Synopsis

Greetings fans, this episode promises to be a great one with the likes of Adam Shostack starting off talking about what the whole concept of "New School Security" is all about, and how it differs from the way we've all done it for the past 15+ years.  Adam and I talked through some new interesting ideas for moving the information security community and discipline forward, and even commented on how we can start to overcome the security community's focus on 'secrecy' when things go wrong.  How do security professionals understand what the desired outcomes should be, then start to move towards implemting pragmatic approaches to move closer to those desired outcomes - because in the end it's really about business and getting it done, not about 'security'.

You will be sorry if you miss this episode!

Guest

• Adam Shostack - Adam Shostack is a principal program manager on the Usable Security team in Trustworthy Computing. As part of ongoing research into classifying and quantifying how Windows machines get compromised, he recently led the drive to change Autorun functionality on pre-Win7 machines; the update has so far improved the protection of nearly 400 million machines from attack via USB. Prior to Usable Security, he drove the SDL Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL core team. Before joining Microsoft, Adam was a leader of successful information security and privacy startups, and helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the widely acclaimed book, The New School of Information Security.

Links

• Adam on Twitter: @AdamShostack
• The New School Security blog: http://newschoolsecurity.com/

Synopsis

Last winter, on a frigid afternoon I got a chance to sit down with 2 of my favorite Iowa locals, Kevin and Kenneth to talk about the tenuous relationship between QA and Information Security.  Earlier in the day I had given a workshop on software security testing (of the web variety) to a ViViT user group, and with that topic and their questions/concerns fresh in my mind I settled down for a 30 minute conversation with Kevin and Kenneth ... we essentially continued the conversation from Episode 3 (please give that a listen if you haven't yet to get a background).

Some of the questions we tackled included "Which team within the software development or security organization is best positioned to test the security of applications?", and "Can Information Security ever really thoroughly test an application without the full context?" ...and much more.

Give this episode a listen!

Guests

• Kevin Riggins - @kriggins - Kevin is a veteran of the Information Security community with many years experience in vast IT systems and a quality, development and systems background as well.
• Kenneth Johnson - @patories - Kenneth has been in the Information Security field for the last six years, with five of those years working as an IT Analyst for Principal Financial Group. He graduated in 2007 with a BS degree in Information Systems Security from ITT Tech, and he is currently attending Iowa State to pursue a Ph.D in Information Assurance, with a specialization in Digital Forensics, Incident Response and Malware Analysis.

Greetings friends!  I am taking some time to do something a little out of the ordinary right now... I'm coming to you from beautiful Las Vegas, Nevada and HP Discover 2012 where the theme is Make it matter.

Rather than doing yet another blog post on how beautiful the show floor is, and how amazing the content is going to be, I've recorded a little bit of audio, about 6:30 miutes or so to give you a feel for what we're up to, what's going on, and why I'm downright giddy with excitement.

Synopsis

This episode of Down the Rabbithole microcast (~15 minutes length) was recorded live at the Ohio Information Security Summit.

Albert and Paul were kind enough to sit down with me and discuss metrics and process - and essentially what demonstrating "good security" means to an enterprise.  "Can we ever get there?"  Where is there?  Understanding the basics of security, measurement, and whether if we really do a great job, Information Security can work itself out of a job ... those are some heavy topics for a mini-podcast.  Enjoy!

Feedback is always welcome

Guests

• Paul Elwell - Security Specialist for a Fortune 500 company
• Albert School - Application Security Specialist and Penetration Tester at a Fortune 500 company

Synopsis

In this episode, streamed live and recorded for your listening pleasure, I'm joined by @SpaceRog and @Shpantzer from Security BSides Delaware.  What started out as an off-the-cuff discussion on the 'Cyber Apocalypse' quickly materialized into a much longer discussionw which dove into various aspects of infrastructure security, critical protection and even the inability to separate the physical from the cyber worlds.  Join us for a little bit of nostalgia, a little bit of knowledge and a lot of commentary from these two very smart staples of the security community.

This is one of those conversations which I barely edited... it was free-flowing, entertaining and insightful.  I hope you enjoy it!

Guests

• @Spacerog - Spacerog is one of the founders of L0pht, and founder of the HNN (Hacker News Network) way, way back in "the day"... He has a full profile here.
  
• @Shpantzer - Shpantzer is a veteran of the security industry and describes himself as "Information security and risk management consultant. Strong project manager with interdisciplinary skillset to solve complex business and technical problems."  He also writes for the "Shpantzer on Security" blog (which you should be following).

Synopsis

It's rare that I get to be a spectator at a podcast, but in this case I was listening to some of the conversations and talks being given at Chicago's very own THOTCON 0x3, and decided it would be valueable to you to get some of the conversation movers on the microphone.  We started talking about the applicability of information security conferences to your "day job", got into a discussion on "hallway con" and then went down the rabbithole on some interesting tangential topics ... and of course the fresh rap from DualCore was awesome.  I hope you enjoy the episode ...

Guests

• Georgia Weidman - Georgia is a independent consultant, penetration tester and mobile device hacker.
• Ken Swick - Ken is a security manager from the Financial Services vertical with many years experience in defending corporate networks, and bringing business value to information security programs.
• DualCore - DualCore ... what can I say - dropping raps like packets straight to your ears ... DualCore music is what you should hear.

Synopsis

In this short microcast we rap about the THOTCON 0x3 experience, why we think the Chicago community has taken off so much, and what sorts of interesting things make THOTCON, and the local hacker con here in Chicago, so attractive to people from around the world.  Yes, there is comedy involved...

Guests

• Todd - Audio genius, InfoSec luminary, pen tester ...better known to his Twitter fans as @Phoobar
• Ben - Ben is a Chicago suburban staple, first time on the microphone, otherwise known on Twitter as @Ben0xA

Synopsis

This episode I sit down with Dave Frederickon who has a unique viewpoint on cloud computing from a Canadian point of view, as well as a VP of the HP Canada business.  I pose some tough questions to Dave including "Is 'cloud' just marketing hype?" and other discussion topics and we have a good chat on the reality of cloud computing, who's adopting it and how it's changing and revolutionizing Information Technology at the pace of business.  This is another great podcast in the cloud series, and you should not miss it!

Guest

• Dave Frederickson - (Vice President & General Manager Enetrprise Servers, Storage & Networking Business at HP Canada) - Dave Frederickson is the VP of the ESSN group and is located in HP Canada's HQ in Mississauga, Ontario.  He is responsible for leading sales, pre-sales, channels, marketing and product management teams, achieving top and bottom line and market share objectives.  His role also includes responsibility for Enterprise marketing for HP and linking HP services and software.  He is a board member of Sharcnet and Schulich Corporate and Social Reponsibility.

Synopsis

On this episode of Down the Rabbithole I get the distinct pleasure of sitting down with one of Silicon Valley's top attorneys to talk Cloud Computing T's and C's ...and let me tell you this was a wild ride.  I learned a lot, including the fact that I know a famous legal court case about a tugboat captain and the use of radar ... and what all that CAPSLOCK PRINT ON SOFTWARE LICENSE AGREEMENTS means ...and so very much more.  Join me, and learn a little bit more about the legal aspects of cloud, before you find out the hard way.  This is a do not miss episode.

Guest

Mark Radcliffe [DLA Piper] - Mark F. Radcliffe concentrates in strategic intellectual property advice, private financing, corporate partnering, software licensing, Internet licensing and copyright and trademark.

Leading international legal publishers consistently rank Mr. Radcliffe among the top lawyers in his profession. The respected English publishers Chambers and Partners has repeatedly named him in Chambers USA: America's Leading Lawyers for Business, and has described him as "outstanding" and "a leader in open source-related matters." Legal 500 also recognizes him, commenting: "His expertise in providing strategic IP advice, with particular specialism in open-source matters, has won him plaudits. Indeed, one client describes him as 'probably the best lawyer in his field.'"

More on Mark on his profile page: http://www.dlapiper.com/mark_radcliffe/

Summary

This 1 hour podcast was recorded live at the March 7th, Chicago Cloud Security Alliance chapter meeting, where we were fortunate enough to have a panel of attorneys discuss the issues with cloud security from a legal perspective.  I hope you find the content stimulating, if not a little bit worrisome.

Apologies for some of the flaws in the audio, but this was an ad-hoc recording and I didn't have time to clean up the taps and paper shuffling that the super-sensitive microphone picked up.

This was the first recording using the mobile Zoom H4n, and I think you'll agree it's an amazing piece of tech.

This podcast is posted as-is, and hosting is provided courtesy of HP.

Synopsis

The guest on this podcast will blow your mind ... literally.  He is none other than the "human hacker" himself, Christopher Hadnagy, who has written a book and now runs social-engineer.org.  Chris is a long-time friend of mine and an invaluable resource in the psy-ops James Bond style social engineering world.  Chris knows his stuff, and he's willing to teach you if you're willing to listen... so buckle down and get educated on social engineering background, tricks and even the 6 things your company must do to prevent being a victim of social engineering attacks.  Oh ... and let's not forget, somewhere in this episode Chris makes you an offer you can't refuse, just for you Down the Rabbithole listeners, how cool is that?  If you've ever thought about taking a class, or having your organization fortified against social engineering attacks but didn't think it was within your budget - listen to this podcast ... 

Guest

 Christopher Hadnagy - Chris, or as his friends on Twitter know him - @HumanHacker - is a fountain of knowledge on social engineering and the art and science behind corporate-level offense and defense using the human mind.  Chris has written a book called Social Engineering: The art of human hacking, and runs social-engineer.org contributing to community through teaching, speaking and writing as well as hosting a heck of a podcast on the fascinating topic of social engineering.  Chris's organization offers SE penetration testing, education and is at the forefront of social engineering tactics for the defensive good.

Links

• The official social engineering portal - Social-Engineer.org
• Register for social engineering training & services through Chris's organization here

Synopsis

I had the pleasure of sitting down with Nathaniel Dean, someone I had met through a mutual colleague's introduction, and hear about a neat concept that takes the software security program to a new level.  Interestingly enough, Nathaniel runs a red team but it's guaranteed to be unlike any red team you've probably ever worked with.  The crazy thing?  It's working.  We talk through the mechanics, psychology, and business implications of what he's driving, and how he's rollig up his sleeves and getting it done which is probably more important than anything else.

Jack in and get a 25-minute does of knowledge from someone I know you'll learn something from.

Guest

• Nathaniel Dean - Business Information Security Officer at a major financial institution.  Nathaniel has been managing and building programs in this space for a long time, and his experience shows.

Synopsis

  We were "live to tape" (as Adam says) from HP's Master the Cloud event in Calgary.  As we wrap up the road tour in the frozen city of Calgary I had the pleasure of sitting down with a comedian and celebrity, a technical expert on virtualization from HP, and the manager of Intel's advanced server technologies team.  This was a wild, off-the-rails discussion and you can really tell we were just having a good time and excited to wrap up the tour.  Great topics of discussion...

Topics covered in this episode include...

• Hypervisors and their value to cloud computing, virtualization and hacking
• Why are hypervisors critical to cloud computing?
• Will Intel build a hypervisor into the silicone?
• How robust driver stacks keep hypervisors 'safe' on the software level...
• "Raising the bar" on security (analogies of a department store)
• Virtualization of compute resources & BYOD ...slightly off the rails
• Federation of identities, and applied to social media

Special Guests

• Jake Smith (Advanced Server Technologies Manager at Intel Corp.) - Jake was a keynote speaker at HP's "Master the Cloud" tour across Canada speaking about Intel's vision for a more connected, more virtualized, and more secure Cloud Computing environment; including Intel's partnerships with HP and some of the advancements they have embarked on together.  Jake can be found on LinkedIn here: http://www.linkedin.com/in/jakesmith42
• Adam Growe (Celebrity host of Cash Cab Canada) - Adam is the host of Canada's "Cash Cab" show on the Discovery Channel.  Additionally, Adam has his own quiz show ("The Adam Growe Quiz Show") and is a recognized celebrity, accomplished comedian and emcee, and has the uncanny gift to derail any boring IT conversation! Adam can be found on FaceBook here: http://fb.com/AdamGrowe and on his own site: http://adamgrowe.com - on behalf of HP I wish to thank Adam for his presence and making us all chuckle.
• Emrah Alpa (HP TippingPoint technical specialist) - Emrah in addition to being an accomplished DJ is the Northwest Canada regional HP TippingPoint technical expert.

Links

• HP TippingPoint Secure Virtualization Framework (SVF) - http://h17007.www1.hp.com/us/en/solutions/security/svf/index.aspx
• Federation (federated identity) - http://en.wikipedia.org/wiki/Federated_identity

Synopsis

World-renowned author, researcher, speaker and founder of legendary TripWire joins me semi-live from LASCON in Austin, Texas to talk about his current project(s) [The DevOps Cookbook, and When IT Fails: A Novel], and his book Visible Ops and how this can all be applied to security in today's tough business climate.  Gene and I discuss what in the DNA of well-performing (or "agile") IT organizations, based on Gene's research and experience, enables them to not only perform better, but also serve the business faster.  These high-performing organizations all have things in common, and you may be shocked to hear it's not heaps of money, or resources, or "powerful" CISOs.  The experience was a pleasure and I guarantee you'll learn something from this podcast, and I highly encourage you to add Gene's books as a staple of your career-building library.

Guest

• "The real" Gene Kim - I am working on my third and fourth books, "When IT Fails: The Novel" and "The DevOps Cookbook," scheduled to be published in June 2012. Both are the culmination of over 13 years of researching both high-performing and low-performing IT organizations, as well as benchmarking over 1500 IT organizations to help inform what behaviors simultaneously advance business and information security objectives.  LinkedIn profile, just in case you have never had the pleasure - http://realgenekim.me.

Links

Synopsis

I sat down at the HP Master the Cloud (hp.com/go/cloud) event in Toronto, Canada to answer some Twitter-based questions, talk about the trade show, and listen to some of the fantastic things Victor and his team are working on right now in their incubator ... and it was a really great 20 minutes.  We covered the questions below (posted directly from Twitter, special thanks to all who participated) and talked about technology, the evolution of security, and how organizations can take advantage of this shift as technology turns the corner in a new operating and delivery paradigm.  Is cloud right for everyone?  Probably not.  Is cloud right in every situation?  Probably not.  This is exactly why you need to listen to Victor ... this is definitely a worthwhile way to spend 20 minutes of your time.

Questions from Twitter

1. "What's your perspective on letting the entire Internet pen test your service in a sandboxed environment?" -- HackBlat (@HackBlat)
2. Virtual processing is great, but how are we supposed to layer on data privacy? IoW - w/the "To the Cloud!" rush, why aren't there any (effective) integration patterns emerging? Lift & Drop is bad for data. -- awpiii (@awpiii)
3. How does one establish bandwidth requirements when establishing a pipe to a cloud service? -- RonService (@RonService)
4. Vendor routinely sell something not using themselves. What percentage of HP infrastructure is running in public cloud offering? -- brew_ninja (@brew_ninja)
   

Guest

• Victor Garcia (CTO HP Canada) - Victor is the Chief Technology Officer for HP's Canada business, leading the business in technology & business strategy, incubation and commercialization of new technologies, strategic alliances, and systems integration as well as business management.  Victor's LinkedIn profile is here.
  

Links

• "The security poverty line" from Wendy Nather of the 451 Group (podcast with Alan Shimel) - https://gpodder.net/podcast/securityexe-powered-by-the-ciso-group-with-alan-shimel-1/security-below-the-poverty-line-with-wendy-nather-of-the-451-group
• <Links to whitepapers Victor mentioned will be here shortly>