Tod Beardsley

Shmethical #Hacker. #Research mucky-muck at @runzero. #Election Judge. #CVE bagman. #Metasploit collaborator. Briefly a fed. #FriendofDeSoto. #Podcaster #fedi22-findable

All subpoenas, warrants, contracts, and other linguistic puzzles should be directed to my attorney, @hotdogitsclaire.

I post here for me, mostly around #infosec / #cybersecurity. Sometimes I post work stuff.

Intro: infosec.exchange/@todb/1092704

Tod Beardsley boosted:
2025-07-09

🎙️ New runZero Hour: Open Source Meets Exposure Management

We sat down with @Rishiraj Sharma & @sandeep Singh from ProjectDiscovery to talk Nuclei: how it grew, where it’s headed, and what open source means for security.

💥 Plus: runZero’s Nuclei integration now checks for default creds across IT, OT, IoT & cloud without disruption.

📺 Register: runzero.com/research/runzero-h
🔗 Read: runzero.com/blog/integrating-n

2025-07-09

@adamhotep you alias ls with -h ? you madman what if you need to know EXACTLY HOW MANY BYTES ARE THERE (which it turns out is almost never)

2025-07-09

I've been computering for... a while now, but it took @TomSellers telling me during a pairing exercise, "just use lord of the rings, huh."

ls -lotrh

is way better than ls -lah and now I'll remember it forever.

Tod Beardsley boosted:
racheltobac (@racheltobac@infosec.exchange)
2025-07-08

AI voice clones have hit the White House AGAIN, now impersonating the Secretary of State, Marco Rubio, to other Government officials to try to steal secrets and access. Here is a video of me live demoing how quick and easy it is to clone a voice to hack and how to catch AI voice clone attacks in action!

It takes me 2 minutes total to set up an AI voice clone social engineering attack.
I need about 10-15 seconds of a person’s voice to clone it well, spoof a phone call (change caller ID to display another number -- available on the App Store!) and initiate a voice clone attack via call.

Governments, organizations and individuals need to know how to verify identity of caller outside of caller ID and voice match, now!

Gone are the days of trusting caller ID. We can no longer rely on “knowing someone’s voice” or “knowing someone’s face on video call”, I can clone those in minutes in a live audio call or video call.

Verify identity using another method of communication before providing sensitive data, codes, money, etc.

If they call, you can chat, email, DM -- any other method of communication to verify that person is who they say they are FIRST.

Stay politely paranoid, folks.

2025-07-08

@bontchev @campuscodi It’s a perfectly acceptable way to refer to a female AT-AT.

Tod Beardsley boosted:
boB Rudis 🇺🇦 🇬🇱 🇨🇦 (@hrbrmstr)
2025-07-08

Oh, speaking of tshark/WireShark, github.com/0xKoda/WireMCP is a great tshark MCP server (that has given me some ideas for a fusion of a tshark + DuckDB MCP server specifically designed for PCAP processing).

2025-07-04

@rk IOW I would hold off on the classic 80s/90s slashers until closer to Halloween, then curate a viewing order for those over like 4 weeks.

2025-07-04

@rk Silence of the Lambs won pretty much all the Oscars and is undoubtedly among the greatest movies ever made.

Sixth Sense is probably more age appropriate, and hopefully he’s not spoiled since the whole thing is the twist, but slower going (and was nominated for all the Oscars but won none, thanks American Beauty and The Matrix).

Tod Beardsley boosted:
rk: it's hyphen-minus actually (@rk@well.com)
2025-07-04

Which should 14yo and I watch tonight (last horror movie night was John Carpenter’s The Thing, for reference):

#horror #film

2025-07-03

@FritzAdalis @kajer @jerry @lcamtuf “and before the linux kernel,” thought I, smugly.

But it turns out Linux was extant for one quarter of 1991.

The joke stands.

Tod Beardsley boosted:
Christopher Mims (@mimsical)
2025-07-03

Help a journalist out? I'm looking to talk to researchers, engineers, students or entrepreneurs who are considering leaving the U.S. because they lost funding or are worried about visas or anything like that. I'm at mimsical.94 on Signal

2025-07-03

Another static, unchangeable root password in Cisco gear. In 2025.

cve.org/cverecord?id=CVE-2025-

#SecureByDesign

2025-07-03

@rk maybe French defaults to octal?

Tod Beardsley boosted:
boB Rudis 🇺🇦 🇬🇱 🇨🇦 (@hrbrmstr)
2025-06-29

This post fully captures why I 💙 MCP servers so much (as noted, it has nothing to do with "AI").

worksonmymachine.substack.com/

Tod Beardsley boosted:
2025-06-29

How Foreign Scammers Use U.S. Banks to Fleece Americans

Online scams conducted by Asian crime syndicates have reached industrial proportions, cheating victims around the world out of more than $44 billion a year. U.S. banks have been unable to stop them.
propublica.org/article/pig-but

#News #Scam #Fraud #Banks #Crime #Cybercrime #MoneyLaundering

Tod Beardsley boosted:
mauvehed 🐿️ (KØMVH) (@mauvehed@defcon.social)
2025-06-29

For those going to DEF CON who want to see me spin for the first time in a decade, I have a schedule up on my website that I'll be publishing the latest details at.

mvh.dev/dj.html

#DEFCON #DEFCON33

Tod Beardsley boosted:
2025-06-28

Edited and published episode 68 of this here #Lovecraft podcast, just barely squeaking in in time for #Pride month. It's all about He, which takes place, appropriately enough, in Greenwich Village, the Pridest place in NYC! Check it out below:

podsothoth.buzzsprout.com/1078

Image description: Generated from Standard Diffusion prompt: dreamlikeart, 1920s New York as seen from the Brooklyn Bridge, at night, shrouded in mist. Spooky and eerie 1920s Art Deco style, very detailed, muted colors.

Tod Beardsley boosted:
Matthew Dockrey (@attoparsec@clacks.link)
2025-06-28

Does anyone in the Seattle area have after-hours access to a cool rooftop, or some other visually distinctive, interstitially industrial zone of some kind? Somewhere a keyboard cowboy could be doing k-rad hacks in the shadows? I want to film a very silly cold open for the cyberdeck video, and I can't figure out a good location for it.

Tod Beardsley boosted:
2025-06-27

🎙️ Just dropped! Our own @hdm joins the amazingly entertaining and talented crew on Paul's Security Weekly to discuss finding all the things and why vulnerability management is dead as we know it.

Tune in for hot takes on why we need better ways to find and manage risky things, spicy opinions on AI in security, fun methods for fingerprinting devices, external scanning strategies, and way more.

Plus, hear how the PSW crew uses runZero's free Community Edition to track down random devices everywhere, and how you can now use runZero to discover devices using default credentials (eek!).

Shout out to @paulasadoorian, Mandy Logan, @haxorthematrix, @joshuamarpet, Lee Neely, @sambowne and Bill Swearingen for an awesome episode!

📺 Watch the full show (#880) here or stream it on your favorite service:
runzero.com/resources/is-vuln-

👉 Get the much discussed Community Edition here: runzero.com/platform/community

💡 Learn more about our new Nuclei integration and finding default creds here: runzero.com/blog/integrating-n

Tod Beardsley boosted:
2025-06-26

I'm excited to announce our "Out-of-Band" series; these articles focus on the security risks of management devices like BMCs, serial servers, and IP-enabled KVMs. "Out-of-Band, Part 1: The new generation of IP KVMs and how to find them" is now live at:
runzero.com/blog/oob-p1-ip-kvm/

Image descriptions:
- A photo showing five models of the PiKVM, including the original in the case-less Raspberry Pi configuration.
- A photo showing the four types of BliKVM hardware (v1 CM4, v2 PCIe, v3 Hat, v4 AllWinner).
- A photo showing two models of the NanoKVM, including the Lite and Cube.
- A photo of the JetKVM device.
