
Cybersecurity Today: July Review - Massive Lawsuits, AI Warnings, and Major Breaches In this episode of Cybersecurity Today: The Month in Review, host Jim Love and an expert panel, including David Shipley, Anton Levaja, and Tammy Harper, discuss the...
Jim Love
Welcome to Cybersecurity Today, the month in review. In this show, our expert panel reviews some of the key stories from the previous month and we get to have a bit of a deeper discussion. As always, I let the panel introduce themselves. David Shipley. Welcome, David. We're going to actually let you go off first. How's that?
David Shipley
I appreciate the privilege. It's great to be back. And I'm here in ridiculously hot Las Vegas for Hacker Summer Camp. So my first time out again. I'm the CEO of Beauceron Security and the Monday morning host for Cybersecurity Today.
Jim Love
Wonderful. And Antoine Levia is back with us.
Antoine Levia
Thanks for having me back again. I had a great time last time, so I was excited to come back here. I'm a security engineer and the co founder of Distrust and Caution, two firms that specialize in security. We do a lot of consulting, we do a lot of open source development, and we like to do security research as well. So great. Thanks for having me back.
Jim Love
And my, my new friend, Tammy Harper. Welcome back.
Tammy Harper
Thank you very much for having me back. And so, a little bit about me. I'm a senior threat intelligence researcher at Flare and I'm also one of the core members of the RansomLook team. And I am very, very happy to be here. Excited.
Jim Love
Great. We still have a show you owe me on the psychology of these ransomware groups. Tammy does a lot of research into that. She's one of the most knowledgeable people in that. Looking forward to that show as well. But for today, we have the news.
David Shipley
David, reflecting back on July, there are now two court cases that are going to shape cybersecurity for the next decade. We have Delta versus CrowdStrike because July was the one year anniversary of the CrowdStrike apocalypse. And then what we saw in July was a huge lawsuit between cleaning product maker Clorox and IT firm Cognizant. Clorox, a couple of years ago, suffered a massive ransomware attack allegedly at the hands of Scattered Spider. Where this gets interesting is Cognizant was their outsourced IT help desk. And as a result of the investigation, the folks at Clorox have the detailed transcripts of the IT help desk hijack process. So what they're saying in their lawsuit, which has yet to be proven in court, is that Cognizant did not follow any of the documented processes for challenging identity. And not only did the attackers get one account reset, including MFA, they also got an IT security credential revoked and reset and MFA reset, which allowed them to, as one can imagine, really amp up the chaos. Now, this lawsuit is huge. It's $380 million. And so this is that big sort of Godzilla, Mothra kind of scale legal fight. And what's interesting is Cognizant's not having any of it. Their response back to media was spicy, to put it at a minimum. Basically, to paraphrase, saying, can't believe Clorox's cybersecurity was so inept that this could happen. We were only contracted for a narrow scope of help desk procedures, which we provided. So now we get to see how this all plays out. But this is one of the few cases where, thanks to discovery and the claims that are being made, we're walking through a detailed breach and just seeing how this all plays out.
Jim Love
Well, that's interesting. This is a $380 million lawsuit, and basically based around the fact that someone was sloppy. It's the ultimate in finger pointing. Right. We've all been through this, where you come into a meeting, and if you can't spot the scapegoat, you're it. Those great finger pointing. You were terrible. You didn't check this. You didn't do. But there's a lot at stake in this. This is going to be a big thing. In terms of outsourcing. I've negotiated a number of outsourcing contracts, and you look at the amount of risk that for outsourcing versus your fees, if this lawsuit goes in favor of either party, it's going to be a major shakeup.
David Shipley
Absolutely. The only way that this sort of disappears for everybody is if they settle it. So if somebody blinks along the way, they settle it out and away they go. Where we may not see any kind of a precedent set by this, but based on the acrimonious claims and response in media to the claim, like, Cognizant made an interesting choice. Right. Typically, when you don't necessarily want to go down the aggressive route, you do things like, we can't comment. It's before the courts, yada, yada, yada. But that's not how they played this. They played it like, bam, punch back. And it's a move, it's a choice. And it says a lot about, you know, how they may be feeling about this.
Jim Love
I've never seen somebody come back punching that hard from a service provider.
David Shipley
Right. And what's interesting is they're punching back hard. But Clorox has the receipts. They've got the transcripts. It's like, this is really. I used to be a court reporter, right. So I've seen a lot in terms of civil cases and criminal cases and I think this is really interesting. But again, we're still in the very slow process of Delta versus CrowdStrike. Delta versus CrowdStrike could nullify that giant all cap section that every software maker relies on that says we accept no liability. This product mini, I mean work is designed, yada, yada, yada. It's this big comforting black blanket of indemnity that you wrap yourself in. And if that gets blown up, two things are going to happen. Software prices are going to rise like you have never seen before. And if we think inflation is bad because of trade chaos, wait till AI terms of service, software terms of service explode and away we go. So, and again, like, I don't know who's going to turn in this legal game of chicken at that scale either.
Jim Love
There's no good outcome on this for.
David Shipley
Oh, I mean the good news for lawyers, like whatever law firms are behind this, it'll make bank.
Jim Love
But they will settle. It's my prediction they will settle. You're never going to, you're not going to take a $380 million lawsuit to court. Somebody's going to blink, somebody's going to settle. That's my prediction. But no matter what happens and this, you get back to this indemnity clause, I don't actually know how that applies to cybersecurity services, but in every services agreement you do have that, you've explained that, this whole clause that says we're not liable for anything, anything more than our fees. As a consultant, I wouldn't work on anything without that clause. It's been ironclad, it's survived court before. If it gets blown apart in cybersecurity, fees have to go up. You cannot operate with the profit margins people have and have that liability, or insurance premiums are going to go crazy. Like I said, there's no good outcome from this one for us, for those guys, I mean. And the lawyers are going to do well.
David Shipley
Yeah, they did. You know, at the end of the day, law firms are going to do real, real well. But that's my opening story is just sort of, I'm watching these moves and you know, they're not the biggest headline of the day, but they're the things that it's like, it's like Jaws, which is what? Its 40th or 50th anniversary this year, and you just hear it behind the water, you know, just kind of waiting to see that legal shark pop up and see what chaos comes next.
Jim Love
Wow. Tammy, any comments on the story here?
Tammy Harper
Yeah, this is going to be a really interesting development and I'm looking very close to it. Your point saying that software prices are going to go up way high if now they have way more liability on their hands. That was a very good comment and we're going to see. But the thing is also like, lawyers are really, really crafty and there's just going to be another way around and like exempting themselves with liability. So I want to see both sides, like how they're going to be creative and we'll see.
David Shipley
The only thing more clever than a software engineer is a legal engineer.
Jim Love
You're a consultant and you regularly go in there and touch these systems. Is this, this giving you a bit of a chill?
Antoine Levia
I mean, this is pretty par for the course. We've seen a lot of external third party service providers fail with basic authentication or identification aspects of their work. I've seen this happen in the crypto industry a lot where marketing teams like to have access to a lot of data and they like to outsource their work. A lot of the time you end up adopting a bunch of, whether it's just emails, but often it's a lot more than that, third party systems that you don't fully vet, you don't really know how they work, even if they're under your control through some UI. Like you're not really controlling the infrastructure and the data access. So I'm not super surprised. But the scale of this is pretty interesting. It's also kind of funny that it's a Clorox versus a huge tech company. Just that juxtaposition and the imagery that comes up in my head of a big Clorox tablet punching at a big tech firm or the other way around, both ways, I guess is kind of funny. But yeah, the scale is the most impressive thing here, so that'll be very interesting. On the CrowdStrike thing, I thought it was hilarious how upset people were, but to me, it's kind of like if you give a third party direct access to push anything they want to update their systems, you kind of set yourself up for failure. That was the biggest lesson for me. Don't let a third party just freely push whatever they like to your systems. And that didn't seem to be the lesson that most took away from that. And I have yet to write a little blog about that. But I think I should because, yeah, in my books, if you haven't verified the code for yourself, it doesn't matter who's pushing it to you, you shouldn't trust it blindly.
David Shipley
And I think if you're running any kind of a company that pushes code to other people's endpoints and you're still yoloing it without ring deployments, the evidence is pretty clear. It's a pretty good idea. But the other part that's really interesting about.
Jim Love
Hang on, hang on. Just ring deployments.
David Shipley
Yeah. So the idea is if you're going to make a change, you do a small group and you see how that change goes, and then you go a slightly larger group, and then you go a larger group. So you do it in phased waves. Right. So rings of deployment. And, you know, if you notice early on that, you know, your AI powered quality assurance process went sideways and this is now bricking a bunch of Windows PCs, you stop the deployment. You don't hit millions of machines simultaneously in, you know, one of the greatest IT outages we've seen so far. This reminds me of that Simpsons meme where people like, this is the hottest summer ever. And it's like, this is the coolest summer of the rest of your life.
Jim Love
Give me a second. I need to send off an email to Microsoft. This is ring deployment. So launch everything out to all people at once.
David Shipley
In fairness, Microsoft actually has really good ring deployments. CrowdStrike now has really good ring deployments. So that's fantastic. I think the other side is interesting is, you know, we think back about all the talk about booting antivirus, anti malware, EDR, MDR, I can't keep up with all the acronyms, but the things that are supposed to stop the malware, out of the Windows kernel. And so macOS did this a long time ago, much to the frustration of many providers. There's lots of deep technical arguments. Sure, Tammy can get into this much better than I can, but there are moves afoot now. Microsoft moves at the speed of, well, Microsoft. So it's been a year, but they're starting to make moves to boot people out. And remember, the really interesting thing about all this is Microsoft provides the OS, but it also provides a competitive product to CrowdStrike and everybody else. And it was mandated by the EU not to. Oh, you have to give everyone this highly privileged access to the Windows kernel so you can make it massively unstable. No, the regulation was you can't enjoy some kind of a market benefit that others can't use as well because that would be monopolistic power. So it'll be interesting to see how they pull off this booting everybody out of the kernel, which, again, malware folks say is really, really important to be as close to that source of truth as possible, and how that deployment goes, what chaos comes from there and what that means for malware for the next 20 years.
Jim Love
I think you snuck in two stories.
David Shipley
I think I do, yeah.
Jim Love
Yeah. Okay. So Tammy, what impressed you over the past month?
Tammy Harper
So one of the big news that just actually recently happened on July 22 was the seizure of the absolutely notorious XSS website or forum. And this is huge news because in the cybercrime underground there are really two websites that are like king and queen. There's Exploit, there's XSS, Breach Forums a little bit. But like, XSS has always been one of the top three forums for over a decade. And it's. Even though it did not allow, it was still notorious for manuals of teaching how to code malware or selling leaks or selling initial access to infrastructure and things like that. And how these forums made a lot of their money was through their escrow or their guarantor service. So for example, and advertisements, of course, but their guarantor service was pulling in so much money. Let's say you wanted to make a deal on this forum and you needed to make sure that you can trust the buyer or the seller. You would use a middleman or a guarantor. And that was the admin of the website. They would charge a 10% commission to make that happen. They would basically not release the goods until the funds were transferred, and they wouldn't release the funds until the goods were verified. And that's what an escrow is. At the time of the seizure, XSS had 55 Bitcoin in their wallet. Like that was the escrow account, which was roughly like 5 million euros. And that's just what they had access to. And the admin has said that that is what he feels responsible for, the current admin, because the previous admin was arrested and we'll get to that in a second. But the current admin is basically saying, like, look, that's what I feel responsible for and that's what we're going to get. We have a very good team now to make this happen and we're going to get there. It's going to take a while, but we're going to get there. Essentially, the previous admin Toga was estimated to have made and profited 7 million euro from this forum. And he was arrested in Kiev, Ukraine.
And at the time of his arrest, like, XSS had around 50,000 registered users. And not only did they arrest, seize, like the XSS website and the domain like xss, they also were able to seize control of the Jabber server. It's called the Secure biz. And the Secure Biz, you've seen a lot of threat actors with that handle, and that was like a way to contact them. Secure Biz works similar like an email and an instant messenger. And so they basically seized that server. And what they did is that they redirected traffic to sinkholes that they controlled. And then there was a lot of allegations saying that this is weird, that the onion was not seized, but the clear web was seized. And now there's like a split in the faction of the underground saying that XSS, even though it's been like revived, is currently under law enforcement control. And essentially they're saying that it's a honeypot. Now, a honeypot is. We've heard about that a lot, where it's like a decoy that is controlled by law enforcement that is made to be super attractive so that criminals or users can go into believing that it's the real deal. And so when it's not. In fact, there was a new forum that was split off from this, and it's called Damage Lab. This is essentially a hat tip to the old name of XSS, because XSS was originally called Damage Lab. So now they're going back to its roots. So, yeah, it's been a crazy month in terms of seizures. BlackSuit also got seized. So it's a lot of really good law enforcement work this month.
Jim Love
Now, when they get this, do they know everybody who has now been in contact with that site?
Tammy Harper
So that's a very good question. They're really interested, not in the visitors, they're really interested in the users, the power users of these forums, the ones that were making millions or even hundreds of thousands of dollars in selling specific exploits or selling initial access. And those are the ones that they're going to go after first. And because they have access to the databases and because they're essentially putting a lot of pressure on the admin, they can basically get access to the direct messages, the logs, everything, right? So it's not going to be hard for them to figure out who is who. Unless you have exceptional opsec, which some of them do, most of them don't. This is going to be a huge break and we're going to see a lot more chain arrests and seizures coming from this because a lot of these groups are related and they work closely together. And when a big farm like this falls, it doesn't take long for more to fall.
David Shipley
What I love about this is the destruction of trust, right? You can recreate the technological infrastructure, the Onion sites, but it is so hard to rebuild the trust and the network effect of these king and queen size sites. And then let's say scenario A, they just got the clearweb website and the Onion was running. And then they had some compromised identities inside the forum and they planted the seeds of doubt that they were the ones that drove people. And maybe they are running damage as the actual police one, who knows? That's what's so beautiful about this, is that they can sow the fear and the paranoia. And Jim, to your point, we've seen some really interesting things with the RCMP in Quebec, here in Canada, with other previous busts like Genesis, I think it was Genesis Marketplace. And they actually got enough information on folks that while they didn't have enough to necessarily prosecute or they didn't have the desire to, they did a really interesting door knocking campaign. And we're like, this is you. We know who you are. Knock it off. And I absolutely love what they're doing now.
Jim Love
I've been trying to set up a totally throwaway environment where I actually could go do some research, but I haven't had time to do that. And I have no desire to go to these sites using my own equipment. If you're sitting in an office right now and you're curious about this, don't go. We'll do a show on this stuff and we'll show you some screenshots. But I'm just amazed at how brazen they are. I'm amazed that they stayed out for so long. I mean, if you can find them, I can find them. Law enforcement can find them. How is it that they can operate at this level, Anton? They seem to always be able to get access to crypto. I find this just incredible.
Antoine Levia
Oh, that's a really juicy target. So it makes sense. But there's a lot of money in this and it's a very interesting type of economy that they've built where there's so many different subgroups to this that specialize in different aspects of this. Some are just figuring out what platform people are on and then they'll go and repackage and sell that data to the next group that will go and do SIM swapping attacks or something like that and like get further access. The complexity and the scale of these organizations is fascinating. The ones that are most public are visible. We see them, they're top of mind. But there's a lot more of that kind of like underneath the iceberg. It's really interesting what kind of economy actually grew out of this. The dark economy. Right. To say, do not go there if you're listening. Don't go poking around if you don't know what you're doing. Or you could get easily compromised. It's enough to visit the wrong website and you could end up with malware on your computer. So leave it to the pros.
David Shipley
Yeah. And speaking of pros, Tammy is. It's interesting. I almost feel like she's that guide now to cross the river Styx to go into these places. And so actually she gave me a real solid and guided us into one of the phishing as a service platforms, as a team, and holy, fascinating. And number one, like, criminal scaling and building these phishing as a service. And their UI is really good. Their business models, Jim, are incredibly well thought out. Like incentivized sales programs, like, you know, stuff that could be ripped from the pages of the old Xerox sort of marketing and sales playbook, but for the crimes. And this one was particularly brazen because it's out on the clear web. It's not like an Onion site. You got to know the secret handshake and nod to get an invite and get in. Some people are really clever, like Tammy, and they can get in and figure these things out. It was fascinating. And the organizations they were targeting, they were just like a SaaS. If you took away the criminal nature of it, it looks just like every other SaaS you've ever seen. They're putting new releases out, rolling out new features. They have tiered plans. Then, of course, all payments conveniently done in crypto.
Jim Love
So, Tammy, these groups get busted all the time, and somehow they resurface and they come back. Has this been irreparable damage or is it just the calm before the next storm?
Tammy Harper
So law enforcement has been changing their tactics, and as David said, they're really going after the reputation now and sowing distress. They did the exact same psychological operation with Lockbit, where they seized the original site and then they doxxed the admin of Lockbit. And essentially they're doing that more and more now. They're trying to make it impossible for you to conduct business because they know that a lot of these people are in countries with no extradition, and so they can't necessarily arrest them, but they want to make it impossible for them to. They want to destroy the brand now. So, like, if no one's going to trust XSS or Lockbit or anything like that, they're going to have to recreate a new platform or a new forum or a new brand. And that takes time because you need to build trust and build and that it slows things down. So that's one of the approaches that law enforcement has been doing recently and I think it's working very, very effectively. Absolutely, yes.
David Shipley
Fab, and Tammy won't do this because, like, you know, it's self promotion. But I will say this: Flare does amazing work in this space and we use their technology. So I can say that. And I got to tell you, like, as a proud Canadian, at every conference I've gone to where they have been out there, they are getting swarmed by people just asking tons of questions. And they're not just there to like raid the swag at the booth. So they're doing some really, really cool things.
Jim Love
Oh yeah, okay, well, I'm there for the swag.
David Shipley
Sorry, I mean, they do have good swag.
Jim Love
It's good. Good to talk to you too, Anton. So what's news with you? And I've got a bone to pick after that.
Antoine Levia
I mean, a lot is always happening. One thing I'm paying attention to closely, always, is supply chain attacks. And of course there's no shortage of those. So recently we saw a bunch of packages get compromised in the NPM ecosystem. One of them had about 3 million weekly downloads. And it's just a funny thing because it keeps happening and people aren't changing their strategies to defend from it. And it keeps happening and it's a cycle and somehow everyone seems surprised every time that, you know, it happens. But it won't really end until people seriously start, you know, looking at what they're putting into their applications. There's this weird idea that, you know, first party code that your colleagues write should be reviewed, but third party code that someone, some unknown stranger on the Internet wrote is fine because a lot of people downloaded it.
Jim Love
So can you just give us a little context on the NPM thing? Just tell us what the story was.
Antoine Levia
Yeah, for sure. It's basically another supply chain attack. There was a breach of Toptal, which is a talent sourcing agency, a really big one, and they have a bunch of packages that they publish to NPM and their GitHub was compromised. And so in GitHub Actions, often there's a lot of access that allows you to deploy packages or upload packages to NPM. It may also allow you to go and deploy infrastructure on AWS or deploy applications to different cloud service providers. I actually found an injection vulnerability in a penetration test I did recently that allowed me to take over the GitHub Action and do whatever, basically arbitrary code execution. And so it's unclear exactly what happened to their repo. But often if it's a public repo and you don't write your GitHub Action correctly, you can use, for example, the branch name to inject a script into the GitHub Action, thereby gaining full control of whatever's in there, including, like, secrets. So basically the attacker somehow got access and then used the NPM token to upload their own malicious code to the packages that they published. And so inadvertently, a bunch of people downloaded this and basically put malware on their computers, which was exfiltrating data as well as deleting data from their computers.
Jim Love
This makes me crazy because this is one of five stories we might have done on supply chain. And every time I look at it and I go, smarter people than me find ways to inject malware into things in ways I couldn't even imagine. But one thing that stumps me even more is what the hell would I do about it? As pitiful as my Linux development career was, I wouldn't be able to do anything without being able to download stuff that other people had written.
Antoine Levia
The issue is that if you're running a system that is protecting data that's of value, or anything else of value, I think it's the responsibility of the person building that platform to actually review the code. And the counter argument is always, ah, that's too much code to review, we can't do it, it's just not doable. Then, you know, you should cut down the amount of code that you're pulling in. Oftentimes I see people pull in, you know, a million lines of code and they're only using one of the functions and it makes no sense to do that. And it's fair that some users actually don't have the ability to go and review this code. So one of the ideas on how to approach this is like, let's go and crowdsource reviewing the most widely used libraries, right, where it matters for the most critical software, and kind of bear the burden of that together. Like, let's combine our powers and if I review some code, I can go and publish, you know, a report that's signed by me saying, I actually looked at this code and as far as I'm concerned, I went this deep on it and it's safe to use. That would be a step in the right direction. But right now the default state is, on install, it runs all its install and post-install scripts and you just pray and hope that something bad didn't happen. That's where we're at right now.
Jim Love
We sit here and tell our users, don't download malicious apps, don't download this on your phone unless you're absolutely sure. And then in our development shops, we're banging away saying, I'll bring it on. This is absolutely nuts. But we talked about this earlier and you had a great idea of doing a bit for bit comparison of things and being able to certify that this was the version of software. Why isn't that getting more traction?
Antoine Levia
It's starting to, yeah, definitely. Reproducibility and full source bootstrapping closes off a lot of attack vectors. You still have to review the source code. It doesn't solve that part of the problem, but it does solve the problem.
Jim Love
Of, I'm sorry, if you had done a review and you could actually say, as of this point, this is the code, wouldn't that make a major difference?
Antoine Levia
Yeah, absolutely. And then you can do incremental reviews from that point on where you just look at the diff for every version.
Jim Love
This supply chain, this is going to lead me to my story. And that was the story of the month. Had to be that we'd finally, finally it's happened. And I've predicted this for some time because we're really stupid about implementing technology. Sorry. But as a world, we really are. Here's how we do it. You come up with something new, somebody in marketing puts together a brochure, we oversell the hell out of it and then we come out, everybody says this is really cool because we buy it every time. And then we all implement it into our dev shops and we go, oh, my God. As you're sitting there, I still remember my friend Joe Accardo in 4GL languages and him and I sitting looking over the desk after months of development, realizing this thing wasn't going to work. It wasn't as good as the demo. Right. This is. And then eventually everybody gets together and we fix stuff up and we, you know, after the disasters and some careers have been damaged, when projects have gone, we go back and we somehow get something that is now working and gets better and better. That seems to be the only way we know how to implement. And the scary thing is, we've done that with AI. We have ramped up development of IDEs and development environments and tools and these things the last week, I can't list the number of stories where the AI just decided it would nuke the data from some developer. Google had the same thing, at least Replit, when they went, they. Somebody was using this development environment. Comes from, I think, Replit, they came in. It just. The AI wiped the guy's code, wiped the guy's backups of his code because he was dutifully replicating his backup. There's another story about that. I'm not sure that that's a really good idea. You know, if you're gonna have a mistake in your code, let's pop that into the backups. That's another piece. And then the AI says I didn't do anything. It really did it. Denied that it had done it.
But in fairness, the CEO of Replit came in and he got their team together, they fixed it. And we've always been through. There's no blame, no shame, you know, admit and fix. And they did that. And they got this, they got them up and going again. But in the meantime, somebody else is working with one of Google's new tools in Gemini and wiped their code. Now anybody who's ever tried to get any customer service from Google, if you actually found a way to talk to Google, I salute you. But they're just, you know, sucks to be you, is sort of what happens. So these people lost code, you know, the amount of. And then you get into the security issues of this MCP, which is model control protocol, great idea.
Antoine Levia
Possibly go wrong with it, possibly wrong with that between multiple agents. It'll be great.
Jim Love
Except maybe things like once you implement something to MCP, it trusts everything else after that. So your guys up there, you know, putting bad code into some sort of module and MCP's going, I've seen this one before. Good. Pop it in. The amateurism of these development environments is just astonishing.
David Shipley
So I've got some thoughts, but first, I think, Tammy, you had your hand up earlier, so I don't know if you wanted to circle back on that or if you want to jump into the hot AI agentic code mess.
Tammy Harper
Well, it sort of ties into this. So you were mentioning, Anton, that like we have to go back and like review all of these libraries. Can't an AI do that?
Antoine Levia
It could help. It could help. But honestly, at this point, I don't trust an AI yet. For me, it's like additional input and especially because of this whole idea of a lot of garbage code being fed into it and so it thinking that's the right thing. For example, one common thing I see often is people using the current timestamp as a source of entropy. And that's even written in computer science books. I've seen it multiple times in books and like, wow, this is insane. And so on a fundamental level like what we're teaching the AI is wrong. Maybe if we took the time to properly train a model that's just. People are working on that right now, right then maybe. But right now, like my confidence threshold for just like letting, letting SaaS, even if it's AI powered, look at my code, it's just too low.
Jim Love
So I will rip my face off on this. But this is not an AI problem. This is the same stupid way we implement software. And that's the problem. This stuff will eventually work, but do you think you might want to test it a little before you start putting it out into production usage?
David Shipley
So I asked my CTO about this and he had a really good take on this. I don't let our developers have access to prod. I am not going to allow a half baked agentic AI direct access to prod. Like the rules are still the rules now. You know what's interesting, Jim? Like the amount of stories and I like, it's almost to the point now where I don't know if you've seen that Simpsons meme where you know, it's like stop beating it, it's already dead. But you know, as the guy that's usually the guy beating on AI, even I had to like just stop this month and go, this is bad. Like, you know, there was a study that just dropped that said 45% of AI generated code has an OWASP Top 10 vulnerability. And it goes to what Anton was just. They went across the Internet, they scarfed up every example they could, which, dear friends, garbage in, garbage out has been around a long time.
Antoine Levia
We're running garbage.
David Shipley
So it's not like we had pristine, beautiful English lit poetry quality code that it could learn from and become the next Shakespeare. There was a lot of crap, right? Like a lot. Like we've essentially trained AI from a literature's perspective on soap operas and we're shocked that we're not getting Academy Award winning movies. Like really? No kidding. But it's interesting. This Model Context Protocol itself feels a lot like it was vibe coded to begin with. And it's like vibe code begets vibe code. It's like vibe code squared. And it's like, maybe we need less of this. And I'm seeing a lot of T-shirts here in Vegas that have "I" and the old Netscape Navigator broken image icon, you know, for agentic AI, right? Like or "I [blank] vibe coding." And it's like yeah, for real. But I want to circle back on something here. This goes back to what Anton was saying. We are gutting young technology career positions at an unprecedented pace and they are not getting the opportunities to learn fundamental skills so that they could do things like real honest to God human review of code. And Jim, no joke aside, so they could read a diff. We are creating a massive problem in technology with our over rotation on AI to replace entry level skills and it is going to hurt. So true from a future standpoint. But also dear listeners, when you have double digit unemployment in people under 30, bad things happen at a societal level. So this is really, this is like that red indicator light going, this is a problem.
Jim Love
Yeah. And I don't want to take away from this. I still maintain this is not an AI problem, this is a stupid implementation problem. And we've been good at those for decades. Because Tammy, you're right and I'll disagree with you Anton at one point, not yet, but eventually we are going to need to replace enormous COBOL systems that are so big and so monstrous that nobody, no person, no project, no government could tackle those. And they are going to implode at some time in the next decade. The only way to convert that amount of code is going to be with some sort of artificial intelligence tools. But don't do it today. Let's, let's make sure they work first. This is what it's just, it's like buying a Tesla and trusting in the automatic driving and then you say take your hands off the wheel, hit the gas and we'll just see how well Elon delivers. You wouldn't do that, but you'll do it with code.
David Shipley
But do you know what? Your Tesla analogy is spot on. And here's why. Just like you were talking how we overhype a new technology and over market the hell out of it. You know, Full Self-Driving was the brand name for this technology. They advertise it. They just got a huge lawsuit against them that was found against them into the hundreds of millions of dollars that basically claims that their cars are fundamentally unsafe. It's like a 200 million plus lawsuit for one of the first civil lawsuits for an Autopilot death. Like the overhyping of these immature technologies that the. And it gets back to your point about something. It's the choices we make with how we deploy technology. Tesla made the choice not to use LiDAR for business and ideological reasons that made their cars fundamentally less safe than competitors that are using LiDAR as well as optical sensors. And so, you know, it's never just the tech, right? It's the business decisions around the tech. Boeing MAX 8s were a series of business decisions to improve competitiveness, to have more fuel efficient planes. And they created an aerodynamically unstable design which by the way, the only other things that are intentionally designed that way are fighter jets. And as my friend says, at least they come with ejection seats. And they took a military design, stripped down the, the extra sensors and then added it like a typical SaaS provider. It's like, oh, you wanted the safety feature, that's the add on. But dear listeners, we do that as SaaS because you demand the lowest possible price and then we have to initially make money, so we have to do that. Well, Boeing did the same thing, but it's the choices we make with technology. To your point, AI itself, and here's me going, middle ground is not fundamentally good or bad. It's the stupid decisions that we make along the way when we ought to have known better. Because to your point, we've been doing software a long time. None of these things are new.
And I feel like I'll end with my culture critic quote, Battlestar Galactica reboot. All this has happened before, all of this will happen again.
Jim Love
Yeah, it's only a lesson learned if you have the two words together, lesson and learned. But let's go back to.
Antoine Levia
So Nick Bostrom wrote this really good paper called the Vulnerable World Hypothesis. And if you make the wrong decision with the wrong technology, that adds up to potentially worst case scenario like existential threat to humanity. Nuclear was one of those. AI is now maybe one of those things. And every so often we pull out a new marble out of this jar of possible ideas that we could discover and it's like, what are we going to do with this? Are we going to be responsible? And the default is no, we're going to move fast and break things. And I would invoke we should move thoughtfully and improve things because we've done the fast thing for long enough, I swear.
Jim Love
And it's not corporately politically correct. If someone came into my office today and I was still running a company and they said move fast and break things, I'd smack them. Yes, I had, I worked for the CEO of, of a financial institution, and people would say things like that, well, you got to take some risks. He'd go, no, you don't. Said that's other people's money, you know. And I think we've gotten this idea move fast and break things. Yeah, that's what you want to do. Really great until you bring down the eastern seaboard or something like that.
David Shipley
Which brings us to SharePoint, right? So Microsoft, like this is one of those, Microsoft is one of those too big to fail kind of living institutions now, as big as a financial institution. And so we had SharePoint Apocalypse. Now where this ties back to our other thread is business decisions. Microsoft does not want you running SharePoint or Exchange or anything else for that matter on-prem; they want you running it in the cloud because they make money off the compute. They have that lovely annuity SaaS revenue stream. So they have been underinvesting in these things. And it's not just the, the fact that they had a vulnerability that came out of a Pwn2Own or one of those competitions. They get to Europe, the patch didn't work. And dear listeners, geez, what are the cumulative effects of all of these cuts that Microsoft has been making to fund its AI projects in cutting people across the board? You have more mistakes happen like this. And then you have hundreds of organizations who for budget reasons were still running SharePoint on-prem that were vulnerable, including organizations responsible for the nuclear weapons program in the United States, not the launch codes, that still runs on giant floppy disks and is not connected to the Internet. Thank the Lord. This was not a small body count of organizations hit by this. And again, it goes back to business choices and it's been interesting to see how that played out. And Tammy, I'm dying to know what your thoughts were on SharePoint Pocalypse and what you saw in the world.
Tammy Harper
So I did see at first. It started off like a wave. I saw a lot of chatter saying like, hey, anybody have a POC, proof of concept? Anybody have this? Anybody have this? And then all of a sudden people weren't asking that anymore. And then you started to see the news of okay, what's like I saw like, cause I'm in a lot of trust groups. And then you started to see like, okay, I have a client now getting hit. And it was SharePoint and it was SharePoint and it was SharePoint. And people then started to say, but I'm not seeing encryption. All I'm seeing is massive exfiltration. And so now you start looking at TTPs of groups that are known to do this. And then it is just a web of incident response and forensics. Of who could be doing this. And then you look back at the chatter, you start connecting the dots of, okay, this account might be related to this group. It's a really fascinating world when you're doing threat intelligence and you're starting to see the wave of things coming in and when it stops is even more telling.
David Shipley
So there's a subtext of this story and it didn't make all the headlines like the initial stuff did. And this is one, Jim, that I'm watching very closely. So, as part of the post-investigation, Microsoft is investigating whether news of its patch needing to get fixed leaked from a trusted community ahead of time, which set off the feeding frenzy about this particular vulnerability. That's why it sort of peaked as a wave is one theory that I've heard. And it would not be the first time that as we have these concentric circles of trust and you're trying to communicate out because change is complicated. You need multi stakeholders, et cetera, et cetera, that somehow, either intentionally or unintentionally, it leaked out or someone is listening to those conversations. So that's one that I find deeply fascinating because that would be a high priority target for intelligence agencies and others to be sitting there waiting to find out when the door is about to be closed on their favorite tool so that they can get maximum value out of it. I mean, these things are now worth. Microsoft just announced like last week, it's like 5 million is the latest thing for particular. Certain O-days. These are expensive and you want to use them judiciously so you don't burn it. But then when you find out it's about to get burned, you roll the whole team and you try and get as much as you can, which is so. So I've heard it called both. I typically like "oh-day," but that's me.
Jim Love
We got, we actually got an email that said that's "zero-days." And I went, "oh-days."
Antoine Levia
Yeah, yeah, it's both.
Jim Love
It's both, yeah. Cool.
David Shipley
Yeah, I think it's Z and Zed, right? Like.
Jim Love
Yeah, well, no, no, Z is correct. Z is not. That's. It's. It's really simple. Tammy, you were going to say something actually intelligent, I'm sure.
Tammy Harper
Wouldn't it be technically an N-day? Like an N-day is known as a security weakness in software or hardware where the vulnerability has been publicly disclosed with a CVE and there's a patch for it, and the N represents the number of days. So wouldn't this SharePoint incident be an N-day?
David Shipley
Well, yeah, yeah. No, you are, as, as Jim said, listen to Tammy, folks. She is the smarter of the bunch. And Anton. But so, so at one point an O-day becomes an N-day and it's, it's, you know, becomes known, there's a patch out, et cetera. And so, you know, you, you. And this is an interesting case actually. We may even end up with a new term for this because normally in a sane world you have an O-day. I didn't know this was a vulnerability and people were actually exploiting it. And then you patch it and it becomes an N-day or your patch doesn't work and what does that become? It becomes a mayday. No, I'm kidding. There needs to be a new, a new O and N in the near future.
Jim Love
So can we just go back to this though? And this is, this is again, I'll go back and say maybe I'm just, I'm getting jaded in my old age possibly. But we have this thing about, oh, you, you may have leaked this early and that caused a frenzy. But any estimates from you guys about how many of those SharePoint sites still aren't patched?
David Shipley
It's, it's, the number is not zero.
Antoine Levia
But it's definitely a non-zero number, that's for sure. I mean there are servers that haven't been patched in decades. I don't know, like, not particularly for like SharePoint but I mean in general there are, there are servers that, you know, sit there forgotten for years.
David Shipley
Yeah. And I can tell you where you're going to find them. They're going to be in municipal governments, they're going to be at state level in western countries and then it'll be national levels in the global south or other areas that can't afford the licensing costs for the most recent stuff. And some of these are exploits that apply to end of life software. So Microsoft's advice is first you got to upgrade to the supported software and then you can patch it. Well, what if you can't afford this upgraded software?
Jim Love
Well, to that hospitals and other places that. And not for profits and other vulnerable places that can't afford to, to.
David Shipley
Well, and, and actually speaking of hospitals, to bring this full circle, there's a very interesting and, and somewhat controversial research paper that dropped from the University of California, San Diego. What it is alleging is that during the CrowdStrike outage they observed 750 hospitals also went offline via an API specific to the healthcare industry. And so they made some pretty bold claims about the dramatic health impact of the CrowdStrike outage. Now, it's not without its critics. CrowdStrike in particular came out very vehemently saying it's irresponsible and the Journal of the American Medical Association, JAMA, should pull it because it didn't do things like actually interview the hospitals and say were you a CrowdStrike customer? And so there's some interesting challenges around that. It kind of brings full circle what the impact a year ago was. And we know there was an impact and whether that was critical on healthcare or not, just where you brought up hospitals and patch stuff and everything else.
Jim Love
I've watched a couple of stories about businesses that have gone under. The follow on story that people don't watch very often is, you know, a huge business in the UK went under about six months after a ransomware attack. They just folded. They couldn't. And that's the stuff we don't see. We see the explosion and we don't see the long term impact of it. Just to wrap up here because we've got, we're about the hour here. What are the stories you guys are following this month? What are you going to be watching for this month? Anton?
Antoine Levia
I've been watching Europe closely. Europe's doing a lot of interesting legal work and compliance on a lot of different fronts. The thing that's being talked about right now is private messaging. There was a lot of stalling around this for a few years now, but they're basically trying to bring a regulation that forces scanning of everyone's devices, preventing end to end encryption. The European Commission is still pushing for this, but the European Parliament is insisting that it should only apply to unencrypted messages. So this is a big privacy discussion that's happening in Europe right now. It's going to have a very wide reaching impact depending on what the outcome here is. And so I'll be watching that and then kind of within that same kind of adjacent to that. What I also noticed this week is that Denmark brought a law that basically says that all your likeness, so your appearance and voice and everything, is automatically copyrighted as your own. Which is a very positive law that's been brought here in Europe, but it's not on the European Union level.
Tammy Harper
So there's a lot of movement right now online regarding Scattered Spider and what they're up to specifically. There's been a few arrests around their gang and or actually their community. It's more of a community than a specific gang. And so I'm interested to see where this goes and who they end up affiliating with next because we've seen them do Qilin. We've seen them do DragonForce, so I want to see what happens next.
Jim Love
Wow. Yeah. And this is, you pointed out, Scattered Spider is really like a big co-op of some sort of. I don't know how else to describe it. It's there. They really are trying to get outreach to everybody, I think, and be that sort of link. They might be your successors to some of these other people who are dropping out now that their sites are getting killed. Yeah. David, what are you watching next week?
David Shipley
I'm watching over the next. Next month or so is, of course, the fallout from the WestJet breach. So for those following, WestJet was one of the airlines hit in June and their initial communications were fast, but they were lacking in detail. And then they put a release out July 18, saying, hey, we've done some more in depth forensics, like, which I get. This stuff takes time. They didn't kind of get into the scope of like, well, how many people's data got nicked. But don't worry your credit cards. I'm not worried about my credit card. My dudes, Visa, MasterCard, they got this like, stop. Stop telling me like, we're good. We didn't give your credit card away. Like, I'm good anyway from that. But what did you give away? Is my passport out there? Hey, other things. So you know how. How much you know and how you have it. Canada's privacy commissioner is investigating. I mean, which is about as scary as, like a talking to from the homeroom teacher because they're toothless and I'm not beating on them. They. They admit that as well. They can't actually do anything to you like Stern, sort of. You need to do better. What they should have is, here's your $5 million fine. And then the board goes, we need a better program for securing our stuff because we don't like paying $5 million fines. Crazy.
Antoine Levia
That's it. The fines need that. It doesn't make sense for you to not do the. The right thing is to do. I mean, apply this anywhere, even in Europe.
Jim Love
Some of the fines sound extreme, but they're the cost of doing business.
Antoine Levia
They need to be.
Jim Love
But in Canada, you could have a bake sale and pay a fine if.
David Shipley
We had them, pretty much. And the other thing to follow is, you know, what Anton's talking about in Europe is also, you know, we forget that the C-2 legislation here in Canada is trying to sneak in state surveillance, state regulation here in Canada. So the Crypto Wars version 3 are back. And for those kids, Gen Z sit around the fire, crypto before it meant making the monies meant encryption and the whole thing. You can go and look it up. Crypto War 1.0 as they wanted to cripple encryption and everything. So because protect the children. Canada tried to do this a few years ago under the Harper government. Again, protect the children. And what everyone forgets is that government agencies can't be trusted to A, not abuse the access and B, keep these secrets secret because EternalBlue, which was their Windows golden key into everybody's computer, they lost it to the Russians. Like, come on, like, if the NSA and the CIA can't keep these kinds of secrets, you think the Canadian government can? You think some other government can? No, like either you have encryption and security or you don't. And the don't ain't so good for all of us.
Jim Love
And we talk about, you know, move fast and break things legislation. I'm depressed about the fact that we don't develop legislation more quickly, but I'm watching just the number of stupid moves that people are making. The UK has done this thing and it's a wonderful thing, protect children. So what we're going to do is we make every website register people. They're going to put their picture and their identity and they're going to do that. Now some little website in the middle of England is going to have a group of women who may very well be not wanting their partners to find them or not wanting to give up this. We saw a huge site and it's hacked and people think that they're being private. We have to solve this. Safety encryption and safety of the people question and that at least that conversation is coming up now. And I'm happy that that's at least being raised.
David Shipley
So you can cut this if you want, Jim, but I think I'd be remiss if we didn't talk about Tea. And also because men can't be left out of anything technologically, Tea for men was also breached. So amazing. But for the love of God, vibe coding. Leaving your Amazon S3 or other buckets wide friggin open. Leaving driver's license.
Jim Love
David, when those S3 buckets open for.
David Shipley
Months years ago again, all this has happened before. All this will happen again. But telling people. And this is where I think I really got pissed about this story. Oh, you just upload your photo? We deleted after we verify it and then they didn't. Which goes back to your point about these age verification systems. The Texas Supreme Court means the Supreme Court and the state of Texas law this is now the law of the land increasingly in the United States. And what's going to happen, dear listeners, is it's going to get some people killed. Like we saw with the breach of Ashley Madison, when people's intimate information becomes breach regardless of your moral judgments one way or the other. By the way, most people on that site trying to cheat were talking to chatbots. Ironic, but. But is what it is. But, but there were people that took their own lives from that.
Jim Love
Yeah, and.
David Shipley
And this is going to have a not inconsequential account on that. So, you know, when we talk about the impact of these things, we often talk about the loss of reputation, businesses closing, money being stolen, North Korea's nuclear program getting billions from crypto. Sorry, Anton, I had to get that in there as well. But there's a body count too. And there are consequences to these modern day digital witch hunts. And it sucks the oxygen and resources out of other more pressing problems. And it creates an interesting balance of equities here that people think, oh, this is nothing but net. Good. And dear Canadian listeners, that lovely senator who introduced in our Senate the same idiocy legislation, but with claims of. We're not going to tell you how to figure it out technologically, but you must do it securely. FYI, you can. It's coming here too. Even though the UK tried to figure this out, abandon it, and then now screwed it up again. It's. Yeah, it's. It's consequences.
Jim Love
Yeah, we, well, and politicians who don't understand security is one of our biggest issues. I mean they just sadly not very smart.
David Shipley
And the worst part is they don't want to know. I've become convinced over the course of this time that like only if we provided them the education, they would magically create very policies. They don't care. We made a choice in our parliament to filibuster about car thefts versus making sure that our power plants, phone companies, banks and airlines stayed online because that was more popular this month.
Jim Love
I don't want you to hold back. I want you to tell us what you really think. Okay.
Antoine Levia
Yeah, in there.
Jim Love
That's our show. Thank you so much guys. And I'll. I think one of the things that I learned this month was this is supposed to be the dog days of summer. This is supposed to be slow news time. So I can't wait to see what happens when we get back in September. But I, I don't think so. August is going to be. Gonna be something. Thank you so much to my guest, Tammy Harper. Thank you very much, Anton Lavaya, thank you from Croatia. And David Shipley, our panel. And thanks to you, the listeners who are listening to this. If you've stayed this long, then we've either entertained you or you can't reach the off button, one of the two. But thanks for hanging out with us. You had other things you could have been doing with your time, and you spent it with us. And we thank you for it. I'm your host, Jim Love. Thanks a lot for listening.
Cybersecurity Today: Month In Review – August 9, 2025
Hosted by Jim Love
Introduction
In the August 9, 2025 episode of Cybersecurity Today, host Jim Love engages with his expert panel—David Shipley, Antoine Levia, and Tammy Harper—to dissect the most pressing cybersecurity issues of the month. The discussion spans significant legal battles, cybercrime enforcement actions, supply chain vulnerabilities, and the evolving role of AI in cybersecurity.
1. Landmark Lawsuits Shaping Cybersecurity
David Shipley opens the discussion by highlighting two monumental lawsuits from July that could redefine the cybersecurity landscape for the next decade: Delta vs. CrowdStrike and Clorox vs. Cognizant.
Delta vs. CrowdStrike: Marking the one-year anniversary of the CrowdStrike apocalypse, this case questions the reliability and liability clauses within cybersecurity service agreements. Shipley remarks, “Delta versus CrowdStrike could nullify that giant indemnity section that every software maker relies on” (03:50).
Clorox vs. Cognizant: Stemming from a massive ransomware attack allegedly orchestrated by Scattered Spider, Clorox accuses Cognizant, their outsourced IT help desk provider, of failing to adhere to identity verification processes. The lawsuit, valued at $380 million, asserts that Cognizant’s negligence allowed attackers to significantly escalate the breach. Shipley notes, “This is the ultimate in finger pointing” (04:18).
Jim Love emphasizes the broader implications of these lawsuits, suggesting potential upheavals in outsourcing contracts and liability clauses across the industry.
2. Enforcement Action: Seizure of the XSS Cybercrime Forum
Tammy Harper sheds light on a significant law enforcement success—the seizure of the notorious XSS website on July 22. XSS has been a pivotal hub in the cybercrime underground, facilitating the sale of malware, exploits, and initial access to infrastructures.
Key points include:
Financial Impact: At the time of seizure, XSS held approximately 55 Bitcoin (~5 million euros) in their escrow account.
Operational Tactics: Law enforcement redirected traffic to sinkholes, effectively neutralizing the platform's operations.
Community Response: Speculation arose that XSS might now operate as a honeypot, a decoy managed by authorities to trap criminals.
Harper states, “This is going to be a huge break and we're going to see a lot more chain arrests and seizures coming from this” (16:50).
David Shipley adds, “The destruction of trust is key here,” emphasizing the difficulty in rebuilding the network effects once established by such prominent forums (17:00).
3. Supply Chain Vulnerabilities: NPM Ecosystem Breach
Antoine Levia discusses recent supply chain attacks affecting the NPM ecosystem, where compromised packages with millions of weekly downloads were utilized to distribute malware. The breach involved unauthorized access to GitHub repositories, allowing attackers to inject malicious code into widely used packages.
Attack Mechanics: Exploiting GitHub Actions to gain arbitrary code execution and access to NPM tokens.
Mitigation Challenges: The difficulty in thoroughly reviewing third-party code leads to persistent vulnerabilities.
Levia advises, “If you haven't verified the code for yourself, you shouldn't trust it blindly” (10:30).
Jim Love underscores the complexity of addressing such vulnerabilities, drawing parallels to the challenges faced in other critical software implementations.
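As an added example (not code from the episode, from the panel, or from any of the affected npm projects), here is one common way a GitHub Actions workflow hands a publish-capable npm token to untrusted code, beside a hardened layout. The `pull_request_target` pattern is an assumption about the mechanism; the summary only says Actions was exploited for code execution and access to npm tokens. The workflow names, the `NPM_TOKEN` secret and the `npm-publish` environment are illustrative.

```yaml
# --- .github/workflows/ci-vulnerable.yml (assumed weak pattern; do NOT use) ---
name: ci-on-pr
on:
  pull_request_target:          # runs in the BASE repo's context: secrets are available even for fork PRs
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out attacker-controlled code
      - uses: actions/setup-node@v4
      - run: npm install          # runs the PR's package.json lifecycle scripts (preinstall/postinstall)
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # publish-capable token now readable by that script
      - run: npm test
---
# --- .github/workflows/ci.yml (hardened: untrusted code never sees a publish token) ---
name: ci-on-pr
on:
  pull_request:                 # fork PRs get no repository secrets and a read-only GITHUB_TOKEN
permissions:
  contents: read                # least privilege for the job token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # in production, pin to a full commit SHA rather than a movable tag
      - uses: actions/setup-node@v4
      - run: npm ci --ignore-scripts       # exact lockfile versions; no dependency lifecycle scripts run
      - run: npm test
---
# --- .github/workflows/publish.yml (only path that holds the token) ---
name: publish
on:
  push:
    tags: ['v*']                # publish only from a tag maintainers push, never from PR-triggered runs
permissions:
  contents: read
  id-token: write               # needed for npm provenance attestation
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish    # protected environment: token lives here, with required reviewers
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org   # writes an .npmrc that reads NODE_AUTH_TOKEN
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The split matters more than any single flag: once a job that executes PR-supplied code has ever held the token, assume it is stolen and rotate it. `--ignore-scripts` blocks the `postinstall` hook a compromised dependency uses to run, but it also disables legitimate build scripts, so packages with native addons need a separately vetted build step.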
4. The Role of AI in Software Development and Security
The panel delves into the intersection of AI and cybersecurity, particularly focusing on AI-generated code and its associated vulnerabilities.
AI-Generated Code Risks: A study highlighted that 45% of AI-generated code contains OWASP Top 10 vulnerabilities.
Development Practices: Emphasis on ring deployments—deploying changes in phased waves to detect and mitigate issues early.
Levia and Love criticize the overreliance on AI without proper safeguards: “Move fast and break things” has been a problematic mantra in software development, leading to significant security oversights, and Levia proposes “move thoughtfully and improve things” instead (34:24).
Levia expresses skepticism towards AI’s current capabilities in code review: “I don't trust an AI yet.” (33:03).
Jim Love advocates for meticulous testing before deploying AI tools in production environments, likening it to the cautious approach one would take with autonomous vehicles.
5. SharePoint Pocalypse and Its Aftermath
A critical vulnerability in Microsoft SharePoint led to widespread exploitation of on-prem servers, dubbed the SharePoint Pocalypse. Shipley argues the incident reflects Microsoft's underinvestment in on-prem products as it pushes customers to the cloud and diverts budget to AI projects.
Vulnerability Exploitation: Unpatched on-prem SharePoint servers, especially in municipal and state governments, critical infrastructure, and organizations running end-of-life versions that must upgrade before they can patch, remain at risk. The number still unpatched is unknown but, as the panel puts it, not zero.
Patch Failure and Possible Leak: Microsoft's initial patch did not work, and the company is investigating whether word of the fix leaked from a trusted disclosure community ahead of release, which may explain the sudden wave of exploitation Harper observed.
Zero-day vs. N-day: Harper notes the bug became an N-day once a CVE and a patch were public; Shipley adds that a patch that fails leaves defenders in an in-between state the usual vocabulary does not cover.
Shipley connects this to broader issues of business decisions affecting cybersecurity: “This goes back to business choices and it's been interesting to see how that played out” (47:14).
Harper observes the tactical responses from threat actors, noting how exploit chatter transitioned to active attacks (42:29).
6. Future Outlook and Upcoming Stories
The panel identifies several key areas to monitor in the coming month:
Legal and Compliance Developments in Europe: Discussions around regulating private messaging services and the implications for end-to-end encryption.
Cybercrime Dynamics: Ongoing activities and legal actions against groups like Scattered Spider, with potential shifts in their operational strategies.
Corporate and Governmental Vulnerabilities: Continued focus on breaches affecting critical sectors, exemplified by the WestJet breach (one of the airlines hit in June) and the limited enforcement powers of Canada's privacy commissioner, as well as the long-term impact on healthcare raised by the disputed UC San Diego study of the CrowdStrike outage.
Antoine Levia highlights new privacy laws in Denmark that automatically copyright individual likenesses, marking significant progress in personal data protection (50:26).
Jim Love reflects on the cyclical nature of technology adoption and the persistent challenges of implementing robust security measures amidst evolving threats.
Notable Quotes
David Shipley: “The destruction of trust is key here” (17:00).
Tammy Harper: “Lawyers are really, really crafty and there's just going to be another way around and like exempting themselves with liability” (08:22).
Antoine Levia: “If you haven't verified the code for yourself, you shouldn't trust it blindly” (10:30).
Jim Love: “This is not an AI problem. This is the same stupid way we implement software” (36:15).
Conclusion
The August episode of Cybersecurity Today offers a comprehensive analysis of the multifaceted challenges in the cybersecurity realm, from high-stakes legal disputes and aggressive law enforcement actions against cybercrime to the intricate vulnerabilities inherent in supply chains and the contentious integration of AI in software development. As the landscape continues to evolve, the panel underscores the imperative for informed decision-making, robust security practices, and proactive regulatory frameworks to navigate the increasingly perilous digital environment.
Stay tuned for next month's episode as the panel continues to unravel the complexities of cybersecurity in an ever-changing threat landscape.