Mon, 18 March 2013
In this episode...
Guests
Direct download: DtR_Episode_32_-_Big_Data_in_Little_InfoSec.mp3
Category:Information Security -- posted at: 12:00am CST |
Fri, 8 March 2013
Synopsis Security has an interesting view on "business decisions", and in this podcast episode recorded at GrrCon 2012 in Grand Rapids, MI I sit down with some of the talent behind MISEC and we discuss #SecBiz topics of interest including the ugly phrase "it's a business decision" and why we say that. We also dive into how decisions are made, and why security and business are still often at odds on goals and acceptable 'risks'... and why our recommendations and guidance still falls on seemingly deaf ears. We sample some of the sage wisdom of J.W. Goerlich as he runs his IT and security organization, and how he asks his security employees to think business, and put themselves into the frame of reference of the business when making decisions. Jen Fox brings up Miller's Law, and teachs us to ask "What is that true of?" when framing discussions in the business context with non-technologists. Jen makes us think about frames of reference. She tells us that we must assume that a statement someone makes is true ... from their frame of reference and we simply must get inside their frame of reference to understand their thinking. Steven Fox gives us a little bit of a glimpse into the government world where you can't always go sit down with the decision maker, and have to depend on your relationships, cooperation, and sometimes back-room politics to get things done. I invite you to listen in, this is a timeless discussion that everyone should participate in. Guests
Direct download: DtR_Episode_30_-_Its_Always_a_Business_Decision.mp3
Category:Information Security -- posted at: 9:17am CST |
Mon, 4 February 2013
Synopsis Shawn and I have been trying to get together to record an episode for what seems like forever. We first started talking about the CFAA (Computer Fraud and Abuse Act) when it was ruled that a person could not be charged as a 'hacked' under the CFAA by their employer when they accessed information improperly if the employed did not restrict that access appropriately. Shawn's expert insight here as an attorney dealing with the CFAA shines as we talk about hacking, vulnerability research, and other critical topics to the hacker culture, information security industry and security professionals. You're not going to want to miss what Shawn has to say... I want to thank him for his time, and encourage anyone who needs the sort of advice Shawn has to give him a call, or send him a Tweet. Guest Shawn E. Tuma - Shawn E. Tuma is an experienced business, litigation, and intellectual property attorney at BrittonTuma who helps businesses and individuals assess, avoid, and resolve business and legal issues. Shawn has spent his career handling cases before state and federal courts alike and is well versed in both traditional and emerging areas of the law. In addition to his career-long business law and litigation practice, he has developed a niche practice as a thought-leader in emerging areas of such as computer fraud, data breach, privacy, and social media law, with a strong command of the Computer Fraud and Abuse Act. Shawn enjoys handling highly complex commercial, technological, and intellectual property matters as much as he does those that are more traditional. Shawn can be found on Twitter as @shawnetuma.
Direct download: DtR_Episode_29_-_The_Law_and_the_Hacker.mp3
Category:Information Security -- posted at: 9:32pm CST |
Tue, 29 January 2013
Synopsis I sat down with Bill at ISSA International in Anaheim, CA in the fall of 2012 to discuss what it's like, and what types of challenges he faces in the fast-paced, hybrid world of security at Netflix. We talked about some of the challenges his environment faces, and more generic issues that are endemic to the evolving security landscape. It's fascinating to hear Bill's take on what the big picture items are, and how security is really in a state of evolution right now. Join us, I tihnk you'll love this episode. Guest Bill Burns - Director of IT Security and Networking, Netflix - Bill is a silicon valley titan, his name is associated with the likes of Infoblox, Riverbed and Netflix. Currently he's the Director of IT Security and networking at Netflix managing security in a hybrid cloud, traditional IT world, and facing some of the most complicated challenges in today's tough security landscape.
Direct download: DtR_Episode_28_-_InfoSec_in_a_Cloud_of_Constant_Flux.mp3
Category:Information Security -- posted at: 9:19am CST |
Mon, 7 January 2013
Synopsis To kick off January on the Down the Rabbithole podcast I have Mikko Hypponen, the "malware adventurer" and Chief Resarch Officer from F-Secure Corp and we're talking about the state of malware and 'viruses' digging into the modern threat landscape and maybe digging up a bit of nostalgia from the late 90's. This is a fascinating conversation so I invite you to break out your old boot sector and COM viruses and join us for some interesting discussion! Guest Mikko Hypponen - Chief Research Officer at F-Secure Corp., TED speaker, and self-professed "malware adventurer". He can be found on Twitter at @Mikko
Direct download: DtR_Episode_27_-_Way_behond_viruses.mp3
Category:Information Security -- posted at: 4:00am CST |
Fri, 21 December 2012
Synopsis This microcast episode was recorded live from hackfest.ca 2012, on location in Quebec. The conference is a phenomenal success for the challenges they face (primarily non-English speaking region, small market, etc) but they've managed to attract a ridiculous amount of people to this conference, awesome speakers, and have one of the best 'War games' scenarios I've ever seen... listen to these two guys talk about how they make this happen. Guests
Direct download: DtR_MicroCast_06_-_Hacking_in_Quebec_Hackfest.ca.mp3
Category:Information Security -- posted at: 12:00am CST |
Tue, 18 December 2012
Synopsis This episode is special because it's been a long-time-in-the-making interview with Brad Arkin of Adobe. This is the organization that many of the hacker community like to hate, and pick on - without realizing the monumental task of securing the software that Brad's team is responsible for. Brad's official title at Adobe is Engineering Senior Director but in real life one of the responsibilities his team is tasked with is doing product security for products like Adobe Flash and Reader ... Brad's take on software security and how he got the bug problem under control at Adobe is worth a listen! Guest Brad Arkin - Engineering Senior Director at Adobe - Brad has a long history of being involved in the Information Security world, particularly software security and has held many interesting roles from Cigital, to a technical director at @Stake, to working his way through Adobe since 2008. Brad can be found on LinkedIn, here: http://www.linkedin.com/pub/brad-arkin/1/2a8/4.
Direct download: DtR_Episode_26_-_Software_Security_under_pressure.mp3
Category:Information Security -- posted at: 4:30pm CST |
Fri, 26 October 2012
Synopsis LIVE from day 2 of the ISSA International conference 2012, in Anaheim, California I cornered Eric Cowperthwaite after a much-anticipated year-long wait... and we talked about his prediction that in the next 2 years many of the traditional IT employees will be employed as either business-IT resources in the enterprise, or IT-technical resources at an IT outsource or cloud provider... Eric's predictions tend to be right on the money so it'll be interesting if some of the things he advocates in this microcast come true! Only time will tell. Guest
Direct download: Cowperthwaite-ISSA_Intl_-_Rise_and_Fall_of_Enterprise_IT_01.mp3
Category:Information Security -- posted at: 5:43pm CST |
Mon, 22 October 2012
Syhopsis When I caught up with these two gentlemen in Amsterdam over the week of Black Hat 2012, I knew we wouldn't run out of things to talk about! We ended up chatting for quite some time, and I think you'll find this conversation interesting from hearing of David's recent work with Oracle, and Jim's perspective on "the fix"... I kept the conversation going and am probably at last partially responsible for how long this podcast ended up being. It's well worth the time, in my opinion, as we cover the following topics:
Guests
Direct download: DtR_Episode_25_-_From_Black_Hat_Amsterdam_2012_with_SQLi.mp3
Category:Information Security -- posted at: 2:43pm CST |
Thu, 4 October 2012
Synopsis This week we went free-form with two of my favorite InfoSec insiders ...people you probably follow on Twitter but can't quite place. Here are some of the topics covered this week:
Guests
Direct download: DtR_Episode_24_-_All_the_things_InfoSec.mp3
Category:Information Security -- posted at: 11:00am CST |
Mon, 24 September 2012
Synopsis Today's podcast discussion is with someone who has one of the toughest jobs in the security world... Patrick helps organizations that generate and deliver the power that runs our gadgets and critical systems that maintain life as we know it. The power grid is not only surprisingly vulnerable due to it's age-old infrastructure, but also surprisingly resilient due to the complex nature of power distribution and generation... there's just a lot more to it than most people realize. Patrick separates fact from fiction and goes into the pragmatic approach on national electric grid security - where we realize that it's really worse than we believed from a cyber security perspective, but better than we know because as you read this the electric grid is under constant attack, but it's still transmitting clean power. I urge you to listen to this podcast, and then engage Patrick (@PatrickCMiller) or I in discussion... Guest
President & CEO of EnergySec Principal Investigator of National Electric Sector CyberSecurity Organization (NESCO) Links:
Direct download: DtR_Episode_23_-_Energy_Sector_SmartGrid_and_Resiliency.mp3
Category:Information Security -- posted at: 10:08am CST |
Wed, 29 August 2012
Synopsis In this episode we ask the big question of "Can security be a part of the 'build/deploy faster!' culture?" We discuss the need to separate out high/low risk code, understanding how to deploy dormant components of the applications, proper testing strategies and branching/merging in a world where faster isn't just an ask, it's a need to stay competitive. A huge thank you to all my guests for their time and expert insight. The combined talent and experience of my 3 guests is something you should absolutely take a listen to, as these gentlemen really know what they're talking about - whether it's Information/Application Security, or DevOps ... this is a discussion that bridges both with expert precision. Guests
Links:
Direct download: DtR_21_-_Wickett_Galbreath_Saudan_-_Continuous_deployment__security.mp3
Category:Information Security -- posted at: 10:20am CST |
Mon, 6 August 2012
Synopsis This episode was recorded in June '12, live from the show floor at HP Discover Las Vegas, 2012 and the talk of the town was once again DevOps. Gene and I have had 2 prior conversations on the topic, but we're once again tackling the impact of DevOps on the IT and security relationship and overall business value. We tip our hats to several people including Josh Corman (Rugged DevOps), David Mortman, James Wickett, Nick Galbreath and Mr. Daniel Blander for their prior contributions and supporting work on the topic. Gene talks about some of the mechanisms we have available to us to bridge that IT Security-to-developer-to-operations gap that's holding us back from true business value. Fun fact- studies have found that when you wake up a developer at 2am to solve an issue, problem resolution times plummet! Enjoy the podcast, and go grab Gene's books when they're available... comments are welcome! Guest
Links
Direct download: DtR_20_-_Gene_Kim_-_DevOps_from_HP_Discover.mp3
Category:Information Security -- posted at: 12:00am CST |
Tue, 10 July 2012
Synopsis This episode is special, not because it's more Info Security stuff, but because we take a far departure from the world of bits and bugs to the world of the pick-pocket and thief. Sitting down with Bob Arno is a real pleasure, as he has the storytelling ability and knowledge to educate and open your eyes to a world where nothing is as it seems and anyone can be separated from their valuables. Yes - this extends into the world of Information Security, and there are lessons to learn. In this episode Bob and I talk about picking pockets, keeping yourself safe, and the world of criminal activity in the physical and digital world... Bob is also speaking at Hacker Halted, Miami 2012 so if you listen to this episode and are thinking about going ... there's a contest coming! Stay tuned... and you can win an excusive, private dinner with Bob in Miami! Guest Bob Arno is widely known as the "World's foremost legal pick-pocket". He's performed on stage, on television and has provided advice to travelers on how to keep from being roused... Bob is a speaker, entertainer, author, and special lecturer to law enforcement agencies. He has been profiled or quoted on NPR, CNN, MSNBC, ABC’s 20/20, The Travel Channel, The Learning Channel, Discovery, Court TV, in The New York Times, USA Today, Fortune, Kiplinger’s, National Geographic Traveler, Law and Order, and others. He has lectured for the Police Departments of Chicago, San Diego, Houston, Las Vegas, Detroit, Honolulu, Anaheim, and many abroad; for the California Tourism Safety & Security Conference, the International Tourism Safety and Security Conference, and many others; for Kroll & Associates, RSA Security Conference and Expo, and more. He taught an accredited course at the Connecticut State Police Training Academy. Links
Direct download: Episode_19_-_Bob_Arno_-_The_Worlds_foremost_legal_pickpocket.mp3
Category:Information Security -- posted at: 3:12pm CST |
Sun, 1 July 2012
Synopsis I caught up with my friend Kellman Meghu at BSides Detroit as the conference was coming to a close and we finally got to sit down and have a fun conversation about chaos, and what sorts of things enterprises can realistically do to increase security today. We both work for vendors so we talked about "shiny blinky boxes", when things fail, and the notion of resiliency. Fun conversation ensues ... with a random sprinkling of security buzzwords. Kellman's famous quote is from this episode is "I can hand you this tool, and that doesn't suddenly make you any more secure than if you hand me a hammer I suddenly become a carpenter." Wise words to live by folks, wise words indeed. Spend a few minutes with Kellman and I, and see why he's one of my favorite people to interview. Guests
Links
Direct download: DtR_Episode_18_-_Kellman_Meghu_-_Chaos.mp3
Category:Information Security -- posted at: 11:06pm CST |
