Podcast Summary: Cybersecurity Headlines – "Department of Know: CISA's Cryptography Categories, Gottumukkala's ChatGPT Gotcha, NTLM Says Goodbye"
Date: February 2, 2026
Host: Rich Stroffolino, CISO Series
Co-Hosts: Steve Zalewski (Defense in Depth), Nick Espinosa (Deep Dive Radio Show)
Episode Overview
This episode delivers a rapid-fire, analyst-focused review of major recent cybersecurity stories, aimed at infosec professionals who need to separate key developments from distractions. The hosts dissect practical impacts around policy, technology evolution, and emerging threats, with a signature blend of frankness, expertise, and dark humor.
Key topics include:
- CISA's new cryptography categories for post-quantum readiness
- A high-profile AI data handling blunder by the Acting US Cyber Chief
- The risks and revelations of poorly written ransomware (Sicari)
- The privacy implications of widespread surveillance via license plate readers
- Microsoft's plan to finally retire NTLM authentication
- The rapid emergence and vulnerabilities of autonomous AI agent infrastructures (Moltbot/Multbook)
Main Discussion Points & Insights
1. CISA’s Post-Quantum Cryptography Categories
[02:10–05:30]
- Context: CISA, in conjunction with the NSA, released product categories supporting or migrating to post-quantum cryptography (PQC), signaling the move from research to procurement as a result of a 2025 executive order.
- Nick Espinosa:
  - "[CISA] is clearly indicating a shift from just being like a research topic to actual procurement reality. ... post quantum readiness has to be the baseline." [03:09]
  - Emphasizes this as a defensive measure against long-term encrypted data theft.
- Steve Zalewski: Downplays the urgency, calling quantum a "yawn" and likening the hype to "another chocolate chip cookie recipe" repeatedly recycled to sell solutions.
  - "The problem exists in that we have a bunch of old cryptographic algorithms ... that we can't upgrade." [04:50]
  - Asserts real blockers are legacy applications, not new cryptographic standards.
2. ChatGPT Data Handling Scandal – US Acting Cyber Chief
[06:14–10:01]
- Summary: US Acting Cyber Chief Madhu Gottumukkala improperly uploaded sensitive, “For Official Use Only” government documents into public ChatGPT.
- Steve Zalewski: Compares the incident to hypocritical parenting: "Do as I say, not as I do."
  - Suggests executive exceptions and mishaps will persist, even with policies.
- Nick Espinosa:
  - "[This is] Governance 101, man. ... You're telling me the Department of Homeland Security doesn't have an AI acceptable use policy this guy signed? I question his credentials." [07:22]
  - Stresses the danger of leaders violating the same protocols they expect others to follow and calls it a major teachable moment.
  - "If it's a publicly used system, you should know better, especially as a government employee." [09:01]
- Rich Stroffolino: Acknowledges the pace of change in AI tools as a confounding factor, but ultimately sees no excuse for the lapse.
3. Sicari Ransomware: Ransomware Failures & Unintended Consequences
[10:01–13:50]
- Summary: New "Sicari" ransomware is so shoddily written that paying the ransom will not decrypt data; it discards the private RSA key entirely.
- Nick Espinosa:
  - "AI really is a tool for lazy ... it's going to basically ... inject a wild card into this. ... If you can't pay to recover ... that's the assumption we run on." [10:46]
  - Sees this as evidence that not all attackers are sophisticated, and unpredictability increases risk for victims.
- Steve Zalewski:
  - "The bad guys are not omnipotent ... the consequence to the business is actually worse because it's unrecoverable." [11:52]
  - Draws an analogy to poorly-coded internal apps: both can cause more harm than “competent” adversaries or developers.
4. Privacy, Surveillance & Automated License Plate Readers
[15:29–25:00]
- Case: Federal judge upholds Norfolk, VA’s deployment of license plate reader cameras, ruling the network too sparse to constitute warrantless surveillance.
- Nick Espinosa: Furious at the ruling’s implications, considers it a precedent for future aggregation and mass surveillance risk.
  - "The long term of this is that aggregation... is the real risk multiplier here." [16:48]
  - Warns that small data points become dangerous when integrated—especially as camera density increases.
- Steve Zalewski: Frames debate as a "greater good" dilemma—balancing public safety (e.g., finding abducted children) versus privacy.
  - "The key is we don't trust the government with our data, rightly or wrongly." [18:50]
  - Argues neither extreme is correct; explicit discussion and oversight are needed.
- Both: Agree on the critical need for real oversight and clear trade-offs, not binary “all or nothing” approaches.
5. Microsoft to Retire NTLM – Lessons in Legacy Tech
[26:00–30:51]
- Summary: Microsoft will deprecate the 30-year-old NTLM authentication protocol, pushing for Kerberos and passwordless alternatives.
- Steve Zalewski:
  - Mocks longevity of "New Technology": "Given the number of systems out there still running Windows 95, it's amazing how long new technology can actually be new." [26:37]
  - Welcomes deprecation as a lever for IT to remove obsolete, vulnerable systems: "Thank you Microsoft for forcing the issue." [28:04]
- Nick Espinosa:
  - "Well, it's about damn time." [28:24]
  - Urges CISOs to inventory and systematically replace or isolate apps dependent on legacy authentication. Warns not to repeat delays from previous deprecations (e.g., TLS 1.2).
- Humorous Tip: Hosts mock industry trends and suggest simply invoking "quantum" to get any security measure greenlit. [30:49]
6. AI Agents, Multbook, and the Dangers of Vibe Coding
[31:34–39:20]
- Background: "Moltbot"/Multbook is an AI agents platform where bots autonomously interact—with humans theoretically locked out. Researchers found major security lapses, including exposed production databases.
- Steve Zalewski:
  - Compares deploying autonomous agents without guardrails to “letting a child run with scissors.” [33:06]
  - Praises the exercise for exposing the state of AI readiness, but warns industry must mature security and auditability rapidly.
- Nick Espinosa:
  - "Do you know how moody teenagers are? And then you let them talk and coordinate..." [35:05]
  - Sees Multbook as an early but significant signpost for persistent, self-directed AI systems, and stresses that auditability/governance is paramount as such platforms scale.
- Rich Stroffolino: Observes that rapid, community-driven development ("vibe coding") makes immature, highly-exposed infrastructure more likely—mirroring earlier AI/image gen chaos.
Notable Quotes & Moments
- Nick Espinosa on CISA's PQC Push:
  - “This is like signaling, like an early market standard that post quantum readiness has to be the baseline.” [03:09]
- Steve Zalewski on Quantum Fatigue:
  - “Great, another chocolate chip cookie recipe. Awesome.” [04:25]
- Steve Zalewski on Executive Exceptions:
  - “Do as I say, not as I do, okay?” [06:31]
- Nick Espinosa on Data Handling in ChatGPT:
  - “This is Governance 101, man...I question his credentials.” [07:22]
- Kevin Farrell (audience, quoted by host):
  - “[Sicari ransomware is] actually brickware.” [13:50]
- Steve Zalewski on Legacy Tech:
  - “Given the number of systems out there still running Windows 95, it's amazing how long new technology can actually be new.” [26:37]
- Nick Espinosa on NTLM Retirement:
  - “My very first thought…was, well, it's about damn time.” [28:24]
- Steve Zalewski (joking on buzzwords):
  - “Microsoft to disable NTLM by default in future Windows releases to secure against quantum attacks.” [30:49]
- Nick Espinosa on AI Agents:
  - "This is how Skynet starts, man, I'm telling you." [35:06]
- Steve Zalewski on AI’s Trustworthiness:
  - “The way we evaluate models is not on is it trustable... but...how we train a model without actually saying, is it telling the truth or can I trust it?” [39:20]
Timestamps for Key Segments
- CISA Cryptography Categories: 02:10 – 05:30
- US Acting Cyber Chief's ChatGPT Error: 06:14 – 10:01
- Sicari Ransomware ("Brickware"): 10:01 – 13:50
- License Plate Reader Surveillance Debate: 15:29 – 25:00
- NTLM Retirement & Legacy Risk: 26:00 – 30:51
- AI Agents, Multbook & Security Lessons: 31:34 – 39:20
- Closing Words of Advice: 41:24 – 43:13
Closing Advice & Takeaways
- Nick Espinosa: "Take a good hard look at where the world is going and plan accordingly. Understand the risk of everything that we've just talked about and quantify that to the best of your ability. ... Prepare for post quantum. Prepare for all of these other things, whether Steve yawns about them or not." [41:24]
- Steve Zalewski: “Audio and video social engineering attacks...are escalating now...Spend a little time with your organizations and figure out what you’re doing before you get hurt.” [41:57]
Overall Tone & Language
- Candid, irreverent, and at times acerbically humorous.
- Host and guests blend relatable analogies (chocolate chip cookies, moody teenagers, running with scissors) with experienced technical insight.
- Debate is encouraged, with mutual respect for "agree to disagree" moments; audience is welcomed into the conversation.
For More Information
- Visit CISOseries.com for daily cybersecurity news and featured topic deep dives.
This summary captures the high-level insights, quotable moments, and actionable themes of the episode—suitable for any infosec professional or executive looking to quickly digest the latest security discourse.
