Reading view

Laurie Anderson Is Quoting Me

Not by name, but Laurie Anderson quotes me in one of the tracks of her new album:

My favorite quote is from a cryptologist who said “If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems.”

Also in interviews:

“Of course, it’s ridiculous, outrageous, blah, blah, blah,” Anderson says about the ad. ‘But, I mean, my favorite quote on this is from a cryptologist who said, ‘If you think technology will solve your problems, you don’t understand technology ­ and you don’t understand your problems.’ And I think I’m completely on board with that.”

People are telling me that she has been reciting this quote in performances for years. (I lost track of her since college and her 1981 hit “O Superman.”)

The origins of the quote is from Roger Needham:

If you think cryptography can solve your problem, you don’t understand your problem and you don’t understand cryptography.

I modified the quote in the preface to my 2000 book Secrets and Lies:

A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

I can’t tell you why me in 2000 didn’t credit Needham by name. I should have.

I have used the quote pretty consistently since then. Somewhere along the line I dropped “security” from the phrase, and now say it more like Anderson quotes me:

If you think technology will solve your problem, you don’t understand your problem and you don’t understand technology.

I sometimes use singular and sometimes use plural. Sometimes I say “the problem” and “the technology.” But I think the quote flows better ending with just the word “technology.”

  •  

Introducing the updated AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption

The financial services industry (FSI) is using AI to transform how financial institutions serve their customers. AI solutions can help proactively manage portfolios, automatically refinance mortgages when rates decrease, and negotiate insurance premiums for customers.

However, this adoption brings new governance, risk, and compliance (GRC) considerations that organizations need to address. To help FSI customers navigate these challenges, AWS is excited to announce an updated AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption within Financial Services Industries.

This comprehensive guide provides FSI customers practical considerations for responsible AI adoption across key dimensions including governance, risk management, compliance, data management, model management and AI agent management. It includes detailed AWS service capabilities that customers can use to address these considerations, such as Amazon Bedrock AgentCore, Amazon Bedrock Guardrails, Amazon Bedrock Agents, Amazon SageMaker Autopilot, and Amazon SageMaker Model Monitor.

The guide is available at the AWS Whitepaper portal and is complementary to other AWS resources such as the AWS Responsible Use of AI Guide, AWS Cloud Adoption Framework for AI, AWS Well-Architected Framework – Responsible AI Lens, AWS Well-Architected Framework – Generative AI Lens, and AWS Well-Architected Framework – Machine Learning Lens.

As the regulatory environment and leading practices continue to evolve, we will provide further updates on the AWS Security Blog and AWS Compliance Center. You can also reach out to your AWS account team for help finding the resources you need.

Resources

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Krish De

Krish De

Krish is a Principal FSI Governance, Risk, and Compliance (GRC) specialist. He works with AWS customers, their regulators, and AWS teams to safely accelerate customers’ AI and cloud adoption by providing prescriptive guidance on GRC. Krish has over 20 years of experience working in governance, risk, and technology across the financial services industry in Australia, New Zealand, and the United States.

Brenda Fong

Brenda Fong

Brenda is a senior FSI risk and compliance specialist. She works with AWS customers in banking, insurance, and capital markets within the ASEAN region to help them meet regulatory, governance, risk, and compliance expectations. Brenda has over 20 years of experience working in governance, risk, and technology across the financial services industry within Asia Pacific.

Stephen Martin

Steve is the Head of Financial Services Compliance and Security for EMEA and APAC. Steve Joined AWS after working for over 20 years in financial service in senior leadership roles with responsibility across ASIA, the Middle East, and Europe. At AWS, he supports customers as they use the scale, security, and agility of AWS to transform the industry.

Kelvin Leung

Kelvin Leung

Kelvin is the AWS FSI Security and Compliance Lead based in Hong Kong. He has 20 years of experience specializing in AI Governance, risk management and regulatory compliance within the financial services sector. Prior to joining AWS, Kelvin worked for a financial regulator where he was responsible for technology risk policy-making and IT regulatory examinations, with a particular focus on AI risk assessment and control frameworks.

  •  

How to Identify and Exploit New Vulnerabilities

In the ever-evolving world of cybersecurity, staying ahead of the curve is not just a goal—it’s a necessity. As new vulnerabilities emerge, the race to identify and mitigate them begins. But how do we, the guardians of the digital realm, rapidly pinpoint these threats as they become public? Let’s dive into the fascinating world of vulnerability identification and see how the magic happens.

The post How to Identify and Exploit New Vulnerabilities appeared first on Black Hills Information Security, Inc..

  •  

Patch Tuesday, May 2026 Edition

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple, Google, Microsoft, Mozilla and Oracle — fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases.

As it does on the second Tuesday of every month, Microsoft today released software updates to address at least 118 security vulnerabilities in its various Windows operating systems and other products. Remarkably, this is the first Patch Tuesday in nearly two years that Microsoft is not shipping any fixes to deal with emergency zero-day flaws that are already being exploited. Nor have any of the flaws fixed today been previously disclosed (potentially giving attackers a heads up in how to exploit the weakness).

Sixteen of the vulnerabilities earned Microsoft’s most-dire “critical” label, meaning malware or miscreants could abuse these bugs to seize remote control over a vulnerable Windows device with little or no help from the user. Rapid7 has done much of the heavy lifting in identifying some of the more concerning critical weaknesses this month, including:

  • CVE-2026-41089: A critical stack-based buffer overflow in Windows Netlogon that offers an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards.
  • CVE-2026-41096: A critical RCE in the Windows DNS client implementation worthy of attention despite Microsoft assessing exploitation as less likely.
  • CVE-2026-41103: A critical elevation of privilege vulnerability that allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID. Microsoft expects that exploitation is more likely.

May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws. Microsoft was among a few dozen tech giants given access to a “Project Glasswing,” a much-hyped AI capability developed by Anthropic that appears quite effective at unearthing security vulnerabilities in code.

Apple, another early participant in Project Glasswing, typically fixes an average of 20 vulnerabilities each time it ships a security update for iOS devices, said Chris Goettl, vice president of product management at Ivanti. On May 11, Apple shipped updates to address at least 52 vulnerabilities and backported the changes all the way to iPhone 6s and iOS 15.

Last month, Mozilla released Firefox 150, which resolved a whopping 271 vulnerabilities that were reportedly discovered during the Glasswing evaluation.

“Since Firefox 150.0.0 released, they have been on a more aggressive weekly cadence for security updates including the release of Firefox 150.0.3 on May Patch Tuesday resolving between three to five CVEs in each release,” Goettl said.

The software giant Oracle likewise recently increased its patch pace in response to their work with Glasswing. In its most recent quarterly patch update, Oracle addressed at least 450 flaws, including more than 300 fixes for remotely exploitable, unauthenticated flaws. But at the end of April, Oracle announced it was switching to a monthly update cycle for critical security issues.

On May 8, Google started rolling out updates to its Chrome browser that fixed an astonishing 127 security flaws (up from just 30 the previous month). Chrome automagically downloads available security updates, but installing them requires fully restarting the browser.

If you encounter any weirdness applying the updates from Microsoft or any other vendor mentioned here, feel free to sound off in the comments below. Meantime, if you haven’t backed up your data and/or drive lately, doing that before updating is generally sound advice. For a more granular look at the Microsoft updates released today, checkout this inventory by the SANS Internet Storm Center.

  •  

The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT

Blogs

Blog

The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT

In this post, we explore how the decline of geotagged data is reshaping location-based OSINT, the intelligence gaps it creates for analysts, and how AI-driven keyword generation and geofencing are restoring visibility into real-world events.

SHARE THIS:
Default Author Image
May 12, 2026

For years, location-based open-source intelligence (OSINT) has relied heavily on a steady stream of user-generated geographic data. Geotagged social media posts with embedded latitude and longitude coordinates have long been a goldmine for tracking regional trends, monitoring real-time events, and understanding on-the-ground public sentiment. Intelligence professionals and data scientists have historically used this passively-generated location-based data to aggregate real-time insights for everything from tracking public sentiment to monitoring natural disasters.

However, the era of effortless geographic tracking is coming to an end. Geotagged social media data is becoming increasingly scarce, making it significantly harder for security teams to gather a complete picture of location-based intelligence.

The Decline of Location Sharing

The primary driver behind the diminishing use of geotags is a massive shift in digital privacy standards. For instance, major platform-level policy interventions, such as Apple’s November 2021 iOS privacy update, changed the default consent model for device tracking. Instead of requiring users to actively opt out of location tracking, iPhone users must now explicitly opt in.

As a result of these strengthened privacy controls, a massive behavioral shift occurred: within a year of the iOS update, 62% of affected users chose to opt out of location tracking entirely. This platform-mediated behavioral barrier has drastically reduced the availability and visibility of granular location traces, creating complex new blind spots for researchers and intelligence analysts.

The Intelligence Gap

With precise coordinates disappearing from social feeds, security practitioners and OSINT investigators are left facing a major data void. Relying purely on traditional keyword or hashtag searches to find location-specific events is highly inefficient. In fact, as little as 7% of social media posts actually contain hashtags. If an analyst is scanning 10,000 posts a day looking for a specific hashtag, they could be missing up to 9,300 posts that hold critical intelligence.

To compensate for missing geotags, security practitioners have traditionally had to spend valuable time performing manual, tedious searches for specific local details like street names, landmarks, and local businesses to figure out where an event is taking place.

Bridging the Gap with AI

To overcome the increasing scarcity of explicit location data, the intelligence industry is leveraging artificial intelligence and spatial technologies.

AI-powered keyword optimization tools like Echosec’s new AI-powered “Optimize” feature are designed specifically to bridge this data gap. Instead of relying on users to share their precise coordinates, AI automatically generates hyper-relevant, location-based keywords for an investigator’s search. If an analyst is looking into a specific neighborhood, the AI will suggest relevant landmarks, tourist attractions, schools, government buildings, and businesses to monitor. This instantly converts manual, time-consuming research into an automated process, significantly increasing the volume and relevance of the data collected.

Geo-Based OSINT 2.0

Geo-based search combined with AI keyword generation is taking OSINT to the next level. Geofencing allows teams to draw virtual perimeters around physical sites, such as corporate offices, foreign meeting sites, or public gatherings, to monitor digital activity strictly within those areas. This means you don’t need to know what keywords or hashtags you are looking for; you only need to know where to look. This is incredibly valuable for real-time executive protection and monitoring civil unrest, as it surfaces visual intelligence and early warnings directly from the scene, cutting out irrelevant noise.

The Future of OSINT for Situational Awareness

The decline of the geotag is a victory for consumer privacy, but it isn’t the end of location-based intelligence. By leveraging AI-driven keywords and hyper-local geofencing, security teams can move beyond broad geographic searches. These smart tools alleviate research bottlenecks, allowing analysts to redirect their expertise away from exhaustive data hunting and toward the critical analysis needed to respond to threats before they escalate. The geotag may be fading, but our situational awareness remains sharper than ever.

Don’t let the intelligence gap compromise your situational awareness. Ready to move from tedious manual searches to immediate, actionable insights? Book your Echosec demo today and empower your team with the next generation of location-based insight.

Request a demo today.

The post The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT appeared first on Flashpoint.

  •  
❌