Truth in IT

11.7K posts


@TruthinIT

We dig deep to deliver the facts about IT technology to help IT Teams build the ultimate tech stack to meet the data demands of the world today.

Boston, MA. Joined November 2009
2.7K Following, 3.2K Followers
Truth in IT reposted
Ivan Velichko @iximiuz
SSH access is easy to set up on a one-off basis, but it gets harder to keep things tidy as more machines and users are added. Bastion hosts help to some extent, but long-lived keys tend to leak, manual user offboarding is painful, and compromised sessions are virtually impossible to revoke. One way to fix this is identity-aware SSH with short-lived certificates. Users authenticate with the company's IdP, obtain a session-wide SSH certificate, and continue using the plain "ssh" command for the rest of the process. This tutorial by Nick Taylor shows how to build such a solution with Pomerium - an open source identity-aware access proxy: labs.iximiuz.com/tutorials/nati… And the best part of it - you can actually follow all the steps right in your browser and get the setup working end-to-end.
Truth in IT reposted
Roger A. Grimes @rogeragrimes
It's great that AI can quickly find a ton of vulnerabilities. Terrific! Want to truly impress me and have me believe in all the supposed super-intelligent AI hype you are selling? Have AI discover a new type of vulnerability that humans haven't already discovered.
Truth in IT reposted
Josh Kale @JoshKale
This is big... Anthropic just announced a model so powerful they won't release it to the public out of fear over the damage it will cause 😨 Claude Mythos Preview found thousands of zero-day exploits in every major operating system and web browser... The numbers are hard to believe:
- $50 to find a 27-year-old bug in OpenBSD, one of the most security-hardened operating systems ever built
- Under $1,000 to find AND build a fully working remote code execution exploit on FreeBSD that grants unauthenticated root access from anywhere on the internet
- Under $2,000 to chain together multiple Linux kernel vulnerabilities into a complete privilege escalation exploit
For context: these are the kinds of findings that previously required elite security researchers working for weeks. Anthropic engineers with no formal security training asked Mythos to find exploits overnight. They woke up to working code the next morning. The results were so impressive Anthropic assembled Apple, Google, Microsoft, Amazon, NVIDIA, and seven other organizations into Project Glasswing: A $100M defensive coalition. They're not releasing this model publicly. Instead, they're racing to patch the world's infrastructure before models like this proliferate.
Quoted post from Anthropic @AnthropicAI:

Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing

Truth in IT reposted
Roger A. Grimes @rogeragrimes
I'm excited to be speaking at RSAC again! I'll be doing 3 presentations, a book signing (4 of my books will be in the RSAC bookstore), and hanging out in the KnowBe4 most of the time. If you want to meet me, please come by.
Barrett Linburg @DallasAptGP
A vendor just emailed us an invoice. Right logo. Right project. Right invoice number. New bank account. If we had paid it, $50K is gone. No recovery. No insurance. Just gone. We got an email a few days later that the vendor's email had been hacked. This is happening to businesses every single day. And it's about to get much worse. AI is an incredible tool when it's used for good. But it is also a weapon. The same technology helping us underwrite deals and manage portfolios is helping criminals build perfect fraud at zero cost and infinite scale. The "Nigerian Prince" is dead. He's been replaced by AI that sits inside your vendor's email for months. It watches your payment cycles. It learns your controller's name. It waits for the perfect moment to swap banking info on a real invoice. It requires vigilance and good processes to not get fooled. Here are a few basic things we do:
1. Banking info changes = full stop. No exceptions. We stop and we call.
2. Never call the number on the new email. That's the hacker's number. We dig up the old contact info and call someone we already know.
3. Hold payment if there is a bank change. Every updated account gets a mandatory hold and a voice callback to the vendor.
A two-minute phone call costs you nothing. One bad ACH is an expensive mistake. What else should we be doing?
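The bank-change control described in the post above, written out as an added example that is not part of the original post. The vendor master record, invoices and phone numbers are constructed; the check compares remittance details against the record on file and sends the callback only to the number already on file, never to the one in the incoming email.

```python
# Added example (not from the post): vendor bank-change hold with callback to the contact on file.
# All vendor, invoice and phone values below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    bank_routing: str
    bank_account: str
    known_phone: str  # contact number already on file; never taken from an incoming email


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    bank_routing: str
    bank_account: str
    contact_phone: str  # whatever the email claims; deliberately never used for the callback


def _norm(value: str) -> str:
    # Strip spaces and dashes so "12-3456" and "123456" compare equal.
    return "".join(ch for ch in value if ch.isalnum())


def review_invoice(inv: Invoice, master: dict) -> dict:
    """Return PAY only when remittance details match the master record; otherwise HOLD."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return {"action": "HOLD", "reason": "vendor not in master file", "callback": None}
    same_bank = (_norm(inv.bank_routing) == _norm(vendor.bank_routing)
                 and _norm(inv.bank_account) == _norm(vendor.bank_account))
    if same_bank:
        return {"action": "PAY", "reason": "remittance matches master record", "callback": None}
    # Banking change = full stop. The callback goes to the number on file, not the one in the email.
    return {"action": "HOLD", "reason": "bank details differ from master record",
            "callback": vendor.known_phone}


def release_hold(decision: dict, verified_by_callback: bool) -> str:
    """A held payment moves to PAY only after a voice callback to the known contact confirms it."""
    if decision["action"] != "HOLD":
        return decision["action"]
    return "PAY" if verified_by_callback and decision["callback"] else "HOLD"


# Constructed sample data: the vendor on file, the genuine invoice, and the same invoice with swapped banking info.
MASTER = {"V-100": VendorRecord("V-100", "021000021", "12-3456", "+1-555-0100")}
ORIGINAL = Invoice("V-100", "INV-42", "021000021", "123456", "+1-555-0100")
SWAPPED = Invoice("V-100", "INV-42", "026009593", "987654", "+1-555-0199")
```

Note that the sender address is not part of the decision at all: in the case the post describes the email came from the vendor's real, compromised mailbox, so only the bank data itself can flag it.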
Truth in IT reposted
Roger A. Grimes @rogeragrimes
Epic Systems filed a lawsuit accusing data brokers of masquerading as medical facilities in order to pull nearly 300,000 patient records. forbes.com/sites/monicahu… Almost certainly, this has been happening for decades at a far greater scale than this single instance.
Truth in IT reposted
Roger A. Grimes @rogeragrimes
Phishing Campaign Impersonates Password Managers By Sending Fake Emails Saying They've Been Hacked And Telling Customers To Download a New (Trojan) Version blog.knowbe4.com/phishing-campa…
Truth in IT reposted
Roger A. Grimes @rogeragrimes
China does not play around. 11 scam operators were sentenced to death, plus more were sentenced to jail. The criminals earned over $1.3B in illegal gains by kidnapping, human trafficking, and forcing those who were kidnapped to scam the rest of the world risky.biz/risky-bulletin…
Truth in IT reposted
Roger A. Grimes @rogeragrimes
Fake Google Drive alert sent to Gmail user. Tricky because it does have your gmail.com address if you have one, so it could look somewhat legit. But it's not. Google is not giving final warnings!!
Truth in IT reposted
emergence.ai @emergence_ai
What if AI agents could build new agents on the fly and anyone in your enterprise could use them? In our latest @TruthinIT interview, our VP, AI Agents, @vivekhaldar, joins Mike Matchett (Principal Analyst at Small World Big Data) to unpack how Emergence is solving one of the biggest challenges in enterprise AI: the vast volumes of unanalyzed data trapped behind bottlenecks in data science and engineering. Here are some highlights from the conversation:
- Build, deploy & reuse AI agents with CRAFT, all through natural language
- Dynamic agent creation, with agents that can even generate new agents at runtime
- No-code AI that empowers both technical teams and business users to unlock insights once out of reach
- Works seamlessly with structured & unstructured data, with built-in compliance and PII redaction
- Flexible deployment options: SaaS, VPC, or on-prem
For organizations drowning in untapped data, CRAFT delivers a fast, adaptive path from question to insight and harnesses AI for broader business workflows across the enterprise.
Truth in IT reposted
Roger A. Grimes @rogeragrimes
From the Forrester Breach Benchmark Report: 67% of orgs suffer one or more breaches EACH YEAR, and the average org suffers almost 3 data breaches a year. Let that sink in! That's how bad our current defenses are. Why aren't we doing something different?? forrester.com/report/2025-br…