Risky Business #822 — France Will Ditch American Tech Over Security Risks
January 28, 2026
Host: Patrick Gray | Guest: Adam Boileau | Interview: Brian Baskin (Sublime Security)
Episode Overview
This episode examines escalating moves by governments to reduce reliance on US tech for reasons of digital sovereignty—focusing on France’s plan to replace American collaboration software. The hosts also cover major security incidents including state-backed hacking, controversial government actions, and shifts in offensive and defensive AI in cybercrime. The episode concludes with threat research from Brian Baskin of Sublime Security, highlighting the rapid rise and arms race in generative AI-powered impersonation attacks.
Key Topics & Insights
1. France’s Plan to Drop American Tech for Digital Sovereignty
[00:40-06:15]
- France is set to replace US-made video conferencing tools (Zoom, Teams) with a local alternative (“Visio”) by 2027 as part of its “Suite Numérique” (Digital Suite) initiative.
- The move is motivated by a desire for digital sovereignty, mirroring trends seen earlier in China and now growing in Europe.
- The French government is considering open source, self-hosted, or locally developed alternatives for its office productivity and communication needs (e.g., Tchap for messaging, Grist for spreadsheets).
- While ambitions to rival Microsoft Office seem daunting, advancements in application development and AI may make this more feasible than in the past.
- Interoperability with global partners and the maturity of replacements remain significant challenges.
- Notable Quote: “It was really easy…10 years ago when someone said, hey, we’re gonna do this, it was really easy to say, no you’re not, it’s just not gonna work. But the key components of this French plan? It starts looking a little bit realistic, we’d say.” (Patrick Gray, [02:48])
- The hosts debate the security implications—will new systems be as robust as well-worn incumbents? Probably not at first.
2. State-Backed Cyber Espionage and Intrusions
A. UK Government Hacking ([06:16-08:53])
- Reports say “Salt Typhoon” (a China-attributed threat group) eavesdropped on Downing Street phone calls and texts, potentially including those of senior UK government advisors and possibly prime ministers.
- The sensitivity and value of the intercepted information are unclear, but the incident underscores the risk of conducting sensitive conversations over mobile networks.
- Ongoing concerns about physical cables running near embassies are viewed mostly as a distraction compared with network-based espionage.
B. Russian Wiper Malware Attack in Poland ([08:54-10:27])
- Polish energy sector fends off a destructive wiper attack attributed to Russia’s Sandworm/GRU group.
- Attack echoes previous campaigns against Ukraine’s infrastructure.
- “Having someone else’s military intelligence up in your power system with destructive malware does not feel good…” (Adam Boileau, [09:18])
3. US Security News & Agency Challenges
A. CISA Upheaval & Data Mishandling ([14:59-18:14])
- Acting head of CISA, Madhu Gottumukkala, under scrutiny after failing a polygraph and uploading official-use-only files to public ChatGPT.
- Internal leaks suggest organizational dysfunction and plummeting morale; CISA staffing dropped by 30%.
- “He does not spark joy, apparently.” (Patrick Gray, [18:11])
B. NIST & NVD — Vulnerability Disclosure Fatigue ([18:17-21:42])
- NIST signaled it will scale back enrichment of vulnerability details in the National Vulnerability Database to only the most critical vulnerabilities (those on the KEV list).
- The community fears NVD quality and usefulness will drop; shifting the workload to CNAs (mostly product vendors) gives them little incentive to do it well.
- “The net conclusion is they are probably cooked.” (Adam, [21:42])
4. Security Attacks with Physical Real-World Impact
A. Trump’s “Discombobulator” Device (Satire or Serious?) ([10:31-13:05])
- Donald Trump boasts in a NY Post interview of a mysterious “Discombobulator” weapon supposedly used to foil Venezuelan air defense—hosts jest whether it actually exists or was made up to simplify explanations for the president.
B. Car Alarm Company Attack in Russia ([13:06-14:58])
- Russian smart car/home alarm company reportedly suffered a cyberattack leading to customers’ cars being immobilized or their alarms disabled—potential Ukrainian hacktivist involvement plausible.
5. Social Engineering Innovation: ShinyHunters’ Vishing Campaigns
[22:41-24:44]
- The ShinyHunters group uses advanced vishing (voice phishing) with live phishing kits that adapt in real time, recognizing the MFA (multi-factor authentication) method in use and tailoring the attack to it.
- Non-phishing-resistant MFA now considered “next to useless.”
- Real-time, human-in-the-loop social engineering is the new norm.
6. AI & Offensive Security: Generative Exploit Development
Sean Heelan’s Experiment ([24:45-31:12])
- Sean Heelan demonstrates that modern LLMs (GPT-4.5, 5.2) can generate functional exploits for real vulnerabilities (in this case, QuickJS).
- Heelan’s public framework tests exploit scenario variations, showing cost-effective, scalable offensive research.
- “Seeing a concrete implementation of a system like this by an expert is just super useful… good to understand.” (Adam, [28:29])
AI Arms Race and Business Risks ([31:13-32:41])
- AI-powered attacks and defenses are advancing rapidly, with immense investments and ensuing instability—will the rapid pace lead to innovation or a bubble?
Impact on Bug Bounties ([32:42-34:14])
- Open-source projects (e.g., cURL) are overwhelmed by AI-generated, low-quality bug reports; maintainers are suspending bounties to protect their own mental health.
7. Technical Research Catch-Up
A. Bypassing Windows 11 Admin Protection ([35:14-37:42])
- James Forshaw’s new research (Project Zero) explores bypasses for Windows’ upcoming “Administrator Protection” (replacement for UAC).
B. Retirement of Microsoft Deployment Toolkit ([37:43-40:24])
- SpecterOps’ research exposes authentication flaws in MDT, leading Microsoft to discontinue the product.
C. Kubernetes Flaw — Privilege Escalation ([40:25-42:39])
- Weak API authentication lets low-privileged users escalate to code execution; remediation is delayed until a new auth system is ready. Operators are advised to check their deployments.
8. News in Brief & Security Hygiene
WhatsApp’s “Strict Account Settings” ([43:09-45:12])
The feature mimics Apple’s Lockdown Mode and blocks unsolicited media and PDFs from non-contacts, a response to fake news and malicious attacks.
Microsoft BitLocker Keys Provided to FBI ([45:13-46:18])
Not sensational: keys were only handed over when users had chosen to back them up to Microsoft, and only under legal warrants. “You gave your key to somebody else… expect they're gonna hand over your key.” (Adam, [46:11])
9. Feature Interview: Brian Baskin, Sublime Security
[50:57-63:28]
The Growing Threat of AI-Driven Impersonation Attacks
Generative AI in Email Impersonation
GenAI now powers about 20% of email impersonation attacks (up from 4% last year).
- Attackers:
  - Use GenAI for recon (e.g., crawling LinkedIn to build org charts and determine high-value targets).
  - Mimic the “voice” and tone of executives in emails, making attacks vastly more context-aware and hard to spot.
  - Move beyond simplistic CEO scams to deeply contextual thread hijacking—i.e., generating or jumping into active business threads.
- “Now we’re actually starting to see this trend of brand new threads being generated on the fly with context, with the actual key personnel involved. But it’s all AI generated…” (Brian Baskin, [54:31])
Defensive Challenges
- Impersonation detection requires social and technical layers—training staff to spot abnormal communication, but AI-generated messages narrow those clues.
- Even video-based confirmation (e.g., a FaceTime call) may become unreliable in the near term as deepfakes improve.
- “Prompt is the new script…” (Patrick Gray, [57:46])
The Arms Race in Evasion
- Attackers scale phishing/evasion by abusing smaller, lesser-known SaaS platforms for phishing and malware delivery (Canva, Piktochart, Airtable, etc.).
- Email security must quickly adapt to these shifting TTPs (tactics, techniques, and procedures).
- “The line between…what is malicious and what is legit now is so blurry, and it hurt my head.” (Patrick Gray, [62:57])
10. Human Stories: Scam Compounds in Myanmar (Andy Greenberg, WIRED)
[46:19-48:53]
- Wired feature chronicles the experience of an Indian worker trapped in a Southeast Asian scam compound; the story explores both technological and deeply human elements.
- “It’s a hell of a ride of a story…if you want a lunchtime read, very strong recommend.” (Adam, [48:01])
Notable Quotes
- Patrick Gray [02:48]: “If you look at the key components of this French plan, it starts looking a little bit realistic, we’d say.”
- Adam Boileau [05:12]: “Maybe there is something to be said for a cleaner break, but it's just like this has to work in reality.”
- Patrick Gray [24:44]: “I think it's just, you know, one more data point to suggest that non-phishing-resistant MFA is just next to useless.”
- Adam Boileau [28:29]: “Seeing a concrete implementation of a system like this by an expert is just super useful… good to understand.”
- Patrick Gray [62:57]: “The line between…what is malicious and what is legit now is so blurry, and it hurt my head.”
Timestamps by Segment
- [00:40] France and Digital Sovereignty
- [06:16] UK Downing Street hack
- [08:54] Russian Sandworm attacks on Poland
- [10:31] Trump and the “Discombobulator”
- [13:06] Car alarm cyberattack in Russia
- [14:59] CISA leadership drama
- [18:17] NIST/NVD bows out of full vuln enrichment
- [22:41] ShinyHunters’ vishing/MFA campaigns
- [24:45] Sean Heelan’s exploit dev research with LLMs
- [31:13] AI business risks
- [32:42] cURL bug bounties canceled over AI slop
- [35:14] Windows 11 Admin Protection bypass
- [37:43] Microsoft MDT discontinued
- [40:25] Kubernetes privilege escalation bug
- [43:09] WhatsApp lockdown mode
- [45:13] Microsoft handing over BitLocker keys
- [46:19] Andy Greenberg’s scam compound story
- [50:57] Interview: Brian Baskin (Sublime Security, GenAI in impersonation attacks)
Takeaways
- Digital sovereignty is now a serious policy goal in Europe, with France leading a tangible move away from US tech.
- State-backed cyber intrusions continue at scale; responding to evolving, increasingly destructive threat actors remains imperative.
- US cyber agencies (CISA, NIST) are hamstrung by leadership, morale, and resourcing problems; foundational security infrastructure like the NVD may not be reliable going forward.
- Offensive and defensive AI capabilities are leaping forward, with GenAI-driven phishing/impersonation now a mainstream risk. Technical and social defenses must rapidly adapt.
- The boundary between legitimate service use and abuse for cybercrime is blurring, making both detection and attribution harder.
- The podcast maintains its signature fast, irreverent, professional tone—balancing technical detail with witty banter.
