discussion: V4V counter-thesis — No Agenda is value-for-value (no impressions, no exposures). Open standards vs industry cabals. PNWR is independent-podcaster-aligned; AMP is platform-aligned.
Podnews AMP Jun 4 press release
Podnews AMP origin May 29
@dave Jun 4 reaction post
JS Jun 4 quote post
PNWR this week (Pod News Weekly Review)

02 - THE OPEN COUNTERPART — PODCAST INDEX ISSUE #775 (PNWR + @DAVE BOTH ON IT)

03 - THE WHY BEHIND IMPRESSIONS — "THE FIRST FOUR AND A HALF MINUTES"

04 - THE PODCASTING 2.0 DATA COLLECTIVE — THE OPEN ANSWER TO AMP
The Podcasting 2.0 Data Collective — the open, V4V-aligned answer to the AMP cabal. Not a consortium with ratified definitions and trade-press releases. A collective of open tools and honest sentinels: OP3 for analytics, Podverse + newpodcasts.net for corpus data, Podcast Index for the namespace, Issue #775 for client identification done right.
Matthew 5:6 (KJV): "Blessed are they which do hunger and thirst after righteousness: for they shall be filled." The verse that frames the work. Open data, transparent measurement, value-for-value — righteousness in podcast governance. Those who hunger for it are the ones who'll be filled. The AMP cabal trades righteousness for an ad-tech seat at the table; the Data Collective just keeps the lights on.

THE CHARTER — Adam's working document, June 5 2026
We hold more power than we give ourselves credit for.
Definition of a Podcast: Syndicated delivery of media files with precise consumption data for all stakeholders.
What we brought in (the Podcasting 2.0 namespace contributions): Transcripts, Chapters, Funding (V4V), Person, Location …etc.
Statistical relevance: Advertising is based on percentages. Collectively we have about 10% of all apps — statistically enough to be relevant. Godcaster app tracing proves we can measure important metrics.
Data to aggregate and display: Follows, Plays per episode, Completion rate by time
Strategy: Become the authoritative source by publishing open stats. Monetize.
We will not be loved initially by the industry, because we will have the truth. Advertisers will love us though, as will Podcasters.
Monetization: Data subscriptions, Resellers (DJL), Ad Networks, Podcasters themselves (consideration)
Podcast Index has built the trust needed to house this data. We already have a data exchange relationship with the apps. op3.dev is critical in this equation to offset the old system for correlation.
OP3 full podcast support landed this week [PNWR 1:53:00-1:54:30] — OP3.dev now has full episode-level + show-level analytics support for podcasts. Spec work also moving on private feeds (insecure feeds spec). Direct relevance to V4V infrastructure.
@dave → @james Jun 5 11:50: "Do you have the daily lists that show up on newpodcasts.net available anywhere as a download? I'd love the full, historical list of feed urls that have appeared there if possible." Open-data request — corpus curation theme.
@dave → @mitch May 30: "Would you be able to send me a flat list of all the feed urls in Podverse which have more than X number of subscribers/followers? Let's say more than 5?" Podverse data request — corpus quality.
Anchor FM RSS restoration request — Fri 11:01 email to NA inbox (Lusso Lets). Listener can't retrieve feed data from Podcast Index. Adjacent infra beat — the unsung user-facing pain of corpus indexing.
Discussion: corpus curation as a steady-state job (Dave's sentinel work) vs measurement standards (the AMP cabal) — which one keeps the ecosystem honest? The Data Collective doesn't ratify, it just shows up to maintain. Hunger and thirst. They shall be filled.
OP3.dev — open podcast analytics

05 - CAPTIVATE LAUNCHES DAX US — THE IMPRESSION ECONOMY IRL

06 - BBC GOES ALL-IN ON CROSSED WIRES YEAR 3 — IPLAYER DEAL + "EDINBURGH OF PODCASTING"

07 - STREAMING CONSOLIDATION — YOUTUBE MUSIC + TUBI + NETFLIX ALL WANT "PODCAST"

08 - SUPPLY CHAIN SECURITY — VS CODE DELAYS, PHP FOUNDATION, SLSA LEVEL 3 IS NOT ENOUGH

09 - AI BUBBLE PC20-FLAVOR — TOTO CHUCKS, MOTHER COMPUTERS, "NO 'I', ONLY MATH"

10 - QUIPS / TRANSITIONS

Last Modified 06/05/2026 14:38:09 by Freedom Controller
Cybersecurity assurance was supposed to give boards, regulators, customers, and partners a clear answer to one question: can the security of the organizations they depend on actually be trusted? In 2026, that answer is harder than ever to come by. Supply chains are sprawling, attackers are pivoting through third parties, and too many assurance reports still rely on questionnaires, self-attestations, and frameworks that have not kept pace with the threat landscape. The 2026 HITRUST Trust Report calls that gap what it is: a Trust Crisis. In this Brand Spotlight, Vincent Bennekers, VP of Quality at HITRUST, walks through what four years of performance data across thousands of certified environments now show: 99.62% of HITRUST-certified environments remained breach-free in 2025. That stands in stark contrast to industry surveys reporting that more than 40% of organizations have experienced a breach. Vincent Bennekers is direct on why the numbers hold up: prescriptive controls, a centralized quality review, and an assurance methodology built for measurable outcomes rather than checkbox compliance. Healthcare makes the point even sharper. HITRUST examined the top fifty breaches on the HHS OCR breach portal, the public listing some in the industry refer to as the wall of shame. None of them occurred in a HITRUST-certified environment. For an industry that consistently ranks as the most breached and the most expensive to breach, that is a signal worth pausing on. Quality of the report itself matters as much as the framework behind it. Vincent Bennekers describes a layered review model with automated and manual checks, independent reviewers, and centralized HITRUST quality assurance prior to issuance. Every certification HITRUST issues goes through that same review. Stakeholders consuming any other assurance report should be asking exactly how its integrity is being ensured, and what is actually behind the stamp. Supply chain risk is the throughline. 
The 2025 Verizon Data Breach Investigations Report found third-party-involved breaches doubled, climbing from 15% to 30%. HITRUST requires service provider coverage, mandatory in the r2 assessment and optional but heavily adopted in the e1 and i1, where over 80% of organizations are choosing to address service provider controls thanks to a streamlined inheritance model. The report closes with a five-step roadmap for stakeholders: shift from flexible compliance to threat-intelligent assurance, verify assurance report integrity, reduce supply chain exposure, secure AI implementations through prescriptive controls, and reassess the definition of good information security assurance. Vincent Bennekers is clear that AI belongs in this conversation now, with HITRUST offering AI certification to address risks across data protection, model integrity, and automated decision-making.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST
Vincent Bennekers, VP of Quality at HITRUST
LinkedIn: https://www.linkedin.com/in/vincent-bennekers-a0b3201/

RESOURCES
Learn more about HITRUST: https://hitrustalliance.net/
Download the 2026 HITRUST Trust Report: https://hitrustalliance.net/trust-report

Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight

KEYWORDS
Vincent Bennekers, HITRUST, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, 2026 HITRUST Trust Report, trust crisis, cybersecurity assurance, third-party risk, supply chain security, healthcare cybersecurity, HHS OCR breach portal, HITRUST certification, r2 certification, e1 certification, i1 certification, threat-intelligent assurance, AI security certification, information risk management
⬥EPISODE NOTES⬥ The most dangerous sentence in cybersecurity disclosure right now is "no evidence of unauthorized access to our network." It is technically true. It is also operationally hollow. The customer whose data is on a leak site does not care which network it left from. The plaintiff in Bexar County does not care. The regulator about to receive a federal incident report under a 72-hour clock that starts at suspicion, not confirmation, will not care. In April 2026, two U.S. banks disclosed an incident at the same unnamed third-party vendor. Six class action lawsuits followed in two weeks. The vendor still has not been publicly named. The plaintiffs sued the banks anyway. In a separate situation, an alleged Adobe breach surfaced through a threat actor's claims about a third-party business process outsourcing firm -- and as of the coverage reviewed for this analysis, no public confirmation or denial from Adobe had surfaced. This is the Common Point of Failure pattern, and it is arriving with enough frequency that it deserves to be named clearly.
In this episode, Danny Ramon from Overhaul brings another insightful conversation about staying ahead of rapidly evolving strategic cargo theft and fraudulent double-brokering schemes in a global market! Danny shares how bad actors are moving from traditional smash-and-grab tactics to complex fictitious pickups and identity theft, essentially running their criminal enterprises with the efficiency of a direct-to-consumer business; the critical need for carrier verification; the impact of broker liability; and why simply having cargo insurance isn't enough when the true cost of a loss is three to seven times the value of the freight. From the lack of a DOT equivalent in the EU to the implementation of biometric security at the dock, we're covering the high-tech hurdles and the boots-on-the-ground prevention strategies you need to protect your margins!

About Danny Ramon
Danny Ramon has been working in Supply Chain Security for over 15 years and specializing in Supply Chain Intelligence for the last 13. Danny studies both cargo theft and any factor that can affect the flow of cargo through the supply chain to identify how variables might interfere with the flow of global logistics. In his role as Director of Intelligence and Response at Overhaul, Danny not only presents these findings to the security and logistics teams at the world's largest technology and pharmaceutical companies, but also leads the recovery and investigations team that works closely with law enforcement and private resources across the globe to recover stolen cargo and apprehend the criminals involved. Danny spreads awareness of cargo theft and promotes supply chain visibility as a subject matter expert. He is quoted or published in several leading industry publications, including Transport Topics, Supply Chain Brain, Fleet Owner, FreightWaves, and CCJDigital, and he has presented for the Inland Marine Underwriters Association (IMUA), the International Supply Chain Protection Organization (ISCPO), the Transportation and Logistics Council (TLC), Miami-Dade Police Department (MDPD), Ocean Carrier Equipment Management Association (OCEMA), National Motor Freight Traffic Association (NMFTA), and the Transported Asset Protection Association (TAPA).

Connect with Danny
Website: https://over-haul.com/
LinkedIn: https://www.linkedin.com/in/danny-ramon-97472855/
Guest: Dan Lorenc, Founder / CEO, Chainguard

Topics:
We just saw a security tool (Trivy) get used to pop an AI infrastructure tool (LiteLLM) to eventually pop end users. Have we reached the point where our security tooling is actually our largest unmanaged attack surface? Why now? Software supply chain security had the perennial vibe of "not top concern" for most organizations, right?
TeamPCP pushed malicious code to existing GitHub tags. We've been screaming about pinning versions to SHAs for years, but clearly, nobody is listening. Is it time to admit that 'convenience' is the primary enemy of supply chain security?
The Axios incident showed a victim compromised in under two minutes. In a world of auto-updating dependencies, is the concept of a human-in-the-loop for software updates officially dead, or do we need to look very hard at version pinning and such?
With the XZ Utils case, we saw a long-game social engineering attack. Beyond just 'watching npm closely,' what are the realistic architectural safeguards for an org that knows they can't audit every line of an update?
We've spent the last three years talking about SBOMs (Software Bill of Materials) like they were a pill for supply chain health. But if the scanner producing the SBOM is the one that's compromised, isn't the SBOM just a signed receipt for your own house being on fire?
What is the one practical thing they can do to ensure their CI/CD isn't a credential-exfiltration-as-a-service platform?

Resources:
Video version
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
EP100 2022 Accelerate State of DevOps Report and Software Supply Chain Security
EP116 SBOMs: A Step Towards a More Secure Software Supply Chain
EP226 AI Supply Chain Security: Old Lessons, New Poisons, and Agentic Dreams
EP24 Linking Up The Pieces: Software Supply Chain Security at Google and Beyond
Matt Levine blog
“We're witnessing what I would consider the most structurally disruptive pharmaceutical moment I've seen in my career—and it's being driven by consumers.” Ryan Kelly, Interim CEO and Senior Director of Supply Chain Security and Brand Protection at Rx-360, has seen pharma's direct-to-consumer transformation from multiple angles—building pharmacy operations at Amazon during the PillPack acquisition, scaling the largest cash pharmacy in the U.S. at Chewy, and now leading supply chain security for a 130-member industry consortium. His verdict: the infrastructure isn't keeping up. In the latest PharmaSource podcast episode, Ryan explains why GLP-1 demand and the rise of direct-to-consumer platforms such as TrumpRX have become the stress test pharma's supply chain never prepared for—and what manufacturers need to do before the system breaks.
Ken Johnson and Seth Law reflect on the 2026 RSA Conference and BSidesSF, noting an industry-wide "awakening" regarding the high costs and engineering complexities of operationalizing AI security tools. A major focus is the recent "supply chain attack hell," specifically the compromise of the Axios HTTP client through dual-account breaches that allowed attackers to bypass legitimate OIDC deploy setups via a misconfigured NPM CLI. The malware used was particularly evasive, deleting itself and replacing its package.json with a clean version post-execution. The hosts also discuss the emergence of the "Agentic Development Lifecycle" (ADLC), where engineering teams are increasingly "committing on time" rather than features, creating a volume of code that traditional security gates cannot manage. They debate Thomas Ptacek's thesis that AI agents will soon "supplant" human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Economically, they highlight how Anthropic's security announcements contributed to nearly half a trillion dollars in market value loss for traditional security firms, as investors increasingly bet on frontier models to consume established security domains.
Supply Chain Security has stopped being theory and become a real problem. In this episode, we dissect the recent cases involving widely used tools such as Trivy, KICS and the Axios library, and what they expose about the fragility of the dependency chain. We talk about the invisible risk running inside your pipeline, how attacks on “trusted” tools completely change the game, and why blindly trusting popular scanners and libraries can be a costly mistake. It is not just about known vulnerabilities; it is about broken trust. You will leave with a practical view of how these incidents happen, where the blind spots in your process are, and what needs to change now so you don't become the next case study. Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support. Supported by: Nova8, Snyk, Conviso, Gold Security, Digitalwolk and PurpleBird Security.
What if one of the most critical components in modern technology — from fighter jets to smartphones — is also one of the most overlooked? In this episode of The China Desk Podcast, host Steve Yates sits down with David Schild, Executive Director of the Printed Circuit Board Association of America (PCBAA), to break down the strategic importance of printed circuit boards (PCBs) and why they have become a major vulnerability in the U.S.–China competition. Schild explains that while policymakers have focused heavily on semiconductors and rare earths, the United States has largely ignored the “middle layer” of the electronics stack — printed circuit boards — which connect and enable every advanced system in modern life. From defense systems and AI data centers to power grids and consumer electronics, virtually everything relies on PCBs. The conversation details how China came to dominate global PCB production through long-term industrial policy, subsidies, and strategic investment, while U.S. production collapsed from roughly 30% of global supply to just 4% today. This shift has created serious national security concerns, including supply chain dependence, risks to trusted and secure systems, and the loss of domestic research and development.
The discussion also explores:
• Why PCB dependency poses risks to defense systems and critical infrastructure
• How “dual-use” and commercial off-the-shelf components create loopholes in defense procurement
• What happens to U.S. supply chains in a Taiwan crisis or major disruption in Asia
• The lack of surge manufacturing capacity in the United States
• Policy solutions including the PCBS Act, tax incentives, and Buy America requirements
• The role of tariffs, industrial policy, and strategic investment in rebuilding domestic production
• Why industrial policy and national security are now inseparable
Schild argues that rebuilding U.S. PCB manufacturing is not just an economic issue — it is essential to maintaining technological leadership, securing supply chains, and ensuring that the United States can compete in an era of great power competition.
Watch Full-Length Interviews: https://www.youtube.com/@ChinaDeskFNW
Tony Anscombe has attended RSA Conference since 1998 -- back when it was held at the Fairmont Hotel. That long view informs everything about how ESET approaches threat intelligence. It is not about volume. It is about accuracy, speed, and putting the right signal in front of the right team at the right moment. The ESET eCrime Ecosystem Report comes in two forms: a business-facing summary outlining current risks for leadership, and a long-form technical report for analysts -- complete with IOCs, coding examples, and structured intelligence feeds covering ransomware, crypto scams, malicious email attachments, and infostealer data. These feeds are built to plug directly into SOC workflows and firewall rules, not to create more work for already stretched teams. Tony Anscombe is direct about the quality problem in threat intelligence. Open-source feeds sound appealing -- until you factor in the analyst hours required to clean out the noise. By then, the intelligence is stale. Attacks circle the globe in hours. Near-real-time, verified intelligence is not a premium -- it is the baseline requirement. The threat detection conversation has also moved well past malware. Anscombe walks through how modern attackers often skip the payload entirely -- credential theft gets them in, then slow lateral movement and data exfiltration follow, with ransomware as the final act rather than the first signal. ESET's platform focuses on behavioral anomaly detection across the full environment, with on-site, cloud, and managed deployment options for organizations that cannot or will not go all-in on cloud architecture. At RSAC Conference 2026, ESET will be at booth 5253 in Moscone North. Anscombe has two sessions on the Wednesday agenda: one on supply chain blind spots -- urging security teams to engage directly with the business side to map third-party risk fully -- and a community rant session tackling four things that need to change in cybersecurity, including the cryptocurrency regulation debate. On AI, his message is measured: the real conversation at the show is not about using AI -- it is about securing it.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Tony Anscombe, Chief Security Evangelist, ESET
LinkedIn: https://www.linkedin.com/in/tonyanscombe/
RESOURCES
ESET website: https://www.eset.com
ESET threat research blog (WeLiveSecurity): https://www.welivesecurity.com
ESET at RSAC Conference 2026 -- Booth 5253, Moscone North
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Tony Anscombe, ESET, Sean Martin, RSAC Conference 2026, eCrime, threat intelligence, eCrime Ecosystem Report, cybersecurity, endpoint protection, MDR, threat detection, supply chain security, AI security, ransomware, infostealer, brand spotlight, brand marketing, marketing podcast, brand story
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
Third-party-related breaches have doubled in the last 12 months. Ryan Patrick, Executive Vice President of TPRM Customer Solutions at HITRUST, is not surprised. As organizations outsource more to stay focused on core competencies, the vendor attack surface grows -- and malicious actors are exploiting it through a pattern Patrick calls "island hopping": land on a smaller vendor, secure a foothold, then move laterally toward the real target. The Stryker attack, which unfolded in real time during HIMSS 2026, made the stakes concrete. What began as a nation-state operation quickly became a supply chain crisis. Hospitals relying on Stryker products scrambled -- not because their own environments were breached, but because a critical supplier went down. Patrick argues that availability of services deserves equal weight to confidentiality, especially when a supplier outage directly impacts patient care and revenue. AI adds a new layer of urgency to vendor risk. Vendors are quietly adding AI capabilities to existing products -- sometimes without notifying customers. An EHR platform might add a clinical decision support model as a routine feature update. The health system consuming it may lack the leverage to audit what that model does with patient data. In agentic AI scenarios, where decisions happen without a human in the loop, the consequences are clinical, not just operational. Patrick's advice for managing AI risk: stop treating it as a fundamentally different category. Layer it into existing security programs, policies, and governance frameworks. The uniqueness lies in how you assess AI risk -- not in abandoning what already works. The industry, he observes, is finally moving past the wait-and-see phase. The data on HITRUST certification outcomes is compelling. One organization has gone seven to eight years without a security incident by requiring all vendors to achieve HITRUST certification. External vulnerability platforms like SecurityScorecard and RiskRecon independently confirm the pattern: HITRUST-certified vendors score measurably higher. Certified vendors mature over time. Non-certified vendors plateau.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Ryan Patrick, Executive Vice President, TPRM Customer Solutions, HITRUST
LinkedIn: https://www.linkedin.com/in/ryan-patrick-3699117a/
RESOURCES
HITRUST: https://hitrustalliance.net
HIMSS 2026 Coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/himss-global-health-conference-amp-exhibition-2026
KEYWORDS
Ryan Patrick, HITRUST, Sean Martin, third-party risk management, TPRM, supply chain security, healthcare cybersecurity, HIMSS 2026, AI security, EHR security, vendor risk, HIPAA compliance, CIA triad, supply chain resilience, agentic AI, healthcare data security, brand spotlight, brand marketing, marketing podcast
Freight fraud has moved way past the old stereotype of random cargo theft. Barry Conlon, CEO of Overhaul, joins Blythe from Manifest to break down what's actually happening in the market: more sophisticated criminal networks, more pressure on shippers to own the problem, and a growing gap between how fast freight moves and how well it gets verified. He argues that prevention matters more than recovery, because by the time you're chasing freight down, the damage is already done.
A few standout points from the conversation:
Barry says the last 24 to 36 months have brought a level of volume and sophistication he has never seen before.
He ties part of the shift back to post-COVID buyer behavior and the ease of moving stolen goods back into gray markets.
He says Overhaul protects about $1.4 trillion in cargo value on its platform and focuses on identifying non-compliance before it becomes a loss.
He explains how fraud varies by geography, with North American fraud tactics spreading abroad while markets like Mexico and Brazil often involve more overt hijacking risk.
He makes the case that cargo risk is now a boardroom issue because lost product often cannot be replaced fast enough, which turns a theft problem into a market share problem.
Links from the show:
Overhaul's latest insight on cargo crime
Connect with Barry on LinkedIn
Watch this episode on YouTube
Feedback? Ideas for a future episode? Shoot us a text here to let us know.
-----------------------------------------
THANK YOU TO OUR SPONSORS! SPI Logistics has been a Day 1 supporter of this podcast, which is why we're proud to promote them in every episode. During that time, we've gotten to know the team and their agents to confidently say they are the best home for freight agents in North America for 40 years and counting. Listen to past episodes to hear why. CargoRex is the search engine for the logistics industry—connecting LSPs with the right tools, services, events, and creators to explore, discover, and evolve. Digital Dispatch maximizes and manages your #1 sales tool with a website that establishes trust and builds rock-solid relationships with your leads and customers.
Interview with Anna Pham
Breaking in with ClickFix: Anatomy of a modern endpoint attack
Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had “stopped abnormally” and prompting users to run a “scan” to remediate the threats. Upon “running the scan,” the user is presented with a fake “Security issues detected” alert and instructed to manually “fix” the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, the user executes the malicious command.
Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy
Interview with David Zendzian
Continuous compliance and real security lifecycle management
Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest-based infrastructure and container-based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature, and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people.
Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation
Interview with Jacob Horne
CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain
With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits.
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-449
Is China competing—or executing a long-term strategy to dominate global industry? In this episode of The China Desk, legendary CEO advisor Ram Charan joins Steve Yates to break down his book China's 90% Model: China Has America by the Throat — Here's How to Fight Back and Win. Charan argues that China's strategy is deliberate: build capacity to meet 90% of global demand, sell below marginal cost, subsidize exports, and destroy competitors across entire industries. Drawing on six decades advising global executives—including more than 50 Chinese companies—Charan explains how this model has hollowed out American manufacturing in sectors like solar, pharmaceuticals, chemicals, and advanced materials. He describes why many CEOs understand the threat privately but hesitate to speak publicly, and why investors may be underestimating long-term risk.
The conversation explores:
How industrial dominance becomes national security leverage
Why excess capacity and currency policy matter
The strategic risk of supply chain choke points like magnets and critical inputs
The need for a cabinet-level Department of Manufacturing and Technology
Why economic security and national security are now inseparable
Charan argues that America and its allies still possess overwhelming economic strength—but only if they coordinate industrial policy, rebuild manufacturing capacity, and communicate the stakes clearly to the public and business leaders alike. This is a high-level strategic conversation about economic warfare, industrial capacity, and what the next seven years could determine for the global balance of power.
00:00 — Introduction and Ram Charan's background
02:40 — What is China's 90% Model?
04:19 — Industrial dominance and strategic execution
05:18 — The origins of China's long-term strategy
08:19 — How to measure industry capture and market share
12:06 — Why CEOs stay silent and investor blind spots
14:11 — The October wake-up moment
16:22 — When companies must exit China
18:26 — Building an allied industrial coalition
21:44 — Economic security equals national security
23:17 — War-time leverage and supply chain choke points
25:21 — Proposal: Department of Manufacturing and Technology
27:35 — Seven-year strategy and public awareness
30:27 — Where to find the book and follow Ram Charan
Watch Full-Length Interviews: https://www.youtube.com/@ChinaDeskFNW
In this episode of the Crazy Wisdom Podcast, host Stewart Alsop sits down with Jake Hamilton, founder of Groundwire and Nockbox, to explore zero-knowledge proofs, Bitcoin identity systems, and the intersection of privacy-preserving cryptography with AI and blockchain technology. They discuss how ZK proofs could offer an alternative to invasive identity verification systems being rolled out by governments worldwide, the potential for continual learning AI models to shift the balance between centralized and open-source development, and why building secure, auditable computing infrastructure on platforms like Urbit matters more than ever as we face an explosion of AI agents and automated systems. Jake also explains Nockchain's approach to creating a global repository of cryptographically verified facts that can power trustless programmable systems, and how these technologies might converge to solve problems around supply chain security, personal data sovereignty, and resistance to censorship.
Timestamps
00:00 Introduction to Groundwire and Nockbox
02:48 Understanding Zero-Knowledge Proofs
06:04 Government Adoption of ZK Proofs
08:55 The Future of Identity Verification
11:52 AI and ZK Proofs: A New Era
14:54 The Role of Urbit in Technology
18:03 The Impact of COVID on Trust
20:51 The Evolution of AI and Data Privacy
23:47 The Future of AI Models
26:54 The Need for Local AI Solutions
29:51 Interoperability of Nockchain and Bitcoin
Key Insights
1. Zero-Knowledge Proofs Enable Privacy-Preserving Verification: Jake explains that ZK proofs allow you to prove computational outcomes without revealing the underlying data. For example, you could prove you're over 18 without exposing your full identity or driver's license information. The proof demonstrates that a specific program ran through certain steps and reached a particular conclusion, and validating this proof is fast and compact. This technology has profound implications for age verification, identity systems, and protecting privacy while maintaining necessary compliance, potentially offering a middle path between surveillance states and complete anonymity.
2. Government Adoption of Privacy Technology Remains Uncertain: There are three competing motivations driving government identity verification systems: genuine surveillance desires, bureaucratic efficiency seeking, and legitimate child protection concerns. Jake believes these groups can be separated, with some officials potentially supporting ZK-based solutions if positioned correctly. He notes the EU is exploring ZK identity verification, and UK officials have shown interest. The key is framing privacy-preserving technology as protection against "the swamp" rather than just abstract privacy benefits, which could resonate with certain political constituencies.
3. The COVID Era Destroyed Institutional Trust at Unprecedented Scale: The conversation identifies COVID as potentially the largest institutional trust-burning event in human history, with numerous institutions simultaneously losing credibility with large portions of the population. This represents a dramatic shift from the boomer generation's default trust in authority figures and mainstream media. This collapse is compounded by the incoming AI revolution, creating a perfect storm where established bureaucracies cannot adapt quickly enough to manage rapidly evolving technology, leaving society in fundamentally unmanageable territory.
4. Centralized AI Models Create Dangerous Dependencies: Both speakers acknowledge growing dependence on centralized AI services like Claude, with some users spending thousands monthly on tokens. This dependency creates vulnerability to price increases and service disruptions. Jake advocates for local AI deployment using models like DeepSeek R1, running on personal hardware to maintain control and privacy. The shift toward continuous learning models will fundamentally change the AI landscape, making personal data harvesting even more valuable and raising urgent questions about compensation and consent for training data contribution.
5. High-Quality Training Data Is Becoming the Primary AI Bottleneck: Stewart argues that AI development is now limited more by high-quality training data than by compute power. The industry has exhausted easily accessible internet data and body-shop-style data labeling. Companies are now using specialized boutique services with techniques like head-mounted cameras for live-streaming world model training. This scarcity is subtly driving price increases across AI services and will fundamentally reshape the economics of AI development, with implications for who controls these increasingly powerful systems.
6. Urbit Offers a Foundation for Trustworthy Computing: Jake positions Urbit as essential infrastructure for the AI age because its 30,000-line codebase (versus Unix's three million lines) can be understood by individual humans. Its deterministic, purely functional, and strictly typed design aims for eventual ossification—software that doesn't require constant security patches. This "tiny and diamond perfect" approach addresses the fundamental insecurity of systems requiring monthly vulnerability patches. In an era of AI agents and potential prompt injection attacks, having verifiable, comprehensible computing infrastructure becomes existentially important rather than merely desirable.
7. Nockchain Creates a Global Repository of Provable Truth: Jake's vision for Nockchain combines ZK proofs with blockchain technology to create a globally available "truth repository" where verified facts can be programmatically accessed together. This enables smart contracts or programs gated on combinations of proven facts—such as temperature readings from secure devices, supply chain events, and payment confirmations. By using Nock's abstract, simple design optimized for ZK proof generation, the system can validate complex real-world conditions without exposing underlying data, creating infrastructure for coordinating action based on verifiable private information at global scale.
Blythe and Grace Sharkey (Orderful; formerly FreightWaves) break down what everyone's been talking about coming out of Manifest: agentic AI moving into real workflows, drones/computer vision becoming more practical, freight fraud getting more coordinated, and why "end-to-end visibility" still isn't end-to-end (spoiler: carrier adoption and execution still run the show).

The gist (what we cover):
- Agentic AI: not just demos; people are pushing it into rate negotiation and booking workflows
- The uncomfortable question: what happens to brokerage models when humans aren't the bottleneck?
- Drones + computer vision: still early, but moving from "cool tech" to real use cases
- Freight fraud: it's coordinated, and most companies still fail at the basics
- Visibility: we keep selling the dream, but execution (and carrier adoption) keeps punching it in the face
- Quick time-capsule: what 2016 taught us, what 2026 is repeating, and why insurance keeps winning

Timestamps / chapters (approx):
00:00 – Intro + Grace joins
04:35 – Agentic AI: what's real vs what's marketing
10:10 – What this changes for brokers and carriers
15:25 – Drones + computer vision
17:30 – Fraud: why basic controls still matter
25:40 – Visibility + ocean integrity
31:40 – 2016 vs 2026: the industry memory test
39:50 – Wrap-up + Manifest Europe note

Watch this episode on YouTube. Feedback? Ideas for a future episode? Shoot us a text here to let us know.

THANK YOU TO OUR SPONSORS! SPI Logistics has been a Day 1 supporter of this podcast which is why we're proud to promote them in every episode. During that time, we've gotten to know the team and their agents to confidently say they are the best home for freight agents in North America for 40 years and counting. Listen to past episodes to hear why. CargoRex is the search engine for the logistics industry, connecting LSPs with the right tools, services, events, and creators to explore, discover, and evolve.
Digital Dispatch maximizes and manages your #1 sales tool with a website that establishes trust and builds rock-solid relationships with your leads and customers.
Rob Hughes — CISO at RSA and Champion of a Passwordless Future
No Password Required Season 7: Episode 1 - Rob Hughes

Rob Hughes, the CISO at RSA, has more than 25 years of experience leading security and cloud infrastructure teams. In this episode, he reflects on his unconventional career path, from co-founding the original Geek.com and serving as its Chief Technologist during the early days of the internet, to leading security and systems design at Philips Home Monitoring.

Jack Clabby of Carlton Fields, P.A. and Kayley Melton welcome Rob for a wide-ranging conversation on identity, leadership, and the realities of modern cybersecurity. Rob currently leads RSA's Security and Risk Office, overseeing cybersecurity, information security governance, and risk across both RSA's products and corporate environment.

Rob explains his dream for a passwordless future. He unpacks why passwords remain one of the largest sources of cyber risk, how real-world incidents and password-spraying attacks have accelerated change, and why phishing-resistant technologies like passkeys may finally be reaching a tipping point. The episode wraps with the Lifestyle Polygraph, where Rob lightens the conversation with stories about gaming with his kids, underrated horror films, and classic cars.

Follow Rob on LinkedIn: https://www.linkedin.com/in/robert-hughes-816067a4/

Chapters:
00:00 Introduction to No Password Required
01:43 Meet Rob Hughes, CISO at RSA
02:05 The Role of a CISO in a Security Company
05:09 Transitioning to the CISO Role
08:00 The Early Days of Geek.com
12:14 Launching a Startup During the Dot Com Boom
14:30 The Push for a Passwordless Future
18:21 Tipping Point for Passwordless Adoption
20:20 Ongoing Learning in Cybersecurity
26:09 Managing Stress in High-Pressure Environments
33:46 The Lifestyle Polygraph Begins
34:15 Career Insights in Cybersecurity
36:08 Dream Cars and Personal Preferences
39:58 Underrated Horror Films
41:19 Creating a Cybersecurity Monster
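The episode mentions password-spraying attacks as one driver toward passkeys. The reason sprays get past classic controls is that a spray tries one or two common passwords against many accounts, so per-account lockout thresholds never fire; the signal lives in the source, not the account. The following is an added example (not code from the episode, RSA, or the podcast) of the detection logic a SOC would run over authentication logs. The log format, field names, IP addresses and usernames are constructed for the example.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not code from the episode or from RSA. Flags a source that
fails against many distinct accounts inside a short window while hitting no
single account more than a couple of times. Brute force against one account
is a different pattern and is deliberately not matched here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user source result" format.
# 198.51.100.7 sprays five accounts once each; 203.0.113.9 hammers one account.
SAMPLE_LOG = """\
2025-10-01T09:00:01 alice 198.51.100.7 FAIL
2025-10-01T09:00:03 bob 198.51.100.7 FAIL
2025-10-01T09:00:04 carol 198.51.100.7 FAIL
2025-10-01T09:00:06 dave 198.51.100.7 FAIL
2025-10-01T09:00:08 erin 198.51.100.7 FAIL
2025-10-01T09:00:09 frank 198.51.100.7 OK
2025-10-01T09:00:10 alice 203.0.113.9 FAIL
2025-10-01T09:00:11 alice 203.0.113.9 FAIL
2025-10-01T09:00:12 alice 203.0.113.9 FAIL
2025-10-01T09:00:13 alice 203.0.113.9 FAIL
2025-10-01T09:00:14 alice 203.0.113.9 FAIL
2025-10-01T09:00:15 alice 203.0.113.9 FAIL
2025-10-01T10:30:00 grace 198.51.100.7 FAIL
"""


def parse_line(line):
    """Split one constructed log line into (datetime, user, source, result)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Return {source: sorted list of targeted users} for every source whose
    failed logins inside any `window` cover at least `min_users` distinct
    accounts with no account failing more than `max_per_user` times."""
    failures = defaultdict(list)  # source -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break  # one hit per source is enough for an alert
    return flagged


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

On the sample, only 198.51.100.7 is flagged: it failed against five different accounts within a few seconds, while 203.0.113.9 failed six times against a single account and is left to the per-account lockout logic. The thresholds are starting points; tune `min_users` and `window` against your own baseline of legitimate shared egress (VPN concentrators, NAT gateways), which otherwise produce false positives.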
Don't miss this episode with Danny Ramon of Overhaul to learn the real threat to your freight, what's really happening online, and how fast cargo theft is evolving! Danny breaks down how cargo theft has become a full-blown, organized industry, blending cyber attacks and coordinated physical moves that let criminals walk away with entire shipments in minutes, why everyday consumer goods are now prime targets, how social media demand is reshaping black-market trends, and why tech alone won't save you if you don't have the human oversight to back it up! No one's immune, so hear the simple operational changes, smarter vetting practices, and nonstop vigilance that carriers, brokers, and shippers need to stay ahead of this increasingly sophisticated threat, and keep supporting the show for more conversations like this!

About Danny Ramon
Danny Ramon has been working in Supply Chain Security for over 15 years and specializing in Supply Chain Intelligence for the last 13. Danny studies both cargo theft and any factor that can affect the flow of cargo through the supply chain to identify how variables might interfere with the flow of global logistics. In his role as Director of Intelligence and Response at Overhaul, Danny not only presents these findings to the security and logistics teams at the world's largest technology and pharmaceutical companies, but also leads the recovery and investigations team that works closely with law enforcement and private resources across the globe to recover stolen cargo and apprehend the criminals involved. Danny spreads awareness of cargo theft and promotes supply chain visibility as a subject matter expert.
He is quoted or published in several leading industry publications, including Transport Topics, Supply Chain Brain, Fleet Owner, FreightWaves, and CCJDigital and he has presented for Inland Marine Underwriters Association (IMUA), the International Supply Chain Protection Organization (ISCPO), the Transportation and Logistics Council (TLC), Miami-Dade Police Department (MDPD), Ocean Carrier Equipment Management Association (OCEMA), National Motor Freight Traffic Association (NMFTA), and the Transported Asset Protection Association (TAPA). Connect with Danny Website: https://over-haul.com/ LinkedIn: https://www.linkedin.com/in/danny-ramon-97472855/
Hydrogen infrastructure requires billion-dollar cryogenic systems. That's the conventional wisdom keeping hydrogen grounded. Dr. Jalaal Hayes proved it's wrong, and the implications for expeditionary operations are immediate.

Hayes developed Liquid Organic Hydrogen Carriers (LOHC) technology, which stores hydrogen at ambient temperatures using existing fuel infrastructure. No specialized equipment. No cryogenic vulnerability. Combined with biohydrogen production, delivering three times the energy density of JP-8, this isn't an incremental improvement; it's an operational paradigm shift.

When you orchestrate complementary technologies instead of betting on single solutions, you eliminate infrastructure dependencies that constrain deployment. For institutions like the DoW, that means hydrogen propulsion without forward-deployed cryogenic facilities.

Paradigm Shifts:
→ Applied Budgetary Exhaustion: LOHC eliminates billions in cryogenic infrastructure by using existing petroleum systems, the same asymmetric strategy Ukraine uses with $10K drones vs $100M platforms. Attack the cost structure, not the capability.
→ Infrastructure Independence: Biohydrogen becomes deployable when paired with ambient-temperature LOHC storage. No cryogenic vulnerability. No specialized tankers. Existing logistics networks carry hydrogen in chemical form, released on demand at the point of use.
→ Regional Stack Control = Supply Chain Security: Hayes built his entire prototype with suppliers within driving distance. That's not convenience; it's strategic autonomy. When you control the full stack regionally, you eliminate foreign dependencies and supply chain vulnerabilities.

Operational Impact:
→ Space-to-Ground Dual-Use: Same hydrogen stack enabling Mars closed-loop life support runs ground ops at forward operating bases. One R&D investment, two critical applications. That's how you maximize constrained budgets.
→ Technology Intersection > Selection: Stop forcing teams to pick biohydrogen OR storage OR production. The breakthrough lives where they integrate, each solving the other's deployment constraint. Complementary systems outperform optimized components.
→ Compressed Innovation Cycles: Hayes's students solve real commercial prototypes in semesters, not years. Academic-entrepreneurial integration accelerates the transition of capabilities from the lab to the field.

Strategic Reframe: Infrastructure dependencies limit operational flexibility. When you orchestrate technologies that leverage existing systems, you eliminate deployment barriers. The question isn't "which hydrogen technology wins?" It's "what combination removes infrastructure constraints from our operational calculus?"

Guest: Dr. Jalaal Hayes, CEO & Founder, Evince Inc. | Associate Professor of Chemistry, Lincoln University
Host: Dyan Finkhousen, Founder & CEO, Shoshin Works
Ecosystemic Futures is the Shoshin Works foresight series with NASA - National Aeronautics and Space Administration heritage.
In this episode we are continuing the theme of cybersecurity to talk about the Federal Acquisition Supply Chain Security Act, or FASCSA. After years of framework development, the government has finally dropped its first FASCSA order. Learn more about The Quill & Sword series of podcasts by visiting our podcast page at https://tjaglcs.army.mil/thequillandsword. The Quill & Sword show includes featured episodes from across the JAGC, plus all episodes from our four separate shows: “Criminal Law Department Presents” (Criminal Law Department), “NSL Unscripted” (National Security Law Department), “The FAR and Beyond” (Contract & Fiscal Law Department) and “Hold My Reg” (Administrative & Civil Law Department). Connect with The Judge Advocate General's Legal Center and School by visiting our website at https://tjaglcs.army.mil/ or on Facebook (tjaglcs), Instagram (tjaglcs), or LinkedIn (school/tjaglcs).
Even if you write perfect code, that does not mean your product is secure. Vulnerabilities can be dragged in by someone else, from open source libraries all the way to vulnerabilities in compilers, CI and VCS systems. Алексей Смирнов, founder of the CodeScoring platform, told us how to learn to protect not only the code that came from your own hands but the entire supply chain.

The Podlodka team's partner is our long-time friends @AvitoTech. It's a team with great processes and a culture of common sense and experimentation. You can learn about their technologies, approaches and team skill development at these links:
— LLM vs chaos: how I automated access-rights review in the Avito admin panel https://clc.to/RVjkQw
— LLM in cybersecurity https://clc.to/mvLjSA
Advertisement. ООО "Авито Тех" (Avito Tech LLC), INN 9710089440, erid:2SDnjdq5TKm

We also look forward to your likes, reposts and comments in messengers and social networks!
Telegram chat: https://t.me/podlodka
Telegram channel: https://t.me/podlodkanews
Facebook page: www.facebook.com/podlodkacast/
Twitter account: https://twitter.com/PodcastPodlodka

Hosts in this episode: Евгений Кателла, Егор Толстой

Useful links:
Supply-chain Levels for Software Artifacts, or SLSA https://slsa.dev/
Shai-Hulud npm vulnerability https://www.truesec.com/hub/blog/500-npm-packages-compromised-in-ongoing-supply-chain-attack-shai-hulud
Talk "Taxonomy of software supply chain attacks" https://vkvideo.ru/video-229013285_456239031
AI-Enhanced DevTools & DevOps https://vkvideo.ru/video-22522055_456245659?t=2h34m17s
Research from Luntry https://luntry.ru/research
Veracode's GenAI code security research https://www.veracode.com/wp-content/uploads/2025_GenAI_Code_Security_Report_Final.pdf
On the Shai-Hulud worm https://securelist.ru/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/113533/
Talk "Secure development in the GenAI era" https://vkvideo.ru/video-229013285_456239040
Other talks on the security of using Open Source https://youtube.com/@codescoring https://vkvideo.ru/@codescoring
CodeScoring secure development platform https://codescoring.ru/
Book "Прозрачное программное обеспечение: Безопасность цепочек поставок ПО" (Transparent Software: Software Supply Chain Security) https://www.piter.com/product/prozrachnoe-programmnoe-obespechenie-bezopasnost-tsepochek-postavok-po
Everyone Is Protecting My Password, But Who Is Protecting My Toilet Paper? - Interview with Amberley Brady | AISA CyberCon Melbourne 2025 Coverage | On Location with Sean Martin and Marco Ciappelli
AISA CyberCon Melbourne | October 15-17, 2025

Empty shelves trigger something primal in us now. We've lived through the panic, the uncertainty, the realization that our food supply isn't as secure as we thought. Amberley Brady hasn't forgotten that feeling, and she's turned it into action.

Speaking with her from Florence to Sydney ahead of AISA CyberCon in Melbourne, I discovered someone who came to cybersecurity through an unexpected path—studying law, working in policy, but driven by a singular passion for food security. When COVID-19 hit Australia in early 2020 and grocery store shelves emptied, Amberley couldn't shake the question: what happens if this keeps happening?

Her answer was to build realfoodprice.com.au, a platform tracking food pricing transparency across Australia's supply chain. It's based on the Hungarian model, which within three months saved consumers 50 million euros simply by making prices visible from farmer to wholesaler to consumer. The markup disappeared almost overnight when transparency arrived.

"Once you demonstrate transparency along the supply chain, you see where the markup is," Amberley explained. She gave me an example that hit home: watermelon farmers were getting paid 40 cents per kilo while their production costs ran between $1.00 to $1.50. Meanwhile, consumers paid $2.50 to $2.99 year-round. Someone in the middle was profiting while farmers lost money on every harvest.

But this isn't just about fair pricing—it's about critical infrastructure that nobody's protecting. Australia produces food for 70 million people, far more than its own population needs. That food moves through systems, across borders, through supply chains that depend entirely on technology most farmers never think about in cybersecurity terms.

The new autonomous tractors collecting soil data? That information goes somewhere. The sensors monitoring crop conditions? Those connect to systems someone else controls. China recognized this vulnerability years ago—with 20% of the world's population but only 7% of arable land, they understood that food security is national security.

At CyberCon, Amberley is presenting two sessions that challenge the cybersecurity community to expand their thinking. "Don't Outsource Your Thinking" tackles what she calls "complacency creep"—our growing trust in AI that makes us stop questioning, stop analyzing with our gut instinct. She argues for an Essential Nine in Australia's cybersecurity framework, adding the human firewall to the technical Essential Eight.

Her second talk, cheekily titled "Everyone is Protecting My Password, But No One's Protecting My Toilet Paper," addresses food security directly. It's provocative, but that's the point. We saw what happened in Japan recently with the rice crisis—the same panic buying, the same distrust, the same empty shelves that COVID taught us to fear.

"We will run to the store," Amberley said. "That's going to be human behavior because we've lived through that time." And here's the cybersecurity angle: those panics can be manufactured. A fake image of empty shelves, an AI-generated video, strategic disinformation—all it takes is triggering that collective memory.

Amberley describes herself as an early disruptor in the agritech cybersecurity space, and she's right. Most cybersecurity professionals think about hospitals, utilities, financial systems. They don't think about the autonomous vehicles in fields, the sensor networks in soil, the supply chain software moving food across continents.

But she's starting the conversation, and CyberCon's audience—increasingly diverse, including people from HR, risk management, and policy—is ready for it. Because at the end of the day, everyone has to eat. And if we don't start thinking about the cyber vulnerabilities in how we grow, move, and price food, we're leaving our most basic need unprotected.

AISA CyberCon Melbourne runs October 15-17, 2025
Virtual coverage provided by ITSPmagazine
GUEST: Amberley Brady, Food Security & Cybersecurity Advocate, Founder of realfoodprice.com.au | On LinkedIn: https://www.linkedin.com/in/amberley-b-a62022353/
HOSTS:
Sean Martin, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.marcociappelli.com
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to share an Event Briefing as part of our event coverage? Learn More
70% of critical security debt stems from third-party code - what can be done upstream?
How real-time threat intelligence and policy enforcement are closing the gap
Why DORA and modern CI/CD pipelines demand pre-emptive visibility and automation

Thom Langford, Host, teissTalk https://www.linkedin.com/in/thomlangford/
Paul Holland, Cyber Capability Manager, Royal Mail https://www.linkedin.com/in/paulinfosec/
Tiago Rosado, Chief Information Security Officer, Asite https://www.linkedin.com/in/tiagorosado/
Jean Carlos, Information Security Lead, Trade Republic https://www.linkedin.com/in/jeanpcarlos/
John Smith, CTO of EMEA, Veracode https://www.linkedin.com/in/jtsmith123
When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are).

- A look back at issue #1 of BYTE magazine exactly 50 years ago
- The enforcement of the SHAKEN & STIR Telecom protocols
- Breaking: Judge rules against forced Google divestitures in monopoly case
- The inherent danger of consolidating authentication
- Can AI be controlled?
- Vivaldi says a big "no" to AI-enhanced web browsers
- How WhatsApp figured into Apple's recent 0-day attacks
- Leveraging AI as an attack aid
- The latest TransUnion data breach
- Two scummy websites sue the UK over age requirements
- OpenSSH reminds its users to adopt post-quantum crypto
- The DOD uses open source maintained by a Russian national
- Much great feedback from our terrific listeners
- Sci-Fi news from "The Frontiers Saga" Ryk Brown

Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit
Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT
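Both the Podlodka episode above (SLSA, the Shai-Hulud npm compromise) and this Security Now episode (fast-glob and "supply chain blindness") come down to the same question: what do you actually know about the packages your build pulls in? A lockfile answers some of it. Each entry records the tarball URL, a subresource-integrity hash, and whether npm will run install-time lifecycle scripts for that package; npm runs those scripts with the installing user's privileges before any of the package's code is ever imported. What a lockfile cannot tell you is who maintains the package or where they are, which is the point the fast-glob story makes. The following added example (not code from either podcast, from GRC, or from any of the linked projects) audits a lockfile for the three things it does record. The lockfile, package names and URLs are constructed for the example; the field names (`packages`, `resolved`, `integrity`, `hasInstallScript`, `link`, `inBundle`) are the ones npm writes in lockfileVersion 2 and 3 files.

```python
"""Audit of an npm package-lock.json "packages" map.

Added example, not from the episodes or the projects they mention. Reports
entries with no sha512 integrity hash, entries resolved from somewhere other
than the expected registry, and entries that run install-time lifecycle
scripts. The lockfile below is constructed; its package names are invented.
"""
import json
from urllib.parse import urlparse

ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile: one clean package, one with an install script, one
# resolved from a non-registry URL, and one with no integrity field at all.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"left-trim": "^1.0.0"}},
        "node_modules/left-trim": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/left-trim/-/left-trim-1.0.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/color-helper": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/color-helper/-/color-helper-2.3.1.tgz",
            "integrity": "sha512-" + "B" * 86 + "==",
            "hasInstallScript": True,
        },
        "node_modules/path-matcher": {
            "version": "0.9.0",
            "resolved": "https://cdn.example.net/mirror/path-matcher-0.9.0.tgz",
            "integrity": "sha512-" + "C" * 86 + "==",
        },
        "node_modules/tiny-logger": {
            "version": "4.0.2",
            "resolved": "https://registry.npmjs.org/tiny-logger/-/tiny-logger-4.0.2.tgz",
        },
    },
})


def audit_lockfile(lock_text, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return a sorted list of (package_path, finding) tuples for the lockfile."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        if entry.get("link") or entry.get("inBundle"):
            continue  # workspace symlinks and bundled deps have no tarball of their own
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append((path, "missing or weak integrity hash"))
        resolved = entry.get("resolved")
        host = urlparse(resolved).hostname if resolved else None
        if host not in allowed_hosts:
            findings.append((path, f"resolved from unexpected source: {resolved}"))
        if entry.get("hasInstallScript"):
            findings.append((path, "runs install-time lifecycle scripts"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{path}: {finding}")
```

Run against a real lockfile (`audit_lockfile(open("package-lock.json").read())`) this is a review gate, not a verdict: an install script is legitimate for packages that compile native code, and a private mirror is fine if it is the mirror you expect. The value is that every new install hook or new source shows up in the diff of the audit output when a dependency bump lands, which is exactly the moment a compromised release would otherwise go unnoticed. Pinning with `npm ci` so that the integrity hashes are enforced, rather than `npm install`, is what makes the hash column mean anything.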
In this episode of the CISO Tradecraft podcast, host G Mark Hardy speaks with Tim Brown, the CISO of SolarWinds, at the Black Hat conference in Las Vegas. They delve into the details of the infamous SolarWinds breach, discussing the timeline of events, the involvement of the Russian SVR, and the immediate and long-term responses by SolarWinds. Tim shares insights on the complexities of supply chain security, the importance of clear communication within an organization, and the evolving regulatory landscape for CISOs. Additionally, they discuss the personal and professional ramifications of dealing with such a high-profile incident, offering valuable lessons for current and future cybersecurity leaders.

Chapters
00:00 Introduction and Welcome
00:59 The SolarWinds Incident Unfolds
03:13 Understanding the Attack and Response
04:04 The Role of SVR and Supply Chain Security
10:43 Technical Details of the Attack
14:56 Compliance and Reporting Challenges
19:24 Rebuilding Trust and Personal Impact
22:06 CISO Concerns and Company Support
22:14 Legal Challenges and Company Expenses
23:40 SEC Charges and Legal Proceedings
29:35 Supply Chain Security and Vendor Assurance
35:47 CISO Accountability and Industry Standards
39:41 Final Thoughts and Advice for CISOs
Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques. Resources https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/ https://www.forrester.com/report/the-future-of-software-supply-chain-security/RES184050 Show Notes: https://securityweekly.com/asw-343
Welcome to another episode of Data Driven, where we delve deep into the crossroads of data, technology, and the ever-shifting world of geopolitics. In this packed episode, hosts Frank La Vigne and Bailey are joined by Christopher Nuland, AI technical marketing manager at Red Hat, for a candid, no-holds-barred discussion on the newly released America's AI Action Plan. Together, they tackle everything from the resurgence of Cold War tensions in the AI arena to the complexities of "AI sovereignty" and what it really means for the US, China, and the rest of the world. Expect spirited debates about the EU's place in the global AI race, the real-world implications of chip supply chain disruptions, and the heated rhetoric around workforce security in an era when AI is starting to replace traditional jobs. The conversation weaves through existential questions (can AI ever truly reason, or are we just witnessing the rise of superpowered "spreadsheet goblins?") and gets hands-on with the very real risks (and opportunities) of rolling out LLMs in everyday workplaces. Plus, the team touches on power-hungry data centers, potential impacts on the job market, and even finds time to swap sci-fi references from The Expanse to Ghost in the Shell to help paint a picture of what our AI-dominated future might look like. Buckle up for a dense, dynamic, and dangerously nerdy journey into the world of AI policy, technology, and what it means for all of us. Let's get into it! Timestamps: 00:00 AI Geopolitics & America's Action Plan 08:14 EU's Role in Tech Hierarchy 14:10 "US Focus: Securing AI Workforce" 20:40 Supply Chain Security in Software 24:24 Politicians' Technical Proficiency Limits 27:19 AI Sovereignty and Cultural Values 33:52 CHIPS Act: Innovation and Expansion Hopes 38:11 "AI Vulnerability: Patch Attacks" 47:58 Maryland Power Line Controversy 50:09 "AI Impact on Jobs & UBI" 55:47 Techno Feudalism Perspective 01:04:41 "AI Sovereignty: A Geopolitical Chess Match"
In this episode, I sit down with Daniel Bardenstein, CTO & Co-Founder of Manifest Cyber. We discussed AI supply chain security, including open source risks, AIBOMs, best practices for CISOs, and regulatory approaches in the U.S. and EU. We dove into: what is the same and different between the risks AI introduces across the enterprise compared to open source software, and where and how the two converge; the rise of an "AIBOM" and why it is becoming a critical part of enterprise risk management in the AI era; the work Daniel and others are doing as part of a Tiger Team defining "SBOM-for-AI-Use Cases"; why it is so difficult for organizations to gain visibility into their AI models' internals, especially training data, model provenance, and pipeline dependencies; where CISOs and security teams can get started when it comes to understanding where and how AI is being used and avoiding some mistakes; gaps among the current waves of AI security startups and how they contrast with the approach Manifest is taking when managing AI supply chain risks; real-world insights and examples of how organizations operationalize SBOM for risk reduction; and key differences between the U.S. and EU regarding regulatory approaches to AI and supply chain security risks.
While the U.S., India, and countries in the Persian Gulf are all moving quickly to establish new critical mineral supply chains, the European Union is struggling to follow suit, particularly in Africa. The EU currently lacks a cohesive policy framework that would bolster mining companies, support partner countries, and encourage the development of a mineral processing sector that can lessen Europe's current dependence on China. To do this, the EU should follow China's model in Africa, where it paired extraction with the development of vital infrastructure, according to a new commentary from the European Centre for Development Policy Management (ECDPM). The authors, Poorva Karkare and Karim Karaki, join Eric & Géraud from Brussels to explain why the EU should strive for strategic complementarity rather than competition with China in Africa. SHOW NOTES: ECDPM: The EU's playbook for African minerals amid China's dominance by Poorva Karkare and Karim Karaki AFRICA POLICY RESEARCH INSTITUTE: The tumultuous path toward EU-China-Africa trilateral cooperation on Critical Raw Materials in Africa by C. Géraud Neema JOIN THE DISCUSSION: X: @ChinaGSProject | @eric_olander | @christiangeraud Facebook: www.facebook.com/ChinaAfricaProject YouTube: www.youtube.com/@ChinaGlobalSouth Now on Bluesky! Follow CGSP at @chinagsproject.bsky.social FOLLOW CGSP IN FRENCH AND ARABIC: Français: www.projetafriquechine.com | @AfrikChine Arabic: عربي: www.alsin-alsharqalawsat.com | @SinSharqAwsat JOIN US ON PATREON! Become a CGSP Patreon member and get all sorts of cool stuff, including our Week in Review report, an invitation to join monthly Zoom calls with Eric & Cobus, and even an awesome new CGSP Podcast mug! www.patreon.com/chinaglobalsouth
In this episode of Identity at the Center, hosts Jeff Steadman and Jim McDonald are joined by Jerome Thorstenson, IAM Architect with Salling Group, live from EIC 2025 in Berlin! Jerome shares his insights on B2B identity, the challenges of managing access for a complex supply chain, and the importance of an identity-first approach. Discover how Salling Group, operating major labels like Target and Starbucks, handles identity for thousands of employees and external partners. Jerome dives into the complexities of balancing security, user experience, and the practicalities of implementing IGA and ABAC. From navigating the challenges of data quality and high employee turnover to the nuances of transitioning between IGA systems, this episode offers valuable insights for identity practitioners. Chapter Timestamps: 00:00:00 - B2B Identity Challenges 00:02:14 - Welcome to Identity at the Center from EIC 2025 00:04:14 - Jerome's Journey into Identity 00:05:19 - Salling Group Overview 00:06:57 - Securing B2B - Jerome's Presentation 00:10:54 - Controlling Access in B2B 00:11:41 - Identity as a Product 00:14:51 - The Role of the IAM Practitioner 00:16:31 - ABAC as a Game Changer 00:21:00 - Language Considerations in a European Context 00:22:33 - Employee Turnover Challenges 00:25:07 - IGA Implementation Insights 00:29:28 - Identity Fabric Discussion 00:31:21 - Jerome's Caribbean Background 00:34:06 - Wrap-up and Contact Information. Connect with Jerome: https://www.linkedin.com/in/jetdk/ Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, EIC 2025, B2B Identity, Identity First Security, IAM, Identity and Access Management, Supply Chain Security, IGA, ABAC, Attribute-Based Access Control, Role-Based Access Control, Identity Fabric, Digital Identity, Cybersecurity, Data Quality, Employee Turnover, Caribbean
In this episode of Zero to CEO, I speak with Paula Paul, Founder and Distinguished Engineer at Greyshore, about how companies can drive real value from open source software. With over four decades of experience in tech, Paula shares insights on open source supply chain security, the power of community, and how organizations can adopt cloud-native technologies more efficiently. We also explore the shift from “every company is a tech company” to “every company is a SaaS company,” and Paula reflects on her remarkable journey as a woman in tech since the 1980s. This episode is a must-listen for anyone interested in software innovation, digital transformation, and the future of technology.
While America's eyes are elsewhere, a bombshell Wall Street Journal report reveals China has openly admitted to cyberattacks on critical U.S. infrastructure — water systems, ports, airports, even nuclear plants. In a secret December meeting, Chinese officials confessed to launching the series of attacks known as Volt Typhoon as punishment for U.S. support of Taiwan. The Biden administration's stunned reaction, Trump's shaky response, and the media's silence raise urgent questions: Are we already under digital siege? And can we afford to keep letting our enemy build the tech our lives depend on?