We discuss the disruption caused by political changes and the potential implications for cybersecurity policies, impact from the Supreme Court Chevron ruling, security regulations and the challenges of writing laws for future technology, the role of CISA and its accomplishments, the debate around offensive cyber operations and the responsibility of companies like Google in addressing vulnerabilities.

The need for clear separation between counterterrorism and espionage operations is highlighted, as well as the importance of understanding both defensive and offensive perspectives.

• Costin Raiu is on vacation.

Links:

• Transcript (unedited, AI-generated)
• Qualys: Remote Unauthenticated Code Execution in OpenSSH
• CSRB report on Microsoft hack
• CISA secure-by-design pledge
• CCC Talk: Operation Triangulation
• Lawfare: Responsible Cyber Offense
• Google: Stop Burning Counterterrorism Operations
• Follow Dave Aitel on Twitter
• J. A. Guerrero-Saade on Twitter
• Costin Raiu on Twitter
• Follow Ryan Naraine (@ryanaraine) on Twitter
• LABScon - Security Research in Real Time

A deep dive on disruption vs exposure, the effects of US government sanctions on private mercenary hacking companies, hypocricy and the tricky relationship between malware researchers are the intelligence community, and the lack of 'success stories' from so-called benevolent malware.

We also discuss the implications of the TeamViewer breach by a skilled Russian APT, new Microsoft notifications to Midnight Blizzard victims and share thoughts on the Polyfill.io supply chain compromise.

Links:

• Episode transcript (Unedited, AI-generated)
• Google: Stop Burning Counterterrorism Operations
• Russian hackers sanctioned by European Council
• TeamViewer statement on APT29 breach
• Polyfill supply chain attack
• Request a LABScon invite
• Follow Costin Raiu on Twitter
• Follow JAG-S on Twitter
• Follow Ryan Naraine on Twitter

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.

In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.

Links:

• Abhishek Arya on LinkedIn
• OSS-Fuzz: Continuous fuzzing for open source software
• Google Brings AI Magic to Fuzz Testing
• AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
• AI Cyber Challenge

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups.

Links:

• Projects - Peculiar Ventures
• Ryan Hurst on LinkedIn
• Binarly - AI-powered firmware security
• SandboxAQ

Links:

• A Year in Review of 0-days Used In-the-Wild in 2021
• Maddie Stone on LinkedIn
• 0day "In the Wild" Spreadsheet
• Maddie Stone on Twitter

Links:

• Shane Huntley on LinkedIn
• Twitter: @ShaneHuntley
• Project Zero: FORCEDENTRY Sandbox Escape
• Google and Operation Aurora
• A walk through Google Project Zero metrics
• Project Zero: 0day "In the Wild" Database

Sponsored by Eclypsium:
Eclypsium ships an enterprise device platform that provides visibility and mitigation for malicious activity all the way down to the firmware and hardware level. Think of it as one platform to discover, inventory, assess risk, patch, and detect compromises and supply chain breaches across your entire fleet of devices. Request a demo at Eclypsium.com.