CyberWire Daily - CyberWire Daily at 10: The vulnerabilities, zero‑days, and hardware flaws over the last decade. [Special Edition]

Episode Date: July 3, 2026

In this special edition of CyberWire Daily’s 10th anniversary series, N2K CyberWire's Maria Varmazis and Dave Bittner discuss 10 years of vulnerabilities, zero‑days, and hardware flaws. Together t...hey reflect on the last decade of cybersecurity vulnerabilities, exploring key shifts, landmark incidents like WannaCry and Log4Shell, and the evolving landscape shaped by hardware issues and AI. Join Maria and Dave as they discuss how these changes impacted security practices and the importance of vigilance in a rapidly interconnected world. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. Hi, everybody. I'm Dave Bittner. Over the past decade, we've watched the cybersecurity landscape transform at an astonishing pace. Attackers found new ways in, defenders adapted, and vulnerabilities from software bugs to hardware flaws, became defining moments that reshaped how we think about security. In this special edition of our Cyberwire Daily 10th anniversary series, Maria Vermazas joins me for a look back at 10 years of vulnerabilities, zero days, and the lessons they've taught us. From watershed events like Wanna Cry and Log for Shell to the growing impact of hardware security and artificial intelligence,
Starting point is 00:01:03 we'll explore the flaws that change the industry and what they tell us about the road ahead. Stay with us. It is my singular joy and pleasure to welcome once again the host of the Cyberwire Daily. Dave Bittner, thank you so much for joining me today. It's always my pleasure. Happy to be back with you here today. Oh, I'm so glad we get to talk yet again in this year of the 10-year anniversary of the CyberWire Daily. We're getting to, I think, the meatiest of the meat and potatoes conversation, I know.
Starting point is 00:01:39 I think people have been sort of wondering when we would get to this one. Well, it's here, everybody. We're talking about... Hold on. Buckle up. Buckle up, Bucaroo. We're doing it. Vulnerabilities. Truly.
Starting point is 00:01:52 The world that so many... of us live in, we breathe this, the volumes of the last 10 years. Ooh, all right. So to set this stage first and foremost, neither Dave nor I are security researchers by trade. So do we have every single vuln of the last 10 years and then some memorized? No, we don't. However, Dave, I know that you have a good sense of sort of the overarching narrative arc of a lot of the biggies, given that you've looked at these and been covering these the last 10 years. So we're going to stick to sort of the big of. The big. stories of the last 10 years of Volns.
Starting point is 00:02:27 Yeah, so I guess let's start with maybe a scene setting first. Where were we 10 years ago when you think about the state of vulnerabilities then? I think 10 years ago, I think most people thought of vulnerabilities as being an IT problem rather than a company-wide problem. I don't think companies were thinking of vulnerabilities as being business risk the way that they do today. So some vulnerability would be found and it was up to the IT team to
Starting point is 00:03:03 figure out how quickly it needed to be taken care of, how serious it was, and what kind of schedule we could patch that relative to our business needs. And it probably, you know, it was probably a line item in the quarterly presentation that the IT folks made to, their bosses or the board or whatever and said, oh, we patch this many bugs this quarter and it's great.
Starting point is 00:03:29 But I don't know that security was top of mind because we hadn't really seen any of the really bad things that were coming on the horizon. Yeah, I would imagine adding to that there was also an element, and this is me editorializing a little bit, but when IT would go to someone up the executive chain and go, so this specific situation, the specific volunt that we got a patch, it's going to result in some downtime. I imagine back then they would get a lot more pushback than they might
Starting point is 00:03:58 now, and of course, I imagine that may depend a lot, but I imagine making the business case for, why do you have to take this system down to just do a patch? Like, why is that so important? Can't this wait? Yeah, I think the the IT folks were probably
Starting point is 00:04:14 considered to be lower on the chain, in the pecking order, however you want describe it within the business because again we hadn't really seen this possibility that the cyber issues could kill your business so the stakes weren't as high yeah and i'm i'm thinking also about timelines for vulnerability exploitation i mean not a secret in the last 10 years those those timelines have accelerated dramatically do you have any recollection of what we were typically looking at 10 years ago I think it was much, well, let's see, again, not a practitioner, but my sense is it was probably
Starting point is 00:04:55 more often than not, we'll get to that when we get to it. In other words, we'll get to that when it will have the least impact on the business. And so I think that meant a lot of things got put off, but there probably weren't serious consequences because of that. That was a reasonable plan back then. Yeah, yeah. So, inevitable question here. What changed? Something changed. Can we point to a singular vuln or situation? Or was it a cascade thing? What changed? I think the emergence of ransomware was a big part of it. That becoming its own business. The attackers being able to take these vulnerabilities and use them.
Starting point is 00:05:45 in ways against companies that were truly potentially devastating to the organizations, the whole notion of reputational damage, which again is connected to ransomware. It's just much... And also, I guess, awareness
Starting point is 00:06:01 among the general public that this is now a thing, that a cyber attack is a thing, because now, as opposed to even 10 years ago, everybody's online, everybody has some connection to something online.
Starting point is 00:06:17 There's no escaping it. And 10 years ago, I think it was a little easier to escape it if you wanted to. Yeah, and going back a little before 10 years ago, going back further than 10 years ago, heartbleed was, I think, 2014, and that made a whole lot of people who had no idea what OpenSSL was.
Starting point is 00:06:36 Suddenly everybody had to become an expert on that pretty quickly, especially if you had a business that did anything online, which is most businesses. So not that I want to say, hey, thanks everybody for naming vulnerabilities because it made it easier, but maybe that actually did help a little bit as much as we make fun of that kind of thing. It might have actually helped a little bit with awareness. Who knows? I'm just throwing that one out there.
Starting point is 00:06:59 I'm going to get hate mail for that one. But anyway, looking back specifically within the last 10 years, if you had to choose maybe one volume that was the most seismic with its arrival on the scene. Is there one that you could point to? Well, I think the most seismic was probably log for shell in terms of how broad and serious it was and how people responded to it. So log for shell was, I would say, late 2021, I believe, and it took advantage of what was a vulnerability in Log for J, which is this open source logging framework.
Starting point is 00:07:46 Again, not to get too deep in the weeds, but it was a very serious thing, and what made it so serious was how many devices it affected. It was just kind of this thing that was in everything, and so it meant that all these devices were vulnerable to it. I think Jenny Sterly, when she was running Sissa at the time, And she said it was one of the most serious that she'd ever seen in her career, if not the most serious. You mean the Federal Trade Commission got involved to get companies to update so that they weren't vulnerable to this?
Starting point is 00:08:23 It was kind of an all-hands-on-deck kind of moment in terms of seriousness. I think if you want to rewind the clock to when did a lot of this stuff start to become more. more broadly known throughout the non-IT world, I think you have to look at Eternal Blue, which was, what, 2017 or so? So Eternal Blue was an exploit that, allegedly, came out of the U.S. National Security Agency. Allegedly.
Starting point is 00:09:01 I think that's pretty settled by this point. Who ain't Stuxnet? Okay, I think we're good. Yeah, who knows? We'll never know. It's a mystery. Yeah. And so this was a zero-day vulnerability affecting Windows systems,
Starting point is 00:09:16 but it got acquired, found whatever, by the shadow brokers, who then, you know, famously used it in Wanna Cry. Yeah. She used the Eternal Blue Exploy. Want to cry was a worm. And it made you want to cry. Yeah. It sure did.
Starting point is 00:09:34 Yeah. Yeah. And it was also used in the Not Petia attack. So if you want to talk about turning points, I think that certainly was one. And then also the notion that a tool that had been developed by our own intelligence community, air quotes, the good guys, got turned against us, turned against the world. Yeah, and I remember before Want to Cry, there was a lot of work being done, I think, within the IT world to try and help practitioners. and, you know, IT execs even message the importance of, this is why we need a patch,
Starting point is 00:10:13 and, you know, sometimes it fell on deaf ears to the higher up, so to speak. I feel like WannaCry kind of did a lot of that heavy lifting for people from that point. It's like, you know, no security awareness campaign was ever going to be as effective as touching your hand on the hot stove like Wanna Cry was. That's right. That's right. That's right. Yes. I'm laughing because as the father of a teenage son, who goes through life touching hot stoves and being the only way he can learn anything,
Starting point is 00:10:43 you know, that resonates with me. I feel like truly it's a very human thing, very, very human. Yes, yes, absolutely. We warned you, we warned you, warned you, oh, now you've got to learn the hard way. Oh, dang it. Now we've all learned the hard way. Yeah, but I mean, want to cry,
Starting point is 00:11:01 and truly if we bubble that up to Eternal Blue in general, I remember there was also the geopolitical aspect that you touched on this a bit as well about you know governments having zero day stockpiles and what does that mean you know what's the danger there that's an ongoing conversation too yeah it was eye-opening uh you know you mentioned stuxnet before and um every now and then one of these makes its way out you know it's a question that i've asked folks i interview some of the um the researchers you know particularly for our research saturday show and it's usually a question I ask
Starting point is 00:11:39 off the air but it's yeah it's when the interesting stuff comes out it's for my own curiosity and people you know feel more like they can share more but I'll say you know how often do you come
Starting point is 00:11:53 across something that has all the signs of being a piece of United States offensive trade wear or yeah yeah yeah and they'll say yeah it happens you know there are Yeah, of course it happens.
Starting point is 00:12:10 That's why espionage exists. Right, yeah. Right, exactly. So, you know, we joke about what we call it, you know, eternal eagle or something, something like that. There's some very stereotypically American name, you know, righteous eagle or something like that. But anyway. Yeah.
Starting point is 00:12:30 Well, going back to touching the hot stove for a second also, there was what the sort of overall business community learned, I think, from Wanna Cry, but what would we say sort of the takeaways for the security industry were from that? For Wanna Cry? Yeah. I think it was a message of
Starting point is 00:12:53 responsibility. Who's responsible for these things? Because in this case, this was affecting Windows systems. So to what degree is this Microsoft's responsibility to get patches out there to remediate this. But then to what degree is it the responsibility of agencies or researchers
Starting point is 00:13:16 who stockpile these things, who know they exist, and rather than disclosing them, either sell them or keep them or save them for whatever use that they might be useful for in the future, what's the moral and ethical thing to do in a case like that? That is a question for much smarter people than us. Yes, I concur. It's a good question, though. Yeah, so we've been talking about, you know, these paradigm shifts and vulnerabilities, and typically when we talk about volns, it's a software problem.
Starting point is 00:13:51 But another huge paradigm shift in the last 10 years was when we saw varns that were hardware problems, and I'm thinking of Specter. That was massive. It's not just because I'm married to a hardware guy who works at one of these companies, although full disclosure I am. But I mean, that was a really, that was, I remember, felt actually kind of scary on a level of, oh, gosh, were we really thinking about that? I thought, you know, hardware issues were the realm of the extraordinarily nerdy security through obscurity. Why do we have to even think about that?
Starting point is 00:14:21 We've got enough problems with software. And then came Spector and Meltdown. Yeah. I remember when Spector came out, my first thought was about a bug that affected Pentium problems. processors back in like 1994 or 1995. There was some issue baked into certain Intel processors, Pentiums, that would return floating point results that were wrong. And we kind of count on processors to get math right, right?
Starting point is 00:14:57 A little bit important. And, you know, it was one of those things where it was a very rare bug. it probably wouldn't happen very often, but there was also a way that if you fed it this exact, very simple math problem, it would give you the wrong answer. So it was very easy to illustrate,
Starting point is 00:15:15 which made it easy to understand, which made it easy for people to be nervous about it. And Intel did a recall, and, you know, we all lived to tell the tale and live another day. So that's what I was thinking of. Are all of these chips going to have to be recalled? and figure the difference between 2020, or I'm sorry, 1994 and 2016,
Starting point is 00:15:42 whatever Specter and Meltdown were, that's a lot more CPUs out there. That's a lot of hardware. What's going to happen? And how do we fix it? How do we easily patch that at scale? Right. Because hardware's hardware.
Starting point is 00:15:56 And let's, you know, talking about like, I don't know, field programmable gate arrays or something really down in the weeds. your processor is your processor and so over time all these assumptions had been baked into modern processor design and were tried and true and suddenly you discover a vulnerability
Starting point is 00:16:18 what does that mean and what it meant in the short term was that the patches made the processors slower because well you're adding something to it right I mean yeah you're adding something to it but you're also taking something away. Like there was this, my recollection, and I'm sure this is imperfect, but my recollection is that it had something to do with the predictive nature of how modern processors flow information through
Starting point is 00:16:44 them and some of the assumptions of what you could and couldn't do, that's where the vulnerability was. And so you had to basically disable some of those predictive presumptions, and that slowed things down. So now your server rack that yesterday you were selling that had these capabilities had those capabilities minus 20%. Right? And so what do you do? And it also, zooming out a little bit, really changed the conversation around what we sort of consider the arena of fair play for what needs to be actively monitored, I guess. I mean, maybe that's the wrong phraseology there, but I just, I don't remember the average bear talking about, you know,
Starting point is 00:17:36 hardware volumes as much. And now it's like, yep, that's part of what we got to be thinking about more regularly as opposed to, you know, that's a weird anomaly and just don't worry about that. Don't look in that corner. Yeah, it's just part of the field of play now, I suppose. I guess. And I wonder, too, how much of it is just that, like, we're at the, point where so much of the low-hanging fruit has been picked.
Starting point is 00:17:59 So you're getting into more of these edge cases. Now, I guess, and I know, you know, they'll take away our broadcasting licenses if we don't mention AI in this somewhere. Everybody drink? Right, yeah. But I think AI has replenished that fruit. We'll be right back. We probably don't want to leave AI to.
Starting point is 00:18:37 the very end. Okay. Yeah, no, although I kind of want to, because there's so much that happened in the last 10 years before AI really shook things up. But, yeah, I mean, it's AI is really adding, I don't want to just say it's changing the paradigm. It's adding so much into the pipeline
Starting point is 00:18:58 that it's just kind of hard to know what to do anymore. It's hard to know what needs to get prioritized. It's hard to know how to make sense of just the pure volume of it without saying, okay, AI's finding all these problems, let AI fix it, but where's the human in the loop on that? And it's just, that's, I mean, I think that's where we're all at right now. I think so. To me, a big part of it for people who are fighting the good fight out there is it's a velocity issue. That stuff's just coming at you so much faster. And for me, like, you know, I back in the day, I used to enjoy playing first-person shooters like marathon.
Starting point is 00:19:37 or Doom or, you know, that first generation and the first version of Halo, right? I can't play them anymore. I can't watch my kids play them because they're too twitchy. They're too fast. And I feel as though I was wired up, right? My first exposure to these was at a certain speed. And that speed is way faster than it used to be. And so it's hard for me to adapt.
Starting point is 00:20:06 and the next generation coming up, that's all they know. So they can handle the speed. They don't think twice about it. And I wonder if that's something that we're experiencing right now where you have generations of researchers, people who came up with a certain cadence of patching, of remediation, all that's been thrown out the window because it's like, what's the thing in Mario Kart where you get the speed boost, right?
Starting point is 00:20:32 It's like that. The mushroom, yeah. Yeah, yeah. And so how is it just the old timers who have to catch up and the next generation is going to be fine with this new velocity because it's all they know? Or as many people are saying, the only way to do this is machine versus machine,
Starting point is 00:20:52 where the AI is the only thing that can be fast enough to keep up with the AI. Yeah, it almost makes me wonder if someone listening to this conversation a few years from now might go, oh, how quaint they're talking about, singular named vulnerability who has time for that anymore. But talking about humans patching,
Starting point is 00:21:12 you know, oh, it wasn't, what, what was that like? You people actually, you had keyboards, you touched your computers, ew, yuck. And also that you had the time, things were slow enough that you were looking at, you know, one or a group of things at a time as opposed to just like a torrent. I mean, I know vans and patching,
Starting point is 00:21:29 I mean, the report lists are, you know, hundreds of pages long and, you know, nobody knows every single one that gets patched, but at the same time, okay, that's not true. But the idea of like we're thinking about one specific volume as opposed to, you know, tens of thousands at that, the volume is just a total different scale. We're going to be talking about things in scientific notation instead of, you know, just in dozens. Yeah, like we thought we were in an age of automation.
Starting point is 00:21:57 Like, hold on to the bar because here comes a new age of automation that is driven by necessity. Okay, so as we're talking about all of these huge paradigm shifts over the last 10 years, as we reflect on vulnerabilities, I would be remiss if I didn't also mention supply chain attacks. That was another huge shift in the last 10 years. And the biggie was solar wins, and that's the one that, you know, is synonymous with supply chain issues. What's your recollection of how that went down when that started out? Well, I think people were whistling past the graveyard, right, for a long time before that one landed. And it was proof that it wasn't a matter of if, it was a matter of when. So solar winds hit, and it was a massive supply chain impact all over the world. And so, and, you know, affected real people. you know, couldn't use their gas pumps. I remember in the southeast of the U.S. here.
Starting point is 00:23:03 People were hoarding gas. So real-world, regular people repercussions of this. And it got everyone's attention and served as a, I guess, the proof of concept that supply chain vulnerabilities are a thing and they need to be taking seriously. And so I think it kicked off a whole era of supply chain research, of things like S-bomb initiatives,
Starting point is 00:23:32 software bills and materials, triggered a bunch of scrutiny of open-source ecosystems. Everybody started thinking about what's in my system that I don't know is in my system, right? It was the unknown unknowns. Thank you, Rumsfeld.
Starting point is 00:23:50 Yeah, because nobody's, you know, nobody is, I'm sorry, I shouldn't use absolutes. Most people are not creating software from whole cloth. They're using open source packages. They're using, because why not? Who has time to write everything? Yeah, it's just efficient. I mean, that's just how things are built now. I mean, it's how it's always been, really, is my understanding. I mean, you don't have to recreate everything from scratch. There's a perfectly good library or something else that someone has done. You build on that. That's how we make progress.
Starting point is 00:24:20 Yeah. So if you have these dependencies and you've been using this little nugget of of open source software for the past five years. And every time a new version comes, you wait a few days to see if there are any major issues, and then you just slide it into your own production environment. No problem, business as usual. And then all of a sudden, somebody can take that, put something bad in it,
Starting point is 00:24:45 and without even realizing it, it slides into your environment, and now you've got a problem. And going back to AI, we're seeing such an influx of people, vibe coding or trying to contribute to open source projects using AI, what we're talking about right here is part of that conversation for why that is so dangerous. You know, we have the idea of people making contributions to these extremely important
Starting point is 00:25:09 open source projects that a lot of our modern world is built on, but who's actually able to keep track of what's being contributed if it's being done through AI? And understandably, some open source project maintainers are saying no AI contributions whatsoever, but this is part of the reason why there's a lot of paranoia, understandably, about that because who knows what's being introduced that way. It's wild seeing these things converge in real time. Wild, scary, fun, interesting, I suppose. It keeps a lot of people in business.
Starting point is 00:25:42 Truly. And speaking of wild, fun, interesting, and all those things, a story that honestly, before we started doing research for this, I had actually a little bit forgotten about, and I cannot believe I forgot about this. Bloomberg had this huge bombshell story about super micro, and that set off this sort of feeding frenzy to chase that one down, and it ends up that that one wasn't real.
Starting point is 00:26:07 And if you look for it, though, it's still there on Bloomberg.com. Yeah. So it's, I, what the heck happened here? Well, it was 2018, I believe, that Bloomberg published this story, and the allegation was that Chinese operatives had, inserted these tiny little hardware devices, little tiny chips into super micro motherboards. Right. Yep.
Starting point is 00:26:35 And so this was a supply chain compromise and a degree of sophistication we had not seen before. And a nightmare situation that all this physical hardware has been tacked on to all this incredibly important stuff on the motherboard. like that's a nightmare. Right. And these super micro servers are everywhere in the government and, you know, very popular, good brand, all that. They got dragged into this. And so everybody started looking for what's going on here because if this is truly a hardware bug, well, the hardware exists. It's a real thing. It must be on the motherboard. And nobody found anything. There was never
Starting point is 00:27:27 any public evidence that supported the central claims. Yeah, and I remember the initial reaction from a lot of folks in sort of the federal sector going was just, how the heck did we miss this? Like, this is the kind of thing we're looking for. How on earth did we
Starting point is 00:27:43 miss this and how did Bloomberg find it first? And the answer was that you guys didn't miss it. But that was a crazy cause story and you know
Starting point is 00:27:58 that you know everybody kind of especially in the media sector we all want to be the ones to report on the new the new you know hot volume because you want to be the
Starting point is 00:28:07 place that breaks that story that's a great way to be in front of stuff but this one didn't exist so it's hard-fying and do we think Bloomberg was acting in bad faith
Starting point is 00:28:19 I don't think so but they got it very wrong whatever internal checks and balances they must have had failed them, in my opinion. And remarkably, what's been eight or nine years now, and there's never been a serious retraction from Bloomberg. Like you said, the article is, you can still go read it. So, Dave, this is, we've only taken a very top line view of the many, many volumes over the last 10 years. Certainly, this is not an all-inclusive look. We could not possibly do that in even just a few hours. It would take
Starting point is 00:29:00 us days. You know, it's been a good 10 years of you hearing these stories come and go. Some of them, some of these volumes have a pretty short life cycle. Some are ongoing still, like Log for Shell, for example, like we're still dealing with these. What sticks with you as you look back on these? Well, I think the thread that runs through all of this is this notion about having our assumptions challenged, right? Like we talked about at the beginning, people assumed, rightly assumed, that they had time to patch.
Starting point is 00:29:34 People rightly assumed that software was trustworthy. People rightly assumed that hardware was trustworthy. They thought they had time to take care of things. And each of these events have challenged those assumptions. Who do you trust? To what degree do we have to scrutinize software or rely on other people to do that for us? To what degree could something be lurking in our hardware? We have all these assumptions and ultimately at some point you have to trust things.
Starting point is 00:30:12 You have to trust people. That's how the world works. I can hear a few people going, no, no, I won't. Right. Well. Well, there are few folks that feel that way. That's true. Yeah, yeah. And, you know, trust but verify, right? All that, all that stuff.
Starting point is 00:30:29 Yeah, yeah. There's only so much you can do, but at some point, you have to believe something. Yeah, no, no, you're right. You're right. Yeah. It could be as simple as when I flick the light switch, the light comes on, right? Like you have, there are, and so I think it's over the past decade, we've seen many of our assumptions fall away, and we've learned that things that we used to assume, were true, now require an additional level of scrutiny, additional level of care, double-checking, all of those things. Assumptions we didn't even know we had in
Starting point is 00:31:04 some cases. They were so baseline that we just... It was like breathing. We didn't even think about it. And now it's like, oh, we have to examine that as well? Oh, my God. Right. And things have gotten so much more complex. Things are so much more interconnected than they used to be. And now
Starting point is 00:31:19 we've thrown AI into the mix, which has put us all in on turbo speed. And, yeah, what a world. What a world. Well, we'll be here for the next 10 years, too, I'm sure, Dave. And I don't see it slowing down anytime soon. Yeah.
Starting point is 00:31:38 And it's always something interesting. That's the thing about this business, right? There's always something to learn. There's always something new coming and surprises. And so it never gets old. That's an awesome way to end it. So Dave Bittner, host of the CyberWire Daily, thank you very much for joining me today.
Starting point is 00:31:59 My thanks to Maria Vermazes for joining me as we continue looking back on a decade of cybersecurity stories that shape the world we defend today. Thanks for listening to this special edition of the CyberWire Daily's 10th anniversary series. We'll be back with more conversations exploring the people, the moments, and the milestones that have defined the past 10 years of cybersecurity.
Starting point is 00:32:28 I'm Dave Bittner. Thanks for listening.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.