Cybersecurity Today

Host Jim Love and panelists David Shipley, Laura Payne, and Jeff Williams discuss a researcher ("Chaotic/Nightmare Eclipse") publicly disclosing multiple Windows zero-days affecting components including Defender and BitLocker, frustration with Microsoft's vulnerability disclosure process, and backlash to Microsoft's initially threatening tone before it was partially walked back; the panel debates responsible disclosure, the need for researcher support/organization, transparency vs liability, and how vulnerability reporting is straining under volume. They then examine a White House AI executive order focused on voluntary measures and 30-day model access, criticizing the lack of basic safety and cybersecurity protections amid FOMO about losing to China and an AI investment bubble. The conversation covers AI-driven harms and studies on reduced brain activity and "cognitive surrender," while noting benefits when AI is used as a tutor. Shipley highlights Canada's Senate passing Bill C-8 on critical infrastructure cybersecurity, and the group urges outcome-focused security, architecture/risk prioritization, and critical thinking against AI-enabled social engineering.
Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material[dot]security.

00:00 Sponsor Message
00:24 Show Welcome Panel
01:17 Microsoft Zero Day Fallout
04:19 Researcher Backlash Drama
06:46 Unionizing Bug Hunters
13:10 Product Liability Debate
23:23 Regulation vs Transparency
26:00 AI Bubble Investor Risk
28:01 White House AI Order
32:24 Cybersecurity Gaps Telecom
33:19 Telecom Trust Breakdown
34:32 AI Harms and Exploitation
35:36 Studies on Cognitive Surrender
38:13 Markets Regulation and Politics
40:13 Canada Cyber Law Win
42:33 Adoption Hype and Subsidy Bubble
48:50 Patch Deluge and AppSec Strain
52:10 Defenses Beyond Patching
54:17 Outcomes Critical Thinking and CIA
01:01:49 Education Disruption and Closing
01:04:14 Sponsor Message Material Security

A newly disclosed attack called HTTP/2 Bomb can crash major web servers in seconds using a single computer and a modest internet connection. Researchers say the attack combines two known techniques into a powerful memory-exhaustion exploit affecting widely used platforms including Apache, NGINX, Microsoft IIS, and Envoy. The attack also highlights a growing trend in cybersecurity research: the use of artificial intelligence to uncover dangerous combinations of existing vulnerabilities.
The episode also examines President Trump's new executive order creating a voluntary framework for reviewing advanced AI models before public release. The administration says the goal is to improve cybersecurity and national security visibility while avoiding mandatory regulation or licensing requirements.
Next, a new Cloud Security Alliance report warns that organizations are struggling to keep up with the growing volume of vulnerabilities. Security teams increasingly face difficult choices about which flaws to patch first as cloud environments, containers, APIs, and third-party software continue to expand the attack surface.
Finally, CISA warns that attackers are actively exploiting both a newly patched Android vulnerability and a years-old Linux flaw. The contrast highlights a simple reality: cybercriminals do not care whether a vulnerability is new or old. They care whether it remains exploitable.
Stories in this episode
HTTP/2 Bomb Can Crash Web Servers in Seconds
Researchers disclose a denial-of-service technique capable of exhausting server memory in under a minute, while OpenAI's Codex helps uncover a novel attack chain.
Trump Creates Voluntary AI Security Reviews as Government Seeks Visibility Into Frontier Models
A new executive order establishes voluntary reviews of advanced AI systems before public release, raising questions about visibility, oversight, and national security.
The Cybersecurity Industry's Patch-Everything Strategy May Be Breaking Down
A Cloud Security Alliance report suggests organizations are overwhelmed by vulnerability volume and increasingly forced to choose which risks to address.
CISA Warning Shows Attackers Don't Care Whether a Vulnerability Is New or Old
Active exploitation of both a newly patched Android flaw and an older Linux vulnerability demonstrates that attackers focus on opportunities, not disclosure dates.
Cybersecurity Today brings you the latest cybersecurity news, threat intelligence, breach reports, vulnerability disclosures, ransomware developments, cybercrime investigations, and security research affecting organizations around the world.
#Cybersecurity #CyberSecurityToday #InfoSec #CyberNews #Ransomware #ThreatIntelligence #VulnerabilityManagement #AndroidSecurity #LinuxSecurity #ArtificialIntelligence #HTTP2 #CISA #CloudSecurity #OpenAI #PatchManagement

Cybersecurity Today for June 2, 2026.
Microsoft has backed away from its hard-line stance against vulnerability researchers after widespread criticism from the security community. The dispute began after independent researcher Nightmare Eclipse published proof-of-concept code for unpatched Microsoft vulnerabilities, triggering a public debate over responsible disclosure, zero-days, and researcher relations.
Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material[dot]security.
Carnival Corporation disclosed a social-engineering attack that led to the theft of sensitive personal information affecting nearly six million people. Exposed data includes names, contact information, dates of birth, and government identification details. The ShinyHunters cybercrime group has claimed responsibility and alleges the breach involved even more records.
Password manager provider Dashlane temporarily locked some customers out of their accounts after large-scale password-guessing attacks triggered automated security protections. Access was later restored, although some users reported lingering issues.
The episode also examines a software supply-chain attack uncovered by Wiz involving 32 Red Hat Cloud Services NPM packages. Attackers compromised a Red Hat employee's GitHub account and inserted Miasma malware designed to steal Google Cloud and Microsoft Azure credentials.
Timestamps:
00:00 Sponsor Message
00:28 Headlines And Intro
00:55 Microsoft Researcher Dispute
02:58 Carnival Cruise Data Breach
04:48 Dashlane Lockouts Explained
06:09 Miasma Malware Supply-Chain Attack
08:10 Wrap Up And Sign Off
08:31 Sponsor Deep Dive
#Cybersecurity #DataBreach #Carnival #Microsoft #Dashlane #RedHat #SupplyChainAttack #CyberSecurityToday

Microsoft's dispute with a former security researcher takes a dramatic turn as the company raises the possibility of criminal action over the publication of proof-of-concept code for unpatched zero-day vulnerabilities. David Shipley examines the escalating conflict between Microsoft and "Nightmare Eclipse," the criticism from prominent security researchers including Kevin Beaumont and Katie Moussouris, and what the controversy could mean for the future of vulnerability disclosure.
Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material[dot]security.
The episode also explores a new category of insider risk after U.S. prosecutors charged Google security engineer Michael Spagnuolo with allegedly using confidential Google search trend data to earn more than $1.2 million on the prediction market Polymarket. The case highlights how prediction markets may create unexpected incentives around non-financial corporate information.
Also covered: active exploitation of Palo Alto Networks' GlobalProtect VPN authentication bypass vulnerability CVE-2026-0257, now added to CISA's Known Exploited Vulnerabilities (KEV) catalogue, and a malware campaign that abuses legitimate ChatGPT sharing pages and Google Ads to trick users into downloading malicious software. Researchers also report similar abuse of Anthropic's Claude Artifacts feature.
Chapters
00:00 Top Headlines Rundown
00:26 Microsoft vs Zero-Day Researcher
01:28 Responsible Disclosure Fallout
03:32 Why This Dispute Matters
04:32 Polymarket Insider Trading Case
06:07 Prediction Markets Create New Insider Risks
06:55 Palo Alto VPN Authentication Bypass
08:25 ChatGPT Pages Used to Deliver Malware
09:51 Wrap Up and Sign Off
Cybersecurity Today is Canada's leading daily cybersecurity news podcast, covering ransomware, vulnerabilities, nation-state threats, cybercrime, security research, privacy, and critical infrastructure security.
#Cybersecurity #Microsoft #PaloAltoNetworks #ChatGPT #OpenAI #Google #Polymarket #ThreatIntelligence #InfoSec #CyberSecurityToday

As concerns about artificial intelligence move from theory to reality, a growing public backlash is beginning to take shape.
In this episode of Project Synapse, Jim Love, Marcel Gagné, and John Pinard explore the rise of the AI "techlash" and the growing fears around job displacement, economic inequality, data centre expansion, and AI-driven cybersecurity risks.
The discussion covers warnings from AI researchers about workforce disruption, public resistance to AI adoption, the economics behind massive AI infrastructure investments, and emerging concerns around AI-powered vulnerability discovery and critical infrastructure security.
The panel also examines Canada's encryption backdoor debate, the future of decentralized communications, Google's new Omni avatar technology, and Marcel's experiment building a personal AI assistant using local Gemma models.
Whether you're optimistic about AI or increasingly skeptical, this conversation explores the opportunities, risks, and difficult questions shaping the next phase of the AI era.
CHAPTERS
00:00 Cold Open and Credits
00:55 The AI Techlash Begins
03:05 Yann LeCun on the Limits of LLMs
05:26 Could 30% of Jobs Disappear?
07:56 Youth Employment and Economic Risk
10:18 Universal Basic Income and Social Supports
11:59 The Myth of Replacement Jobs
14:12 Is AI Dumbing Down Culture?
17:33 Wealth Concentration and AI Power
19:20 The Work Humans Still Do Best
21:45 Greed, Incentives, and Reality
22:33 Pope Leo on Human-Centred AI
26:03 Celebrity Backlash Against AI
27:22 Data Centres, Costs, and AI Economics
30:41 Climate Change Parallels and AI Growth
33:04 Blame Technology or Leadership?
33:52 Solar-Powered Homes and Energy Policy
34:48 The AI Cover Art Controversy
37:29 Fighting AI Slop Online
38:58 AI-Powered Vulnerability Discovery
41:33 The Maple Syrup Cyberattack Story
46:36 Canada's Encryption Backdoor Debate
51:13 The Future of Smartphone Mesh Networks
52:53 Google's Omni Avatar Video Demo
01:03:51 Building a Personal Nexus Agent
01:08:27 Small AI Models Running Locally
01:09:49 Wrap Up and Discord
#ProjectSynapse #ArtificialIntelligence #AIJobs #DataCentres #Cybersecurity #GenerativeAI #MachineLearning #TechPodcast #TechNews #ChatGPT #Gemma #AIBacklash