FortiBleed is the antidote to vague “AI-powered attacker” talk.
AI was wired into reconnaissance, credential processing, prioritisation, tooling, and workflow. They didn't prompt the agent, the agents prompted them. *That* is AI adoption for cyber.
🎧 New Podcast Episode: https://t.co/ECMTM0kCSG
Mythos on your desk. Source-local code reviews with frontier-like capabilities. @SecReLabs founder Karsten Nohl and I talked for an hour about this in the latest Risky Business Features episode that's available now on YouTube as well as on your favourite Podcast app.
This episode is based on Karsten's recent research and blog post "Beyond Fable: Can a Local LLM Replace Cloud AI for Security Code Reviews". As we got talking though, it became clear to me that this is not just for code reviews. It's equally as useful as a way to construct pen test, patch review, and coding agent harnesses that address cost, privacy, and sovereignty concerns.
Use the larger LLM for tasks best suited to it, keep the specific code-level tasks running locally on a smaller LLM. How small? Karsten got great results with a MacBook Air with 32GB of RAM. That's crazy. And, it's also the future with increasingly capable open-weight models.
AI jailbreaks are not magic incantations.
They exploit context, framing, classifier gaps, long transcripts, decomposition, and the fact that different models classify intent differently.
This episode is a technical explainer on the Fable 5 / Mythos 5 saga:
🎧 https://t.co/VwHCuTRlqN
npm v12 takes some steps toward making it harder for supply chain attacks and worms to spread… but, for many reasons, it won’t actually stop these attacks.
Paul McCarty from Open Source Malware Security and I discussed this at length on the latest Risky Business Features episode.
We covered the history of how we got here, the specific elements of npm that make it vulnerable, what the npm v12 changes will and won’t achieve, and most importantly… what can defenders do to ward off these increasingly frequent supply chain attacks?
Enjoy!
New solo ep: a deep dive on TeamPCP.
Not a recap. A profile of how they went from clumsy Kubernetes/Docker abuse to GitHub Actions, npm, PyPI, TanStack and signed malicious artifactsuper villains. And, what can we learn from this?
https://t.co/Ew71j5e0be
Hate to break it to you, but a supply chain attack is going to get you. It's going to get me. The whole package ecosystem is too much of a dumpster fire to call this anything other than inevitable -- and entirely foreseeable 🤦🏻♂️
Check out my episode of Risky Business Features this week for some practical advice on how to survive this new reality.
🎧 https://t.co/VbhUPy4nUK
Brad Arkin (former CISO at Adobe, Cisco and Salesforce) joins me to talk through the history, the confronting reality, the massively expanded attack surface (lookin' at you, agents!), and what to do now.
Nicholas Carlini gets Claude to write exploits by feeding it context files with his kernel commits and security mailing list emails so it trusts he's a legit researcher.
He immediately pointed out this could become a black market for fake security researcher context packs.
Great interview. https://t.co/P8JjQ4tn1w
Mythos.. what does it really mean for a startup? Is it the end of secure software, a new SaaSpocalypse, time to give up integrating with enterprises? @ybernstein and I covered all this and more on today's Risky Business Features. https://t.co/pmTjYpfk0a
Mythos and 0day: a hackers perspective. 🎧 https://t.co/YiB7QJGsJ6 … I wanted to hear what Anthropic’s #Mythos means for someone who does hacking for a living. @theonejvo from DVULN and Aether AI joined me to share some ground truths about what’s already possible, and what Mythos might bring to the table. Enjoy!
Everyone covers North Korea getting the job. Geoff White (BBC's Lazarus Heist and Cyber Hack) and I spent an hour on what happens after. Logic bombs. Military units doing your Jira tickets. A woman running 72 laptops. A Chinese middleman who boarded a private jet with $30M and was never seen again. And sometimes, damn good coding! It's a lot: https://t.co/u1Ehsec7E7
We've got to let go of some things that might've previously been a hard-no. Now's the time to make it easy to do the right thing, not even harder to do the wrong thing.
Join me for a chat with Brad Arkin (former CISO of Cisco, Salesforce and Adobe) about the latest epic supply chain hacks, and the conversations going on at RSAC recently... on the latest episode of Risky Business Features at Risky Business Media
We're on the cusp of something huge. Buckle up! Link in the comments below.
🧵 Just published: I ran an incident review of the Stryker cyberattack with @bradarkin. Here's what every security leader should take away.
1/ Attackers phished a single Intune admin credential. No malware. No zero-day. They used Microsoft's own device management to wipe 200K+ devices and 12PB of data. Every system worked exactly as intended.
2/ Brad's first question in any incident review: "What do we have that's like Intune?" Not just Intune. SCCM, Jamf, SaltStack, your DevOps orchestration tools. What can be weaponized?
3/ The real tragedy: there was probably a project team at Stryker that celebrated getting everything onto Intune. Migration complete! 🎂 And that consolidation became a single point of catastrophic failure.
4/ Brad: "The Intune super admin needs to do super adminy things, but what we consider proper super admin permission set is a tiny subset of the total capabilities." Shrink-wrap permissions to actual use cases.
5/ BYOD made this worse. Personal devices enrolled in MDM got wiped too. Employees lost everything. Photos, contacts, everything. Some had no way to reach anyone at all.
6/ Brad's advice: Call your highest-titled Microsoft sales rep. Lay Stryker at their feet. Cancel their building badge. "Whatever happened to Stryker, the second company won't get the same pass from customers and regulators."
Full episode 🎧 https://t.co/SoCT8dO5kf
Model Context Protocol is Dead. Killed by the shell. MCP showed us that LLM + Tools = real utility and productivity. Then AI Agents showed us they just want a shell. That has serious security implications.
🎧 https://t.co/L5KgphHNbh
A CTO asked me how to get their CEO to prioritise paying down technical debt. My answer: stop calling it that. Technical debt triggers an unpredictable response and the pitch is always net-negative.
Reframe: call it a velocity tax.
https://t.co/TGkMMls8Yo