Three Buddy Problem (Episode 68): The buddies are trapped in timezone hell with cross-country travel this week.

In this special episode, we present Juan Andres Guerrero-Saade's LABScon 2025 keynote-day presentation on the state of cybersecurity and why this phase of our collective project has failed, and how to build something smarter, more sustainable, and deeply interconnected in its place.

Juanito traces the field’s evolution from chaos to consolidation, weaving in cybernetics, standardization, and the dawning coexistence of human and artificial evaluative power. The result is part philosophical sermon, part rallying cry, an invitation to reject the industry’s slave morality, rethink our tools, and steer the next era of defense with intention.

Links:

• Transcript (unedited, AI-generated)
• JAGS keynote: The intricacies of wartime cyber threat intelligence - Security Conversations
• LABScon - Security Research in Real Time
• JAGS on LinkedIn
• JAGS on Twitter
• The Consolation of Threat Intel (JAGS LABScon 2024 keynote)

Three Buddy Problem - Episode 67: We discuss the rise of automated red-teaming, Apple’s $2 million exploit chain bounties aimed at outbidding spyware brokers and the iPhone maker's focus on wireless proximity attacks and “tactical suitcase” Wi-Fi exploits. We also hit the news of Paragon spyware targeting European executives and the bizarre story of NSO Group’s supposed US investor buyout.

Plus, an update on Oracle’s zero-day ransomware fiasco, Ivanti’s endless patch delays, the ethics of journalists enabling ransomware operations on leak sites, Europe’s latest failed push for Chat Control, and VirusTotal’s new pricing tiers.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Apple's new exploit-chain bounties
• Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits
• Paragon Strikes Again: UniCredit CEO Among the Targets
• NSO to be acquired by U.S. investors
• Oracle confirms exploited 0day - CVE-2025-61882
• Oracle Security Officer comms
• Oracle E-Business Suite CVE-2025-61882 Exploited in Extortion Attacks
• ZDI documents Ivanti 0days waiting for patches
• One-man spam campaign ravages EU ‘chat control’ bill
• VirusTotal new pricing tiers
• Tavis Ormandy Kaspersky 0day find

This week on Security Conversations, Ryan sits down with Chris Eng, former Chief Research Officer at Veracode, to talk about life after nearly two decades at one company and the lessons learned along the way. They dig into a career start at the NSA, the early days of @Stake and the Symantec acquisition, and the birth and ambitions of Veracode.

Plus, thoughts on how helping startups shape product strategy, what it takes to translate technical expertise into business impact, and how security culture has evolved since the early “hacker-to-enterprise” days. The conversation touches on defining your career beyond titles, how the perception of “cybersecurity” has changed over the years, and why the industry still has plenty of room for curiosity, reinvention, and good storytelling.

Links:

• Chris Eng on LinkedIn
• Chris Eng on Twitter
• Monoculture Considered Harmful
• Fired @stake CTO Says Microsoft Critique Was ‘Business as Usual’
• Microsoft Takes LSD to Test Vista Security
• Code Red (computer worm)

Three Buddy Problem - Episode 66: We discuss drone sightings that shut down airports across Europe and what they reveal about hybrid warfare and the changing nature of conflict; Oracle ransomware/extortion campaign tied to unpatched E-Business Suite vulnerabilities and the company’s muted response.

Plus, the TikTok–Oracle deal and the strange role Oracle now plays in U.S. national security; OpenAI’s Sora 2 launch and its implications for social media and human expression; Palo Alto’s “Phantom Taurus” APT report, a follow-up on Cisco’s ArcaneDoor disclosures, and the impact of the U.S. government shutdown on CISA.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Drone sightings prompt call for German police to gain shoot-down powers
• UK arrest following aerospace cyber incident
• Oracle Probes Hacks of Customers’ E-Business Suite After Extortion Campaign
• Oracle Critical Patch Update Advisory - July 2025
• Here is the email Clop attackers sent to Oracle customers
• Oracle statement from Chief Security Officer
• TikTok’s Algorithm to Be Secured by Oracle in Trump-Backed Deal
• Phantom Taurus: A New Chinese Nexus APT
• China Hackers Breached Foreign Ministers’ Emails
• Cisco Statement on Attacks Against Cisco Firewalls
• GreyNoise: 25,000 IPs Scanned Cisco ASA Devices in Early Sept
• KeyDrop.io

Three Buddy Problem - Episode 65: We zero in on one of the biggest security stories of the year: the discovery of a persistent multi-stage bootkit implanting malware on Cisco ASA firewalls. Details on a new campaign, tied to the same threat actors behind ArcaneDoor, exploiting zero-days in Cisco’s 5500-X series appliances, devices that sit at the heart of government and enterprise networks worldwide.

Plus, Cisco’s controversial handling of these disclosures, CISA's emergency deadlines for patching, the absence of IOCs and samples, and China’s long-term positioning. Plus, thoughts on the Secret Service SIM farm discovery in New York and evidence of Russians APTs Turla and Gamaredon collaborating to hit Ukraine targets.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
• Mandiant Brickstorm Scanner
• Cisco advisory: Continued Attacks Against Cisco Firewalls
• NCSC report on Cisco ASA bootkit in the wild
• U.S. government scrambles to stop new hacking campaign blamed on China
• US Secret Service Statement on SIM Farm Discovery
• NYTimes: Cache of Devices Capable of Crashing Cell Network Is Found Near U.N.
• Airport chaos: Ransomware hits airport check-in systems
• NCSC statement: Incident impacting Collins Aerospace
• Gamaredon X Turla collab

Three Buddy Problem - Episode 64: SpyCloud Labs researchers Aurora Johnson and Trevor Hilligoss discuss the world of “internet toilets," the toxic online communities in China where harassment, stalking, and sextortion thrive. We explore how these groups operate, from doxing ex-lovers and enemies to running coordinated campaigns of cyberbullying that often spill into real-world harm. (Recorded at LABScon 2025).

Cast: Aurora Johnson, Trevor Hilligoss, Ryan Naraine and Juan Andres Guerrero-Saade.

Links:

• Plunging China's internet toilets (LABScon)
• SpyCloud Labs

Three Buddy Problem - Episode 63: Co-founder of the Vertex Project Visi Stark joins the buddies to reminisce about his work writing Mandiant's famous APT1 report, the China-nexus threat landscape, the value of cyber threat intelligence, APT-naming schemes, and more... (Recorded at LABScon 2025)

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Visi Stark.

Links:

• How the Infamous APT-1 Report Exposing China’s PLA Hackers Came to Be
• Mandiant APT1 Report
• A guide to U.S. allegations of China cyberspying
• The Vertex Project
• LABScon 2025
• Visi Stark on LinkedIn
• LABScon 2025: Plunging the Internet Toilets in China
• Aurora Johnson on Twitter
• Trevor Hilligoss

Three Buddy Problem - Episode 62: Lindsay Freeman, Director of the Technology, Law & Policy program at the Human Rights Center, UC Berkeley School of Law, joins the show to discuss her team's meticulous work to document the Wagner Group's chain of command, military operations in parts of Africa, and the broadcasting of war crimes on social media platforms like Telegram. (Recorded at LABScon 2025)

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Lindsay Freeman.

Links:

• LABScon Speaker 2025: Lindsay Freeman
• War Crimes for Fun and Profit (Lawfare)
• Mali: Army, Wagner Group Atrocities Against Civilians
• The Wagner Group’s Atrocities in Africa: Lies and Truth
• Massacres, Executions, and Falsified Graves: The Wagner Group’s Mounting Humanitarian Cost in Mali

Three Buddy Problem - Episode 61: We cover a pair of software supply chain breaches (Salesforce Salesloft Drift and NPM/GitHub) that raises big questions about SaaS integrations and the ripple effects across major security vendors.

Plus, Apple’s new Memory Integrity Enforcement in iPhone 17 and discussion on commercial spyware infections and the value of Apple notifications; concerns around Chinese hardware and surveillance equipment in US infrastructure; Silicon Valley profiting from China’s surveillance ecosystem; and controversy around a Huntress disclosure of an attacker’s operations after an EDR agent was mistakenly installed.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• Salesforce advisory on Salesloft Drift hack
• Salesloft Drift Breach Tracker
• Mandiant Drift and Salesloft Application Investigations
• Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
• Large-Scale NPM Attack
• NPM attack failed, with almost no victims
• Chinese Hackers Pretended to Be a Top U.S. Lawmaker
• Czech cyber agency warns against using services and products that send data to China
• Apple Debuts Memory Integrity Enforcement (MIE)
• Huntress: An Attacker’s Blunder Gave Us a Look Into Their Operations
• LABScon 2025 Agenda

Three Buddy Problem - Episode 60: We dissect a fresh multi-agency Salt Typhoon advisory (with IOCs and YARA rules!), why it landed late, why the wall of logos matters (and doesn’t), and what’s actually usable for defenders: new YARA, tool hashes, naming ambiguity across reports, the mention of Chinese vendors, and a Dutch note that smaller ISPs were hit.

Plus, Costin details his hunting stack and philosophy (historic IOC/malware hoarding, fast pivots, and AI as analyst “wingman”) and a new Chinese APT report that may intersect with LightBasin and the murky PSOA world.

We also debate Google’s proposed “cyber disruption unit” versus Microsoft’s DCU (legal vs. “ethical” takedowns, PR, and business models); react to Anthropic’s report on real attacker use of Claude; note Amazon’s APT29 watering-hole disruption; and close on a fresh WhatsApp-to-ImageIO zero-click chain and practical phone OPSEC.

Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.

Links:

• Transcript (unedited, AI-generated)
• NSA, Allies Report on Salt Typhoon
• UK and allies expose China tech companies
• Joint Advisory on Salt Typhoon (IOCs)
• Dutch providers targeted by Salt Typhoon
• Silent Control: The Hidden Penetration of MystRodX
• Google previews cyber ‘disruption unit'
• Anthropic report on misuse of Claude AI
• WhatsApp 0day exploited (iOS attack chain)
• RationalEdge - Intelligence Meets Accuracy
• LABScon Speakers 2025