open source and cybersecurity news

May 10, 2023

Sydney Cancer Treatment Center Data Breach, AI Hacking Skills, Spot Dog, AST

Episode Transcription:

Pokie Huang:

Hey, it’s 5:05 on Wednesday, May 10th, 2023. From the Sourced Podcast Network in New York City, this is your host, Pokie Huang. Stories in today’s episode come from Edwin Kwan in Sydney, Australia, Shannon Lietz in San Diego, California, Katy Craig in San Diego, California, Olimpiu Pop in Transylvania, Romania, and Marcel Brown in St. Louis, Missouri.

Let’s get to it. 

Edwin Kwan: 

This is Edwin Kwan from Sydney, Australia. 

The Crown Prince Mary Cancer Center, which is part of Westmead Hospital, has suffered a data breach with the hackers demanding a ransom. The group claiming to be behind the attack is called Medusa and is known to be actively targeting Australian and New Zealand organizations since the start of 2023.

The group listed the Crown Prince Mary Cancer Center on its dedicated leak site with a countdown timer for the ransom demands. 

New South Wales Health is currently investigating this incident and currently believes that there is no impact to any New South Wales Health databases nor the Crown Prince Mary Cancer Center’s database.

Shannon Lietz: 

It’s time to brush up on your AI hacking skills, folks. This is Shannon Lietz reporting from San Diego, California. 

Last week the White House and AI-GPT makers challenged the world’s best hackers to put their AI tech to the test at DEFCON-31’s AI Village. The White House also committed $140 million to launch seven new national AI research institutes, which brings the total to 25 across the US.

More importantly, the US government plans to lead by example on mitigating AI risks so that we can harness more AI opportunities. 

The commitment to harness and leverage more AI shouldn’t be surprising. Many US companies and citizens are leaping forward at AI innovation, finding new opportunities to invent and create rapidly every single day.

Meanwhile, security research isn’t cheap. There’s a lot of notoriety in finding bugs and getting them fixed before hackers leverage them. But, uh, not yet a growing number of bounty programs that are fully embracing the security research community. And what I’m curious about is whether we will continue to see greater adoption of bug bounty programs by the wider community, or whether the government will push forward with greater transparency in measuring the adversary resilience of AI platforms. Something it has yet to do even with normal software.

If you haven’t read it yet, you should go check out the latest announcement by the White House on AI innovation and their commitments. I think it goes quite a long way, but still falls a little bit short when it comes to that transparency initiative they’re so fond of.

Katy Craig: 

Remember Spot, the Boston Dynamics Robodog? Well, he’s gotten a brain upgrade, but this time it’s ChatGPT.

This is Katy Craig in San Diego, California.

Spot hasn’t transformed into a loquacious orator, but this AI field partnership does give it some serious communication skills. Gone are the days of the mysterious remote operator wielding control over the four-legged robo friend. With ChatGPT on board, anyone can walk up to Spot and have a little chat, just like talking to, well, a very smart metal dog.

No more cryptic remote commands. Just a friendly, “Hey Spot. Where is Gadget X stored?” 

Creators say this one upgrade immediately improves safety by enabling anyone to provide voice commands. It’s like having a helpful coworker, but with way fewer coffee breaks and zero gossip. 

As Spot and ChatGPT’s love story unfolds, we can’t help but chuckle at the thought of robots and AI bringing us closer together, one voice command at a time. It’s a reminder that in the ever-evolving world of AI and technology, sometimes all you need is a friendly AI enhanced Robodog to brighten your day. Sit Spot! Sit! Good dog. 

This is Katy Craig. Stay safe out there.

Olimpiu Pop: 

Whenever you hear two people in technology debating something, it sounds like a game of chicken with acronyms. Who will be the first one to admit that he doesn’t know one of them? And because I’m usually quite bad at these tongue twisters of modern society, I was very grateful that Theresa Mammarella and Eddie Knight from Sonatype took the time to write an article decluttering a bit what the role of DAST, SAST, IAST, RASP and SCA is, and how they enhance the security of your application.

Let’s take them one by one. 

SCA or software composition analysis looks at your imported dependencies, but it won’t be used to inspect your own code base. Depending on the approach and maturity of the chosen tool, it’ll do some or all of the following. 

- Number one, inspect third party code.

- Number two, identify known vulnerabilities.

- Number three, spot licensing concerns.

- Number four, detect malicious programs.

- Number five, find code tampering.

- Number six, highlight weak code patterns.

So it covers an important side of your supply chain security, but it doesn’t look at the code written in your organization. One of the next tools will take care of that. 

The next one is Static Application Security Testing, or SAST. This one looks at all your code base. It could be considered complementary to the SCA tool. It looks at the code line by line like a security-flaws-aware linter. It provides feedback early in the software development process, so the earlier, the easier and cheaper to fix. Given the broad area that it covers, it could provide many false positives or information overload. Make sure you have a prioritization in place for approaching the findings.

DAST, or Dynamic Application Security Testing. This one is one of a kind, not resembling any of the others. Your external operator who doesn’t care only about results. Similar to the next two, it involves testing a running application.

Loosely speaking, you can compare it to an automated pen tester tool. 

Some of the things it might catch. 

- Number one, validation vulnerabilities such as SQL injection and cross-site scripting.

- Number two, authentication issues.

- Number three, configuration errors.

- Number four, weak ciphers.

The biggest weakness is that these kinds of tools just point to the failure without any connection to the code.

IAST, Interactive Application Security Testing. It is probably the most robust and holistic needs approach. It sends requests from outside like a DAST, but is familiar with your code so it can point out the weaknesses as well.

An active one would require your input while the passive one will watch your system and alert you accordingly.

RASP, or Runtime Application Self-Protection. Even though it is not in the family of AST tooling, it is worth mentioning it too. RASP is very similar to a passive IAST. The sole difference is that the RASP protects us, while the IAST just alerts us.

If you are looking for the type of conclusion that hints at which tool to use, you’ll not have it. Each of the tools covers some area, and if somebody promised to do it all, probably it lacks in some corner and they leave you exposed.

So just proxying the conclusion Eddie reached, use at least one open source or open core tool from the AST family and make sure your SCA tool is complex enough to ensure your supply chain is properly looked at.

This was Olimpiu Pop reporting from Transylvania, Romania. I strongly advise you to read the whole article. You can find it in the resources area of 505updates.com.

Marcel Brown: 

This is Marcel Brown, the most trusted name in technology, serving you up some technology history for May 9th and May 10th. 

May 9th, 1996. Linus Torvalds describes in an email to a mailing list his conception of what he believes should be the logo for the Linux operating system. This is what soon becomes Tux the Penguin, the brand character for Linux. Perhaps had Linus known the movie Happy Feet would be released a little over 10 years later, he would’ve chosen a warbler instead.

May 10th, 1894. Wireless is born when Guglielmo Marconi sends a radio wave three quarters of a mile. Three years later, the Marconi Company will successfully commercialize ship-to-shore over a distance of 12 miles. Marconi’s work leads to the commercialization and proliferation of most of the radio technologies we know today. 

That’s your technology history for today. For more, tune in tomorrow and visit my website ThisDayInTechHistory.com.

Pokie Huang: 

That’s it for today’s open source and cybersecurity updates. For direct links to all stories and resources mentioned in today’s episode, go to 505Updates.com, where you can listen to our growing library of over 100 episodes. You can also download the transcript of all episodes for easy reference.

5:05 is a Sourced Networks Production with updates available Monday through Friday on your favorite audio streaming platform. Just search for “It’s 5:05!”. And please consider subscribing while you’re there. 

Thank you to Edwin Kwan, Olimpiu Pop, Shannon Lietz, Katy Craig and Marcel Brown for today’s contributions.

The Executive Producer and the editor is Mark Miller. The sound engineer is Pokie Huang. Music for today’s episode is by Blue Dot Sessions. We use Descript for spoken text editing and Audacity to layer in the soundscapes. The show distribution platform is provided by Captivate.fm. This is Pokie Huang. See you tomorrow… at 5:05.
