@GossiTheDog Yes I agree that @tomatospy raised appropriate security culture concerns in the newsletter. The keys weren't handled with enough security attention (architecture, testing, etc.) given how important they were as a root of trust. With better governance this type of flaw shouldn't have existed.
I've seen security design & operational practices in a wide range of organisations and from my experience the top-tier US-based cloud services run security dramatically better than the vast majority of commercial or public sector organisations.
Once a cloud service becomes seriously successful the customer impact and criticality increase dramatically - and likewise for attackers. Five years ago best-practice commercial security may have been sufficient, but when capable nation-state intelligence agencies are interested the threat model seriously changes. And security practices really need to shift up.
@thegrugq and @tomatospy - I enjoyed your chat on Between Two Nerds about potential applications of AI for scams.
When you talked about possible market size limits for scammers I thought of the sales term for that (total addressable market, or TAM) which is when it clicked that this is the most adjacent job type in legitimate (?) work.
One obvious implication is that the scammers will need a good CRM for tracking prospects and when they identify real opportunities. So I assume they're all using Salesforce to manage their deals and to keep management aware of how close the deals are to completion. Will they close the scam in this quarter?!
I was also struck that the people working in the scam call centres are doing Inside Sales. For large or huge customers, vendors assign account managers (sales reps), or teams of them if the customer is large enough. For mid-market customers each account rep is assigned many customers and works remotely - it's all done using email, phone and conf calls.
Good discussion by @riskybusiness and @metlstorm about CrowdStrike's report on VMware ESXi risks.
In my view the key risks with classic VMware data centre environments are similar to the risks with classic Active Directory, and backup systems - these are all core IT infrastructure for a lot of places, and there's as much legacy in the access control to these services as in the services themselves.
The CrowdStrike post (https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/) was quite good in their recommendations on what to do for vSphere environments - yes it needs to be patched, but start with tightening access to the control plane.
@matthew_d_green Our family perspective was that clearly Elmo was wanting to visit Qatar along with a regional expert.
(We lived in the Gulf for 9 years so you can guess where my tongue is) ...