Poisoned at the source. [OMITB]

A

You're listening to the Cyberwire Network, powered by N2K. Okay, guys, we've had a whole month to plan our next cold open for the show. What have you come up with?

B

All right, picture this.

C

Where brave knights armored to the teeth, marching through the server room dungeon. And there's a massive malware dragon. It breathes fire, spews corrupted files, and only we can save the mainframe.

D

And I'm swinging a sword made of pure antivirus code. Every swipe deletes a Trojan. Instantly the dragon's hoard, a mountain of lost passwords and encrypted files.

A

No, absolutely not. We are not pretending to be knights.

B

Okay, what do you got then?

A

I'm so glad you asked, Dave. How about space astronauts on a mission to repair the intergalactic network core. Fishing meteors flying at us, Ransomware black holes and cosmic AI trying to trick us into clicking links.

B

Space is cool, but this isn't T minus daily.

D

T minus.

B

And we'd need a bigger budget for rocket noises.

D

Yeah, plus I get motion sickness just thinking about zero gravity. What about a zombie apocalypse in the server room? Hackers have unleashed malware zombies and we're the IT fighting them off with USB stakes and antivirus potions.

A

Yeah, every zombie could be a corrupted file. And I'm crafting a firewall barrier with my keyboard when a zombie bites a server.

B

Boom.

A

It's quarantined instantly. There's suspense, drama, maybe even a slow motion delete scene.

B

Come on, guys. No. We can't be zombies. It's not even Halloween.

C

Medieval wizards dueling with ransomware spells.

D

No.

A

Underwater divers finding a malware octopus.

B

This is hopeless.

D

We hate everyone's ideas.

A

Seems that way.

B

Great. Well, maybe we just don't have a cold open this time.

A

What, like we just sit here and talk about not having one?

B

Wait a second. What if this us arguing about the script, is the script?

A

Oh, my gosh. We're literally writing it as we're reading it.

D

A cold open about not having a cold open. It's genius.

B

Perfect.

C

Keyboard clacking, pen scratching, awkward silence. It's all there.

A

Fine. Let's roll with it. Cue the music. Hello to all our listeners. You are listening to Only Malware in the Building. I am your host, Selena, here with Dave and Keith. And first of all, Happy New Year. We're back. It's January 2026. New malware, new hacks, new fun to be had. How are you guys doing?

D

Doing great. Happy New Year to you guys, too. Great to see you again.

B

Happy New Year. I'm still going to be writing 2025 on all my checks for the next couple months at least.

A

You still use checks?

B

No, actually I don't write checks. But what I do is when I announce the date for the Cyberwire Daily, every day takes me about a week to switch over from 2025 to 2026. And so I get notes from our editors that are like, Dave, it's 2026. Can you rerecord that please?

A

I also have this problem when doing campaign data. I always forget to change the titles of campaigns to 2026 the next year.

B

The other thing I end up doing is just for the audio editors. I'll just create a file that's me saying 2026 in a bunch of different ways so they can edit it in wherever needed. So I'll just say 2026-2026-2026-2026, 2026, 2026. So they can choose whichever version to correct me and then they don't have to come back and bother me.

D

That is genius, Dave. Genius.

B

That's not my first rodeo.

A

Someone is a professional podcaster.

B

Well, I'm also self aware of my own limitations so I try to not let my shortcomings affect the rest of the staff. So I try to anticipate their needs.

A

Well, you have the whole package, Dave. And you know, I. I think that since it is 2026, brand new year, we should think about maybe what a big year for 2025 supply chain compromise was.

D

You know, last episode we talked about diversion of cargo. So that's kind of like supplies and all that. And it just always seems every year around the holidays there is some kind of big supply chain compromise, whether solar winds a couple years ago, move it vulnerability. And this year, just right before the holidays, you know, we had the big F5 compromise. So I just thought we can talk about supply chain and you know, really how more prevalent we're seeing that and just some things that our listeners should be thinking about regarding the evolution of tactics by the adversaries. So you know, the F5 breach, if you're not familiar by this time, you know it really, you know, they F5 said they learned about it in August of 2025 that a highly sophisticated nation state had long term, you know, persistent access to parts of their environment, including the big IP product development systems. So very similar, if you're thinking about, you know, going after that source code, that product development, very similar to what we saw the Russians do with SolarWinds just couple years ago. And what was Taking were portions of big IPs, source code, internal vulnerability details, including like issues not publicly disclosed. And you know, they, they were attributing this attack to Chinese nation state actors. So where SolarWinds was, Russia, now we have, you know, the other big nation state adversary kind of copying that saying, hey look, you know, we can kind of do the same thing. We can get long term persistent access and get in there and kind of see what things we're doing. And instead of trying to hack each company individually, now we get into that supply chain and now we have access to hundreds of different, you know, companies that are out there. So it was just another fascinating story that I wanted to talk about with you guys today just because we're seeing more and more of this, you know, over, over the years.

B

So just to put a fine point on that and clarify the, the, the message, the, the, the tactics that are happening here, this is as if, let's say I wanted to ruin the flavor of every brand of soda in the United States, right? I just wanted to make them all taste like vinegar or change the flavor of a dip. Dave. Oh, let's not go too far here. Let's not be hasty. So one way to do that would be to get into Coca Cola and poison their soda, to get into Pepsi and poison their soda, to get into RC and poison their soda. Or I could get into the company that makes all of the bottles and put some sort of flavoring in the bottle before it even gets to all of those manufacturers. So that's the supply chain, right? It's the, it's the suppliers to the providers getting into that line before several, maybe even several steps before it's ready to be shipped off to us. Do I have that right?

D

You're spot on on that. And you know, so when you think about like getting into the software and then that software is being used by hundreds of companies out there now, you know, you have that back door in there. Those applications have been whitelisted by, you know, all of the security teams. So when they see, you know, this software that's legit, that they have purchased the license, calling out to certain things, that is not nefarious activity. That's just the behavior of that application. So when a threat actor can get into that source code, they're really able to live off the land and be hidden from network defenders.

A

Well, and I think it's interesting too because they did steal the source code that was part of the overall campaign. And even though there's still sort of unclear what the overall Fallout of this is I think that it's interesting that they could potentially theoretically operationalize that in some way. Right. Like they could find potentially vulnerabilities within the code itself that the organization might not be aware of to further develop attacks. But I think, you know, this just continues to highlight that threat actors are targeting the tools and resources that enterprises are using every single day, as opposed to going after, like, individual enterprises, you know, targeting the supply chain, especially you know, when it comes to organizations that are having things publicly exposed. Right. You know, like. Like a lot of these things that. That also might not necessarily be aware of, that they're going to be like, externally facing or some older pieces of equipment that they don't really realize are running this type of software. So I think there's a lot of potential risk. Every time we read about a new supply chain attack, it's just like, okay, well, this was like one incident. But what is the potential fallout? Like, how. How could threat actors operationalize the information that they got or the access that they got? Like, further down the road?

B

You know, I'm reminded of a public service campaign that ran probably when Keith and I were teenagers. So, Selena, you hadn't been born yet. And of course, this was during the AIDS pandemic and that terrible tragedy. And there was a campaign that basically said, I try to keep it family friendly. Basically said, every person you've been intimate with, it's the same as being intimate with every person they've been intimate with. Right. And of how things can spread. And I think about that with supply chain vulnerabilities, particularly when we're talking about things like open source software, where we have these building blocks, these components, these things that they just work. People know they just work. So they plug them into their software. It could be a printer driver, it could be whatever. And people don't think about them, they're just there. They're benign, they've worked forever. But if somebody can get into one of those and secretly add something, just the breadth of things that they can get into is really kind of chilling.

D

Yeah. And I mean, you mentioned like, those type of, like, printers and routers. And, you know, that's one of the techniques that we're really seeing these adversaries use, like Volt, Typhoon and some of the other sophisticated APT groups where they're not necessarily going in on a piece of malware that, you know, that they're delivering through a phish, but they're getting up on a router, they're getting up on another device, they're just sucking down the passwords and seeing that stuff. And then they could go in through legitimate access so that they're not raising the flag. So you know, because you know, you're not having, you know, endpoint detection on a router. You're not, you know, on a, on a printer. You know, so these are different places that we're seeing the adversaries kind of hide because that is there are no security tools and people aren't monitoring those like you are, you know, your desktop or something or you know, another server for the activity. So we're really kind of seeing them pivot to those type of devices.

A

You know, one thing I was actually a little surprised that we don't see more of. Do you guys remember the XZ Utils backdoor in the open source data compression utility from was it last year? I think. But basically somebody put in a backdoor on XZ Utils and it would have just been like widely distributed if some guy from Microsoft just like found it.

B

Right, right. It was just luck. Yeah.

A

And I think that's so interesting because I'm like, how, how much more does this happen that we just are not aware of it or like, or, or is it being caught and it just doesn't happen that often. But I was kind of expecting like, I remember last year when we're doing like predictions or whatever, I was anticipating that we would potentially see more of that in 2025 and into 2026. So you know, maybe that's another avenue of supply chain disruption that that might, you know, continue or we'll see more of. I was a little surprised that we didn't, we don't hear more stories about that type of, of, of backdoor.

D

Yeah. And one of the things that we're seeing, and I think one of the other keys here is that, you know, these supply chain attacks aren't just limited to sophisticated nation state actors. You know, we're seeing a lot of E crime groups. A great example was the Kaseya ransomware attack that Revil did a couple years ago where they were able to get in there and then push out ransomware to say as vendors. And one of the things that we're seeing at Q Intel that's very interesting that I want to share with everybody today is this malware called triada. It's Chinese based. And what we're really seeing them do is they're, they're backdooring these Android firmware in China. So counterfeits phones, other types of Android based devices that are sold on Amazon and ship. So these could be high end counterfeit phones or just other types of Android based where they're having suppliers insert this right into the firmware that makes it very difficult to be detected. It's not in the Google Play store or anything like that. But your, you're purchasing an Android phone on Amazon that's coming from China and it's backdoored. And some of the types of things that this malware is doing is they could read the communications, they could read your text messages. These devices are being used for proxies so that criminals can bounce through these devices, whether it be your phone or maybe it's your tv, your, your Android TV or Google TV that has that firmware in it. It's really prevalent in our visibility. We saw as of just a couple days ago when I looked at our collection, 85 million devices worldwide. So you think 85 million devices worldwide that are compromised from a supply chain standpoint with this compromised firmware, you know, right at the, right at the beginning. So the breadth of these things aren't just limited to apt groups, but criminals groups are getting very sophisticated at this as well.

A

Stick around after the break.

C

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core Threat Locker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are allowlisting, Ring fencing and network control. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network control locks down access by port, source, IP or dynamically with ACLs that automatically update as IP addresses change, shut out cybercriminals with world class endpoint protection from Threat Locker. And we thank threatlocker for sponsoring only malware in the building.

B

How much of this is about trust? You know, it seems to me like at some point there are things in our lives that we simply trust that they are going to be the way they're described. You know, you go to the pharmacy and you buy a bottle of aspirin, you trust that there are enough things in place, enough checks and balances in place that there's not gonna be anything in that bottle of aspirin that would do you any harm. But I think even today some of the things like we buy stuff through Amazon and Amazon has a huge counterfeiting problem. You know, like things like Drill Batteries, you know, like cordless drill batteries that have all the labeling that looks like the authentic thing, but they're not and they could catch fire or they could or simply not perform as well as you want them to perform. Do you suppose that people are becoming a little more wary of things and inserting more verification into their day to day rather than simply trusting?

D

I think when I buy something on Amazon, I trust it. And I think that's the thing right now. The everyday average person, if they're going to buy an electronic device off of Amazon, they're thinking, hey, I'm getting, I'm getting a legitimate product. They're not necessarily thinking that this could be a counterfeit device and backdoor. So you know, because it's manufactured over in China, they're not thinking that way. So, so I think we're, we're a very trusting society. When, like when you said when you go to the store and you buy that good, you're not thinking, you know, I mean, I don't even have like one thought when I go and buy something that this is, this is counterfeit and this is backdoored. I'm like, my brain's not even thinking that. And that's where these threat actors, you know, they, they really prey on that trust. And that's, that's really the key.

A

I think too that, you know, if you're asking are we just too trusting, I think even within, not just from a consumer perspective, but even within the enterprise, I would say the answer is yes. Because you know, we've seen many, many years of supply chain compromises. We've seen even just, you know, in 2025 you already mentioned the F5. I think clop exploiting vulnerabilities in Oracle EBS was another example of that. You know, using zero day vulnerabilities. There's just been many, many examples of threat actors successfully compromising third parties to enable access. Certainly the Salesforce breach was another good example of that. And yet at the same time you have organizations increasingly incorporating AI tools and these chatbots and these corporate third party pieces of software applications, chatbots, whatever, what have you into their workflows. And I think that kind of in the same way that the moving to cloud opened up an entirely new attack surface for threat actors to be able to exploit. And we saw them do it very successfully. And we're finally in this era of okay, we have, we have cloud best practices, we've locked down our cloud infrastructure, so let's open a new threat vector.

B

Yeah, we can't leave well enough.

A

Yeah, let's just bolt on more stuff. And I think, you know, I think it's really interesting because, like, have we learned, like, is, is this, you know, like, like, are we making sure that organizations are doing best practices and understanding the risk before adopting new tools into the, into the enterprise and third parties that are may or may not be vetted and verified? I think with this huge surge of AI, there's tons of AI tools that are out there, and it's like, okay, are we incorporating these into our organizations in a way that is secure first and productive second? And I'm not sure that the answer would be yes for every organization right now.

D

Yeah, and I think too, when you're thinking about, like, software development, you know, there's a lot of shared code that's out there, you know, on GitHub where they're just, hey, I need to solve this. Let me go on git and let me see what's out there. Let me just pull that down. And I'm going to incorporate that right into my product. Because the software developers aren't necessarily thinking from a cybersecurity standpoint. They have a job to do is like, hey, you know, I have to develop this product and this is what it needs to do. And, you know, I got to write that. So from utilizing AI to write software that maybe there's bad things that could be poisoned into that to just pulling down things, that's a poison repository on Git. So, yeah, it's just, you got to really get that security by design, so to speak, really into that product development and making sure that they understand the threats that are out there.

B

What about SBOMs software, bills of material? I mean, how does that play into with the transparency of basically having like, you have a list of ingredients on the box of Pop Tarts that you buy, that software has to have that bill of materials as well.

D

When you're developing that software, you gotta have segmentation. You gotta verify updates using SBoM. You gotta be verifying signatures and what you can. If you can kind of reduce any kind of like a blast radius of, you know, if something's bad here, it's not going to destroy everything, you know, as well. Yes, my thoughts. I'm not a software designer, so I'm not the best on that.

A

So I do think SBOM is a very interesting. It's very interesting in theory. I think in practice it hasn't fully, like, gotten adopted to the point where it's actually incorporated. Because first of all, like, how many organizations even know what's in their network. Like, I think that, you know, some of them do it very well. Right. It's just there's a wide variety of maturity within the enterprise. And to say, oh yes, this, you know, the calorie count or the, you know, the Campbell soup label for my, my software or hardware will save me. Like, I don't think, I think that, yeah, you can put a sticker on it and say that you should be mindful about this, but it just sort of adds an additional layer of, okay, this is yet another box I have to tick. So it's, it's part like, I think it's in part due to the integrators and the supply chain entities to be able to make sure that they're making it easily, effectively communicating when things need to be updated, providing patches and being very transparent with why and how they're incorporating upgrades, and then also making sure that the default installation of a lot of these things isn't just like admin privileges everywhere. So it's not just the software and the firmware itself, but it's also how is it being deployed within the enterprise. And there are some things like where in industrial control systems, things like that, just the same, very, very old, old, old equipment just can't be updated. And so there it's like, okay, what measures can we take to have defense in depth? Are we air gapping? Are we, you know, ensuring that we have a DMZ and we're properly segmented? Like what, what steps can we take to sort of like to Keith's point, if something does explode, we're limiting the impact and the blast radius as much as possible. But I think, you know that we, we mentioned like open source a couple of times, like these tools, they're maintained by a handful of people who are doing this out of the good of their hearts. And what we see a lot of times with some of these supply chain compromises is that it's because there is something that is happening in open source software that was found by a volunteer or just some guy who was like, I'm just going to look at this code and is like, wait a second, this is really weird. And so you have this constant push and pull between, okay, these are, these are where some of these like really important flaws are being used. We have millions of companies that are relying on this software in their environments and it's being maintained by a guy in Nebraska.

D

The good thing is that we have those white hats that are doing that. You know that there are these people that are, you Know, policing, you know, the Internet and providing their knowledge. But the bad thing about that is that it's just like it's these couple people that are, that are doing that. And there's not like this organization or something that's a little bit more organized, you know, around that, that policing.

B

Well, so here's what I. Here's what I wonder when we talk about things like the S BOMs the software builds the material, and that being a requirement of the federal government, right. Like, if you want to do business with us, we're gonna require that you fill out these forms and tell us what's in your stuff. And it kind of leads me to the old chestnut about, you know, the $75 hammer that the army buys, you know, and I mean, that's funny. But if you dig down and you see, you know, why does the hammer cost $75? Sometimes it's because it has to meet a whole lot of very specific requirements. And so what I wonder is, could there be a similar thing with software where the federal government, for example, says, yeah, we're not going to accept anything that's using an open source component that's maintained by one guy in North Dakota. Like, you got to prove it. And so in order to prove it that it's secure, it's going to cost a lot more and maybe the feds can afford it. But to what degree does a regulatory environment save us from these sorts of vulnerabilities? And at what point are we over regulating past the point of being imbalanced with the risk we're willing to take on?

D

Well, I mean, I think from a government standpoint, I could see them verify, you know, making sure that things are verified and, you know, and all of that in just the commercial realm, that is just so, you know, such overreach that, that would, you know, stifle development, you know, in certain things, I think, because speed is really the essence on a lot of developments. And so to have somebody review everything and verify everything as another entity like, like that, I just think, you know, you're saying, okay, well company A right now can't release this until this is reviewed by this other. So I just don't see the practicality of that in the commercial realm. Selena, your thoughts?

A

Well, I think that there is so much of our world that is supported by open source software and that the maintainers are not given the pay, recognition or support that they deserve. And I think that basically saying, well, we can't, you can't work with us if you're using these like open source packages or whatever is just never going to happen because you know every, every company is using it. I don't. Do you guys remember log 4j? This was like oh yeah, years ago.

D

That was another, I think that was another holiday supply chain type compromise.

A

Yeah, yeah. I was like, it's been 84 years and everyone is so, everyone was so mad. And there was this guy like this guy was interviewed and he's like, I have been awake for 35 hours. I have been trying to fix this. I am but one man. You know, there was like a few people that were working on it, but like log4j everyone was using it and then people were like, hold on a second. Is software just like really just maintained by this like handful of people and this like one person who's not as full time job is in charge of like fixing this massive issue. And so I think that, you know, if we're talking about issues of the supply chain, I also think you have to talk about like ethical business practices and support of open source software and the community that's building and supporting all of these things because it could be very, very, very thankless. And especially when, you know, some of these supply chains compromises are based on these open source tools, there can be like tremendous backlash to these people that are really just doing this because they believe in open source software. And you know, I do think there should be more responsibility on companies that are using it to actually pay and support a lot of these efforts. So it's, it's an interesting sort of, interesting sort of problem. But of course it's a lot different when it's like a private company that's a third party that gets, you know, that has some sort of cyber attack impacting them and then their customers are getting, are getting impacted in the fallout by that because then you do have like additional resources to be able to support and maintain that. So it's a little bit different. But yeah, I think the, I think the, oh my gosh, open source supply chain is a really interesting topic.

D

Yeah, I mean that's, yeah, that's, that's probably a whole nother podcast. I mean because you know, when you're just thinking about, you know, there's so much open source components that are out there that could be exploited to really deliver a large scale attack. I mean, you know, from, from penetrating into there so it can get really get deeply embedded into the software environment as well.

B

Well, let me come at it from a different direction because you know, you say that'll never happen like we will never get rid of open source software because of costs and all that sort of thing. Can we imagine a big enough breach, a big enough disruption to our way of lives that would trigger that sort of change?

D

I don't know. I think it's just going to be, you got to just start verifying certain things before we release things. The company itself that's going to be affected by it is going to be a little bit gun shy and then it's going to be a little bit more diligent at reviewing the software before it's going out and tested it in the dev environment. But I just don't, I don't see that happening unless you're really affected.

A

I think that if that does happen, I will be so curious to see what actually is the straw that breaks the camel's back. Because I would have thought it would have happened by now, frankly, even if we're not even just supply chain. But if we're thinking about from the ransomware perspective, I oftentimes think of the Ohio river fire that really pushed forward the environmental protection. And so there was this big event that caused a lot of people to care about this, that introduced legislation and the EPA and there was like a lot of environmental support built off of a very serious, horrible thing that happened. And I often think, like, okay, we've had ransomware attacks hitting hospitals, we've had ransomware attacks disrupting pipelines. We've had, you know, supply chain compromises that have really crippled a lot of entities. We've had not even cyber attacks, but outages of maintenance, core components of the Internet that take down a lot of businesses. And there hasn't necessarily been this moment that's like, okay, we have to solve this problem in the same way that something like the Ohio river fire or seatbelts in cars have, have had. And so I think that, and I don't know if it's because people think of like, oh, well, cyber is just like, different. It's not, you know, it's not safety, it's not health care. It's, you know, it's not something else. But I've had multiple times in my career where I'm like, okay, this is the moment that's gonna change things.

B

You know, like if airplanes started falling out of the sky or the lights went off for more than, you know, a flicker, I could see that getting people's attention. I mean, we saw it when, with the gas pumps being turned off, you know, like, that was.

D

Yeah, yeah, I thought that would get.

B

More attention than it did, but people move on.

D

And I think though, that for the most part, cyber criminals and even APT actors, they're trying to avoid those type of things. Cyber criminals, at the end of the day, they want their money. You know, when we had, you know, that cyber criminals that hit the colonial pipeline, they were like, oops, sorry about that. We didn't mean the way, you know, the sleeping giant, you know, we'll just kind of back out of this here, you know, from an APT group, you know, they don't want to cause any kind of damage because, you know, they would think that maybe the US would do a retaliatory attack, you know, so if, you know, if the Russians or Chinese are in our power grid, you kind of hope that the, you know, our US components are in their power grid too. So there's a little bit of that, you know, back and forth that, hey, we don't, we don't want to escalate things. So, so for the most part, when we're looking at these supply chain attacks, it is financial or for an espionage standpoint, and it doesn't harm anybody from a physical standpoint, like, you know, the, you know, the, the fires or, you know, the, the pintos blowing up or, you know, things like that. So, so it is a little bit different. So I don't think that there will necessarily be some, you know, big event that would spur like a total lockdown on things. My opinion.

B

I think there might be. I don't know what it is, but.

D

I hope not too.

B

Yeah, but I think it could. We just don't know, you know, I guess what I worry is that society is a little more fragile than we like to think it is, that the breakdown could come more quickly and everything's fine right up until the moment that it isn't. Again, I hope I'm wrong, I hope I'm overthinking it, but you just turn off the electricity for an extended period of time, especially in the wintertime. That is a major stressor. So we'll see.

A

I mean, I hope you are not manifesting a 2026 prediction, Dave.

D

Exactly as we're in January right now talking about the heat for ch. Yeah. From these events, hopefully our defenders learn, you know, from these. And we evolve and we, and we become safer. You know, we've talked a lot about the negative aspects of all this stuff. A bit with, you know, each thing that, that we discover on this, we also learn and hope to make ourselves stronger and be a little bit more of a hardened target or deterrent to Some of these threat actors where then they have to then pivot their, you know, ttps as well for their next thing. So we do learn and we do get a little bit more resilience. You know, we could always be better but we do, you know, are able to strengthen ourselves based off of this stuff.

A

Yeah. And I think, you know, if thinking about the supply chain and I am hopeful that because of what we have learned from supply chain compromises, from cloud compromises, that we are thinking about risk and resilience when we're incorporating third party applications, especially when it comes to AI enabled things. You guys know how I feel about that. But I do, you know, I do hope that that that is the most critical component is no matter what you're integrating into your environment, you need to know what it is, how it's supported and who has access to it because and what access you're granting, whatever the application software firmware is too. So, you know, I' hopeful that you know, we can like to Guy's point, we can learn from these and I am curious to see if there is ever anything that, that comes down from on high that forces a little bit more resilience than currently happens.

D

I, I know the vendor, the vendor questionnaire profiles out right now are they are learning from things because they, you know, being a vendor obviously working for Q Intel, we have to fill those things out and they are burdensome. I really do hate those vendor profiles, you know, but, but you can see that, you know, just from the questions that are being asked right now. They have learned from that. They're probing about, you know, what is the software have access to. They're trying to limit their blast radius and you know, you know, what are the vet, what does the vendor have access to, you know, in the environment. So, so I do think we are progressing from that. And you know, and, and if you're not using, as much as I hate them, if you're not using a vendor profile third party questionnaire, you absolutely need to be doing that in your environment to understand what your vendors have access to.

A

We will be right back after this quick break.

B

Are we all in agreement that AI is not going to save us in this particular case?

A

Absolutely not.

B

Expressed your opinion?

A

No.

B

So we can't just throw AI at all the open source software and say hey, check and make sure this is secure. That's not going to do it.

A

I've actually seen people already complain about this exact problem where there's like AI vuln discovery looking at open source things and then just Dumping, here's all the things I found. No additional context. So, yeah, I don't think that it's going to be. There is always, always, always, always going to need to be a human in the loop no matter what. So, no, I do not. I do not think AI will be our savior. Although I am kind of curious if there are opportunities for AI to, like, potentially alert on these things so humans can deal with them.

D

I think we have to use AI really as an extension to what we're already doing. You know what I mean? To use it as a tool.

A

It.

D

To be a crutch to do our work for us. But to say, hey, I'm already doing this, how could AI kind of empower me and do things quicker for me or, you know, or scale faster? Not necessarily just to do everything. I think, you know, we were just talking about this AI today and we were talking about, well, right now, you know, we, you know, our software engineers or even us for what we're using AI for. We already know how to do the job and we use AI to kind of help us, but in five years from now, you know, so AI is learning from us that. That actually know how to do it. But in five years from now, what is AI learning from AI when they're doing, you know, it. That. So these are going to be questions going forward, for sure. We may. We may need to do a whole episode on AI here soon.

A

No, no. This makes me so sad. I like human beings.

B

All right, well, Happy New Year. All right, shall we wrap it up there? I think we've covered a lot here today.

D

Absolutely. But Happy New Year, everyone. It's great to see you again this side of the new year.

A

Absolutely. We have a lot more fun things coming and planned, so stay tuned. Yeah, thanks. And Dave, Keith, great to see you guys.

B

Great to see you, too. Happy New Year. And looking forward to everything good that's to come this year. We'll see you guys soon.

A

And that's only malware in the building. Brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, Mixing and sound design by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher.

C

Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. For sponsoring only malware in the building, visit threatlocker. Com.