Shared Security Podcast

This week on Shared Security, Tom and Kevin sit down with Jay Beale — founder of InGuardians, long-time Black Hat trainer, creator/contributor behind Kubernetes security training, and part of the team behind the DEF CON Kubernetes CTF. Jay shares stories from decades of offensive security work, including the time Tom hired him for a physical penetration test and Jay somehow ended up inside a call center instead of stuck in the lobby. The crew also digs into what makes good security training, why Kubernetes is such a natural platform for both defenders and attackers to understand deeply, and how th...

The U.S. government reportedly ordered Anthropic to suspend access to two of its newest frontier AI models, Fable 5 and Mythos 5, citing national security concerns tied to a possible jailbreak. Anthropic complied, but pushed back on the reasoning, arguing that the reported behavior was narrow and that similar capabilities already exist in other advanced AI models.

In this episode, Tom, Scott, and Kevin discuss why treating AI capabilities like export-controlled technology may create more problems than it solves. The conversation connects today’s AI restrictions to earlier fights over encryption export controls, hacker tools, and government attempts to...

AI agents are useful, but they become risky when they can take action in real systems. In this episode, Tom Eston discusses recent reporting about attackers tricking Meta’s AI support chatbot into helping hijack Instagram accounts, and why that story matters far beyond social media. Tom explains practical guardrails for AI agents: read-only access first, human approval for consequential actions, separated accounts and contexts, prompt-injection awareness, least privilege, logging, monitoring, and adversarial testing for support and account recovery workflows.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application security, wi...

Mobile apps are now deeply connected platforms for identities, payments, sessions, APIs, healthcare, retail, gaming, and cloud services. In this special episode, Tom Eston talks with Joel Destefano, Senior Product Manager at Guardsquare, about the modern mobile app threat landscape and why organizations can’t treat mobile security as an afterthought.

Topics include runtime manipulation, API abuse, account takeover, fake apps, overlays, malware-assisted fraud, reverse engineering, iOS vs Android risk, AI-assisted attacks, and why backend-only security is not enough.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile ap...

Microsoft’s response to a researcher publicly disclosing proof-of-concept exploit code has reignited an old debate in security: where does responsible disclosure end and reckless disclosure begin? Tom and Scott discuss the Nightmare Eclipse controversy, the history of full disclosure, bug bounty incentives, and why legal threats against researchers may ultimately hurt customers. They also explain why researchers still need to follow responsible processes — and why vendors need to avoid punishing the people who help make their products safer.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application security, with...

Apple and Google are finally bringing end-to-end encrypted RCS messaging to iPhone and Android chats. In this episode, Tom Eston and Kevin Tackett explain why that matters, why insecure SMS is not going away anytime soon, and why Signal is still the better choice for truly sensitive conversations. They also revisit the green bubble versus blue bubble debate, platform trust issues, and what everyday users should understand before assuming every text message is private.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application security, with multi-layered protection for your...

OpenAI is now allowing some ChatGPT users to connect their bank accounts and financial data directly to the platform. In this episode, we discuss the technology behind the feature, the convenience it promises, and the serious privacy and security questions it raises.

From AI-generated budgeting advice to the risks of centralized financial profiling, we examine what happens when conversational AI gains visibility into your spending habits, debts, subscriptions, and financial goals.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application security, with multi-layered protection for your Android...

In this episode we discuss the recent cyber attack targeting Instructure’s widely used learning platform, Canvas, and the major late-breaking development that Instructure reached an “agreement” with the ShinyHunters cybercriminal group after threats to leak large amounts of stolen student and faculty data. Instructure says the stolen data was returned and that attackers provided digital confirmation that the information was destroyed, but the company did not deny making a payment—language that many in cybersecurity interpret as a ransom settlement.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile applicat...

World Password Day was on May 7th—but are we actually getting better at password security?

In this episode, we discuss why compromised credentials are still behind the majority of breaches in 2026. From password reuse and phishing to infostealer malware and MFA bypass techniques, attackers are finding it easier than ever to log in instead of hack in. We also talk about whether passkeys can finally shift the landscape—and what organizations should be doing right now to reduce risk.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application secu...

Attackers are now impersonating invitation services to trick people into clicking malicious links and sharing sensitive information. These phishing attempts look like legitimate event invites, making them especially effective. In this episode, we discuss how these scams work and what steps you can take to stay protected.

Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application security, with multi-layered protection for your Android and iOS apps. Learn more at Guardsquare.com.

** Links mentioned on the show **

New Phishing Scam: Fake Invitations
https://www...

New York’s latest budget proposal could fundamentally change how 3D printers work—requiring built-in software that scans and blocks certain designs. Supporters say it’s about stopping ghost guns. Critics say it opens the door to surveillance and limits innovation.

In this episode, we discuss what’s actually in the proposal, why it’s raising alarms across the tech community, and what it could mean for the future of user-controlled technology.

** Links mentioned on the show **

Stop New York’s Attack on 3D Printing!
https://www.eff.org/deeplinks/20...

Anthropic has introduced Project Glasswing, a cybersecurity initiative powered by an unreleased AI model called Claude Mythos. This system can identify zero-day vulnerabilities, generate exploits, and even help fix them—often without human input.

But there’s a catch: it’s considered too powerful for public release.

In this episode, we discuss what Project Glasswing is, why it matters, and what it means for the future of cybersecurity, red teaming, and AI-driven threats.

Is this the beginning of AI defending us—or the start of something much harder to control?

** Lin...

The dark web is often misunderstood, but it plays an important role in both privacy technology and cybercrime activity.

In this episode, Tom Eston speaks with cybersecurity researcher and educator John Hammond about what the dark web actually is and how it has evolved in recent years. The discussion covers underground marketplaces, ransomware leak sites, threat intelligence collection, and the operational risks involved in dark web investigations.

John also shares details about his new training course Dark Web 2, which focuses on using a hacker mindset to gather cyber threat intelligence from dark web sources.

A landmark jury verdict has found Meta and YouTube negligent in a social media addiction case, raising major questions about platform accountability and legal protections under Section 230.

This episode covers the details of the case, why the ruling is significant, and what it could mean for the future of social media, privacy, and cybersecurity. Could this trigger a wave of lawsuits against tech companies? And are platforms finally being held accountable?

** Links mentioned on the show **

Jury rules against Meta, YouTube in bellwether teen addiction case
https://www.businessinsider.com/social-media-addiction-trial-jury-verdict-meta-youtube-negligent-2026...

In this episode, Tom Eston and co-host Scott Wright discuss research showing that Tire Pressure Monitoring Systems (TPMS) can create privacy risks because the sensors broadcast unencrypted, uniquely identifying wireless signals that could be used to track vehicles. They reference a 10-week study by researchers at IMDEA in Madrid that collected about 6 million signals from over 20,000 cars at roughly 50 meters range, noting the signals can reveal details like tire pressure, car type, weight, and possible driving patterns, and can be captured with about $100 of equipment. The hosts explain TPMS is a safety feature required on 2008+ cars, consider realistic threat...

Tom Eston interviews offensive AI researcher and PhD candidate Andrew Wilson, a former Bishop Fox partner who helped grow the firm from under 20 people to nearly 500, built award-winning AI solutions for SOC modernization, founded Cactus Con, and relocated his family to Guadalajara to open and scale a Bishop Fox office. They discuss Mexico’s growing cybersecurity and AI ecosystem, driven by talent, community events, and government-university partnerships, and how offensive security has shifted from “one-person army” generalists to more specialized roles. Wilson explains his PhD work modeling expert pen testers’ cognitive approaches to shape AI agents, argues AI lowers barriers...

This episode discusses Meta Ray-Ban Smart Glasses, which blend a camera, microphone, AI features, and social media integration into sunglasses that look like normal fashion eyewear, raising major privacy concerns. It highlights reports that footage captured by the glasses may be reviewed by human contractors to help train Meta’s AI systems, and notes critics’ concerns about how easily people can be recorded in public without their knowledge. Although the glasses include a small LED indicator when recording, many people reportedly don’t notice it.

** Links mentioned on the show **

People Are Calling Meta Ray-Ba...

In a move that bucks the entire industry trend, TikTok has confirmed it will not implement end-to-end encryption (E2EE) for direct messages on its platform — arguing that E2EE would make users less safe. We break down what’s really going on: the child safety argument, the privacy counterargument, the geopolitical questions surrounding ByteDance, and what it all means for TikTok’s 1 billion+ users. If you use TikTok, this episode is essential listening.

** Links mentioned on the show **

TikTok won’t protect DMs with controversial privacy tech, saying it would put users at risk
...

Anthropic’s Claude Code Security research preview promises AI-powered code analysis and vulnerability detection at scale. The announcement triggered strong reactions across the cybersecurity community and sent several vendor stocks lower. In this episode, we break down what the tool actually does, where it fits in modern AppSec, and whether AI automation threatens traditional security products or simply makes teams more efficient. Expect a practical, no-hype conversation about what changes and what doesn’t.

** Links mentioned on the show **

Anthropic’s New Claude AI Security Tool Wipes Out Over $15 Billion From Cybersecurity Stocks
https...

TikTok has shifted to a majority-American entity, TikTok USDS Joint Venture, LLC, to comply with U.S. national security requirements and avoid a ban. This week we discuss why a recent privacy policy update went viral—especially language about sensitive data like immigration status and precise location—and argue much of it reflects longstanding practices and required California privacy disclosures. We emphasize reading policies, understanding your threat model, and making your own decision about using TikTok or other social platforms. The episode also briefly mentions Ring ending its partnership with Flock and a rumored internal email about expanding Ring’s “sea...

In this episode, we discuss two major tech stories impacting privacy and security. First, we analyze Ring’s new AI-powered ‘Search Party’ feature and its controversial Super Bowl ad that sparked privacy concerns. We then transition to a breaking story about a zero-click remote code execution flaw in the Claude Desktop, highlighting the potential risks of AI. The hosts also reflect on their most popular YouTube episode on why Gen Z is ditching smartphones.

** Links mentioned on the show **

How to disable Search Party on your Ring Camera
Open the Ring app, tap the ha...

Autonomous AI assistants are hitting the mainstream — but at what cost? This week, we discuss the recent OpenClaw phenomenon (formerly Clawdbot/Moltbot), the security fiasco surrounding Moltbook’s exposed database, and the quirky yet concerning AI agent dating platform MoltMatch. We explore the privacy and cybersecurity implications of entrusting AI agents with sensitive access and how defenders should think about emerging agentic risks.

** Links mentioned on the show **

OpenClaw (a.k.a. Moltbot) is everywhere all at once, and a disaster waiting to happen
https://garymarcus.substack.com/p/openclaw-aka-moltbot-is-everywhere

Exposed Molt...

Younger generations are increasingly ditching smartphones in favor of “dumbphones”—simpler devices with fewer apps, fewer distractions, and less tracking. But what happens when you step away from a device that now functions as your wallet, your memory, and your security key?

In this episode, Tom and Scott explore the dumbphone movement through a privacy and cybersecurity lens. Drawing from a recent Wired article, the conversation digs into digital burnout, surveillance capitalism, multi-factor authentication dependencies, and whether opting out of smartphones is an act of digital self-defense—or a step toward digital disadvantage.

** Links mentioned on the s...

In this episode, we explore the latest changes to AirDrop in iOS 26.2 and how they enhance privacy and security. Learn about the new 10-minute limitation on the ‘Everyone’ setting and the introduction of AirDrop codes for safer file sharing with non-contacts. We also discuss best practices for configuring your AirDrop settings to safeguard your privacy, including tips for high-risk individuals and general recommendations for everyday use. Stay informed and keep your device secure by updating to the latest iOS version and regularly reviewing your AirDrop settings.

** Links mentioned on the show **

iOS 26.2 adds an AirDrop secu...

In this episode, we explore Amazon Ring’s newly introduced Familiar Faces feature that utilizes AI for facial recognition. We discuss the convenience of identifying familiar people at your doorstep, the privacy concerns it raises, and the legal implications surrounding biometric data. Learn about how this feature works, potential inaccuracies, and privacy laws in certain U.S. states. We also discuss broader concerns about AI and surveillance, and provide practical advice on using this technology responsibly.

** Links mentioned on the show **

Ring Doorbells Can Now Identify Faces—But Experts Say It’s a Major Privacy Invasi...

In this episode of Shared Security, we discuss a significant Pennsylvania Supreme Court ruling that permits police to access unprotected Google search histories without a traditional warrant. The discussion centers around the implications of the Commonwealth vs. Kurtz case and the concept of reverse keyword searches. Kevin Tackett joins the conversation, providing insights and posing critical questions about the balance between law enforcement needs and privacy rights. The episode explores concerns over digital privacy, third-party data, and potential broader impacts on users.

** Links mentioned on the show **

Pennsylvania court rules Google searches are not private<...

Welcome to the first episode of the Shared Security Podcast in 2026! As AI becomes increasingly integrated into technical fields such as software development and cybersecurity, traditional entry-level roles are evolving or disappearing. This episode discusses the implications of AI on entry-level knowledge worker jobs, emphasizing the need for students, recent graduates, and those entering the job market to adapt their strategies. Discover the new skills and approaches needed to stay relevant, explore potential career pivots, and learn why degrees and certifications alone are no longer sufficient. Tune in for practical advice on thriving in an AI-driven job market.

Join us this week as we rewind the tape on our 2025 predictions. In this episode, we revisit last year’s forecasts in cybersecurity, geopolitics, and AI, discussing which ones came true, which ones fizzled out, and which ones were a mixed bag. Additionally, we share insights from past guests, celebrate milestones, and make bold new predictions for 2026. Find out what we got right, what surprised us, and what we think is on the horizon for the coming year!

** Links mentioned on the show **

Scott’s 2025 Predictions
https://youtu.be/Fgc4UlraU-o?si=hgTp0trKZ6vlwq...

In this episode, Tom Eston discusses the unique challenges in the current cybersecurity job market, emphasizing the importance of networking. Tom provides practical tips on how to enhance networking skills, such as attending conferences, volunteering for open source projects, creating a blog, and seeking mentors. He also addresses misconceptions about the job shortage in cybersecurity and encourages listeners to start building their professional networks early. Tune in for valuable insights to help you advance your cybersecurity career.

** Links mentioned on the show **

Connect with Tom on LinkedIn
https://www.linkedin.com/in/tomeston/

Join us in the midst of the holiday shopping season as we discuss a growing privacy problem: tracking pixels embedded in marketing emails. According to Proton’s latest Spam Watch 2025 report, nearly 80% of promotional emails now contain trackers that report back your email activity. We discuss how these trackers work, why they become more aggressive during the holidays, the data being collected by marketers, and how you can protect yourself. We are joined by Scott Wright to explore Proton’s comprehensive study, identify the worst offenders in email tracking, and share tips on maintaining your online privacy. Tune in and...

In this episode we discuss the rising challenge of AI-generated videos, including deepfakes and synthetic clips that can deceive even a skeptical viewer. Once the gold standard of proof, video content is now increasingly manipulated through advanced AI tools like Sora 2 and Google’s Nano Banana, making it harder to separate reality from fiction. Tom and Scott discuss the differences between malicious deepfakes and poorly-made AI-generated content, identify key indicators that reveal a video might be AI-generated, and explain how these videos are used in social engineering attacks. Practical advice is offered on how to protect yourself and your or...

In this special episode of the Shared Security Podcast, host Tom Eston reunites with former co-host and experienced fractional CISO, Chris Clymer. They reminisce about their early podcasting days and discuss the evolving role of a Chief Information Security Officer (CISO). The conversation covers the responsibilities, challenges, and skills required to be a successful CISO, including technical and soft skills, business acumen, and people management. Chris shares his journey, the concept of a fractional CISO, and offers valuable advice for those aspiring to enter the CISO role. Tune in for a mix of nostalgia, real-world advice, and mentorship on...

In this episode, we discuss the first reported AI-driven cyber espionage campaign, as disclosed by Anthropic. In September 2025, a state-sponsored Chinese actor manipulated the Claude Code tool to target 30 global organizations. We explain how the attack was executed, why it matters, and its implications for cybersecurity. Join the conversation as we examine the details, Anthropic’s response, and the broader impact on AI in cybersecurity.

** Links mentioned on the show **

Disrupting the first reported AI-orchestrated cyber espionage campaign
https://www.anthropic.com/news/disrupting-AI-espionage

Jen Easterly’s LinkedIn post about the Anthropic disc...

In this episode, we discuss the newly released OWASP Top 10 for 2025. Join hosts Tom Eston, Scott Wright, and Kevin Johnson as they explore the changes, the continuity, and the significance of the update for application security. Learn about the importance of getting involved with the release candidate to provide feedback and suggestions. The conversation touches on the history of the OWASP Top 10, its release cycle, the evolution from specific vulnerabilities to broader categories, and the impact on vulnerability assessment and compliance.

The future of home robotics is here — and it’s a little awkward. Meet the NEO 1X humanoid robot, designed to help with chores but raising huge cybersecurity and privacy questions. We discuss what it can actually do, the risks of having an always-connected humanoid in your home, and why it’s definitely not the “Robot Rosie” we were promised.

In this episode, we explore OpenAI's groundbreaking release GPT Atlas, the AI-powered browser that remembers your activities and acts on your behalf. Discover its features, implications for enterprise security, and the risks it poses to privacy. Join hosts Tom Eston and Scott Wright as they discuss everything from the browser's memory function to vulnerabilities like indirect prompt injection. Stay informed on how AI browsers could reshape web browsing and cybersecurity.

In this episode 404 (no pun intended!), we discuss the recurring issue of DNS outages, the recent Amazon AWS disruption, and what this reveals about our dependency on cloud services. The conversation touches on the need for tested business continuity plans, the implications of DNS failures, and the misconceptions around cloud infrastructure's automatic failover capabilities.

OpenAI’s Sora 2 is here — and it’s not just another AI toy. This episode explores how Sora 2 works, how users can insert real people into generated content, and why that’s raising alarms about privacy, identity, and copyright. We walk you through the initial opt-out copyright controversy, the backlash from studios and creators, and how OpenAI is scrambling to offer more control. Tune in to understand what rights you might lose — or want to protect — in this new media era.

In this episode, we discuss the surge of age verification laws spreading across the US, including the recent implementation in Ohio. These laws intend to shield children but come at a significant cost to privacy and cybersecurity. We'll explore how third-party ID verification companies operate, the risks associated with these systems, and the broader definition of adult content beyond pornography. We also question the effectiveness and security of these measures as we share insights into the ease of bypassing verification systems. Are we protecting kids, or building a privacy nightmare?

Phishing simulations have been a cornerstone of security awareness training for years. But do they actually change user behavior, or are they just creating frustration and fatigue? In this episode, Tom Eston and Scott Wright (CEO of ClickArmor) debate whether simulated phishing attacks are still valuable in 2025. We cover the benefits, challenges, and how phishing programs might evolve — or even be replaced — in the future.