Security
23 Dec 2025
Panel: RCS-Based Verification vs Insecure SMS OTPs
Here’s a number that should bother you: SMS-based one-time passwords remain the default second factor for the vast majority of consumer authentication flows. Banks, healthcare portals, government services, e-commerce platforms. Most still send a six-digit code over a protocol designed in the 1980s. No encryption. None.
NIST formally classified SMS OTP as a “restricted authenticator” in SP 800-63B Revision 4. That’s bureaucratic language for “we don’t trust this anymore, and neither should you.”
28 Jan 2025
Panel: M2M Trust and the Security Gap in Agentic AI
I moderated a panel last week on machine-to-machine trust in agentic AI systems, and the conversation went sideways almost immediately. The plan was to discuss identity management frameworks. What we ended up talking about—for the better part of an hour—was how fundamentally unprepared enterprise security is for a world where AI agents act autonomously on behalf of organizations.
The core problem is simple to state and terrifying to think through: every AI agent needs an identity. Every identity is an attack surface. And we’re scaling agents faster than we’re scaling the governance around them.
8 Dec 2024
Vishing Attacks Increase by 442% via AI Cloning
Three seconds. That’s all a modern voice cloning model needs—just three seconds of your voice—to produce a replica convincing enough to fool your CFO, your IT helpdesk, or your mom.
I’ve been tracking this space since my DreamFlare days, when we were building entertainment products with generative AI. The speed at which offensive tooling has matured? Genuinely unsettling.
The numbers back it up. CrowdStrike’s threat intelligence team documented a 442% increase in voice phishing (vishing) attacks between the first and second halves of 2024. Not a typo. Four hundred and forty-two percent.
5 May 2023
Node.js 20: Permission Model and Test Runner Stability
Node.js has always operated on a trust-everything model. Your code, your dependencies, your dependencies’ dependencies — they all get the same unrestricted access to the filesystem, network, and child processes. A malicious package in your node_modules can read your SSH keys, exfiltrate environment variables, or spawn arbitrary processes. No guardrails. No questions asked.
Node.js 20, released April 18, starts changing that.
The Permission Model
The new --experimental-permission flag lets you restrict what your Node.js process can do at runtime. Want to prevent filesystem writes outside a specific directory? Done. Want to block child process spawning entirely? Also done. Worker thread creation? Controllable.
27 May 2022
Scaling AppSec at Netflix with Cosmos Microservices
Netflix launches new microservices daily. Not weekly. Daily.
When your architecture is thousands of services deep and growing at that pace, you can’t secure it with manual reviews and quarterly audits. You just can’t. The only viable strategy is automation plus queryable data, and Netflix’s engineering team has written openly about how they’ve built exactly that.
Their Scaling AppSec blog post lays out an approach that I think any engineering leader running a microservices architecture should study — not to copy Netflix’s specific tooling, but to understand the organizational model behind it.
29 Mar 2022
Cybersecurity Mesh: Moving toward Zero Trust Designs
Gartner loves naming things. They’ve built an entire industry around it — the Hype Cycle, the Magic Quadrant, the annual list of Strategic Technology Trends that every CTO feels obligated to reference in their board deck. But occasionally, buried under all that branding, there’s a genuinely useful architectural concept. Cybersecurity Mesh Architecture (CSMA) is one of those.
CSMA made Gartner’s top strategic technology trends for 2022, sitting there alongside hyperautomation and autonomic systems. The headline prediction caught my eye: organizations that adopt a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90% by 2024.
23 Feb 2022
Geopolitical IT Armies and the Role of Technology
Something shifted in the last 48 hours and I’m still processing it.
The geopolitical situation between Russia and Ukraine has been escalating for weeks, but what I want to focus on is the cyber dimension. Not because the physical dimension isn’t more important—it obviously is—but because what’s happening online represents a fundamental change in how technology intersects with conflict. And our industry is directly implicated.
The cyber front opens first
On February 23rd, a major cyberattack hit Viasat’s KA-SAT network. The attack targeted satellite modems serving Ukraine, knocking out internet access across the country. But satellite beams don’t respect borders. The same attack disrupted Viasat terminals across Europe, including in Germany, where it knocked out remote monitoring of approximately 5,800 wind turbines operated by Enercon.
9 Dec 2021
The Log4Shell Aftermath: Why Maintenance is Creation
A critical vulnerability in Apache Log4j dropped this morning. CVE-2021-44228. Remote code execution in a logging library embedded in basically everything Java touches. Scrambling starts now, if it hasn’t already.
Writing this the same day the news broke because the conversation is already heading the wrong way. Patching, scanning, who updated dependencies fastest — those things matter. Symptoms, though. All symptoms.
The disease? The industry treats maintenance like it counts for nothing.
14 Oct 2021
Node.js 17: OpenSSL 3.0 and Improved Stack Traces
Node.js 17 drops next week, and the headline change is one that’ll cause some headaches: OpenSSL 3.0 replaces OpenSSL 1.1.1.
This isn’t a minor version bump. OpenSSL 3.0 tightens restrictions on which algorithms and key sizes are allowed by default. If your application (or more likely, one of your dependencies) uses algorithms that OpenSSL 3.0 considers legacy, you’ll start seeing ERR_OSSL_EVP_UNSUPPORTED errors. No deprecation warning period — just errors.
As a Current (non-LTS) release, Node 17 won’t run in most production environments. That’s actually the point. It gives the ecosystem time to find and fix compatibility issues before OpenSSL 3.0 ships in Node.js 18 LTS, which is the release that’ll matter for production workloads.
14 Jul 2020
Node.js 6.14.7: Security Patches and Dependency Audits
Last month, the Node.js project shipped security releases for versions 10, 12, and 14. If you’re running Node 6 in production—and I know some of you are—you got nothing.
Node.js 6 reached End-of-Life in April 2019. That was over a year ago. No more patches, no more backports, no more security fixes. The June 2020 releases addressed TLS session reuse vulnerabilities, HTTP request smuggling vectors, and DNS rebinding issues across the active release lines. Node 6? Exposed to all of them, with zero official remediation path.