Risky Business #813 -- FFmpeg has a point - Risky Business

Summary8 min read

Risky Business #813 – FFmpeg Has a Point
Release Date: November 5, 2025
Host: Patrick Gray
Guest: Adam Boileau

Episode Overview

This week’s Risky Business dives into the evolving challenges of vulnerability disclosure in open-source projects—spotlighting the recent AI-fueled fuzzing drama between Google and the FFmpeg project. Patrick Gray and Adam Boileau discuss not only the cultural tensions at play, but also the implications for AI in security testing, vulnerability management, and the future of SAST and bug bounties. The episode wraps up with news on malicious insiders, cyber-enabled freight theft, the latest developments in malware law enforcement, and insights into vulnerability triage and remediation with Scott Kufa from Nucleus Security.

Key Discussion Points & Insights

1. The FFmpeg Disclosure Drama (00:00–12:58)

Background: Google’s DeepMind found and reported bugs in FFmpeg, leading to FFmpeg pushing back—requesting patches rather than just reports.
Open Source & Security Culture Clash:
- Adam observes the tensions:
  “Other projects just … are there for community, they have other priorities … interacting with the modern security research community … probably could be a little frustrating.” (02:24)
- Patrick’s take: “If you want to do security research that's helpful, just grabbing a bunch of bugs out of an AI model and dumping them onto busy people who don’t get paid to fix them I think is just not helpful.” (04:39)
Debate on Responsibilities: Should big players like Google be expected to do more than just report bugs to resource-strapped projects?
On Rigid Disclosure Timelines:
- Adam: “If you show up and start making demands, then that’s just kind of rude. And these communities are ultimately about good neighborliness, right?” (06:08)
- Patrick: “Giving FFmpeg the same disclosure terms as Fortinet … just feels a little bit dumb.” (08:38)
Notable Quote:
- “The current drama is plucky security researcher Google takes on volunteer open source behemoth ffmpeg.” (Patrick, quoting Grok, 08:38)
Positive Example:
- Rob Graham patches the bug himself—Patrick calls this “the boss move” (11:53).

2. AI’s Disruption in Security Testing (12:04–22:53)

OpenAI’s ‘Aardvark’:
- OpenAI introduces a reasoning-driven AI agent for vulnerability discovery, reportedly more collaborative with projects than Google’s approach.
- Patrick quotes OpenAI’s disclosure policy: “We recently updated our outbound coordinated disclosure policy which takes a developer friendly stance focused on collaboration and scalable impact rather than rigid disclosure timelines …” (14:51)
SAST is ‘Over’?:
- Both hosts discuss the diminishing value proposition for static analysis tools compared to AI-driven bug discovery.
- Patrick relays an industry founder’s verdict:
  “He’s like, I’m not going to bother trying to raise or build anything around this because it took me a couple days … existing models … worked so unbelievably well … SAST is over.” (13:55)
Bug Bounties Threatened by AI:
- Recent Bugcrowd acquisition of Mayhem Security prompts reflections on the existential risk to bounty platforms.
- “Most of bug bounties ... is, I mean, a lot of it ... labor arbitrage ... and AI does scale.” (Patrick, 18:03)
Wild AI Valuations and Shortcomings:
- Both hosts share skepticism about current overhype despite clear real-world impact (“AI shares are at infinity valuations.” – Patrick, 23:22)

3. Insider Threats and Cybercrime (24:16–36:37)

Ransomware Negotiator Indicted:
- DOJ indicts an incident responder for facilitating ransomware, echoing the Peter Williams espionage/leak case.
- Adam: “People who work in this industry … you would kind of hope, understand that ecosystem a little better than average.” (24:16)
Peter Williams/Trenchant Updates:
- Further reporting on Williams’ persistent bug-selling after discovery and his massive access as GM.
- Adam: “You can't reasonably expect a place like that to protect against ... the general manager ... you just got to trust people.” (26:54)
Public Sector vs. Private Sector Security Tensions:
- Patrick recaps a conversation with Citizen Lab’s John Scott Railton about the risks of rapidly scaling up the private sector’s offensive security capacity.
- On the effectiveness of regulation vs. market pressure (i.e., NSO being punished by the Biden administration).

4. Spyware Vendor Transparency and Operator Controls (36:37–38:31)

Memento Labs Admits Attribution:
- The Italian spyware vendor publicly confirms Kaspersky’s findings that its tools hit Russian targets, blames clients for misuse.
- Adam: “It’s kind of a bold move to come out and … out yourself as a vendor that's selling tooling to an adversary ... I can't imagine he ran this past Corp comms.” (35:59)
Vendor Policing and Norms:
- Discussion on the spectrum of responsible sales, and where oversight is entirely lacking.

5. Technical Vulnerabilities and Research (36:53–40:30)

Teams Social Engineering Bugs (Checkpoint Research):
- Vulnerabilities in Microsoft Teams allowed impersonation, editing messages without trace, and chat titling/social engineering vectors.
- Adam: “Teams is a nasty, thickety, thorny mess and I’m glad I don’t have to use it every day now.” (36:53)
Proofpoint – Cyber-Enabled Freight Theft:
- Hackers infiltrate logistics software to hijack real-world shipments, blurring cyber and traditional crime.
- Adam: “Anytime we see a new mechanism for turning cyber into money ... that’s always an interesting time.” (40:30)

6. Law Enforcement and Malware Developments (41:35–47:04)

Ransomware & Infostealer Busts:
- Court appearance for Conti affiliate in the US; rare Russian police operation against Medusa Stealer authors.
Krebs on Jabba’s Zeus Coder Arrest: (42:59)
- Brian Krebs details the extradition/arrest of a Ukrainian developer behind early two-factor authentication bypass malware.
- Connection to Russia-Ukraine war shifting Eastern European cybercriminals into range of Western law enforcement.
WSUS (Windows Server Update Services) Fallout:
- Around 50 victims compromised due to lingering use of deprecated WSUS, despite Microsoft guidance.
- Adam critiques the difficulty of adopting Intune and other modern update mechanisms.

7. DNSSEC, TLS, and the Reality of Security Hygiene (47:04–50:59)

Listener Corrections & Real-World Churn:
- A listener writes in about the Kaminsky DNS bug, advocating DNSSEC as the true fix.
- Irony: Risky Biz had to disable DNSSEC to enable modern TLS certificate automation—highlighting persistent practical friction.
- Adam: “Linux on the desktop is actually usable, whereas dnssec honestly is mostly just about causing outages.” (50:54)

Sponsor Interview Highlights: Scott Kufa, Nucleus Security (52:46–64:21)

Main Theme: Vulnerability management can no longer be solved by just better prioritization—volume and complexity mean even the “top 5%” of issues can’t be managed.

Quote: “What we're seeing is ... more data that's being presented ... it's really more of a volume issue ... We're getting worse in aggregate at fixing the new numbers of vulnerabilities that are coming.” (Scott Kufa, 52:46)
Historic Approach Has Peaked:
- “...the approach has been how do we just whittle that down to the point where we only look at the 5% that matter. And that works ... until the 5% that matter are more than what you can actually physically fix.” (54:41)
AI’s Uncertain Role in Patch Automation:
- Patrick: “Why do you need AI for that part? ... It doesn’t seem … the missing piece is going to be filled with AI. … It’s just a fiddly, horrible, unpredictable thing, which is why it’s hard.” (58:46)
- Scott: “Everybody is super excited right now about the AI hype train ... but most of what you're trying to automate is declarative automation …” (59:04)
On AI Replacing SAST and Code Audits:
- Patrick relays a founder’s insight: “It is over. This is a market segment that won’t exist in a couple of years.” (61:02)
- Scott concurs: “I would agree that within a few years, we will see ... super widespread adoption of this because it’s going to end up being more efficient and effective to do that ... we’re hitting upper limits with some of these traditional tools …” (62:46)

Notable Quotes & Memorable Moments

“If you want to do security research that's helpful ... just grabbing a bunch of bugs out of an AI model and dumping them onto busy people who don't get paid to fix them I think is just not helpful.”
— Patrick Gray, 04:39
“OpenAI are not publicizing the bugs that they are finding other than cherry picking a few here and there. They did find apparently an off by one in OpenSSH, which, that's a codebase that has had a lot of eyes on it over the years.”
— Adam Boileau, 13:55
“It must just be wild to not be cost constrained and to see what the possibilities of [these AI models] are. And the rest of us are stuck out here using the … pennies models and seeing trash results.”
— Adam Boileau, 23:03
“Linux on the desktop is actually usable, whereas dnssec honestly is mostly just about causing outages.”
— Adam Boileau, 50:54
“It's the volume game over, the super precise precision game. And I think the reality is we need to do both.”
— Scott Kufa, 60:26

Timestamps for Key Segments

[00:00–12:58] FFmpeg, AI, and the changing norms of disclosure
[12:58–22:53] AI transforms bug hunting, SAST, and bug bounties
[22:53–36:37] Insider threats, ransomware operator busts, and leaker updates
[36:37–38:31] Spyware vendor transparency and controls
[36:53–40:30] Teams vulnerabilities and logistics/freight crime
[41:35–47:04] Law enforcement in cybercrime and WSUS update issues
[47:04–50:59] DNSSEC, TLS certificates, and real-world operational friction
[52:46–64:21] Sponsor interview: Scott Kufa (Nucleus Security) on vulnerability management’s future

Tone & Style

Engaged, fast-paced, straight-talking, skeptical of hype, and culturally aware
Willingness to challenge prevailing cybersecurity dogmas while appreciating the realities of operational work
Wry humor and industry insider banter throughout

For risk professionals, engineers, and managers, this episode presents a timely snapshot of infosec’s multifaceted challenges: technical, cultural, and operational. It’s a must-listen to understand not just what’s happening—but why—and where the cracks are forming as AI reshapes the landscape.

Loading summary

Transcript91 lines

[00:00]
Patrick Gray
Foreign and welcome to Risky Business. My name's Patrick Gray. We're going to be hearing from Adam Boileau and we'll be talking through all the week's news in just a moment. And then we'll be hearing from this week's sponsor. And this week's show is brought to you by Nucleus Security, who you have heard on the show over the last sort of six or seven years. They make a platform that helps you ingest, normalize, triage vulnerability information in your organization that can be in anything that's coming out of your SaaS right through to like stuff that's coming out of tenable and whatnot, like a master console for vulnerability information. And Nucleus's co founder Scott Kufa is joining us for this week's sponsor interview. And we're talking about how the whole approach of the last five years, which is to like just prioritize which bugs are you going to fix, how that is sort of becoming insufficient these days because, you know, we did that in the in response to too many bugs being present in our environment. So we just focused on the high priority ones. He's going to come along and argue that now there's too many high priority ones to really keep up with as well. And we kind of need to rethink that approach. We'll also talk about how AI is changing SAS and whatnot, which is something we're going to touch on in the news as well. That one's coming up later. But first up, yeah, Adam, let's get into it and look a bit of terrific. It felt really old school. Old school. Twitter Infosec drama on X FFMPEG kicked off this huge debate in the what's left of the infosec community on Twitter. When Google reported a bug or some bugs to ffmpeg that they discovered with their sort of DeepMind AI bug finding stuff and FFMPEG were like, hey, submit a patch instead. Like, what are you doing? You know what I mean? We're a small volunteer led organization. Why are you doing this to us? Can't you be more helpful? And you know, the response from a lot of people in the security field was predictable where they were saying, it's not our job to patch your software. But then other people were saying, well, hang on, you know, Google is a absolutely gigantic, you know, hundreds of billions. What is a trillion dollar company or something? You know, maybe they could be a little bit more helpful here. My question for you is, have you been following it? And which side of the debate did you land on?
[02:25]
Adam Boileau
I have Seen it spilled out beyond Twitter and into some of the other, you know, into Blue sky and other places. So I have been following along with the drama and we do love a good disclosure drama like that's always fun, you know, vuln drama. Good times. I guess my feeling is there are many, many ways to do open source software and many different communities with different priorities and you know, some open source projects, security is really important to them I'm thinking, you know, like stuff that came out of the OpenBSD world, for example, like open SSA choice, OpenSSL. You know, for them, security, super important, they take that real seriously. It's kind of part of their deal. You know, other projects just kind of like you're there having a good time there for fun, you're there for community, they have other priorities and for them I can imagine that, you know, interacting with the modern security research community or the security world, especially in the AI environment, you know, probably could be a little frustrating. And I think in the end where I land was, you know, it's just a kind of like you do you thing like you know, if you don't want to receive bug reports for your open source software that's fine, you can just say that on your bug, you know, on your how to report security issues page you'd be like eh, just stick them in the bug tracker like everything else. And there's some projects that have done that and others you know, take it a bit more seriously. And you know, FFMPEG I think is an interesting case just because of, you know, they are such a ubiquitous bit of video software and Google has such a long history as a user of.
[03:50]
Patrick Gray
Well, I mean this is, this is kind of what you were saying which is that like oh well you know for projects where security is important like FFMPEG is absolutely everywhere and baked into all sorts of stuff. So. So bugs in it are a big deal. But we're in this situation where the people who are creating and maintaining this software, as you say, it's not like open SSH or something where they're thinking of security as being a key requirement.
[04:13]
Adam Boileau
Yeah, exactly right. And we are talking about in this case really obscure video codecs and other stuff that Google's finding bugs in because Google's fuzzing infrastructure and AI vuln hunting whatever is capable of looking at the entire code base and trying to find bugs and you know it's going to improve the quality of everything. And you know, as to whether security researchers are good at writing patches like that's a whole other Kind of conversation?
[04:40]
Patrick Gray
Well, yeah, look, look, that's. And that's been the response from a lot of people on the sort of security camp side of this, which is that, well, you know, if you're a security researcher, you don't understand the context of everything in a project. And look, that's a fair argument. But look, I, in broad terms, and this might surprise some people listening to this, actually, I think this is the first interesting disclosure debate we've had in like 10 years, like, if I'm honest, but I think broadly, I kind of fall on the FFmpeg side of this a little bit more, which is, you know, if you want to do security research, that's helpful, you know, just grabbing a bunch of bugs out of an AI model and dumping them onto busy people who don't get paid to fix them I think is just not helpful. Right. Like now, does this mean that, you know, you would expect Google to write patches for, you know, huge companies that have open source components? Like, no, of course not. Right. But I think in this case they could have done a little bit more to be helpful. Now does that mean they need to write the patch? Maybe not. Does that mean they could, you know, work with them, grow some resources there? I don't know, man. And you'd surely think given the focus of like the DARPA AI challenge and whatever, which is not just about finding bugs but about patching them, you would think, hey, maybe if you Google, you wait until that part of it is working properly before you push the button and start spitting out bugs. You know, wait till it can spit out patches as well. You know, surely that's coming soon.
[06:08]
Adam Boileau
I mean, that is absolutely an avenue of research that people are going down. And I guess, you know, the argument against that is like those bugs are there already. People are already finding them. Like even just by reporting them, you are improving the situation, even if you're not providing a fully fix or patch or whatever else. And you know, I don't, you know, quite a bit of this I feel like, is, you know, open source communities are communities, Right. And when an outsider comes in, in this case, you know, Google is somewhat the outsider here and starts, you know, doing things in a way that's outside of the norm for that community, then of course they, you know, they get rejected. They, you know, there's this tension, there's friction in those communities and you know, it's not necessarily the place for security researchers to have to understand all of those community dynamics. Right. I mean, just showing up saying, look, here's A bug we found. You know, I think if you show up and say Here is a 90 day disclosure timeline, which is what they do. Which is what they do, right? That's kind of a different because you're making demands of them and you have no relationship with them on which to base those demands. Modulo Google's relationship with ffmpic. But I mean like in the general sense, if you show up and start making demands, then that's just kind of rude. And these communities are ultimately about good neighborness, like good neighborliness. Right. And that's what open source is for. And so when you show up and disrespect the community by not following their guidelines, by not if they expect you to provide patches, not just bug reports or whatever else, like you kind of show up at their house, you got to play by their rules a little bit. And you know, I think there's a lot of people in Google in Deep Sleep and DeepMind and Big Sleep, the Bug Research EBIT Project 0. Google understands the cultural context of this, but they're just trying to do it at scale and that has some rough edges. And I think ultimately the people at Google doing this work, it's absolutely good faith work. It's not a lot of open source projects have been burnt by really low value AI slope bug submissions and things by people who are trying to make a name for themselves. You know, just start.
[08:11]
Patrick Gray
Look, I'm going to just stop you there because, because I think just because someone thinks they're acting in good faith doesn't necessarily mean they are acting in good faith. And I think that's the problem here, is that too many people on the security side of this say, well look, we're helping. We're helping because we're pointing out your bad dirty mistakes and we're going to rub your nose in your bad dirty mistakes because we're so smart and we're helping. And I think is that helping? We are not very helpful.
[08:37]
Adam Boileau
We are not very help.
[08:38]
Patrick Gray
You know, now I also think every time this spills into a debate, people want to come up with hard and fast rules. And you and I were actually chatting about this yesterday, just, just on a call we had where it sort of breaks our little antipodean brains somewhat that the Americans want to turn everything into a flowchart and a rigid policy. Now in certain circumstances you want to have a crack at that. Like the vulnerabilities equities process within the intelligence community is a great example of where you do want a flowchart and a bit of a rigid policy. But when it comes to stuff like this, you know, I think giving FFMPEG the same disclosure terms as like Fortinet, I don't know, it just feels a little bit dumb. I mean, Grok put it best, I think in a tweet that he posted that said the current drama is plucky security researcher Google takes on volunteer open source behemoth ffmpeg. Right. I think we would all benefit if we just used our brains and common sense a little bit when it comes to this stuff. And I would urge, you know, a lot of the AI companies now to really focus on that patching part. Right. Because one of the, one of the beautiful things about AI is it should be possible to get AI to at least suggest some patches or come up with some guidance on how to fix these issues. Like that's one of the magical things about it. So why don't we just take a beat, try to get the technology to a point where we're not just deluging people in bugs. And I'm not saying that's what Google's done to FFmpeg in this case. I think a lot of this is just grumpy. Ffmpeg Twitter account manager. Right. Like I think a lot of that, there's a lot of that to this. But I do think there's something here where, you know, maybe we need to move on from some of these, you know, rigidly held beliefs about what does and does not constitute helping.
[10:23]
Adam Boileau
Yeah, yeah, no, no, I agree. This is not a one size fits all thing. And if you're reporting a bug to say curl like, you know that Badger does an amazing job of managing that project and has done an amazing job of documenting its security properties and take security really, you know, seriously. If you're reporting a bug to him, you're going to handle it differently than if you're reporting it to some, you know, someone's hobbyist. 1990s Dakota from obscure video format. Right. And yeah, you know, that nuance, you know, does kind of get lost at scale. Unfortunately those nuances are super important to communities. And I think you're right that you know, the like, you know, Google's 90 day, like we are going to disclose bugs after 90 days, like that had some very good reasons why they went down that road. But those reasons are not about little open source projects, Right. They are about big corpse. They are about people whose incentives to bury bugs are different than open source projects where it is ultimately about showing up and being a good neighbor and a good community. Member?
[11:17]
Patrick Gray
Yeah. I mean, I think the funniest one was Tavis Ormandy, like, coming out of retirement, basically to say, oh, well, you know, FFmpeg better fix this, or they'll have to explain why one of their developers got owned with this bug. And it's just like, come on, man, come on. You know, and full props, actually, to Rob Graham Erada. Rob, who is who I don't agree with on everything. Right. But he's. He's a wonderful contrarian. It's good to have those people around. And he's currently rolling his sleeves up right now and working on a patch for the FFMPEG issue, which I think is just a great example of, like, someone just going, okay, you know what? I'll do it. That's fine. Yeah, I'll do it.
[11:53]
Adam Boileau
I mean, that's. That's kind of the boss move, right? It's like, you see this debate on Twitter, like, fine, I'm a go patch this stuff for you. You know, I'll see you in a, you know, in a week with a, you know, a pull request, which, yeah, I can't argue with that. Good job.
[12:05]
Patrick Gray
Yeah. I mean, there's a time to argue and there's a time just to fire up a debugger. Right. And Rob also managed to get into a. It managed to get featured by Menswear guy on. On X this week as well. So. Hell of a week for Rob Graham. Hello to you, too, if you're listening. And look, you know, staying on the theme of AI and bug hunting, OpenAI has launched. I think it's a beta at this point point, but they've got their agentic security researcher that they've called Aardvark, Dave Vital is involved in that. It looks like it's pretty promising stuff. A different approach to the way Google's doing it, where they're sort of using, you know, AI to drive other approaches like fuzzing and whatever, where OpenAI say that their model is much more a reasoning model that is capable of sort of understanding software rather than just throwing existing sort of fuzzing harnesses and whatnot at it. I don't know which is the better approach. I got no idea. But the point is there's a lot of work happening in this space and it is extremely promising. I. It's something that I mentioned in this week's sponsor interview as well, but I think it was around six months ago. A founder who I've worked with, I won't name him because I just haven't checked if I can name him and I told you about this at the time, he was playing around with open source models and trying to get them to substitute for sast. Right. And it worked so well. He's like, I'm not going to bother trying to raise or build anything around this because it took me a couple days to put something together with existing models that worked so unbelievably well and so much better than the existing SAST stuff, you know. So his thoughts were twofold. First of all, there's no money to be made here for anyone outside the AI companies. And his second thought was SAST is over. Right. Which I mean you look at what these guys are doing and you sort of think there might be something to that.
[13:56]
Adam Boileau
Yeah, I mean OpenAI obviously is kind of a giant in terms of research into difficult AI problems and AI bug hunting and fixing and so on. There's very real research to be done there. And I know when Dave Eitel, who I used to work for, said he was signing up to go work at OpenAI, I was curious to see what he was working on. And now in the last few days we've seen that I believe it's in a private beta, so you have to ask nicely and they will pick. So we haven't really seen other people outside of OpenAI using it. They're also their approach to reporting about the sorts of bugs they're finding is different than say Google where Google is tagging bugs and bug reports they found with Big Sleep or whatever it's called. OpenAI are not publicizing the bugs that they are finding other than cherry picking a few here and there. They did find apparently an off by one an SSH open ssh which, that's a code base that they had a lot of eyes on it over the years. Years.
[14:51]
Patrick Gray
Well, I'll just say too, I did notice a conspicuous paragraph in there in light of what's of this FFMPEG drama, which is, I'll just read it here. It said, it says, we recently updated our outbound coordinated disclosure policy which takes a developer friendly stance focused on collaboration and scalable impact rather than rigid disclosure timelines that can pressure developers. And this is, you know, this is something that I think is interesting. I feel like we do need to move on from the idea, you know, from the days where you would sort of disclose things in a punitive way. Right. Especially to open source projects. Look, when it comes to like you know, your bigger companies, Microsoft and Palo Alto's and whatever, fair enough. But I think, yeah, as I say I think, I don't think we can flowchart this anymore. And we've got to start using our heads. And it looks like this is actually what our OpenAI is doing.
[15:43]
Adam Boileau
Yeah. And it's great to see. And there are people involved there that do understand the social dynamics and all of the kind of complexities. And there are so many weird incentives around vulnerability, disclosure. It's why we have these disclosure arguments so often. I mean not so often on the show, but on the Internet generally because there are so many people's equities and feelings and careers and all those kinds of things involved. But yeah, this is really interesting. I'm curious to see what people do with this model. I'm curious to see where OpenAI, you know, kind of takes the work on it. And Dave et al has been doing a little bit of publicity around it. He was talking about, you know, the difference between, you know, Google's quite fuzzing heavy, like sort of historical kind of approach to bug hunting. Like Google had all the computer in the world, they had all of the PDF files in the world and they had all of the PDF reading software. Why not, you know, permute all of those? And they had this long history of fuzzing as a successful approach. Whereas. And I think their AI models build on that legacy. Whereas OpenAI kind of starting from a clean slate. And Dave in particular has a very long, you know, he has a track record of building good hackers at immunity, obviously the NSA before that. Like he knows how to turn, you know, aspiring punk kids into great security researchers. And that's kind of, I imagine, what the process feels like a little bit at OpenAI. Right. They've got, as you say, a bunch of midwits and turning them into legitimate hackers who can find interesting bugs and novel bug classes and all that kind of thing. It's just super cool research.
[17:12]
Patrick Gray
I have infinity work experience. Kids now teach them how to do static analysis. Right?
[17:16]
Adam Boileau
Yeah. And also we only ever see the models kind of on the outside with cost constraints in front of them. Like you and I are not going to go spend $100,000 on OpenAI compute time to ask questions. Right. So we get the, you know, the dollar grade answer. Whereas Dave et al is like, we want to have a model where you can just like I want to spend half a million dollars worth of computer and I will get a half a million dollar bug out of it. Like that kind of like linear amount of brain you put in is amount of quality you get out and it must be amazing. Being on the inside of some of these research projects where you don't have that dollar constraint quite. So, you know, it's not your personal credit card, so you're not. You're a little bit more YOLO with it, and that must be quite a fun process. So anyway, I'm looking forward to seeing what people do once, you know, some people get into the beta and start to play with it and talk about what they're finding.
[18:03]
Patrick Gray
Yeah, And I'll just say, too, for those who aren't of a sast, when I was talking about SAST being dead earlier, that static application security testing, you know, basically software where you put your code in and it tries to find bugs where, you know, the tools. Now, like, honestly, the coverage isn't perfect. I mean, it's pretty good. Some of these tools are pretty good, but I think the AI stuff is going to be a lot better. Now, staying with the AI theme, we've actually just seen bugcrowd acquire a company called Mayhem Security. And this is a company that won the 2016 DARPA Cyber Grand Challenge. Now, it's interesting though, because they're like, yeah, they've acquired this company and all 11 employees are coming over to Bugcrowd. Then you look at the numbers and you realize that these guys have raised $36 million prior to their acquisition and have 11 employees. So there was a $21 million B round in 2022 and a series A 15 million series A in 2019. So clearly things have not gone well for this company. Had a bit of a poke around. You can see if you looked at like LinkedIn trends and whatever, the number of people reporting to work there has just been in decline for years. However, the reason I find it interesting to talk about this is I think not only is AI an existential threat to the SAST companies, I would be very nervous as the shareholder of a bug bounty company right now. And the reason I say that is because when you look at the types of bugs that are most often reported through bug bounties, it's the sort of stuff that that AI is really good at finding. Now, there's obviously the exceptions there. There's like the top 20 people who work across the bug bounty platforms and find exotic, hard stuff. Right. Like you and I know people who do that, make a killing, do that, and I don't think I will necessarily replace them. But that's not most of the. That's not most of bug bounties. Right. Most of bug bounties is, I mean, a lot of it. Frankly is labor arbitrage where you can get people in lower cost locations like India, you know, ripping through code, having a look at websites for simple issues. It's a scale thing and AI does scale. So I think I absolutely understand why it's appealing for Bug Crowd to buy what is essentially a distressed asset here with expertise in this sort of AI stuff. But geez, I'm real curious to see how the next few years pan out for companies like bug crowd and HackerOne because I think they're up against the wall at this point and maybe they'll be able to bring it back by pivoting into AI. But then are they bug bounty companies or are they competing with, you know, others like Horizon 3 is a good example. We had them in a snake oil as recently where they're the sort of AI based pen testing. So you get this really crazy situation where you've got pen testing, vulnerabilities, scanning, you know, recon, sort of like census Shodan style recon and bug bounty is all sort of collapsing I think into a single type of, you know, exposure detection product that's AI driven. It's amazing. It's really cool where a few years into this AI stuff now you're starting to see how it's unfolding and it is, it is going to change so much. It really is. I think people need to stop being as skeptical as they are.
[21:10]
Adam Boileau
Yeah. And the more we start to see, you know, legitimate in a security industry, specific uses really start to be, you know, deployed. Why are they valued widely? Because like there's so much experimental stuff, so many people kind of working out in the research spaces that, you know, there's a lot of stuff that's, you know, trying fast and failing fast. But as that kind of settles down, and I think you're right, the you know, the sorts of work that you get out of bug bounty platforms probably is a pretty good candidate for being replaced by small machines. So yeah, it's going to be interesting to see what happens. And you know, I'm sure there are also a great many other problems inside bugcrowd as a company that a team of AI people could probably help them with. Everybody's got interesting problems to solve there, so yeah, we're going to see how it turns out for them.
[21:56]
Patrick Gray
Yeah, I mean, I will say too that this doesn't mean, I think that AI valuations at the moment are at all sane and I think a lot of the predictions around exactly how useful it's going to be everywhere, all the time. We are way Too early to know how they're going to bear out. But I'll give you an example. I told you earlier, I was just really curious. I'm a car guy. Right. So you might Google a car fact. And I was trying to look at the lap time around the Nurburgring of one car versus another car, and it told me car A was the fastest with a time of 7 minutes 25.5, and car B was the slowest with a lap time of 725, which is a faster lap time. So it can't, you know, and this is just a Google Gemini result and whatever, but, you know, it's not impressive. I think I may have mentioned on the show once, but I was googling for to solve a problem with my EV and, you know, the Google AI told me to check the fuel pump, you know, and I just sort of.
[22:53]
Adam Boileau
Think, yeah, you know, that's. You're getting the, you know, the answer that is proportional to the amount of money you paid for those Gemini results, which is nothing.
[23:03]
Patrick Gray
Yeah, right.
[23:04]
Adam Boileau
You looked at some Adam put your eyeballs on some ad and that's how much value you got out of it. So, you know, I think, you know, it must just be wild to not be cost constrained and to see what the possibilities of the stuff are. And the rest of us are stuck out here using the like, you know, pennies models and seeing trash results.
[23:23]
Patrick Gray
Yeah, I mean, I think it's just, it's got so much potential to do so much cool stuff. I just don't know that it's that whole AGI, generic artificial intelligence. Like, will we get there? I don't know. Maybe. Who knows, right? Who can say? But are we there yet? Are we going to get there in six months? Like, no, that's. That ain't happening. And meanwhile, you know, AI shares are at infinity valuations. So it's going to be an interesting few months. Let's just leave it at that. Now let's talk about malicious insiders. We're going to have a bit of an update on the Peter Williams situation. We spoke about that last week, but wow, there's been a new DOJ indictment drop where like a incident responder and like a ransomware negotiator in the United States have been arrested for doing ransomware. And it looks like they're facing up to 50 years in federal prison, which, I mean, play stupid games, win stupid prizes.
[24:16]
Adam Boileau
Yeah, exactly. And, you know, people who work in this industry like, work and, you know, dealing with instant response and dealing with, you know, ransomware. And stuff like you would kind of hope, understand that ecosystem a little better than average. And the amount of, you know, of finding out that you're going to do if you'd play this game, especially when you're in the U.S. like, it just does not seem well thought through. And I guess it probably wasn't. But yeah, these guys are certainly not, you know, they're certainly looking some pretty serious time. And I think it was. There's another unnamed, there was two employees and there's another third one that we haven't seen a name or other details of. But there was another conspirator involved who was the one that actually set them up with like affiliate accounts with Alfie Black hat ransomware crew. But like, I can't, I just can't imagine going to work working on a ransomware case and thinking, you know what? I really wish I was in this game making that money too. Like instant responders get paid. Well, like, what are you doing? What are you doing?
[25:11]
Patrick Gray
Yeah, the total take here is like 1.3 mil because they got one payment across three victims, which, you know, 1.3 between two. I mean, like it's not worth 50 years, you know, like that risk, it's just, you know, 1.3 mil seems to be the magic number too because that's how much Peter Williams got paid. It's just like a curse. Just go to work into criminality number. Anyway, so look, we've got subsequent, you know, we got some follow up reporting too on Peter Williams, the trenchant leaker or you know, the spy mole, whatever you want to call him. Kim Zeta has written up a piece here saying that apparently he was still selling stuff after he knew that stuff that he'd passed on to this broker was being on salt by a broker in South Korea, which is pretty crazy. We do know too. I think I was just sort of being discussed at the time. We recorded last week that the company that he sold these bugs to was OP0, which is a Russian broker, which like, it's one of those ones that like advertisers on Twitter saying, we'll give you half a million dollars for these sort of bugs. And it really does look like he just emailed these guys and said, yeah, okay, I got some bugs for you. Which is just insane. Like, I do wonder to 2022 stock market did badly. Crypto got wiped out. I wonder if he hit money trouble. Like that's my personal pet theory is that he hit some sort of absolutely colossal money trouble and needed cash quickly. But still nuts. Lorenzo Also has a write up here at TechCrunch about how Peter Williams was able to steal this stuff. I mean there's absolutely nothing surprising here. He was the general manager, which meant he had super user access to everything, which is what a general manager does. I mean, you know, you would have also been completely unsurprised by this, I'm guessing.
[26:55]
Adam Boileau
Yeah, yeah, yeah, I was totally unsurprised. I mean, and the specific details of, you know, like using USB storage devices to move stuff in and out of air gapped environments in there, that's, that's, I mean that's how it's done. And so, yeah, you can't, you know, you can't reasonably expect a place like that to protect against, as you say, the general manager who's got access to everything, putting controls in place that can manage that is not necessarily realistic. You just got to trust people and assume that they're not going to go and you know, sell your stuff out for pennies on the dollar. And I think we saw some numbers here on like what the value of the bugs that he sold were was something like $35 million worth.
[27:31]
Patrick Gray
Well they say that's a loss. So I don't know if that's the development cost of the exploits or the development cost plus the replacement cost or you know, legal impairments, like you've got no idea. But yeah, that is the number that's been thrown around.
[27:43]
Adam Boileau
Yeah. And that, you know, at least it's a number you can compare to the mill and change he actually managed to get out of the Russian export broker, although apparently they had promised him more and he hadn't managed to get it, you know, actually get that through or maybe we're not seeing the full extent of the funds.
[27:57]
Patrick Gray
He got shortchanged by some shady Russian brokers. Say it a shocking. So I mean that's, that's unbelievable. Now look, I also wanted to update you all because, you know, last week I said that John Scott Railton from Citizen Lab was questioning the utility of the private sector in this ecosystem, which I think I called it brain dead at the time. John actually got in touch and we wound up having a very long phone conversation. Actually on my Friday evening we spoke for something like an hour and a half. Very pleasant conversation. He says that's not his opinion. Forgive my confusion though Adam, because I sent you a post of his and asked you do you think it's saying that and you agree with me, which is it says I'll just read it. His post says there's a push to scale up America's offensive industry right now. But this alleged betrayal raises an urgent question. Can these profit maximisers reliably act as trusted stewards of long term national security? And just how well are they overseen and vetted? So look, I think, you know, there's an implication there that, you know, you know, a regular person reading that would say this guy doesn't think the private sector should be involved in developing these exploits. But he says, no, that's not what he means. So we did chat for a while. It was an interesting conversation, actually. He does seem really skeptical that this could have happened in the, you know, from a government agency, which I, I, you know, I don't see that at all. We've seen this happen in government agencies. Vault 7. Yeah, yeah, was exactly this. You know, we saw it with shadow brokers as well. We saw it with Edward Snowden. Now, of course, you know things. I'm guessing it's a little bit trickier to do that sort of thing now. But are you telling me if, like Rob Joyce, you know, being a GM equivalent when he ran Tao wanted to walk out with some exploits he could. Like, he absolutely could. And there's only so far you can go with securing a workforce in those sorts of environments before people start to resign. You know, if you're going to be cavity searching them every time they want to leave to go to the car park, they're going to quit, they're not going to stick around. Right. And I've heard of situations where people have quit in, in, in response to these sorts of changes in security environments at various places. Like, I really do see this trenchant leak as something more akin to a leak out of the intelligence community because they really do sort of operate as an extension of the ic. They're not like a paragon, they're not like some little shop. They are really a trusted player. You know, John expressed to me a lot of concern about, you know, a lot of rhetoric in the US at the moment about rapidly expanding the, the offsec space. I think there's, there's going to be tricky to do that, to be honest, because there's already a pretty hard limit on the number of people who can do this work. I also think there's some pretty good controls in there already. A lot of them are contractual. Like, these companies sign pretty onerous contracts. Should those terms be moved into a regulation for the purposes of transparency? You know, should there be generic terms? I mean, maybe. I don't think there's anything that's going to drive that to happen. I don't think people are, I don't think governments are going to do it to make Citizen Lab feel better. Like it's just not something that's going to do that, that's going to happen. And I don't know, I sort of feel like the offsec sector now, you know, the real problem is, you know, an agency, say an agency like ICE in the US goes rogue, they can already do infinity damage just with the tools that are currently available. I don't know that expansion of the sector is really a huge risk there. John thinks that there's a proliferation risk there. I think that's a reasonable thing to think. But then you look at what happened to NSO when they behaved badly. Here's one thing John and I both agree on, which is that the Biden White House actually handled this quite well by taking a bad actor and just singling them out and absolutely going to town on them. And in fact John has this terrific chart of the value of NSO bonds of their debt over time marked with like each event along the timeline and you just saw it crater. So I think, you know, it would be a brave investor who would pump money into a company that's going to be loosey goosey with, with who it sells to. So as I say, it was an, it was an interesting conversation. I think he and I agree on most of this stuff, but I don't, I, yeah, I don't see them making much progress under the current admin, let's put it that way.
[32:23]
Adam Boileau
That does seem pretty, pretty unlikely. I mean, you know, if they want more, they're absolutely, if anything they're going to have to relax. Who does, you know, who can do business in this kind of space and the kind of controls they face and you know, adding more vetting and more oversight, like that's not really what this administration is going to be all about. So you know, if they want more, they're going to have to loosen it up and buy elsewhere and you know, accept more collateral damage and more leaks, more proliferation, you know, more bad stuff happening if you want just because like it's a volume game. Right. I mean there's always going to be people who, for whatever personal reason, you know, ideological money, whatever it is, you know, go off the rails. And that's happened, you know, before Cyber. Right. I mean ultra chains and all of the other kind of like spycraft era stories, you know, same thing can happen here and you know, trying to control that, it's kind of a mug. There is A degree of, you just have to build this stuff, trust that people are going to do, everyone's going to do a good job, you know, put some sensible controls in. But, yeah, they're not ever going to be 100.
[33:24]
Patrick Gray
No. No. When it comes to leaks, no. When it comes to them proliferating this stuff into places where it shouldn't go, I mean, that's a thornier problem. And again, the Biden approach, the Biden White House approach seemed. Seemed like a pretty good one because it didn't so much rely on regulation as setting norms. I think it will be an enduring thing, at least for a while, I think, even under this administration. You know, are you going to go and invest a bunch of money into a spyware company that's going to sell to everyone in the world like you?
[33:50]
Adam Boileau
Probably not, no.
[33:51]
Patrick Gray
No. Because the government will change eventually, you would think, and you may as well be lighting your money on fire. So I think, I think we're in a. In a better place now, honestly. But, you know, it's. It's always good that there are people out there who are concerned about this, like Citizen Lab and who are doing the work. I think that they serve a very important role, even if I'm not in lockstep with them, on absolutely everything.
[34:13]
Adam Boileau
Yeah. You've got to have people out on the edges of the debate to kind of move the center point around, you know, and I think they do amazing work at Citizen Lab, so, you know, we don't have to see eye to eye on absolutely everything.
[34:23]
Patrick Gray
Yeah. Now, meanwhile, Memento Labs, which is the company born of the ashes of, like, hacking team. We spoke about how Kaspersky published a report where some of their stuff got snapped on Russian targets. They've come out now and confirmed that that was the case, which I think is kind of an odd step from a spyware company. But they've also blamed the customer for using, like, some of their own old Windows mal, which they're like, we don't even support that stuff anymore. We don't make that. We do mobile. It's kind of funny.
[34:49]
Adam Boileau
I mean, it's such a wild story because, like, so much of this kind of world is so secretive and so quiet normally, and for the CEO, just come in and go, yeah, actually, yeah, that's totally. Our stuff is kind of unusual. And then the other little bits, like, we asked our customers to stop using this. You mean you don't have good controls over, like, licensing and, you know, like, you don't know who's got this particular version of it. Like, you don't have that kind of level of oversight of your customers. Like, that seems a little, you know, a little YOLO as well.
[35:19]
Patrick Gray
Well, this is. This is where guys like John have a point, isn't it? You know, this is where they have a point where you've got, like, you know, you've got your top tier operators who are in really restrictive government. Government contracts with like, US Agencies and whatever, and every. Everybody knows where they can and can't sell. And like, it's all very controlled and, you know, they need to be very rigorous security requirements in place. And, you know, again, this isn't transparent stuff, but people who are, you know, proximate to people in that business kind of know that this is how it works. And then you got these other guys on the edge who don't have those sort of contracts who are just like, selling it everywhere, you know, whatever, like licensing, you know, are these the next. The next Cobalt strike beacon? You know, guys like. Who can say.
[35:59]
Adam Boileau
I also did think, like, it's kind of a bold move to come out and say to out yourself as a vendor that's selling tooling to an adversary of Russia at the moment. Right. So there's, you know, your stuff's popped up all over Russia, and then to come out and say, hey, that's ours. You kind of draw in a big arrow to yourself at a time when, you know, Russia's going around, you know, Nova chalking people or whatever else. Like, it just. I. I can't imagine he ran this past Corp comms or, you know, past anyone else before he was like, hey, yeah, that was us. Because, like, I wouldn't do that if it was my bugs being used against Russia successfully. I don't know that I would come out and say, hey, yeah, that was totally me.
[36:38]
Patrick Gray
Corre. Crazy. Anyway, let's move on to some bread and butter Infosec. Now we have some research out of Checkpoint, which looks at some impersonation and spoofing vulnerabilities in teams. I didn't really go over this one too closely, Adam, but I figured you did, so you can tell us all about it.
[36:54]
Adam Boileau
Yeah, so this is some research check we're going to be doing, like, into teams and just kind of looking for the sorts of bugs that you would use if you were going to do fraud on teams or if you're going to do other, like, social engineering kinds of things on teams. And we've seen plenty of examples of teams as a vector for social engineering people into like, wire transfers or resetting creds or whatever else. So you can communicate from outside a company into their teams environment and kind of confuse people as the fact that you're not an internal, you know, not an internal user. Anyway, they were looking for bugs where you can make it look like your name is different or make it look like the particular message has been one of the ones they had. You can edit a message and by like fudging the timestamps in the post request, you can edit the message without the edited little tag coming up so people know that their messages have been changed. They had another one where like if you're in a direct message chat with someone, it's the same code base as if you have a group chat. And group chats have kind of titles, you know, subjects or whatever else that you can put in the top of the, you know, of the chat. Those also exist for direct chats but you can kind of change the title. So at that point you can make a chat that looks like it's with somebody else and then you can use that to impersonate your, you know, your confuse your victim with impersonation. Anyway, they reported some of these bugs to Microsoft middle of last year. Microsoft has now patched some of them out and it's, you know, I'm glad that someone is doing this research because Teams is a nasty, thickety, thorny mess and I'm glad I don't have to use it every day now. But yeah, that those kinds of things are legitimately useful in quite certain circumstances. So I'm glad someone's looking.
[38:32]
Patrick Gray
Well, I mean this is just the world, isn't it, as it is today where Microsoft Azure is just a big mainframe and Teams is just a big instance of IRC that everybody uses and it's all the same server kind of, you know, it's just.
[38:46]
Adam Boileau
Yeah, yeah, it's pretty wild. Like the corpse of Skype, you know, reincarnated, necromanced back to life in teams with a bit of SharePoint bolt on the back. It's just, do not want.
[38:56]
Patrick Gray
Oh my God, that's just so horrible.
[38:58]
Adam Boileau
I know.
[38:59]
Patrick Gray
A reanimated corpse of, you know, pieces limbs reanimated limbs of Skype glued to SharePoint. Woof. Very nasty. Now moving on, we're going to chat about some research out of proofpoint which looks at cyber enabled freight theft. It's very interesting stuff. So basically the idea here is that hackers are getting into some of these, you know, freight brokerage logistics systems and really just offering to transport cargo, figuring out where they can get a bid, what's in what's in containers or whatever, and figuring out how they can, you know, put themselves forward as a broker and then just turn up in a truck and pick up the container and then take it wherever they want, which is pretty interesting. So funnily enough, though, the write up here, it's by Ula Viladsen and Selena Larson. I actually contacted Selena because it wasn't really clear that last mile of this whole thing, it wasn't really clear how the attackers were getting their hands on the actual cargo. And Selena told me, look, this is actually what they. How they think it's happening, right? So all of these Trojans and, you know, remote access tools are sort of popping up through these logistics systems. And meanwhile, fraud is sort of skyrocketing and there's been various Reddit threads and even some congressional testimony that make proofpoint think that that's actually what's happening, is they're infiltrating this system, figuring out how they can be the ones to pick up a certain amount of cargo then turning up, you know, load it back on the truck and disappear into the night. So very interesting.
[40:30]
Adam Boileau
Yeah, yeah. Anytime we see a new mechanism for turning cyber into money, like, that's always, you know, that's always a good time because. Well, not a good time. It's always an interesting time because, you know, turning hacker skills into money is a thing that, you know, there's only so many ways to do it. And once you figure out one that you can scale up and use, then, you know, it tends to drive, you know, the economics then tends to drive the, you know, the cybercrime and the regular crime around it. So, yeah, the idea that you can just like break into these particular organizations and that there is some way to end up getting valuable goods using a computer which you can then sell. Yeah, it's good. It's good thinking. And it reminded me of back in 2016, we reported on some pirates around the Horn of Africa that had broken into the management system for like a container shipping. Shipping container management firms. And we're using that to identify which ships had interesting cargo, where in the manifest, where on the ship it was loaded, and use that to kind of target their piracy more effectively. So, yeah, I'm always here for innovation and crime.
[41:36]
Patrick Gray
Cyber enabled freight hijacking. Let's go. We're so back now. A bit of law and order news. John Greig reports that a Conti ransomware gang affiliate, he's appeared in court in Tennessee after being extradited from Ireland. He's a Ukrainian national facing up to 25 years in prison, which I man, I just think it's so crazy that Williams might get away with like 10 years ish for stealing 8 exploit chains from Trenchant. By the way, the rumor is too, that the, that the exposures there of like various things that how those bugs were being used, like, it's a disaster and he might get 10 years. And meanwhile this ransomware, you know, junior is looking at 25. Just. It's a funny old world. We've also got a story as a reporting out of Russia. Dorina Antoniok, who's based in Ukraine, has written up this operation where the Russian police detained three hackers who are suspected of developing and selling the Medusa Stealer malware. It's just sort of unusual to see this sort of law enforcement action in Russia, which I guess is why it's noteworthy. But the law and order story we're going to dive into this week is one, we're diving into it because Brian Krebs did it. And it's always fun to go through his stories where he just lays everything out in such meticulous detail. Talk to us about this. Jabba's use coder, Mr. I ICQ, who is now in US.
[42:59]
Adam Boileau
Custom that kind of puts a timeline on it because ICQ is. That's a name I haven't heard in a long time. So this was one of the guys behind Jabba's use, which was a botnet like Trojan, I suppose you'd call it like an in the browser Trojan from the early 2010s. And it was one of the real innovators in its world because it was the first. They were the first group to really do like man in the browser multi factor auth hijack. And they built some plumbing based on the Zeus original Zeus Trojan. Then they use Jabba the communications protocol to kind of deliver these two factor auth tokens into, you know, back to the criminals fast enough that they could then use them. And this is one of the guys that develop that particular piece of plumbing. So given how like it's about 15 years ago now, finally seeing some justice, I guess, you know, of all the things that have come out of the, you know, of Russia's war in Ukraine, one of them has been pushing a bunch of Ukrainian cyber criminals out to within reach of of law enforcement. And this particular guy was picked up in Italy, now in the US but was previously in Donetsk in Ukraine, which of course is in Russian hands at the moment. So, you know, the war has pushed, you know, a whole bunch of people who were previously insulated by that kind of Commonwealth of Independent States bubble out into, into the West. And yeah, I mean, Krebs has history with this crew. One of his contacts had infiltrated their jabber system and was reading their chats. And then Krebs would go around and like notify people that they were about to have their banking details stolen or their accounts broken into by this crew. And he was spending hours a day back in, back in those days notifying people. And so I think, yeah, it's a pretty personal thing for Brian to see, you know, this guy actually, you know, behind bars. And, you know, that's a fun, a fun story. And I bet Brian's, you know, probably feels pretty good about it, man.
[44:58]
Patrick Gray
Yeah, I do think too that we could see the Russians get their own one day. Like if that's. Look, Russia is a, is a country that blows up every now and then politically, right? You know, from the revolution to the collapse of the, you know, the end of communism there and like Putin's rise and whatever. Like it is constantly in a state of change. And you do wonder, like, okay, say five, ten years from now there's an economic collapse. Fifteen years from now, say there's some sort of bailout required, man, that's going to come with some strings and these guys are going to be in a lot of trouble, I think. But that's a long time from now, I think. Well, but who knows? That's the wonderful thing. Who knows? Now I just wanted to update everyone on the widows, the WSUS stuff. Apparently there's up to 50 victims of that, according to some work out of Sophos. We've linked through to a cybersecurity dive piece written by David Jones on that. I did have some feedback from a listener, Paul Schnack on B Sky, on Blue sky who said love the show. Quick update. A lot of business networks, most question mark use Intune or third party MDM for Windows updates, not wsus. I think, Paul, that's probably a little bit optimistic. Like I think they probably should be using Intune for those sort of patches. But you know, and then there's, yeah, Win Update for business now autopatch lets you create rings and groups with the binaries coming from Microsoft, not wsus. Hey, that's the right way to do it. I don't think it is the way that everybody's doing it. He also pointed out that WSUS was deprecated by Microsoft a year ago. I Didn't know that. So thanks for letting us know. But you know, we are seeing a bit of carnage out there with wsus.
[46:40]
Adam Boileau
Yeah, yeah, exactly. I mean, the proof is kind of somewhat in the pudding there, right, that there are people getting, getting owned and, you know, having a quick rummage around. You know, we talked when the story originally broke about, you know, some of the things we're seeing on Census. Like there is quite a lot of stuff out there on the Internet that really does look like it's still wsus. And yeah, people are having a bad time. But yeah, intune, a lot of people struggle with deploying that, even though it's hard.
[47:05]
Patrick Gray
That's why Device exists, which is an Australian company that sort of helps people manage it. Right. Because like it's, it's, it's hard, it's good plumbing, but, you know, they put in the pipes, they didn't put in the taps, I think is the best way you can, you can kind of describe it. Intune. I'm sure it's better. And I'm sure that for some of these, you know, Microsoft super admins, they find it pretty easy, but most people don't, as you point out. So. Yeah, we also had a YouTube comment from Mikal Fear feh e r. So I don't know if that's the correct pronunciation there. Hope it is. Cal he says, I think your recollection of the Kaminsky bug is a little off. UDP source port randomization was most certainly already available and was the default in bind at that time. Cal, that's actually what we said, mate. We said that there was some source port randomization, but it was insufficient. He continues, however, the port range was limited and it was a common configuration to actually fix the source port to a single value. Didn't know that. You probably did, Adam. The limited variable range was an oopsie from isc. The dodgy config was simply evidence that people do dumb things. The true fix even back then was dnssec. This was also reflected in the comms from ISC at the time. But back then DNSSEC was hard and not considered a reasonable mitigation in a short timeframe, not letting the crisis go to waste. There was finally some energy in the DNS community to improve DNS DNS SEC usability and improve the protocol as a whole. Thanks, Dan. He said. Now, the reason I'm talking about this comment is it is hysterical that we received this comment that the true fix was DNS SEC a few days after. Look, some people listening to this might have noticed that we had a very, very brief outage over the weekend. Was a planned outage. Adam, why did we have an outage over the weekend?
[48:43]
Adam Boileau
Well, I'm going to go ahead and tell you that it was a dnssec.
[48:48]
Patrick Gray
Well, it was that we disabled dnssec. We had to disable dnssec. And why did you tell people why we have to disable dnssec?
[48:56]
Adam Boileau
We have to disable DNSSEC because in order to be able to issue let's encrypt certs or other dynamically rolled domain validated certs, we need to be able to have our zone file exposed to changes from inside our infrastructure provider, which is DigitalOcean. DigitalOcean doesn't support DNSSEC. We had to move our zone from another provider, which does support DNSSEC into DigitalOcean so that we can do automated certificate renewal because browsers are going to, we're not going to be able to roll assert once a year by hand anymore. We have to do it automatically as is best practice. But to do that, of course, we had to turn off DNS. And the process of turning off DNS SEC resulted in a, you know, couple two to three hour outage of our DNS.
[49:41]
Patrick Gray
But only in some places, only if.
[49:43]
Adam Boileau
You were the sort of person that's going through a resolver that does actually validate the DNS sec, which is not very many people. Numbers are something like 3% of the Internet resolves DNS in a way that actually validates DNS sec. So in whatever time this bind, you know, the Kaminsky cache poisoning bug was, which is what, like mid-2000s, it was certainly a lot less than 3%. And now in 2025, there are very, very, very few people who actually will have their DNS lookups fail because the DNSSEC has misconfigured key material or there's something wrong with it.
[50:19]
Patrick Gray
So it's the only way we can get a let's encrypt certificate into our CDN then is to be doing this like it is the only way. We went around and around on ways to do it. So it's just real funny that we get this comment about how the true solution and the future is dnssec. Like literally like the day or a day after, like we had to disable dnssec, we had to disable our encryption so that we could get encryption basically. And you know, I think really we're in a let's encrypt TLS based world. And you know, I don't know, man, dnssec, it sort of feels like Linux on the desktop, you know what I mean? Like it's coming next year. It's coming next year.
[50:54]
Adam Boileau
Except that Linux on desktop is actually usable, whereas dnssec honestly is mostly just about causing outages.
[51:00]
Patrick Gray
So, yeah, yeah. Well, mate, that is actually it for the week's news. Thank you so much for joining me for a fascinating discussion as always. And yeah, look forward to doing it again next week.
[51:09]
Adam Boileau
Yeah, thanks much, Pat. I will see you then.
[51:14]
Claire Ed / Amberley Jack
Hello, I'm Claire Ed and three times a week I deliver the biggest and best cybersecurity news from around the world in one snappy bulletin. The Risky Bulletin podcast runs every Monday, Wednesday and Friday in the Risky Bulletin podcast feed. You can subscribe by searching for Risky Bulletin in your podcatcher and stay one step ahead. Catch you there.
[51:41]
Patrick Gray
That was Adam Boileau there with a check of the week week's security news. Big thanks to him for that. It was a good one this week. So we are going to hear from Scott Kufa now, who is the chief executive and co founder of Nucleus Security, which makes a vulnerability management platform. As I mentioned at the intro, you can get it to ingest all of the vulnerability scan information from your scanners. Even if you're using lots of different scanners, you can pull in information from run zero from all of your SAST stuff. Like it all comes into one place, it gets normalized, you can start slicing and dicing that data, sending it off to the correct teams. There's slack integrations, all that sort of stuff. But what I wanted to talk to Scott about today, a couple of things really, but the first thing we started speaking about was this idea that prioritizing bug fixes will save us, right? That will take this unmanageable problem and make it a manageable problem. It's not panning out that way. People are now at the point where they can no longer keep up with even the high priority bugs in their organization. And, you know, he thinks we need to start thinking of some different approaches and he makes some good points. So here's Scott Kufa from Nucleus Security.
[52:46]
Scott Kufa
What we're seeing is that there's actually just been a shift in how organizations talk about vulnerabilities and there's more data that's being presented all of the time. And so it's really more of a volume issue. It's not necessarily that we're getting worse at fixing individual vulnerabilities. We're getting worse in aggregate at fixing the new numbers of vulnerabilities that are coming, if that makes sense. Right. So it's really like just the deluge.
[53:10]
Patrick Gray
Is just getting bigger and like the ability to respond is not keeping up. Is that kind of the vibe?
[53:16]
Scott Kufa
That's correct. And then the variety is also getting bigger. Right. So 10 years ago, the only remediation that a vulnerability analyst had to worry about was really patch management and all those pesky certificate vulnerabilities that came out of your tenable console. And now, well then you spun up the cloud security teams and you spun up the DevOps team and development, and we're seeing a convergence of all of those. And so now individual vulnerability teams are responsible for the entire cloud stack, not just individual IT stacks. And so you're really seeing a lot of friction in the process related to the volume of just vulnerabilities in general. I mean, everybody talks all the time about how we're having seen more new vulnerabilities discovered all the time than we've ever seen. So that is increasing. But I think the bigger issue is actually that we're seeing that across all of the different categories of vulnerabilities.
[54:04]
Patrick Gray
Yeah. So I guess we shouldn't be surprised that scale in vulnerability remediation is a problem. Right. Because we've just got like this deluge more and more and more and more in everything all the time. You know what, what has been the approach over the last five years in terms of trying to speed that up? Right. Because it feels like for the past five years the approach has really been about trying, you know, trying to just figure out where your exposure is instead of trying to fix everything. But like, it almost feels like that can only get you so far as well, because even those genuine exposure numbers are kind of ballooning. Is that roughly like kind of where we, where we are?
[54:42]
Scott Kufa
I would say so. It's, it's, what's interesting about it is that when you think about, we call it the remediation economy. Right. So there's basically this optimization from economics that occurs where you're trying to think about, well, what is the optimal amount of risk for me to fix in my business? And we don't really put a lot of stock into that as a operational concept. Right. So we generally look at vulnerabilities in terms of lists. Right. Here's my giant number of things that I need to look at. And the approach has been how do we just whittle that down to the point where we only look at the 5% that matter. And that works really well until the 5% that matter are more than what you can actually physically fix. Right. And so that's kind of what I mean. Right.
[55:25]
Patrick Gray
Is because for a long time people have said, ah, the solution is just forget about these ones where there's no path for someone to exploit them, you know, and just patch the ones that are genuine exposures. And it's like that works really well until that number also gets unmanageable.
[55:40]
Scott Kufa
Absolutely. And I would say that that's the point that we're approaching, especially when we look at the amount of just. I hate to do this, but to talk about how AI is starting to change the game of what we're seeing with some of these things. Right. It's become a bigger and bigger topic that we're seeing to the point where folks are even asking questions about how do you audit your AI models. Right. And so eventually those are going to turn into vulnerabilities and exposures that you then have to manage as a vulnerability team. Right. And so even it's a whole new category, brave new world of where we're at with the types of things that we have to manage and nobody knows how to deal with that right now.
[56:14]
Patrick Gray
Well, that was going to be. My next question is how do we deal with that? Right. Because as I say, it's been the way. Right. Is to whittle down, you know, the number of bugs that you actually remediate. Now we're starting to hit some limits there. I mean, obviously there's going to be people proposing like AI as a solution to this. Somehow I think that's going to be tough, to be honest. Like right now I think, excuse me, patching is just, you know, it's just one of those things that's very, very hard. I think it's difficult to automate, it's difficult to instrument. So, you know, what are some possible directions here that you might see happening over the next few years?
[56:50]
Scott Kufa
Yeah, one concept that was pitched to me not that long ago, there was this other startup that was really trying to sell me on the idea of like a CIS benchmarking concept, but for like AI prompts so effectively, like looking at how your AI coding agents are basically set up, especially with the new OpenAI coding agent and basically being able to say how can we audit that the thing has been optimized to put out the most high quality and structured code that we can, that we can be comfortable with.
[57:18]
Patrick Gray
Well, hang on, when I say, by the way, when I say that AI Won't fix patching. I mean, in that I'm very much speaking about operating systems and applications on a desktop and, you know, server infrastructure. You know, when it comes to actually in house apps, like, I do think AI is probably going to solve that problem. Right. So that, that, yeah, that vibes with what you're saying there.
[57:37]
Scott Kufa
I look forward to the day that would be. That would be great for everybody for sure. But yeah, it's a good question as far as it relates to operating systems. That one thing that folks are starting to get really bullish on, which I'm still hesitant to be bullish, by the way. So I'm saying this as basically just delivering the message versus being a proponent of this.
[57:55]
Patrick Gray
Yeah, here's what people are saying. Don't agree, but that's what they're saying.
[57:59]
Scott Kufa
Right. So I'm starting to see a bigger push towards. Well, before we couldn't patch everything because we didn't want to automate patches. Right. Because it was risky. We needed a change management process, all of these things. And so there is a lot of optimism in the IT space, from what I can see, that maybe we can make better decisions about what patches to push out automatically because they're low risk and we can use these AI agents to basically make those decisions for us to start to decrease. Basically the amount that it costs to fix every single vulnerability is kind of the idea that folks are really pushing towards how do we make it cheaper and faster to fix vulnerabilities and without having to have humans in the loop. And there's probably some validity to that, but as somebody who worked in the federal government and in large enterprises, I hear that. And folks just start to cringe internally. Right. Because change management.
[58:47]
Patrick Gray
Here's my issue with that. Right. Which is why do you need AI for that part? It doesn't seem to me that the missing piece from what you just described is going to be filled with AI. I mean, it's just a fiddly, horrible, unpredictable thing, which is why it's hard.
[59:03]
Scott Kufa
100%.
[59:04]
Patrick Gray
Yeah.
[59:04]
Scott Kufa
No, 100%. Yeah. I view it very much as everybody is super excited right now about the AI hype train, but the reality is most of what you're trying to automate is declarative automation. Right. Like you want that pipeline to just be basically spinning out 50 widgets a minute and you don't want to have to think about it and look, look at it. Right. And so I view it as very high risk realistically to try to use this thing that's using probabilities to guess what you're trying to do all the time. And so what I think we're going to start to see is these kind of separate models of pipelines and we're starting to see this in the software development life cycle as well, which is basically like there are some bugs that we just auto fix, right? And they're like lower risk, lower effort, easier things and systems that already exist versus like hey, we actually have a whole separate SDLC to have humans look at it. But they're both assessed, right? So how do you set up those pipelines to audit what's actually happening? And I imagine that IT teams are looking at something very similar to that in certain scenarios, but I don't think there's a good answer.
[60:03]
Patrick Gray
No, it's interesting, it's interesting what you say because we were really looking at just well, where are the exposures, high impact exposures, let's deal with them. And I suppose another way to measure another measurement you should apply or a metric you should apply to a bug is like how easy and trivial is it to fix? And if it is easy and trivial to fix, you should just go ahead and auto do it.
[60:27]
Scott Kufa
Right. And those that have worked in engineering before know that that is a really hard question to answer, right? And so I mean that entire estimation process is built around that and we get it wrong, you know, five times out of, out of, out of 10. So I mean just solving that itself is really challenging. But, but yeah, conceivably you could get to a point where it's a, oh, it's a, you know, super easy to fix, super low risk. Just do it right. And it's the volume game over, the super precise precision game. And I think the reality is we need to do both. And how do we optimize a larger program for both is going to be really the name of the game going forward.
[61:03]
Patrick Gray
Now. It would be crazy of me to have you here and not ask you what you think of what is happening in the sort of code sec space with all of these AI models. You know, OpenAI made big waves with its aardvark stuff. You know, we've just talked about that in the, in the news. But I wanted to get your, your opinion, I guess on these, on how much of a solved problem a lot of these, you know, you know, application vulnerabilities are because I think this stuff is amazing. I think people do underestimate it. I mean, I say that because a guy I know, a founder, said to me six months ago, he started playing around with using some of the models to do code audits. And he said it's over. Like, those were his words. He's like, I'm not even going to try to build a business on this. I'm not going to try to raise on this. It is over. This is a market segment that won't exist in a couple of years. What I mean, you would be seeing, you know, basically because you're doing all this vulnerability aggregation and stuff in large organizations. Do you see them yet starting to use these models in their applications development and then just bugs disappearing. Like, what are you seeing from your perspective in terms of how these AI models are playing out, doing code audits and stuff and fixing bugs?
[62:16]
Scott Kufa
Yeah, I would say, I mean, we see it, but not at a super widespread scale. I do think that, I mean, anybody, again, like, if you've historically worked in the AppSec space and you've tried to discover vulnerabilities, like even just business logic vulnerabilities using sas, everybody knows that was a really challenging space because there's so many false positives. It was really hard to understand what's really going on in the code base. And so.
[62:38]
Patrick Gray
Well, I don't think the AI stuff is very good at logic vulnerabilities either. But certainly in terms of like cleanness of code and whatever, those sort of bugs, like, very good.
[62:47]
Scott Kufa
It's. Yeah, it's really good at certain things and I think, you know, it's only going to get better. Right? I mean, our CTO is really, is really bullish on AI coding agents as well. But I would agree that, that within a few years we will see a wide, super widespread adoption of this because it's going to end up being more efficient and effective to do that and these things will get better. And I just feel like we're hitting upper limits with some of these traditional tools and specifically around discovering and assessing the risk of vulnerabilities and exposures in code versus, like how does this thing trace through the app? Right. I mean, we looked at Nucleus at building like tracing information through like how code is executing for ourselves so that we could help to try to build some of that intelligence layer around these different and distinct code bases coming together and microservices and all that. And it's like just for us to be able to be able to now build a capability to do that, I mean, it's super easy for us to do something like that now and a lot more accessible to other companies that aren't just like SaaS companies or SCA companies. So I think we're going to see a lot more capabilities become available to broader sets of organizations. Like, for all we know, we could see Fortinet dropping some new, new products to do stuff like that. Like, that's how, that's how much easier it's gotten to make that happen. And I, and I would be very, it would be very dumb not to say that that's going to make a huge impact in the market kind of over the long term. Right. So I would agree with your founder friend who would say the same.
[64:09]
Patrick Gray
Yeah, yeah. He's just like, I'm not going, I'm not raising on this. This is like, there's no moat here. All right, Scott Kufa, thank you so much for joining me for this interview. A pleasure to chat to you. Cheers.
[64:22]
Scott Kufa
Cheers. Thanks, man.
[64:24]
Patrick Gray
That was Scott Kufa there from Nuclear Security. Big thanks to them for that. And that is it for this week's show. I do hope you enjoyed it. I will be back next week with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
[64:42]
Claire Ed / Amberley Jack
Hello, I'm Amberley Jack, and every Thursday I host the Seriously Risky Business podcast, a podcast all about big picture cyber shenanigans like intelligence and cyber policy. You can find that podcast and more in the Risky Bulletins podcast feed. Subscribe today by searching for Risky Bulletin in your podcatcher.