← All podcasts
Risky Business

Risky Business

Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.

All episodes(57)

  • StandardSummaries only
    Risky Business #844 -- China closes AI vulndev gap as USA lifts Fable ban

    Published Jul 1, 2026

    On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: Anthropic’s Fable 5 returning while OpenAI’s GPT-5.6 gets thrown in model jail Distillation, cheap tokens, and AI chat harvesting is an industry in China Edge becomes a lolbin via a new malicious extension An Iranian APT boss’s vacation in a beautiful place goes wrong Much, much more! In this week’s sponsor interview Daf Stuttard and Katie Warren from Portswigger pop along to talk a

  • StandardSummaries only
    Risky Business #843 -- Fortibleed is kinda awesome, actually

    Published Jun 24, 2026

    On this week’s show special guest co-host Rob Joyce joins Patrick Gray and James Wilson to discuss the week’s cybersecurity news. Rob served as an advisor to Donald Trump during his first term as president and also served at NSA for 34 years. While at the agency, Joyce led Tailored Access Operations (TAO), and later became NSA’s Director of Cybersecurity. They cover: The surprisingly well done Fortibleed campaign Stolen Klue OAuth tokens lead to Salesforce data theft OpenAI wants to patch the pl

  • StandardSummaries only
    Risky Business #842 -- Anthropic needs an adult in the C suite

    Published Jun 17, 2026

    On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: Anthropic’s Fable 5 and Mythos 5 get nuked by the US government four days after launch “because security” Why “guardrails” won’t keep the world safe from your AI doomsday machine The FISA 702 statute expired, but the spying can (probably) continue! NPM v12 delivers some protection against supply chain attacks, but not enough. Microsoft has a series of bugs that prevent Windows Updat

  • StandardSummaries only
    Risky Business #841 -- Microsoft gets owned and 0day'd

    Published Jun 10, 2026

    On this week’s show special guest co-host Chris Wade, the founder of Corellium turned Cellebrite CTO, joins Patrick Gray and James Wilson to discuss the week’s cybersecurity news. They cover: Microsoft has repos owned, GitHub tokens popped, and a new 0day dropped on them Meanwhile, researchers are choosing full disclosure instead of engaging MSRC Meta’s AI support agent allowed a staggering 20,000 accounts to be stolen! Apple pulls Russia’s MAX messenger from the App Store and disables notificat

  • StandardSummaries only
    Soap Box: Detection and response in the AI age

    Published Jun 5, 2026

    Soap Box

    In this sponsored Soap Box edition of the Risky Business podcast Patrick Gray chats with Edward Wu, founder of Dropzone, about what AI is doing to detection, response and the SOC more generally. Dropzone makes AI agents that conduct alert investigations in your SOC, but will the SOC as we know it even exist in the future? Ed has a deep expertise in SOC tech, having previously led AI/ML detection engineering at Extrahop. This interview is a fantastic look at what the future may bring for detectio

  • StandardSummaries only
    Risky Business #840 -- Microsoft walks back researcher threats

    Published Jun 3, 2026

    On this week’s show special guest co-host Andy Boyd joins Patrick Gray and James Wilson to discuss the week’s cybersecurity news. Andy is the CEO of REDLattice, which makes the Paragon “intelligence collection and reconnaissance” solution. They cover: Adversaries are tracking US troop locations with commercially available location data A new Signal phishing campaign is going after message backups 404 Media is suing ICE to get its spyware contract with REDLattice (lol) Microsoft’s tone-deaf respo

  • StandardSummaries only
    Risky Business #839 -- TeamPCP stole GitHub's internal repos

    Published May 27, 2026

    On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: TeamPCP breached GitHub’s internal repos. Now what? Some absolute plonker glued Coruna to a hijacked npm package CISA is worried about about open source and wants third party submissions for KEV AI infrastructure is “systemically” insecure Much, much more This week’s episode is sponsored by allowlisting vendor Airlock Digital. Airlock’s founders David Cottingham and Daniel Schell jo

  • StandardSummaries only
    Risky Business #838 -- GitHub investigates possible breach

    Published May 20, 2026

    On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: GitHub announced a possible breach CISA leaks important creds, keys in public repo Awful vulnerability in Bitlocker renders it useless without a PIN So. Many. Patches. Polish Government urges officials to ditch Signal for mSzyfr Much, much more This week’s show is brought to you by Thinkst Canary. Thinkst’s founder, Haroon Meer, is this week’s sponsor guest. He joined James Wilson t

  • StandardSummaries only
    Soap Box: Where does AI fit into cloud security?

    Published May 15, 2026

    Soap Box

    In this sponsored soap box edition of the Risky Business podcast Patrick Gray chats with Toni de la Fuente, the founder of Prowler. Prowler started off as a bunch of scripts in a trenchcoat, then became an open source cloud security tool, and it’s now a venture-funded cloud security business. In this interview Toni talks us through how AI is changing the game for him as an open source project owner, and as a vendor. In short, reports of the death of IT and security tooling at the hands of fronti

  • StandardSummaries only
    Risky Business #837 -- GitHub Actions footgun claims TanStack

    Published May 13, 2026

    On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: Mini Shai-Hulud and the TanStack compromise using Github Actions Instructure pays Canvas elearning platform data extortionists More Linux privilege escalation 0days! CISA helping critical infrastructure operators rearchitect their networks so they work offline This week’s episode is sponsored by email security platform Sublime Security. Bobby Filar chats with Patrick about how agent

  • StandardSummaries only
    Risky Business #836 -- You can't patch the bugpocalypse

    Published May 6, 2026

    On this week’s show, Patrick Gray and James Wilson are joined by special guest co-host Brad Arkin. They discuss the week’s cybersecurity news, including: The US Government says we just have to patch faster, but… Bugs in cPanel, MoveIt and all Linux distributions this week show that patching alone isn’t enough James gets mad about lame AI Agent adoption advice from the US and Australian Governments James Kettle and Niels Provos both showed us that any model can find 0day like Mythos And the cyber

  • StandardSummaries only
    Snake Oilers: Ent AI, Spacewalk and Mondoo

    Published May 1, 2026

    Snake Oilers

    In this edition of the Snake Oilers podcast three vendors stop by to pitch the audience on their products: Ent AI: Co-founder Brandon Dixon pitched Ent, an intent-aware, AI-powered endpoint security control. Spacewalk AI: Founders Chris Fuller and Tim Wenzlau pitch Spacewalk, an AI-powered incident response platform. Mondoo: Co-founder Dominik Richter pitches Mondoo, an AI-powered “service as software” in the vulnerability management space. This episode is also available on YouTube. Show notes

  • StandardSummaries only
    Risky Business #835 -- Why the Fast16 malware is badass

    Published Apr 29, 2026

    On this week’s show, Patrick Gray and James Wilson are joined by special guest-host Dmitri Alperovitch. They discuss the week’s cybersecurity news, including: The US government is mad as hell about Chinese firms stealing American AI technology Dmitri has an opinion or two about the US selling Nvidia chips to China Speaking of Chinese AI, Kimi’s new 2.6 is very interesting The US sanctions a Cambodian senator for earning mega bucks through scam compounds And a ransomware family is promoting itsel

  • StandardSummaries only
    Risky Business #834 -- Vercel gets owned, Mozilla dumps hundreds of Mythos bugs

    Published Apr 22, 2026

    On this week’s show, Patrick Gray and James Wilson are joined by special guest The Grugq. They discuss the week’s cybersecurity news, including: Vercel got owned, and there’s a few infostealer and compromised employee dots to connect Mozilla used Mythos to find 271 bugs, which feels like a sign of the bug-pocalypse Speaking of the bug-pocalypse, is that why NIST is noping out of enriching a bunch of bugs? The NSA is using Mythos even though the government did that whole Anthropic blacklisting th

  • StandardSummaries only
    Risky Business #833 -- The Great Mythos Freakout of 2026

    Published Apr 15, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: Everyone has an opinion about Claude Mythos… even though almost nobody has used it yet CISA adds a 2009 Excel bug to the KEV list, u wot? Adobe also parties like it’s the 2000s, and fixes an Acrobat Reader bug Disgraced former Trenchant exec Peter Williams’ sob story fails to resonate with … anyone Remember those crosswalk buttons hacked to play audio mocking Trump and Zuck? They w

  • StandardSummaries only
    Snake Oilers: Burp AI, Sondera and Truffle Security

    Published Apr 9, 2026

    Snake Oilers

    In this edition of the Snake Oilers podcast three vendors stop by to pitch the audience on their products: Burp AI and DAST: The founder of PortSwigger and creator of legendary security software Burp Suite, Dafydd Stuttard, drops by to pitch listeners on Burp AI and Burp Suite DAST. Sondera: Josh Devon talks about Sondera, a technology designed to intervene when AI models start doing the wrong thing by statefully tracking their trajectories. This isn’t a permissions suite for AI agents, it’s a w

  • StandardSummaries only
    Risky Business #832 -- Anthropic unveils magical 0day computer God

    Published Apr 8, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: Anthropic’s new Mythos model hunts bugs and chains exploits together so well that… you cant have it… …Unless you’re one of their Project Glasswing partners The world isn’t short on bugs, though. F5, Fortinet, Progress ShareFile, and TrueConf are all getting rekt by humans GPU Rowhammering goes in the GPU, past the IOMMU and back into the host-side Nvidia driver North Korea is spend

  • StandardSummaries only
    How the World Got Owned Episode 2: The 1990s, Part One

    Published Apr 3, 2026

    In this special documentary episode, Patrick Gray and Amberleigh Jack take a look back at hacking throughout the 1990s, from the feel-good vibes of the early hacking communities to the antics of young hackers who wound up on the run from the FBI. Part one features recollections from: Jeff Moss (The Dark Tangent), DefCon and Black Hat founder Chris Wysopal (Weld Pond), L0pht member, co-founder, @Stake Kevin Poulsen (Dark Dante), 1990s hacker turned journalist Elias Levy (Aleph One), author of Sma

  • StandardSummaries only
    Risky Business #831 -- The AI bugpocalypse begins

    Published Apr 1, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover: Those pesky North Koreans shim a backdoor into a 100M-downloads-a-week npm package TeamPCP appear to have ransacked Cisco’s source and cloud environments AI is getting legitimately good at being told to “just go find some 0day in this” Kaspersky says Coruna and Triangulation do share code lineage Iranian hackers dump Kash Patel’s gmail spool Oh, and of course there’s a Citrix Netsc

  • StandardSummaries only
    Soap Box: Red teaming AI systems with SpecterOps

    Published Mar 27, 2026

    Soap Box

    In this sponsored Soap Box edition of the show, Patrick Gray and James Wilson talk about red teaming AI systems with Russel Van Tuyl, Vice President of Services at elite penetration testing firm SpecterOps. SpecterOps is the company behind attack path enumeration tool Bloodhound and Bloodhound Enterprise, but they’re also a pentest and red teaming shop with world class expertise in popping shells on all sorts of interesting systems in all sorts of interesting places. This episode is also availab

  • StandardSummaries only
    Risky Business #830 -- LiteLLM and security scanner supply chains compromised

    Published Mar 25, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They talk through: TeamPCP’s supply chain attack on Github, and they threw in an anti-Iran wiper, because why not?! Anthropic hooks up its models to just… use your whole computer After Stryker’s Very Bad Day, CISA says maybe add some more controls around your Intune? Another iOS exploit kit shows up in the cyber bargain-bin The FTC decides to ban… all new home routers?! U wot m8?! Supermicro f

  • StandardSummaries only
    Risky Business #829 -- Sneaky lobsters: Why AI is the new insider threat

    Published Mar 18, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They discuss: Iran’s Intune-based wiper attack on medical device maker Stryker Qihoo 360’s AI publishes its own wildcard TLS cert private key Instagram is canning its end-to-end encrypted messaging What’s going on with mobile internet access in Moscow? The Xbox One’s bootloader gets voltage glitched into submission Oh Qualys! We love you! (At least, whoever is in the basement writing these bea

  • StandardSummaries only
    Risky Biz Soap Box: It took a decade, but allowlisting is cool again

    Published Mar 12, 2026

    Risky Biz Soap Box

    In this Soap Box edition of the Risky Business podcast Patrick Gray sits down with Airlock Digital co-founders Daniel Schell and David Cottingham to talk about the role AI models could play in managing enterprise allowlists. They also talk about the durability of allowlisting as a control. After 12 years in business, the Airlock product hasn’t really changed all that much. That’s a good thing! It also means the Airlock team have been able to spend some time doing deep engineering instead of chas

  • StandardSummaries only
    Risky Business #828 -- The Coruna exploits are truly exquisite

    Published Mar 11, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They cover: The Coruna exploits were L3 Harris, but it seems Triangulation… was not! Iran’s cyber HQ hit by Israeli (kinetic) strikes Trump’s cyber “strategy” is … well, all we’ve got is jokes cause there’s no serious content NSA and CyberCom finally get a leader after Lt Gen Joshua Rudd gets Senate nod DOGE (remember them?!) employee walked a social security database out on a USB stick This e

  • StandardSummaries only
    Risky Business #827 -- Iranian cyber threat actors are down but not out

    Published Mar 4, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They cover: The US-Israeli attack on Iran had a whole lot of cyber. It’s clearly in the playbook now! The NSA Triangulation / L3 Harris Trenchant iOS exploit kit is on the loose, and being used by Chinese crypto scammers So long Maddhu Gottumukkala, but CISA’s annus horribilis continues Adam “humbug” Boileau complains about the Airsnitch wifi attack just being three ethernets in a trenchcoat A

  • StandardSummaries only
    Risky Business #826 -- A week of AI mishaps and skulduggery

    Published Feb 25, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They cover: Low skill actors compromise 600 Fortinets with AI-generated playbooks Anthropic calls out Chinese AI firms over model distillation Meta’s director of AI safety tells her ClawdBot not to delete her mail… so of course it does Peter Williams cops 7 years in jail for selling L3 Harris Trenchant’s exploits to Russia Ivanti got hacked in 2021 via… bugs in Ivanti This episode is sponsored

  • StandardSummaries only
    Risky Biz Soap Box: The lethal trifecta of AI risks

    Published Feb 19, 2026

    Risky Biz Soap Box

    There’s a lethal trifecta of AI risks: access to private data, exposure to untrusted content, and external communication. In this conversation, Risky Business host Patrick Gray chats with Josh Devon, the co-founder of Sondera, about how to best address these risks. There is no magic solution to this problem. AI models mix code and data, are non-deterministic, and are crawling around all over your enterprise data and APIs as you read this. But in this sponsored interview, Josh outlines how we can

  • StandardSummaries only
    Risky Business #825 -- Palo Alto Networks blames it on the boogie

    Published Feb 18, 2026

    On this week’s show, Patrick Gray, Adam Boileau and James WIlson discuss the week’s cybersecurity news. They cover: Palo Alto threat researchers want to attribute to China, but management says shush An increasing proportion of ransomware is data extortion. Is this good? Cambodia says it’s going to dismantle scam compounds CISA sufferers through yet another shutdown Google Gemini’s training secrets are being systematically harvested to improve other LLMs Academics assess SaaS password managers’ r

  • StandardSummaries only
    Risky Business #824 -- Microsoft's Secure Future is looking a bit wobbly

    Published Feb 11, 2026

    On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: Microsoft reshuffles security leadership. It doesn’t spark joy. Russia is hacking the Winter Olympics. Again. But y tho? China-linked groups are keeping busy, hacking telcos in Norway, Singapore and dozens of others Campaigns underway targeting Ivanti, BeyondTrust and SolarWinds products An unknown hero blocks 23/tcp on the US internet backbone And James Wilson pops into talk about Claude’s go at

  • StandardSummaries only
    Risky Business #823 -- Humans impersonate clawdbots impersonating humans

    Published Feb 4, 2026

    Patrick Gray and Adam Boileau are joined by the newest guy on the Risky Business Media team, James WIlson. They discuss the week’s cybersecurity news, including: Notepad++ update supply chain attack has been attributed to China The AI agent future is even more stupid than expected; behold the OpenClaw/Clawdbot/Moltbook mess The Epstein files claim he had a personal hacker? Microsoft is finally getting ready to (think about starting to begin to) disable NTLM by default The usual bugs in the usual

  • StandardSummaries only
    Risky Business #822 -- France will ditch American tech over security risks

    Published Jan 28, 2026

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. They discuss: La France is tres sérieux about ditching US productivity software China’s Salt Typhoon was snooping on Downing Street Trump wields the mighty DISCOMBOBULATOR ESET says the Polish power grid wiper was Russia’s GRU Sandworm crew US cyber institutions CISA and NIST are struggling Voice phishing for MFA bypass is getting even more polished This episode is sponsored by Sublime Security. Brian Baskin

  • StandardSummaries only
    Risky Business #821 -- Wiz researchers could have owned every AWS customer

    Published Jan 21, 2026

    In this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, joined by a special guest. BBC World Cyber Correspondent Joe Tidy is a long time listener and he pops in for a ride-along in the news segment plus a chat about his new book. This week news includes: Did the US cyber Venezuela’s power grid, or do they just want us to think they coulda? US govt might boycott the RSAC Conference ‘cause Jen Easterly being CEO makes them mad MS Patch Tuesday fixes CVSS5.5 bug an

  • StandardSummaries only
    Risky Business #820 -- Asian fraud kingpin will face Chinese justice (pew pew!)

    Published Jan 14, 2026

    Risky Business returns for 2026! Patrick Gray and Adam Boileau talk through the week’s cybersecurity news, including: Santa brings hackers MongoDB memory leaks for Christmas Vercel pays out a million bucks to improve its React2Shell WAF defences 39C3 delivers; the pink Power Ranger deletes nazis, while a catgirl ruins GnuPG Cambodian scam compound kingpin gets extradited to China, and we don’t think it’ll go well for him Krebs picks apart the Kimwolf botnet and residential proxy networks So many

  • StandardSummaries only
    How the World Got Owned Episode 1: The 1980s

    Published Jan 6, 2026

    In this special documentary episode, Patrick Gray and Amberleigh Jack take a historical dive into hacking in the 1980s. Through the words of those that were there, they discuss life on the ARPANET, the 414s hacking group, the Morris Worm, the vibe inside the NSA and a parallel hunt for German hackers happening at a similar time to Cliff Stoll’s famous Cuckoo’s Egg story. This podcast features the memories of: Jon Callas, former principal software engineer at Digital Equipment Corporation Mark Ra

  • StandardSummaries only
    Risky Business #819 -- Venezuela (credibly?!) blames USA for wiper attack

    Published Dec 17, 2025

    In the final show of 2025, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: React2Shell attacks continue, surprising no one The unholy combination of OAuth consent phishing, social engineering and Azure CLI Venezuela’s state oil firm gets ransomware’d, blames US… but what if it really is a US cyber op?! Russian junk-hacktivist gets indicted for cybering critical… err… a car wash and a fountain Microsoft finally turns RC4 off by default in Active Directory Kerberos

  • StandardSummaries only
    Risky Biz Soap Box: Graph the planet!

    Published Dec 11, 2025

    Risky Biz Soap Box

    In this sponsored Soap Box edition of the Risky Business podcast, Patrick Gray chats with Jared Atkinson, CTO of SpecterOps, about BloodHound OpenGraph. OpenGraph enumerates attack paths across platforms and services, not just your primary directories. A compromised GitHub account to on-prem AD compromise attack path? It’s a thing, and OpenGraph will find it. Cross-platform attack path enumeration! So good! This episode is also available on Youtube. Show notes

  • StandardSummaries only
    Risky Business #818 -- React2Shell is a fun one

    Published Dec 10, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: There’s a CVSS 10/10 remote code exec in the React javascript server. JS server? U wot mate? China is out popping shells with it Linux adds support for PCIe bus encryption Amnesty International says Intellexa can just TeamViewer into its customers’ surveillance systems …and a Belgian murder suspect complains that GrapheneOS’s duress wipe feature failed him? This week’s episode is sponsored by Krol

  • StandardSummaries only
    Risky Business #817 -- Less carnage than your usual Thanksgiving

    Published Dec 3, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news. It’s a quiet week with Thanksgiving in the US, but there’s always some cyber to talk about: Airbus rolls out software updates after a cosmic ray bitflips an A320 into a dive Krebs tracks down a Scattered Lapsus$ Hunters teen through the usual poor opsec… … as Wired publishes an opsec guide for teens. Microsoft decides its login portal is worth a Content Security Policy South Korean online retailer data breac

  • StandardSummaries only
    Risky Business #816 -- Copilot Actions for Windows is extremely dicey

    Published Nov 26, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: Salesforce partner Gainsight has customer data stolen Crowdstrike fires insider who gave hackers screenshots of internal systems Australian Parliament turns off wifi and bluetooth in fear of of visiting Chinese bigwigs Shai-Hulud npm/Github worm is back, and rm -rf’ier than ever SEC gives up on Solarwinds lawsuit Dog eats cryptographer’s key material This week’s episode is sponsored by runZero. HD

  • StandardSummaries only
    Risky Biz Soap Box: Greynoise knows when bad bugs are coming

    Published Nov 20, 2025

    Risky Biz Soap Box

    In this sponsored Soap Box edition of the podcast, Andrew Morris joins Patrick Gray to talk about how Greynoise can often get a 90 day heads up on serious vulnerabilities. Whether it’s malicious actors doing reconnaissance or the affected vendors trying to understand the scope of the problem, it seems that mass scanning activity lines up pretty nicely with typical 90-day disclosure timelines. A fascinating chat with Andrew, as always. This episode is also available on Youtube. Show notes

  • StandardSummaries only
    Risky Business #815 -- Anthropic's AI APT report is a big deal

    Published Nov 19, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: Anthropic says a Chinese APT orchestrated attacks using its AI It’s a day ending in -y, so of course there are shamefully bad Fortinet exploits in the wild Turns out slashing CISA was a bad idea, now it’s time for a hiring spree Researchers brute force entire phone number space against Whatsapp contact discovery API DOJ figures out how to make SpaceX turn off scam compounds’ Starlink service This

  • StandardSummaries only
    Risky Business #814 -- It's a bad time to be a scam compound operator

    Published Nov 12, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: The KK Park scam compound in Myanmar gets blasted with actual dynamite China sentences more scammers TO DEATH While Singapore is opting to lash them with the cane Chinese security firm KnownSec leaks a bunch of documents Necromancy continues on NSO Group, with a Trump associate in charge OWASP freshens up the Top 10, you won’t believe what’s number three! This week’s episode is sponsored by Thinks

  • StandardSummaries only
    Risky Business #813 -- FFmpeg has a point

    Published Nov 5, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: We love some good vulnerability reporting drama, this time FFmpeg’s got beef with Google OpenAI announces its Aardvark bug-gobbling system Two US ransomware responders get arrested for… ransomware Memento (nee HackingTeam) CEO says: Sì, those are totally our tools getting snapped in Russia Hackers help freight theft gangs steal shipments to resell A second Jabber Zeus mastermind gets his comeuppan

  • StandardSummaries only
    Risky Business #812 -- Alleged Trenchant exploit mole is ex-ASD

    Published Oct 29, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: L3Harris Trenchant boss accused of selling exploits to Russia once worked at the Australian Signals Directorate Microsoft WSUS bug being exploited in the wild Dan Kaminsky DNS cache poisoning comes back because of a bad PRNG SpaceX finally starts disabling Starlink terminals used by scammers Garbage HP update deletes certificates that authed Windows systems to Entra This week’s episode is sponsore

  • StandardSummaries only
    Risky Business #811 -- F5 is the tip of the crap software iceberg

    Published Oct 22, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: China has been rummaging in F5’s networks for a couple of years Meanwhile China tries to deflect by accusing the NSA of hacking its national timing system Salesforce hackers use their stolen data trove to dox NSA, ICE employees Crypto stealing, proxy-deploying, blockchain-C2-ing VS Code worm charms us with its chutzpah Adam gets humbled by new Linux-capabilities backdoor trick Microsoft ignores it

  • StandardSummaries only
    Wide World of Cyber: A deep dive on the F5 hack

    Published Oct 21, 2025

    In this edition of the Wide World of Cyber podcast Patrick Gray talks to Chris Krebs and Alex Stamos about the F5 incident. They talk about what happened, whether it’s a big deal, and why private equity ownership of mid-tier cybersecurity companies is often a red flag. Show notes

  • StandardSummaries only
    Risky Biz Soap Box: Why Mastercard is scaling its cybersecurity business

    Published Oct 16, 2025

    Risky Biz Soap Box

    In this sponsored Soap Box edition of the Risky Business podcast, host Patrick Gray chats with Mastercard’s Executive Vice President and Head of Security Solutions, Johan Gerber, about how the card brand thinks about cybersecurity and why it’s aggressively investing in the space. After listening to this interview you’ll understand why the credit card company spent $2.65b on threat intelligence vendor Recorded Future! This episode is also available on Youtube. Show notes

  • StandardSummaries only
    Risky Business #810 -- Data extortion attacks have a silver lining

    Published Oct 15, 2025

    In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: FBI intervenes in Scattered Spider Salesforce leaksite Clop loots Oracle E-Biz deployments Plus so much more data extortion.. At least it’s not ransomware … we guess? The US still can’t decide who’s gonna be in charge of NSA & Cybercom Cambodian scam compounds get sanctioned and $15b in crypto is seized NSO gets sold for pocket-lint-grade money Bugs! Redis CVSS 10, Ivanti, Crowdstrike and… Interne

  • StandardSummaries only
    Snake Oilers: Realm Security, Horizon3 and Persona

    Published Oct 7, 2025

    Snake Oilers

    In this edition of the Snake Oilers podcast, three vendors pop in to pitch you all on their wares: Realm Security: A security focussed, AI-first data pipeline platform Horizon3: AI hackers! Pentesting robots!! They’re coming fer yur jerbs! Persona: Verify customer and staff identities with live capture This episode is also available on Youtube. Show notes

  • StandardSummaries only
    Risky Business #809 -- Hackers try to pay a journalist for access to the BBC

    Published Oct 1, 2025

    On this week’s show Patrick Gray is on holiday so Amberleigh Jack and Adam Boileau hijack the studio to discuss the week’s cybersecurity news, including: Hackers learn that trying to coerce a journalist just makes for … a great story? A man in his 40s gets arrested over the European airport chaos. Yep, we’re surprised, too. Adam fanboys over Watchtowr Labs while bemoaning Fortra. Academics pick apart Tile trackers and find them lacking CISA tells agencies to patch their damn Cisco gear This epis

  • StandardSummaries only
    Risky Business #808 -- Insane megabug in Entra left all tenants exposed

    Published Sep 24, 2025

    On this week’s show Patrick Gray and special guest Rob Joyce discuss the week’s cybersecurity news, including: Secret Service raids a SIM farm in New York MI6 launches a dark web portal Are the 2023 Scattered Spider kids finally getting their comeuppance? Production halt continues for Jaguar Land Rover GitHub tightens its security after Shai-Hulud worm This week’s episode is sponsored by Sublime Security. In this week’s sponsor interview, Sublime founder and CEO Josh Kamdjou joins host Patrick G

  • StandardSummaries only
    Risky Business #807 -- Shai-Hulud npm worm wreaks old-school havoc

    Published Sep 17, 2025

    On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: Shai-Hulud worm propagates via npm and steals credentials Jaguar Land Rover attack may put smaller suppliers out of business Leaked data emerges from the vendor behind the Great Firewall of China Vastaamo hacker walks free while appeal is underway Why is a senator so mad about Kerberos? This week’s episode is sponsored by Knocknoc. Chief exec Adam Pointon joins to talk through the surprising numbe

  • StandardSummaries only
    Risky Biz Soap Box: runZero shakes up vulnerability management

    Published Sep 15, 2025

    Risky Biz Soap Box

    In this sponsored Soap Box edition of the Risky Business podcast, industry legend HD Moore joins the show to talk about runZero’s major push into vulnerability management. With its new Nuclei integration, runZero is now able to get a very accurate picture of what’s vulnerable in your environment, without spraying highly privileged credentials at attackers on your network. It can also integrate with your EDR platform, and other data sources, to give you powerful visibility into the true state of

  • StandardSummaries only
    Risky Business #806 -- Apple's Memory Integrity Enforcement is a big deal

    Published Sep 10, 2025

    On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: Apple ruins exploit developers’ week with fresh memory corruption mitigations Feross Aboukhadijeh drops by to talk about the big, dumb npm supply chain attack Salesloft says its GitHub was the initial entry point for its compromise Sitecore says people should “patch” its using-the-keymat-from-the-documentation “zero day” Rogue certs for 1.1.1.1 appear to be just (stupid) testing Jaguar Land Rover

  • StandardSummaries only
    Snake Oilers: Nebulock, Vali Cyber and Cape

    Published Sep 8, 2025

    Snake Oilers

    In this edition of the Snake Oilers podcasts, three vendors pop in to pitch you all on their wares: Automated, AI-powered threat hunting with Nebulock Damien Lewke from Nebulock joins the show to talk about how its agentic AI platform can surface attacker activity out of all those “low” and “informational” findings your detection team doesn’t have time to look at. Runtime security for hypervisors from Vali Cyber Austin Gadient from Vali Cyber stops by to talk about ZeroLock, its hypervisor secur

  • StandardSummaries only
    Risky Business #805 -- On the Salesloft Drift breach and "OAuth soup"

    Published Sep 3, 2025

    On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: The Salesloft breach and why OAuth soup is a problem The Salt Typhoon telco hackers turn out to be Chinese private sector, but state-directed Google says it will stand up a “disruption unit” Microsoft writes up a ransomware gang that’s all-in on the cloud future Aussie firm hot-mics its work-from-home employees’ laptops Youtube scam baiters help the feds take down a fraud ring This episode is spon

  • StandardSummaries only
    Risky Business #804 -- Phrack's DPRK hacker is probably a Chinese APT guy

    Published Aug 27, 2025

    On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including: Australia expels Iranian ambassador Hackers sabotage Iranian shipping satcoms APT hacker got doxxed in Phrack. Kind of. They’re probably Chinese, not DPRK? Trail of Bits uses image-downscaling to sneak prompts into Google Gemini The Com’s King Bob gets ten years in the slammer It’s a day that ends in -y, so of course there’s a new Citrix Netscaler RCE being used in the wild. This week’s episode is