
A
This is Rich Stroffolino with the Department of No. We're going to get started today with Chris Ray, the field CTO over at GigaOm. I've got to ask, what is your priority? What has been your priority this week?
B
Getting back in the development seat, as we were talking about, Rich. That is
A
Has it been exciting, terrifying? Like, where on that spectrum are we?
B
Mild amounts of both, but also, I'd say, moderate to high amounts of fun. It's been excellent.
A
Excellent. Yeah. Getting back in the saddle. I have to welcome on our other guest, Bruce Schneier, the chief of security architecture over at Inrupt. Bruce, I'm going to ask you, I'm going to change it up a little. What was one thing that made you happy in cyber this week?
C
I really like seeing the Pope write about AI. He actually did a really, really good job and weirdly enough, he quotes Gandalf.
A
I saw that and I had to triple-check that that wasn't an Onion
C
article, like I had to go name that would. But he does, like, as the noted Catholic author J.R.R. Tolkien wrote in one of his protagonists or something like that. He has a roundabout way of saying it, but he totally quotes Gandalf, which
A
A first for the papacy.
C
I think reliably this is the first pope that has played D&D.
A
We're in wild, crazy times. There is, there may be lights at ends of tunnels, who knows. But I do know that producer Josh, you have to run that opening. Let's get the show started. From the CISO Series, it's Department of No. Hello indeed. Welcome to the Department of No, your virtual Friday strategy meeting. A huge thanks to our sponsor for today, which is Guardsquare, helping make the show happen and keeping us on the air. Remember to get involved in our YouTube chat live. We broadcast every Friday at 4pm Eastern. If you're not catching us live, don't try and participate now if you're listening later. But if you do catch us live at 4pm Eastern, get involved in the chat. We'd love to have you there, or feedback@cisoseries.com. And if you're using the POP3 protocol for your email, please let me know. I'm fascinated by you and I want to know more about you. A quick disclaimer here that all the opinions expressed by our guests are in fact their own, not necessarily those of their employers. We've got about 30 minutes here, so let's get into it with our Know or No section. This is where we need to determine if these news stories are things we need to be bringing to our security teams, knowing more about, or if we're going to say no thanks, I'm good. I got the deets. No need to go any deeper here. First up here, Microsoft slams GitHub zero-day disclosures. Microsoft is criticizing a researcher known as Chaotic Eclipse who published proof-of-concept code for multiple Windows flaws, bypassing Microsoft's disclosure process. The company said three of the bugs, Blue Hammer, Red Sun and Undefend, which affect Defender and BitLocker, are being actively exploited and warned that releasing details before patches are available puts customers at greater risk. The dispute escalated after the researcher's GitHub and GitLab accounts hosting the code were removed.
Chaotic Eclipse criticized Microsoft for deleting the Microsoft account that they could use to report the bugs and ignoring attempts to report the issues overall, before warning that there was something else coming on July 14th, with some ominous language here. Bruce, I gotta say, nothing like a little security researcher drama here. Obviously the issues published by Chaotic Eclipse should be on everybody's radar here, but is there anything about this, this breakdown in the coordinated vulnerability disclosure process, that you personally want to know more about?
C
Probably not here. And I guess the researchers are right and Microsoft's archaic in how you report things, but this kind of thing is going to happen a lot. We're going to see a lot more zero-days with AI, and getting these processes right is important, or this kind of chaotic zero-day release is going to happen more and more.
A
Chris, what about you? Are you in the same zone there? Like, is this a warning to Microsoft to, hey, get ready, the deluge is coming? I mean, they're making the tools that are allowing this stuff to happen, or at least part of it.
B
Yeah, and I'm, you know, I try to distance myself from the drama because there's enough of that to go around. So I'm going to say this is a Know It. And the takeaway is, you know, three actively exploited bugs in Defender and BitLocker. That's not research or drama. It's a calendar event that your SOC needs to have on the radar before July 14th.
A
Absolutely, absolutely. All right, next up here, Netherlands blocks the sale of authentication tech to the US. In November, the US firm, I've been struggling with this all week, Kyndryl announced it would acquire the Dutch company Solvinity. All of these have spellings that make no sense. Which operates the DigiD app platform that citizens use to authenticate identities with public authorities. In a letter to the national Parliament, the Dutch government said the national authority that screens investments had advised the government to block the acquisition as it posed a possible risk to the public interest. This announcement comes a week before the European Commission releases a tech sovereignty policy proposal to reduce EU reliance on foreign technology, particularly in the cloud and AI. Chris, the idea of US ownership of a Dutch identity authentication service being a risk to the public interest, that feels, I don't know, kind of like a big deal here. Obviously, we'll know more when the EC releases its full proposal in terms of broader impact here, but do you want to know more about the rationale behind the block here, or is this a no thank you for you?
B
This is one that I'm split on. I'm going to ride the fence, I'll say. If you're a CISO with an organization that does business in Europe, this is Know More. Definitely Know More. If that's not in your domain, if that's not in your scope, then why do you care? You know, it's probably something just to bookmark and kind of keep in the back of your mind, but every CISO with European Union operations needs to understand that trusted vendor is now a geopolitical determination. It's not just a security audit result.
A
I like that. Bruce, do you agree there or how did the story find you?
C
I think that's right. As the US becomes a pariah state around the world, you're going to see more other countries pulling back from US tech. Blocking a US-European merger is a way for the EU to keep some tech in the EU. And as they're trying to build a sovereign tech stack, they're going to need stuff like that. Whether you care as a company, God, it really depends on how the US goes and how much worse it gets. And we just don't know.
A
And also for future acquisitions. But please use regular vowel placement to make it easier on US reporters.
C
All the good company names are taken. Just. That's the way it goes.
A
It's. Yeah, it's like three-letter URLs anymore. There's just none of them that are out there. All right, next up here, speaking of inexplicable spellings, no-code comes to malware. ESET researchers published details on an Android remote access Trojan called BT Mob, that's what I'm going with for pronunciation, which ships with commercial-style packaging and includes an APK builder to let buyers generate a new payload and reconfigure phishing lures without any coding. No coding required, Phil Collins style. Ultimately, BT Mob is capable of full device takeover by abusing Android's accessibility services. Nothing new there. It's a pretty tried-and-true method. This malware-as-a-service operation is sold through Telegram channels as well as X and Instagram accounts, offering a $5,000 lifetime license plus additional monthly support fees. Chris, we've seen commodified ransomware services for over a decade now, but a no-code Android RAT? I don't know, that feels pretty novel to me. Do you want to know more about BT Mob, or with AI-developed malware already coming at us, is this maybe more of a footnote in what will be a deluge of roll-your-own?
B
I'm going to take your excitement and I'm going to blunt it. I'm going to put it this way, I'm going to say no thanks. You know, okay, it's interesting trivia, but your, like, Android security posture doesn't change based on this specific tool. The category is already a known concern. You know, BT Mob, whatever you want to call it. I don't know, it's the Squarespace of malware. It lowers the floor, sure, but we already had WordPress. The people who couldn't code before still can't afford the $5,000, and the serious attackers have better tools already.
A
Interesting. I like the comparison. Bruce, does that stand up to you and are you in the same boat here?
C
I mean, that does sound right. I didn't think of it that way, but I think he's got a point. You know, the problem of course is Android. I mean, who has to worry about this is Google, right? Is to patch Android. But really what matters is what kind of phone do you have. If you have some third-party phone, does that patch get to you, and how fast? And if you have a Pixel, it's probably pretty quick. If you've got some random Android phone, it might not be.
A
All right. Before we move on to our deep dive discussions, because we want to get in there, a lot of big meaty topics in there, got to spend a few moments and thank our sponsor for today. And that of course is Guardsquare. Mobile security incidents are no longer the exception. They are the norm. Last year 72% of companies suffered a mobile app security incident. As the primary gateway to your APIs and data, your mobile app requires more than just basic encryption. It needs a multi-layered security strategy. Protect your brand and your bottom line with layered mobile app protection. Learn more at guardsquare.com. All right, let's get into our discussion here. One of the big stories came out this week, at least for me. IBM and Red Hat committing to Project Lightwell. The company and its subsidiary have invested $5 billion and assigned more than 20,000 engineers, or at least committed the engineers, I'm not sure how that works, to Project Lightwell, a new initiative focused on securing open source software used across enterprise supply chains. This centers on an AI-powered enterprise clearinghouse that will identify, prioritize and validate vulnerabilities in widely used open source projects, then work with maintainers to develop and distribute secure patches through commercial subscriptions. There's some major financial institutions on board with this initiative already. Basically every major bank and payment processor. BoA, JPMorgan Chase, Visa, some of the notables there as well. But you name it, they're probably on there. I'm just going to repeat here that 2026 is the year that every assumption about open source is being tested all at once at scale. That's kind of my running hypothesis for this year. It seems like this is an industry response to the reality that everything is built on open source. So maybe we should work together to not let the golden goose die. I'm curious, Bruce, from your perspective, does this clearinghouse model seem like it could work?
Because it definitely seems like this feels like a very natural extension of Red Hat's business model already. Right?
C
A couple of weird things about this. There's no way in the world 20,000 engineers are full time on this project. I mean, that just doesn't make sense.
A
It's a good headline.
C
And I don't even see how you can spend 5 billion unless they're talking about over 10 years. So we don't, I guess we don't know a time horizon. I like the fact that we are going to find vulnerabilities and patch open source projects. Probably going to use AI tools, which should be good at finding, less good at patching. So we need the human engineers. But I mean, what is this? We're going to patch the open source tool and then only tell people who pay what the patches are? Kind of bullshit.
A
And they're going to be working with maintainers on it. Yeah.
C
So I mean, I don't. I don't know what's going on. I mean, I think it's being reported wrong. Something different is happening.
A
Yeah, the.
C
The.
A
Chris. Yeah. Jump in here. Are you on the same boat here?
C
Yeah.
B
I hadn't thought of it the way Bruce is seeing it, but there is something that you said, Bruce. The money. Five billion. Over what time horizon?
A
We don't know.
B
In my head, I'm thinking 5 billion, 20,000 engineers, they're saying hold my beer. Anthropic is going to have a great quarter, right? Like 5 billion in tokens spent.
C
Yeah, be careful. It's not just Anthropic. And here is, like, Anthropic's marketing machine working great. They've convinced everybody that their model is better, and it turns out, right, the OpenAI model that's already been released is just as good. A UK group released a report on that last month. The open source models, the smaller models are just as good. I mean, I know Anthropic gets the press, but let's not carry their water. Systems are good at this.
A
And we will be getting into some Mythos news, I think, later in the discussion here, but I get pissed
C
off all over again.
A
Bruce, Bruce, are you saying a company that's about to IPO is trying to hype themselves up? This is, I mean, think about it,
C
the best way to go your stock price. Our product is so good.
A
That's the household name.
C
I mean I wish I thought of that.
A
If so, let me reframe this. If the Linux Foundation came out with a similar project like this, where they said we have blocks of money, we have commitments from giant tech companies that are committing X amount of man hours or whatever, or human hours, to engineer this, and a similar ST program, does this idea, like, theoretically, this idea of a clearinghouse, does this help solve the problems that we are seeing, at least on the open source supply chain side? I'm curious.
C
I mean, yes, and it's not Linux, but the Open Source Security Organization announced that like two years ago. So we already have this project, and the Alpha-Omega project, I think, is Google, right? Looking at the top 10 in detail and the top thousand with automatic tools. So we do see a bunch of these projects. So again, why is this another one? What's going on? I don't know. Something I think is weird in this reporting. I think there's a lot more here that we would need to know before we know how much to take this seriously. Not a care, but certainly the more people looking at open source projects and fixing them, the better. The fewer people looking at them, fixing them and then charging a few people for the fixes, the better.
A
The good news is that the open source community is very vocal when they feel like this is a bad deal. And so we will follow up on it on Cybersecurity Headlines as we kind of get more of the community reaction to this. But I think it is interesting to see a market kind of attempt at a response from companies that are clearly invested in this. I do think that is interesting. Next up here, Glassworm botnet gets shattered. CrowdStrike says it worked with Google and the Shadowserver Foundation to take down Glassworm, a self-propagating credential-stealing botnet targeting developers through poisoned software packages since early 2025. The coordinated action disrupted all four of Glassworm's command and control channels at once. Researchers say the malware spread through compromised VS Code extensions, npm and Python packages, which is pretty much how we're doing all software supply chain attacks these days, and more than 300 GitHub repos, using invisible Unicode injection plus Solana, Google Calendar and BitTorrent DHT infrastructure to resist takedowns. They were using that to kind of spread out all of their C2 communications, which I just found fascinating. But hey, I guess score one for the good guys. Good things can happen. You have to check out the show notes if you haven't checked out some of the technical details of how this botnet was working. It is fascinating. Chris, from your perspective, I'm curious. This kind of coordinated takedown seems like it required a non-trivial amount of effort. Does this move the needle for you, or is this just another round of botnet whack-a-mole? Like, good, but oh, oops, everything will come back. There's 9,000 other botnets. We're all screwed. Still.
B
Yeah, there's something. My feel on it is somewhere in between those two points. I think, in my head, trying to get anything done at Google is probably damn near impossible, right? Imagine now coordinating that across all of these different organizations. I mean, that's impressive. I'm glad that the outcome was positive. That's impressive to me. The win is real. But the lesson is the attack map. If your developers are implicitly trusting their toolchain without verification, you're obviously the next Glassworm campaign's ideal target. There's a couple bullet points here that jump out at me. Like you said, the diversification of the C2 as a resilience strategy, using Solana, using Google Calendar, BitTorrent simultaneously. It's clever. It's also deliberate. They're diffusing their attack surface, their ability to get shut down. Defenders have to simultaneously cut four completely different service dependencies to achieve this disruption. That's, again, I think that's an impressive
A
milestone that we're all designed also to be insanely distributed. To resist like that, to me, is the most impressive part. It's like there's multiple things that are hard to disrupt. They took this. Bruce, I see a nod of your head here. What are you making of this Glassworm takedown?
C
I mean, it's good, I agree. Score one for the good guys. And it turns out this makes a big difference, that taking down these systems really sets back attackers. And we're getting better at coordinated defense, coordinating multiple countries, multiple agencies, multiple companies to do this thing at once. So, yes, it's an arms race. The defenders are getting better distributed and better at resisting these things. But, you know, in the end, every computer is in a country somewhere, and the more we can do this, the better. So I like seeing this. I don't think this is a game changer, but it's certainly, you know, it's good to see another coordinated defensive operation.
A
I do wonder, long term, I guess, like, for me, does this do anything to change the incentive structure, right, to operate these botnets? You know, like, if we see that there is more willingness to coordinate, to do that hard work, to do these types of disruptions, assuming that this sticks, because we have seen, you know, I mean, talk to Mirai and endless variants that have come back, you know, zombie botnets that have come back online, can we just, like, when we disrupt the economics, that kind of changes the willingness to engage in this kind of stuff? Is there anything in there that this kind of coordination would signal to groups operating stuff like Glassworm that it's less worth it over time?
C
I don't think yet. I mean, I think it's because it
A
still is worth it.
C
It seems these things are still making a lot of money. But remember, the goal is really not to, you know, the goal is not to run. The bear goes out, run everybody you're with. So maybe the criminals go elsewhere, they go to other countries and use other tools. They do less impressive things eventually. I hope we can, you know, make the economics bad for these criminal organizations, but I think we're a long way off that because the economics is just so good.
B
Yeah. As I'm listening to this and thinking about it more, it reminds me a lot of, you know, the analogy here would be the drug trade moving across borders. Governments get very excited when they catch some, right? And they're like, we're really making a dent. We're inhibiting. We're showing them that we're going to catch them, that we're going to stop this. And it's like a tiny fraction, whatever, 1% or 2% of the total trade coming across the border. I don't know if there's an economic incentive there yet. And this is similar to that. It's like, okay, they got one, but what about the other 10?
C
Yeah, I think we're doing better, though. I mean, like, 1 out of 10 is 10%, and if it's a big one, it's like 20. So we do make a dent. We see visibly the amount of this going down. It goes back up again because the gangs reform, they build new tools, but it does make their work harder. So, you know, we got it. This is going to be the answer. We just forgot. We just have to do it more.
B
I'm gonna make a prediction. I'm gonna say I'll be disappointed if there isn't a Black Hat or DEF CON talk about how this was coordinated, because I think that's the real win here. I mean, bringing this down is obviously really good. Good, score one for the good guys. But if it's not repeated, if the lessons learned aren't shared, then I don't know how many more times we're gonna
A
be able to do it. Yeah, I definitely want to read the white paper about just going deep into the methodologies here, because combating that level of distributed infrastructure is fascinating to me. All right, so my other theme of 2026: we haven't talked about AI enough or about Anthropic enough. So we have to, we're obligated to, or we'll get taken down by some sort of agency if we don't. So our last discussion story of the day: Claude Mythos AI finds 10,000 high-severity flaws in widely used software. The company disclosed that Project Last Wing has helped uncover more than 10,000 high- or critical-severity vulnerabilities since it went live last month, looking at 1,000 open source projects. Specifically, Mythos flagged 6,200 vulnerabilities as high or critical. Researchers then looked at about 1,700 of those and confirmed that 62% were in fact high or critical. The other ones were still vulnerabilities, but less so. Commercially, Cloudflare said they found 2,000 bugs in critical-path systems. About 400 of those were high or critical rated, and it had a better false positive rate than human testers. There were some other industry tests, you know, people, companies in industry that had released some results as well in Anthropic's report. Cloudflare just was the biggest one. The end of the report, though, gave me a little pause, with Anthropic saying at present, no company, including Anthropic, has developed safeguards strong enough to prevent such models from being misused and potentially causing severe harm. And Bruce, as you alluded to, it also said that models that are Mythos-capable will be coming from many different AI companies, if not already here. Codec security, etc., etc. Chris, from your perspective, how are we supposed to process that kind of statement as an industry? Here's this incredibly valuable tool. Also, we have no safeguards at all.
B
Yeah, there's so many things banging around in my head, I'd say the finding count is staggering. Of course, that's the headline, but Anthropic's own disclaimer is the story. When the creator says the safeguards aren't keeping pace with the capability. That's not a footnote. That's the entire conversation that we should be having. There's a practical implication here. Organizations that don't integrate AI assisted vulnerability research into their AppSec programs in the next year or so will be operating with a structurally inferior threat model. This isn't optional as far as the evolution goes.
A
Bruce, what about you? I mean, we were starting to get into it in the other discussion story. There's some skepticism about, you know, Mythos claims here for sure, but, you know, what is that warning? Just more Anthropic hype?
C
Yeah, it's hard to know, because again, you don't get the details. So you gave the impressive numbers. 75 of these were patched. What? Like, how is that? I mean, the numbers don't make sense. So something is weird here. These are, you know, self-presented. We don't see the details. So we also don't know the false positive rate, a problem with pretty much all these Anthropic numbers. We don't know the cost. And, you know, let's pretend this is good, that Mythos is really good at finding vulnerabilities. This is good for the defenders, right? I mean, everyone's saying, I don't know that this is bad. Like, why isn't this good, that we can find and fix? Firefox fixed what, 271 vulnerabilities? Those vulnerabilities are gone from now until the end of time. So Chris is right. I think this kind of stuff gets folded into the DevOps process. Every piece of software written from now till the end of time will go through this kind of process. Probably not with Mythos, it's too expensive, but with one of the smaller, cheaper models that turned out to be just as good if you're an experienced programmer, and we'll be finding and fixing all these vulnerabilities. We're still at the point where automatic finding and exploiting is easier than finding and patching. Yeah, right. But I'm hoping automatic patching gets better. I'm imagining a self-healing network where this kind of stuff happens in the background all the time. We're not there yet, we might never get there. But remember, this is in source code. So what we're looking at, either the vendor patches their own stuff. Imagine Microsoft patching any operating system. An attacker doesn't have the ability to run that tool against the Microsoft source code. Now they do against open source products. And we talked about the move to sort of patch and look at open source. But, you know, this kind of stuff benefits the defenders more. We'll see, will they get good enough to look at object code?
That'll be interesting and that'll be different. Again, a lot of unknowns here, but mostly the big unknown is Anthropic tells a lot of stats and doesn't support anything with facts.
A
Is that when. Because I feel like a lot of CISOs are in a position right now where business leaders are coming to them, and they saw this headline on Reuters, and they're saying, you know, are we SOL, you know? And is the rejoinder to that: this is actually an incredible, like, an opportunity that we have never had? Like, is it to spread that message, just to counter with that message of optimism? Is it to say we need to be working yesterday to build that already into our DevOps process? Like, I'm curious, from connecting those two worlds, right, where, you know, this is a very breathy headline that a lot of people are seeing, as a security leader, like, what do you do with that? How can we translate that?
C
So I'm going to suggest something for everyone to read. It is from the CSA, the Cloud Security Alliance, and the title is The AI Vulnerability Storm: Building a Mythos-Ready Security Program. This is a document that like a hundred of us wrote in like the first weekend after that announcement, with some really good advice for companies. Right. Expect a deluge of patches coming your way from, you know, again and again. Be ready for that. Expect a lot of new zero-days. Get ready for that. It's going to be a tumultuous time as this sort of churns through. But that document is full of really practical advice that kind of everybody listening to this should read. So Cloud Security Alliance, easy to find.
A
We will put a link to that in our show notes as well for anybody that is interested. Bruce, thank you for the recommendation. Before we get out of here, CCL in our chat, who's one of our regulars here, very quickly here, he would love to ask you, Bruce, if there is something fundamental that can be done to secure the larger population. This is just kind of a general question, say, making 2FA mandatory. Is there anything that comes to your mind, Bruce, that would be a fundamental, you know, upskill for security here for everybody?
C
You know, the thing I always point to is break up the tech monopolies. I think it'd do more for security than anything else we can do. So actual competition in our environment. I mean, yeah, we can talk about, you know, little things around the edges that we all can do. The problem is structural. Right. The problems have sort of gotten out of our hands. Everything's in the cloud. Doesn't matter what you do, it's going to be the security of everybody else who has your data. So I always push to try to get some competition back in tech.
A
Well, thank you both so much. Bruce Schneier, chief of security architecture over at Inrupt, and Chris Ray, field CTO over at GigaOm. We will have links to both. Bruce, we'll have a link to your eponymous website in the show notes, and Chris, we'll have a link to your work at GigaOm and also to your LinkedIn as well. Thank you both so, so much for taking the time being here. Truly, truly appreciate it.
C
Thanks for having us.
B
Thanks Rich.
A
Thanks also to our sponsor for today, helping make the show possible, Guardsquare. Make sure you are giving them a look next time you are on our site and find out more information about them. Remember, you can also send us feedback anytime: feedback@cisoseries.com. Join us next Friday at 4pm Eastern for another edition of the Department of No. Thank you so much for joining for our Friday stand-up here. Have a great week. Stay secure out there. And for myself, for Bruce, for Chris, for our wonderful producer Josh, for the big boss man David Spark and the rest of the CISO Series team, here's wishing you and yours to have a super sparkly day. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Episode: Google's CodeMender, CISA's big leak, Torvalds open-source warning
Date: May 29, 2026
Host: Rich Stroffolino (A)
Guests:
This episode of “Cybersecurity Headlines: Department of No” gathers industry experts to analyze the latest stories shaking the information security world. Main themes include the escalation of zero-day disclosure drama (especially between Microsoft and security researchers), the geopolitics of tech sovereignty, trends in commodified malware-as-a-service, the evolving economics of botnet take-downs, and how AI-driven tools are revolutionizing vulnerability detection (with the attendant risks and uncertainties). The panel also grapples with open-source supply chain security, the realities of patching at scale, and philosophical takes on structural reforms for cyber hygiene.
Timestamps: 01:21–04:27
“Getting these processes right is important or this kind of chaotic zero day release is going to happen more and more.”
Timestamps: 04:27–06:36
“Blocking a US-European merger is a way for the EU to keep some tech in the EU... they're going to need stuff like that.”
Timestamps: 06:40–08:43
“I don't know, it's the Squarespace of malware.”
Timestamps: 09:00–13:53
“Fewer people looking at [open source], fixing them and then charging a few people for the fixes, the better.”
Timestamps: 13:54–19:43
“Defenders have to simultaneously cut four completely different service dependencies to achieve this disruption… That’s an impressive milestone.”
“We’re getting better at coordinated defense... it sets back attackers.”
Timestamps: 19:43–26:07
“Organizations that don’t integrate AI-assisted vulnerability research… will be operating with a structurally inferior threat model. This isn’t optional.”
“I’m imagining a self-healing network where this happens in the background all the time. We’re not there yet... but this kind of stuff benefits the defenders more.”
Timestamps: 26:07–27:05
“The thing I always point to is break up the tech monopolies. I think [it would] do more for security than anything else we can do.”
Bruce Schneier on Pope quoting Gandalf about AI (00:42):
"He has a roundabout way of saying it, but he totally quotes Gandalf… I think reliably this is the first pope that has played D and D.”
Chris Ray demystifies malware commoditization (07:41):
"I don't know, it's the Squarespace of malware. It lowers the floor, sure, but we already had WordPress.”
On coordinated defensive takedowns (16:35), Schneier:
“Coordinating multiple countries, multiple agencies, multiple companies to do this at once—yes, it’s an arms race, but the defenders are getting better.”
On AI-driven vulnerability research (21:30), Chris Ray:
"The finding count is staggering... but Anthropic's own disclaimer is the story. When the creator says safeguards aren't keeping pace with capability, that's not a footnote. That’s the entire conversation.”
On the open source security business model (10:35-11:15), Schneier:
"We're gonna patch the open source tool and then only tell people who pay? ...Kind of bullshit."
On the likely persistence of botnet economics (17:57), Schneier:
"The goal is not to run… The bear goes out, run everybody you’re with. Maybe criminals go elsewhere, but I hope we make the economics bad for criminal organizations. But I think we're a long way off that because the economics is just so good."
On “fundamental upskill” for cybersecurity (26:37), Schneier:
“The thing I always point to is break up the tech monopolies... [true] competition in our environment… that would do more for security than anything else we can do.”
| Segment | Timestamp |
|---|---|
| Zero-Day Drama: Microsoft vs. Chaotic Eclipse | 01:21–04:27 |
| Dutch Tech Sovereignty—Blocking US Takeover | 04:27–06:36 |
| No-Code Android RAT BT Mob | 06:40–08:43 |
| IBM/Red Hat Project Lightwell – Open Source Clearinghouse | 09:00–13:53 |
| Glassworm Botnet Takedown | 13:54–19:43 |
| AI (Anthropic Mythos) Breaks Vulnerability Records and Safeguards | 19:43–26:07 |
| Listener Q&A – “What’s the one big fix?” | 26:07–27:05 |
This was a lively, insightful roundtable delving into major infosec developments—from chaotic vulnerability disclosure and global tech sovereignty to paradigm-shifting AI security tools and massive cooperative botnet takedowns. Both Chris Ray and Bruce Schneier repeatedly urge a pragmatic mindset: examine the operational details, avoid vendor-driven hype, and embrace structural reforms (notably in open source maintenance and industry competition) as the real path to better cyber hygiene.
Resource Highlight: