CyberWire Daily - CyberWire Daily at 10: The vulnerabilities, zero‑days, and hardware flaws over the last decade. [Special Edition]
Episode Date: July 3, 2026In this special edition of CyberWire Daily’s 10th anniversary series, N2K CyberWire's Maria Varmazis and Dave Bittner discuss 10 years of vulnerabilities, zero‑days, and hardware flaws. Together t...hey reflect on the last decade of cybersecurity vulnerabilities, exploring key shifts, landmark incidents like WannaCry and Log4Shell, and the evolving landscape shaped by hardware issues and AI. Join Maria and Dave as they discuss how these changes impacted security practices and the importance of vigilance in a rapidly interconnected world. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
Hi, everybody. I'm Dave Bittner.
Over the past decade, we've watched the cybersecurity landscape transform at an astonishing pace.
Attackers found new ways in, defenders adapted, and vulnerabilities from software bugs to hardware flaws,
became defining moments that reshaped how we think about security.
In this special edition of our Cyberwire Daily 10th anniversary series,
Maria Vermazas joins me for a look back at 10 years of vulnerabilities, zero days, and the lessons they've taught us.
From watershed events like Wanna Cry and Log for Shell to the growing impact of hardware security and artificial intelligence,
we'll explore the flaws that change the industry and what they tell us about the road ahead.
Stay with us.
It is my singular joy and pleasure to welcome once again the host of the Cyberwire Daily.
Dave Bittner, thank you so much for joining me today.
It's always my pleasure.
Happy to be back with you here today.
Oh, I'm so glad we get to talk yet again in this year of the 10-year anniversary of the CyberWire Daily.
We're getting to, I think, the meatiest of the meat and potatoes conversation, I know.
I think people have been sort of wondering when we would get to this one.
Well, it's here, everybody.
We're talking about...
Hold on. Buckle up.
Buckle up, Bucaroo.
We're doing it.
Vulnerabilities.
Truly.
The world that so many...
of us live in, we breathe this, the volumes of the last 10 years.
Ooh, all right. So to set this stage first and foremost, neither Dave nor I are security
researchers by trade. So do we have every single vuln of the last 10 years and then some
memorized? No, we don't. However, Dave, I know that you have a good sense of sort of the
overarching narrative arc of a lot of the biggies, given that you've looked at these and
been covering these the last 10 years. So we're going to stick to sort of the big of. The big.
stories of the last 10 years of Volns.
Yeah, so I guess let's start with maybe a scene setting first.
Where were we 10 years ago when you think about the state of vulnerabilities then?
I think 10 years ago, I think most people thought of vulnerabilities as being an IT problem
rather than a company-wide problem.
I don't think companies were thinking of vulnerabilities as being
business risk the way that they do today.
So some vulnerability would be found
and it was up to the IT team to
figure out how quickly it needed to be taken care of,
how serious it was, and what kind of schedule
we could patch that relative to our business needs.
And it probably, you know,
it was probably a line item in the quarterly presentation
that the IT folks made to,
their bosses or the board or whatever and said, oh, we patch this many bugs this quarter and
it's great.
But I don't know that security was top of mind because we hadn't really seen any of the
really bad things that were coming on the horizon.
Yeah, I would imagine adding to that there was also an element, and this is me editorializing
a little bit, but when IT would go to someone up the executive chain and go, so this specific
situation, the specific
volunt that we got a patch, it's going to result in some
downtime. I imagine back then
they would get a lot more pushback than they might
now, and of course,
I imagine that may depend a lot, but
I imagine making the business
case for, why do you have to take this system
down to just do a patch? Like, why is that so
important? Can't this wait? Yeah, I think
the
the IT folks were probably
considered to be lower on
the chain, in
the pecking order, however you want
describe it within the business because again we hadn't really seen this possibility that the
cyber issues could kill your business so the stakes weren't as high yeah and i'm i'm thinking also about
timelines for vulnerability exploitation i mean not a secret in the last 10 years those those timelines
have accelerated dramatically do you have any recollection of what we were typically looking at 10 years ago
I think it was much, well, let's see, again, not a practitioner, but my sense is it was probably
more often than not, we'll get to that when we get to it. In other words, we'll get to that
when it will have the least impact on the business. And so I think that meant a lot of things
got put off, but there probably weren't serious consequences because of that. That was a reasonable
plan back then.
Yeah, yeah. So, inevitable question here. What changed? Something changed.
Can we point to a singular vuln or situation? Or was it a cascade thing? What changed?
I think the emergence of ransomware was a big part of it. That becoming its own business.
The attackers being able to take these vulnerabilities and use them.
in ways against companies
that were truly
potentially devastating
to the organizations,
the whole notion of reputational damage,
which again is connected to ransomware.
It's just much...
And also, I guess, awareness
among the general public
that this is now a thing,
that a cyber attack is a thing,
because now, as opposed to
even 10 years ago,
everybody's online,
everybody has some connection
to something online.
There's no escaping it.
And 10 years ago, I think it was a little easier to escape it
if you wanted to.
Yeah, and going back a little before 10 years ago,
going back further than 10 years ago,
heartbleed was, I think, 2014,
and that made a whole lot of people
who had no idea what OpenSSL was.
Suddenly everybody had to become an expert on that pretty quickly,
especially if you had a business
that did anything online, which is most businesses.
So not that I want to say, hey, thanks everybody for naming vulnerabilities because it made it easier,
but maybe that actually did help a little bit as much as we make fun of that kind of thing.
It might have actually helped a little bit with awareness.
Who knows?
I'm just throwing that one out there.
I'm going to get hate mail for that one.
But anyway, looking back specifically within the last 10 years,
if you had to choose maybe one volume that was the most seismic with its arrival on the
scene. Is there one that you could point to?
Well, I think the most seismic was probably log for shell in terms of how broad and serious it was
and how people responded to it. So log for shell was, I would say, late 2021, I believe,
and it took advantage of what was a vulnerability in Log for J,
which is this open source logging framework.
Again, not to get too deep in the weeds,
but it was a very serious thing,
and what made it so serious was how many devices it affected.
It was just kind of this thing that was in everything,
and so it meant that all these devices were vulnerable to it.
I think Jenny Sterly, when she was running Sissa at the time,
And she said it was one of the most serious that she'd ever seen in her career, if not the most serious.
You mean the Federal Trade Commission got involved to get companies to update so that they weren't vulnerable to this?
It was kind of an all-hands-on-deck kind of moment in terms of seriousness.
I think if you want to rewind the clock to when did a lot of this stuff start to become more.
more broadly known throughout the non-IT world,
I think you have to look at Eternal Blue,
which was, what, 2017 or so?
So Eternal Blue was an exploit that, allegedly,
came out of the U.S. National Security Agency.
Allegedly.
I think that's pretty settled by this point.
Who ain't Stuxnet?
Okay, I think we're good.
Yeah, who knows?
We'll never know.
It's a mystery.
Yeah.
And so this was a zero-day vulnerability affecting Windows systems,
but it got acquired, found whatever, by the shadow brokers,
who then, you know, famously used it in Wanna Cry.
Yeah.
She used the Eternal Blue Exploy.
Want to cry was a worm.
And it made you want to cry.
Yeah.
It sure did.
Yeah.
Yeah.
And it was also used in the Not Petia attack.
So if you want to talk about turning points, I think that certainly was one.
And then also the notion that a tool that had been developed by our own intelligence community, air quotes, the good guys, got turned against us, turned against the world.
Yeah, and I remember before Want to Cry, there was a lot of work being done, I think, within the IT world to try and help practitioners.
and, you know, IT execs even message the importance of,
this is why we need a patch,
and, you know, sometimes it fell on deaf ears to the higher up, so to speak.
I feel like WannaCry kind of did a lot of that heavy lifting for people from that point.
It's like, you know, no security awareness campaign was ever going to be as effective
as touching your hand on the hot stove like Wanna Cry was.
That's right. That's right. That's right.
Yes. I'm laughing because as the father of a teenage son,
who goes through life touching hot stoves
and being the only way he can learn anything,
you know, that resonates with me.
I feel like truly it's a very human thing, very, very human.
Yes, yes, absolutely.
We warned you, we warned you, warned you,
oh, now you've got to learn the hard way.
Oh, dang it.
Now we've all learned the hard way.
Yeah, but I mean, want to cry,
and truly if we bubble that up to Eternal Blue in general,
I remember there was also the geopolitical
aspect that you touched on this a bit as well about you know governments having zero day
stockpiles and what does that mean you know what's the danger there that's an ongoing
conversation too yeah it was eye-opening uh you know you mentioned stuxnet before and
um every now and then one of these makes its way out you know it's a question that i've asked
folks i interview some of the um the researchers you know particularly for our research saturday
show and it's usually a question I ask
off the air
but it's
yeah it's when the interesting stuff comes out
it's for my own curiosity
and people you know
feel more like they can
share more
but I'll say you know how often do you come
across something that has all the signs
of being a piece of
United States offensive
trade wear or
yeah yeah yeah and
they'll say yeah it happens
you know there are
Yeah, of course it happens.
That's why espionage exists.
Right, yeah.
Right, exactly.
So, you know, we joke about what we call it, you know, eternal eagle or something,
something like that.
There's some very stereotypically American name, you know, righteous eagle or something like that.
But anyway.
Yeah.
Well, going back to touching the hot stove for a second also, there was what the sort of overall
business community learned, I think, from
Wanna Cry, but what would we
say sort of the takeaways for
the security industry were from that?
For Wanna Cry? Yeah.
I think it was
a message of
responsibility.
Who's responsible for these things?
Because in this case, this was
affecting Windows systems.
So to what degree
is this Microsoft's
responsibility to get patches out
there to remediate this. But then to what degree is it the responsibility of agencies or researchers
who stockpile these things, who know they exist, and rather than disclosing them, either sell them
or keep them or save them for whatever use that they might be useful for in the future,
what's the moral and ethical thing to do in a case like that?
That is a question for much smarter people than us.
Yes, I concur.
It's a good question, though.
Yeah, so we've been talking about, you know, these paradigm shifts and vulnerabilities,
and typically when we talk about volns, it's a software problem.
But another huge paradigm shift in the last 10 years was when we saw varns that were hardware problems,
and I'm thinking of Specter.
That was massive.
It's not just because I'm married to a hardware guy who works at one of these companies,
although full disclosure I am.
But I mean, that was a really, that was, I remember, felt actually kind of scary on a level of, oh, gosh, were we really thinking about that?
I thought, you know, hardware issues were the realm of the extraordinarily nerdy security through obscurity.
Why do we have to even think about that?
We've got enough problems with software.
And then came Spector and Meltdown.
Yeah.
I remember when Spector came out, my first thought was about a bug that affected Pentium problems.
processors back in like 1994 or 1995.
There was some issue baked into certain Intel processors, Pentiums, that would return
floating point results that were wrong.
And we kind of count on processors to get math right, right?
A little bit important.
And, you know, it was one of those things where it was a very rare bug.
it probably wouldn't happen very often,
but there was also a way
that if you fed it this exact,
very simple math problem,
it would give you the wrong answer.
So it was very easy to illustrate,
which made it easy to understand,
which made it easy for people to be nervous about it.
And Intel did a recall,
and, you know, we all lived to tell the tale
and live another day.
So that's what I was thinking of.
Are all of these chips going to have to be recalled?
and figure the difference between 2020, or I'm sorry, 1994 and 2016,
whatever Specter and Meltdown were,
that's a lot more CPUs out there.
That's a lot of hardware.
What's going to happen?
And how do we fix it?
How do we easily patch that at scale?
Right.
Because hardware's hardware.
And let's, you know, talking about like, I don't know,
field programmable gate arrays or something really down in the weeds.
your processor is your processor
and so over time
all these assumptions
had been baked into modern processor design
and were tried and true
and suddenly you discover a vulnerability
what does that mean
and what it meant in the short term
was that the patches made the processors slower
because well you're adding something to it right
I mean yeah you're adding something to it
but you're also taking something
away. Like there was this, my recollection, and I'm sure this is imperfect, but my recollection is that
it had something to do with the predictive nature of how modern processors flow information through
them and some of the assumptions of what you could and couldn't do, that's where the vulnerability
was. And so you had to basically disable some of those predictive presumptions, and that slowed things
down. So now your server rack that yesterday you were selling that had these capabilities
had those capabilities minus 20%. Right? And so what do you do? And it also, zooming out a little bit,
really changed the conversation around what we sort of consider the arena of fair play for
what needs to be actively monitored, I guess.
I mean, maybe that's the wrong phraseology there,
but I just, I don't remember the average bear talking about, you know,
hardware volumes as much.
And now it's like, yep, that's part of what we got to be thinking about more regularly
as opposed to, you know, that's a weird anomaly and just don't worry about that.
Don't look in that corner.
Yeah, it's just part of the field of play now, I suppose.
I guess.
And I wonder, too, how much of it is just that, like, we're at the,
point where so much of the low-hanging fruit has been picked.
So you're getting into more of these edge cases.
Now, I guess, and I know, you know, they'll take away our broadcasting licenses if we don't
mention AI in this somewhere.
Everybody drink?
Right, yeah.
But I think AI has replenished that fruit.
We'll be right back.
We probably don't want to leave AI to.
the very end.
Okay.
Yeah, no, although I kind of want to,
because there's so much that happened in the last 10 years
before AI really shook things up.
But, yeah, I mean, it's AI is really adding,
I don't want to just say it's changing the paradigm.
It's adding so much into the pipeline
that it's just kind of hard to know what to do anymore.
It's hard to know what needs to get prioritized.
It's hard to know how to make sense of just the pure
volume of it without saying, okay, AI's finding all these problems, let AI fix it, but where's the
human in the loop on that? And it's just, that's, I mean, I think that's where we're all at right now.
I think so. To me, a big part of it for people who are fighting the good fight out there is it's
a velocity issue. That stuff's just coming at you so much faster. And for me, like, you know,
I back in the day, I used to enjoy playing first-person shooters like marathon.
or Doom or, you know, that first generation and the first version of Halo, right?
I can't play them anymore.
I can't watch my kids play them because they're too twitchy.
They're too fast.
And I feel as though I was wired up, right?
My first exposure to these was at a certain speed.
And that speed is way faster than it used to be.
And so it's hard for me to adapt.
and the next generation coming up, that's all they know.
So they can handle the speed.
They don't think twice about it.
And I wonder if that's something that we're experiencing right now
where you have generations of researchers,
people who came up with a certain cadence of patching, of remediation,
all that's been thrown out the window because it's like,
what's the thing in Mario Kart where you get the speed boost, right?
It's like that.
The mushroom, yeah.
Yeah, yeah.
And so how is it just the old timers who have to catch up
and the next generation is going to be fine with this new velocity
because it's all they know?
Or as many people are saying,
the only way to do this is machine versus machine,
where the AI is the only thing that can be fast enough
to keep up with the AI.
Yeah, it almost makes me wonder
if someone listening to this conversation a few years from now might go,
oh, how quaint they're talking about,
singular named vulnerability
who has time for that anymore.
But talking about humans patching,
you know, oh, it wasn't, what, what was that like?
You people actually, you had keyboards,
you touched your computers, ew, yuck.
And also that you had the time,
things were slow enough that you were looking at,
you know, one or a group of things at a time
as opposed to just like a torrent.
I mean, I know vans and patching,
I mean, the report lists are, you know,
hundreds of pages long and, you know,
nobody knows every single one that gets patched,
but at the same time, okay, that's not true.
But the idea of like we're thinking about one specific volume
as opposed to, you know, tens of thousands at that, the volume is just a total different scale.
We're going to be talking about things in scientific notation instead of, you know, just in dozens.
Yeah, like we thought we were in an age of automation.
Like, hold on to the bar because here comes a new age of automation that is driven by necessity.
Okay, so as we're talking about all of these huge paradigm shifts over the last 10 years, as we reflect on vulnerabilities, I would be remiss if I didn't also mention supply chain attacks. That was another huge shift in the last 10 years. And the biggie was solar wins, and that's the one that, you know, is synonymous with supply chain issues. What's your recollection of how that went down when that started out?
Well, I think people were whistling past the graveyard, right, for a long time before that one landed.
And it was proof that it wasn't a matter of if, it was a matter of when.
So solar winds hit, and it was a massive supply chain impact all over the world.
And so, and, you know, affected real people.
you know, couldn't use their gas pumps.
I remember in the southeast of the U.S. here.
People were hoarding gas.
So real-world, regular people repercussions of this.
And it got everyone's attention and served as a,
I guess, the proof of concept that supply chain vulnerabilities are a thing
and they need to be taking seriously.
And so I think it kicked off a whole era of
supply chain research, of
things like S-bomb initiatives,
software bills and materials,
triggered a bunch of scrutiny of open-source
ecosystems.
Everybody started thinking about
what's in my system that I don't know
is in my system, right?
It was the unknown unknowns.
Thank you, Rumsfeld.
Yeah, because nobody's, you know,
nobody is,
I'm sorry, I shouldn't use
absolutes. Most people are not creating software from whole cloth. They're using open source packages.
They're using, because why not? Who has time to write everything? Yeah, it's just efficient.
I mean, that's just how things are built now. I mean, it's how it's always been, really, is my understanding.
I mean, you don't have to recreate everything from scratch. There's a perfectly good library or
something else that someone has done. You build on that. That's how we make progress.
Yeah. So if you have these dependencies and you've been using this little nugget of
of open source software for the past five years.
And every time a new version comes,
you wait a few days to see if there are any major issues,
and then you just slide it into your own production environment.
No problem, business as usual.
And then all of a sudden, somebody can take that,
put something bad in it,
and without even realizing it,
it slides into your environment,
and now you've got a problem.
And going back to AI,
we're seeing such an influx of people,
vibe coding or trying to contribute to open source projects using AI, what we're talking about
right here is part of that conversation for why that is so dangerous.
You know, we have the idea of people making contributions to these extremely important
open source projects that a lot of our modern world is built on, but who's actually
able to keep track of what's being contributed if it's being done through AI?
And understandably, some open source project maintainers are saying no AI contributions
whatsoever, but this is part of the reason why there's a lot of paranoia, understandably,
about that because who knows what's being introduced that way.
It's wild seeing these things converge in real time.
Wild, scary, fun, interesting, I suppose.
It keeps a lot of people in business.
Truly.
And speaking of wild, fun, interesting, and all those things,
a story that honestly, before we started doing research for this,
I had actually a little bit forgotten about,
and I cannot believe I forgot about this.
Bloomberg had this huge bombshell story about super micro,
and that set off this sort of feeding frenzy to chase that one down,
and it ends up that that one wasn't real.
And if you look for it, though, it's still there on Bloomberg.com.
Yeah.
So it's, I, what the heck happened here?
Well, it was 2018, I believe, that Bloomberg published this story,
and the allegation was that Chinese operatives had,
inserted these tiny little hardware devices, little tiny chips into super micro motherboards.
Right.
Yep.
And so this was a supply chain compromise and a degree of sophistication we had not seen before.
And a nightmare situation that all this physical hardware has been tacked on to all this incredibly
important stuff on the motherboard.
like that's a nightmare. Right. And these super micro servers are everywhere in the government and,
you know, very popular, good brand, all that. They got dragged into this. And so everybody
started looking for what's going on here because if this is truly a hardware bug, well,
the hardware exists. It's a real thing. It must be on the motherboard. And nobody found
anything. There was never
any public evidence
that supported the central claims.
Yeah, and I remember
the initial reaction from a lot of folks
in sort of the federal sector going
was just, how the heck did we miss
this? Like, this is the kind of thing
we're looking for. How on earth did we
miss this and how did Bloomberg find it first?
And the answer was that
you guys didn't miss it.
But
that was
a crazy cause
story
and you know
that you know
everybody kind of
especially in the media sector
we all want to be the ones
to report on the new
the new
you know hot volume
because you want to be the
place that breaks that story
that's a great way
to be in front of stuff
but this one didn't exist
so it's hard-fying
and do we think
Bloomberg was acting
in bad faith
I don't think so
but they got it very wrong
whatever internal
checks and balances they must have had failed them, in my opinion. And remarkably, what's
been eight or nine years now, and there's never been a serious retraction from Bloomberg.
Like you said, the article is, you can still go read it. So, Dave, this is, we've only taken
a very top line view of the many, many volumes over the last 10 years. Certainly, this is
not an all-inclusive look. We could not possibly do that in even just a few hours. It would take
us days. You know, it's been a good 10 years of you hearing these stories come and go. Some of them,
some of these volumes have a pretty short life cycle. Some are ongoing still, like Log for Shell,
for example, like we're still dealing with these. What sticks with you as you look back on these?
Well, I think the thread that runs through all of this is this notion about having our assumptions
challenged, right?
Like we talked about at the beginning,
people assumed, rightly assumed,
that they had time to patch.
People rightly assumed that software was trustworthy.
People rightly assumed that hardware was trustworthy.
They thought they had time to take care of things.
And each of these events have challenged those assumptions.
Who do you trust?
To what degree do we have to scrutinize software or rely on other people to do that for us?
To what degree could something be lurking in our hardware?
We have all these assumptions and ultimately at some point you have to trust things.
You have to trust people.
That's how the world works.
I can hear a few people going, no, no, I won't.
Right.
Well.
Well, there are few folks that feel that way.
That's true.
Yeah, yeah. And, you know, trust but verify, right? All that, all that stuff.
Yeah, yeah. There's only so much you can do, but at some point, you have to believe something.
Yeah, no, no, you're right. You're right. Yeah.
It could be as simple as when I flick the light switch, the light comes on, right? Like you have, there are, and so I think it's over the past decade, we've seen many of our assumptions fall away, and we've learned that things that we used to assume,
were true, now require
an additional level of scrutiny,
additional level of care,
double-checking, all of those things.
Assumptions we didn't even know we had in
some cases. They were so baseline
that we just... It was like
breathing. We didn't even think about it. And now it's like,
oh, we have to examine that as well? Oh, my God.
Right. And things have gotten so much
more complex. Things are so
much more interconnected than they used to be.
And now
we've thrown AI into the mix,
which has put us all in
on turbo speed.
And, yeah, what a world.
What a world.
Well, we'll be here for the next 10 years, too, I'm sure, Dave.
And I don't see it slowing down anytime soon.
Yeah.
And it's always something interesting.
That's the thing about this business, right?
There's always something to learn.
There's always something new coming and surprises.
And so it never gets old.
That's an awesome way to end it.
So Dave Bittner, host of the CyberWire Daily,
thank you very much for joining me today.
My thanks to Maria Vermazes for joining me
as we continue looking back on a decade of cybersecurity stories
that shape the world we defend today.
Thanks for listening to this special edition
of the CyberWire Daily's 10th anniversary series.
We'll be back with more conversations
exploring the people, the moments, and the milestones
that have defined the past 10 years of cybersecurity.
I'm Dave Bittner. Thanks for listening.
