• The recent Booz Allen Hamilton report into GRU activity over the years
• The role of SIGINT collection in the COVID-19 crisis
• Microsoft Azure struggling to keep up with new capacity demands

You can view the YouTube recording here:

WARNING: Contains a fair bit of discussion about Australian politics. You may be permanently scarred after listening.

On this edition of the show we're talking to Dan about a bunch of stuff. Kanye West has apparently announced he's running for president in 2020, we talk about that. We talk about Donald Trump because, wow... just wow...

Then we move on to the depressing stuff, the European refugee crisis. Are the handful of flashpoint images and stories actually going to get people motivated about fixing the wider problem? Or will they result in a few Kickstarters to directly help the affected individuals, absolving donors of their first world guilt? We have a bob each way on that one.

We talk about the vaccination free childcare centre springing up in my 'hood -- geez, what could go wrong there -- and finally we look at the way streaming services are reshaping the media landscape, in particular the types of shows that are being commissioned. Could NetFlix spell the end of high-quality tv news and current affairs?

This week we're talking about the nationalist, anti-Islam rallies held across Australia over the last week or so. We also chat about Donald Trump being a douche and Barack Obama's new lease of life as a lame duck president. Oh, and we also talk about the Ashley Madison hack because, hey, who isn't...

We also speak about Apple's stupid watch. I should warn you, too, I don't edit this podcast for bad language and there are f-bombs aplenty. So if you have your kids in your car and you don't want them hearing my awful, awful language, please turn off this podcast now.

Like:

* Australia's obsession with the Gallipoli campaign and the sacking of Scott McIntyre from the SBS.
* Australia's new vaccination requirements for parents who still want all those tasty, tasty tax benefits.
* The "ISIS doctor", Tareq Kamleh. Is he doing anything wrong?

PLEASE NOTE: I didn't bother editing out naughty words in this one, so if you have kids in the car you may not wish to expose them to our awful language.

Scott was a part of the original PacketLoop team -- PacketLoop was an Australian start up that created some pretty impressive big data security analytics technology. It was so impressive that it wound up being acquired by Arbor Networks and is now sold under the Pravail brand.

Somehow the original team managed to convince Arbor to keep the bulk of the R&D on those products based right here in Australia. So you could say we're all pretty big fans of Scott and his team for scoring some runs for the home team. They've got 12 staff in Sydney, and they're growing.

It's been eight months since the deal was struck, so I caught up with Scott to talk about what's new in the field of big data security analytics. And interestingly enough, the Pravail tech wound up being pretty useful lately. Because it performs packet-capture based analysis, the Pravail team could help their clients roll back through their stored packet captures to see if anyone had used the Heartbleed flaw against them. Somewhat reassuringly, the Pravail guys at Arbor did not find any evidence of Heartbleed actually being used in the wild.

It's the reason we're seeing a lot of gear hit the market that will help you post intrusion. I started off by asking Dave if he'd noticed this shift in thinking in the market.

I was a debater this year and as you'll hear I had zero time to prepare, so my contributions are pretty lame, but there was a hell of a panel like always. The whole thing was moderated by Adam Spencer.

Most of it makes no sense, some of it is funny, some of it is just stupid. Like it or loathe it, it's almost become an institution at this point so we absolutely have to include it.

So here it is! The speed debate! The closing event from AusCERT 2014, I hope you enjoy it.

Peter knows crypto. He's a professor at Auckland University, has written crypto libraries and even had a hand in writing PGP.

I started off by asking Peter for his thoughts on the controversial dual elliptic curve number generator. Was it really backdoored by the NSA?

Jason's expertise is in finding out how to take the motivational aspects of games and apply them to work processes. We all know that sitting your staff down in a dimly lit auditorium to lecture them on spear phishing does precisely nothing to change user behaviour. But what if you made the hunt for spear phishing messages a game?

I sat down with Jason Fox after his presentation and recorded this interview.

I spoke to Mark about the massive influx of NTP-based DDoS traffic we've seen this year. Can we expect attackers to move on to other protocols and services like SNMP and Chargen? He thinks so. But it's not until we start seeing SNMP-based DDoS capabilities built into generic malware that we'll really have big problems.

Kate is ex-DSD and currently serves as a principal consultant with Datacom TSS in Perth. She's been doing a bunch of work with a bunch of different organisations on preparing them for the looming G20 summit in Brisbane.

What do the threats look like? Where are they coming from? And what can be done about them?

Peter is well positioned to do this talk. He's a researcher in the Department of Computer Science at the University of Auckland and works on the design and analysis of cryptographic security architectures and security usability.

He helped write PGP, has authored a number of papers and RFC's on security and encryption, and is the author of the open source cryptlib security toolkit. And luckily for us, he's a fairly regular guest on Risky Business.

He's been working on a very interesting side project for a couple of years now. Essentially it's a social media analyser that identifies sources of high-quality information. Users can tap in a keyword and drill through the conversations on social media that actually matter -- the conversations that influence the influencers. The project was born of Matt's desire to never have to log in to Twitter again.

I warn you in advance that there are a few references from the movie Hackers in this interview... sorry about that... HACK THE PLANET!! .... but yeah, Neal has been doing some work involving supercomputers and I decided to interview him about them. They make excellent bitcoin mining boxes!

I posted his talk yesterday... he touched on the Weev vs AT&T trial in that and I thought it would be interesting to get his perspective on the CFAA, precisely because it's not the sort of thing he normally concerns himself with. He has less of an agenda than a defence attorney or a prosecutor.

(If you haven't heard the episode of the regular Risky Business podcast where I had a chat with Weev and recapped that whole thing you might want to check it out because we reference it in this interview. It's here.)

So I asked him what has changed in the field of database security. Has Oracle improved its procedures?

The possibility of burning their sweet, sweet 0days is actually turning some attackers away from well-resourced targets and towards secondary targeting; attacking their targets' partners and suppliers.

This is a recording of a presentation by Bob Clark, who these days teaches at the US Naval Academy. He has a long history as a department of defence lawyer including a stint as the counsel for the US Army Cyber Command.

In this talk Bob covers some ground he has covered before -- looking at when an online action represents an act of war under the laws of armed conflict -- but also takes a look at some legal cases in the civilian world involving the CFAA.

Felix is a very well known hacker and researcher, and his talk is titled we come in peace, they don't. As you'll hear, he's not exactly Google's number one fan. Here he is, I hope you enjoy it!

Ed Felton is a professor of computer science and public affairs at Princeton's centre for information technology policy. From 2011 to 2012 he was the first Chief Technologist for the Federal Trade Commission. He's a very well known and highly regarded researcher and academic and he spoke at AusCERT on security in a surveilled world.

Some of you would remember the interview I did with Dave last year about his OSINT analysis of North Korea, I also recorded and published his AusCERT talk on that topic last year. Well, this year he returned to AusCERT with his pal Olivia Maree to do another North Korea-themed presentation. This time the pair presented a talk about the information cordon - how information gets in and out of the country. Between USB thumb drives attached to home-made air balloons to tiny radios smuggled in to the Democratic People's Republic of Korea, you'll hear that state control of information entering the country isn't what it used to be, and, you know, that's a pretty big deal. and yes, I know this isn't your typical info sec story but you all loved my interview with Dave last year so I figured you'd all want to hear about this anyway\u2026

I started off by asking Olivia how the regime seeks to control information flowing into North Korea\u2026

**************EDITOR'S NOTE: This post originally referred to Olivia Maree as a lawyer. While she has a law degree, Olivia has never worked as a lawyer or completed articles. Apologies for any confusion. The audio introduction to this interview is still incorrect and will not be updated. - PG

I started off by asking Paul to recap the paper for people who aren't familiar with it.

In this presentation she looks at why these young men got involved in such risky activity. What drove them, and what does the future of Anonymous look like?

One of CrowdStrike's founders was Dmitri Alperovitch. He was at AusCERT and used his speaking slot to basically deliver the thinking behind CrowdStrike's pitch. It's nothing earth shattering, but it's a really well packaged speech that presents a cogent argument for the concept of active defence. So here it is, Dmitri Alperovitch's AusCERT talk titled Offence as the Best Defence.

Datacom TSS is a Canberra-based, national security firm founded by ex Australian government security specialists. These guys specialise in dealing with highly skilled adversaries... Now, when they founded this business a few years ago, there was awareness in government that highly skilled adversaries were a real challenge... but it's really been 2013 where executives at the boardroom level have sat up and taken note of security issues, particularly the issue of APT.

They've realised it isn't just the Google's of the world who are being attacked by state sponsored adversaries -- Oil companies, broadcasters and insurance companies have been absolutely nailed by teams working for the governments of North Korea and Iran, for example.

Furthermore, Mandiant's APT1 report really put the issue on the map for a lot of people who previously just weren't aware of the issues. It's that whole chicken versus egg thing -- are people becoming aware of it because of the media attention or is the media reporting on it because people are becoming aware?

So how has this affected things for a business like Datacom TSS? Declan Ingram joined me to discuss. I started off by asking him how perceptions of sophisticated threats have changed over the last couple of years.

The team at Datacom TSS recnetly ported its Red Team Trojan over to the Android platform, and it's surprisingly easy to trick people into installing it. You just email it to them and ask them to install the APK package.

And what you get once you're on someone's phone is quite awesome. Not only can you turn on the microphone and snoop on boardroom conversations, but you can use the 3G or LTE connection on the device to do your exfiltration. That way you're completely bypassing the heavily watched gateway. You can also use it to bypass SMS-based authentication.

Mark Brand is the Datacom TSS guy who did the Android port. He joined me by phone to tell us all about it.

Dave, who works as a security response engineer for a vendor, studies geography and mathematics at the University of Queensland and recently completed a study on long-term remote-sensing analysis of North Korea. In his talk he looks at an OSINT analysis of North Korea\u2026 he talks about the work he did as well as looking at what other North Korea watchers are up to. There's some really cool stuff in there about Red Star Linux, too -- it's a North Korean Linux distribution that's surprisingly polished.

So here he is -- it's Dave Jorm's AusCERT talk. Enjoy.

In this talk Mark argues that we're focussing on the wrong stuff when it comes to SCADA security. He gives us an experts view on the conversation we should be having if we actually want to fix things. Here's Mark Fabro, I hope you enjoy it.

BugCrowd is an Australian business, but Casey is currently in the USA where the appetite for information security investment opportunities is apparently hitting fever pitch. In this interview I ask him how one might get started off on the path to massive phatcash through their cybersecurity startup.

Michael has worked as chief technologist of Google Maps, Earth, was the CTO of Keyhole Corporation, the company that developed the technology behind Google Earth and was also CEO of Intrinsic Graphics, and was director of advanced graphics at Silicon Graphics.

His presentation was called Security's Biggest Risk, and it basically boils down to the dumb stuff bringing us unstuck. It's a very high level talk that definitely has its moments, and I hope you enjoy it. Here he is.

During the great "SSL wars" of 2011, when hackers like Comodohacker went cyber-berserk owning CAs and minting their own certificates for sites like Gmail and Facebook, valuable lessons were learned. It's becoming the norm for browsers to pin certs for well known websites... and now this same approach to certificate sanity checking is finding its way into code signing checks.

Microsoft's latest EMET, version 4.0 which I think is still in Beta, will pin certs for signed applications. It's a good idea -- it makes life a little tougher for the bad guys, but as you'll hear, it's not going to kick the can THAT far down the road, as Paul Ducklin explains.

When Casey co-founded the business the idea was simple -- the company would host outsourced bug bounty programs for clients that didn't have the expertise to run their own. As some of you may know, the idea really took off, but what no one expected was for BugCrowd's registered testers to do a better job than many penetration testing teams.

It's cheaper than a pentest, and in the case of Web application or mobile application security testing, these bug bounty programs are turning up more actionable issues than penetration testing teams.

Could these types of programs be disruptive to the penetration testing services industry? Casey joined me to discuss.

His talk at Ruxcon Breakpoint was all about the security of baseband chipsets. If you follow this stuff you might know that the baseband chipsets in these smartphones -- which handle all the basic communications functions of the phones -- are actually quite sophisticated. And where there's sophistication, there are potential problems.

As you'll hear, there's research going into attacking baseband chipsets through two vectors -- directly through the cell network, if you control it, or if you can trick your targets handset into associating with your fake networks... or indeed through the OS. It's interesting stuff.

As regular listeners of the Risky Business podcast would know, we're pretty much convinced Android was rushed to market -- it was insecure, immature, way too open and a big, glaring risk to its users. Combine that with the inherent problems with the Android ecosystem and you had a recipe for disaster.

For those unfamiliar with those ecosystem problems, Android is very difficult to patch. Android users must wait for Google to update the OS, then ship the updates to the manufacturers who customise them for their hardware, then in turn they have to pass them on to the carriers, who may or may not customise those OS builds for compatibility with their apps and then pass the updates out over the air. Long story short, most Android devices wind up remaining unpatched.

Well, things have changed. As Joshua outlined in his presentation, Google has built a lot of exploit mitigations into the mobile OS and they're starting to look pretty effective. Is it possible that Google has dodged what many saw as an inevitable bullet?

That's because he's been looking at implantable defibrillators and pacemakers. As it turns out they have wireless interfaces that allow you to connect to them. You can bypass their rudimentary authentication and start sending 830 volt zaps into your victim's heart which, obviously, isn't ideal.

Jack says these techniques could be used for targeted assassinations, or perhaps even more worryingly, a maliciously motivated person could actually create an auto-propagating worm designed to kill people!

PacketLoop is a new Australian business that applies big data analysis techniques to your packet captures... you can visualise your captures, drill down into them, and even spot successful 0day attacks against your organisation after the event -- that's a simple trick, that one, they just loop your packet captures through IPSs after the fact... when they get signature updates, they loop them through again. Hence the name, PacketLoop.

You can sign up to a Beta at PacketLoop.com, and I suggest you do. Think of this stuff as like NetWitness in the cloud.

I caught up with PacketLoop co-founder Michael Baker to discuss his presentation at the Ruxcon conference, which was all about Big Data security analytics. I started off by asking him roughly what he planned to talk about.

It's a chance to have a bit of a laugh at all things security and it's hosted by ABC personality Adam Spencer. Enjoy!

Really what this chat is all about is interface. We cover a few topics; how users are finding it increasingly difficult to determine when a warning dialogue or popup is genuine or fake, how online crime syndicated are investing a great deal more effort into pretty graphics and good copywriting, and then we chat about how mobile operating systems like Android have succeeded by making extraordinarily complicated things appear very very simple, and what the security implications of that are.

Her talk is titled Surveillance or Security? The Risks Posed by New Wiretapping Technologies.

Datacom TSS is a relatively new Aussie company that offers all the usual services, like penetration testing and app review, and we're going to chat with Declan about when those types of services can be best deployed. Dropping massive amounts of budget on pentesting might not be the best way to use your resources, he says.

As soon as you listen to Mark for more than five minutes you'll quickly realise he really knows what he's talking about.

This talk is about performing incident response and forensic analysis on live SCADA networks. It's very interesting stuff and Mark is a great presenter.

We spoke about attempts by governments to mandate minimum security requirements for critical infrastructure through regulation. I started off by asking him what regulation attempts in North America look like now.

We discuss the state of both application and volumetric based DDoS techniques.

As you'd no doubt be aware, Arbor makes DDoS mitigation equipment -- there's the enterprise stuff that blocks application-based attacks, like attacks that exhaust resources on the target, then there's the telco stuff that blocks the volumetric attacks -- a.k.a. bandwidth exhaustion attacks.

I started off by speaking with Matt Hollis of ASX - listed connectivity provider Vocus. These guys have some serious tubes, so they're used to seeing a lot of volumetric attacks. Then I got on the line with Arbor Networks' Nick Race to discuss app-based attacks.

A part of that vision is advocating a more communication and integration between apps and infrastructure. He says apps should be able to interact directly with networking infrastructure through APIs. It sounds great, but could it be a disaster?

It's a nice overview that points out some of the dumber implementation mistakes that have been made by card brands and issuers.

There's a reference to a Shmoocon talk in this recording. You can find the whole thing here.

During his presentation he mentioned that espionage is actually legal under international law. I asked him to expand on that and we had a great chat about the legal aspects of online espionage.

If you're lucky enough to have met Rob, you'd know that not only has he built a crazily successful business, but he's one of the most technologically savvy people you will ever meet. He lives and breathes his business, and lately he's been focussing on what he sees as a future problem area: Denial of service attacks against mobile 3G and 4G/LTE networks.

As you'll hear, Rob says the average mobile network is a bit of a disaster and there'll be plenty of opportunities for miscreants to wreak havoc on them.

It takes him a few minutes to pick up steam, but I definitely recommend sticking with his talk. It starts out good and winds up fascinating. The title of his talk is The Enemy, and in it he examines three groups of attackers -- Criminals, Hacktivists and Nation States. It sounds like well worn material, but Mikko's take is definitely worth listening to.

Here he is: Christopher Hoff, chief security architect of Juniper Networks. Enjoy.

His presentation examines the legal regime surrounding cyberspace operations.

He looks at the legal underpinnings of computer network security; defense; exploitation; and, attack. It is absolutely riveting stuff and I hope to be catching up with Mr. Clark at some point during the conference to ask him about six million questions.

Datacom TSS is a relatively new Australian company backed by the Datacom group, the large integrator. They're an independent company offering the usual stuff, like penetration testing and app review, but what makes them a little different are its founders.

They used to work in the security and intelligence community for the Australian government, which means they've spent a lot of time viewing the threat environment with a slightly different perspective to the rest of us. With that in mind, I thought it would be interesting to ask Richard what it was like for him to transition from his previous place of employment into the private sector. Here's what he had to say.

RAW AUDIO.

Moderating the panel is The Chaser's Julian Morrow. On the panel:

* Nicholas Hayden, Hungry Beast, ABC TV
* Marc Fennell, Hungry Beast, ABC TV
* Grace Morgan, Julian Assange's Australia-based solicitor
* Suelette Dreyfus, Author, Underground
* Patrick Gray, Host of the Risky Business podcast
* Christine Assange, Julian Assange's mother

The recording is unedited. Enjoy!

Maarten Van Horenbeeck works in the Microsoft Security Response Center managing Microsoft's efforts to share information on security vulnerabilities with third party security software providers, government agencies and national CERT teams.

This talk is about how Microsoft applies ratings to its product vulnerabilities... there are a bunch of ratings systems out there... Maarten covers off some of these and discuss how MS boils down its own scores. I hope you enjoy this talk.

Ross has kindly allowed us to podcast his entire talk.

Ross is professor of security engineering at Cambridge University, and author of the bestselling textbook "Security Engineering: A Guide to Building Dependable Distributed Systems". He was a pioneer of peer-to-peer systems, of hardware tamper-resistance, and of the economics of information security.

Ross will discuss the economics of information security in two contexts: frauds against payment networks, and the resilience of the Internet. The talk will draw on a recent major study Cambridge did on the resilience of the Internet.

It's hosted by Australian broadcaster and journalist Adam Spencer. I hope you enjoy it.

According to the official synopsis: This presentation will outline the role of addresses and routing and the potential attack vectors, and will also report on the progress to establish a secure framework for addresses and their use in the Internet, highlighting the progress in establishing a secure routing environment for the Internet.

As regular RB listeners would know, we've followed APNIC's work and papers in this area and they have a habit of pushing out good stuff... so this should be a decent talk. Enjoy!

And in this interview we're chatting with Microsoft Australia's Chief Security Advisor Stuart Strathdee about the affect the PSN network breach has had on large organisations' security outlook. As you'll hear, Stuart says a lot of security projects that had been on the back burner are now being brought forward.

Enjoy!

His talk focuses on what he calls the IT Security Generation Gap. Too often are today's security policies written and enforced by people who don't "get" social media, the public Internet, iPads and BitTorrent. But at the same time, anyone with an infrastructure to secure needs workable procedures and tooling to protect their data and systems. His talk covers common failings in this generation gap and provides guiding principles to close the gap and reduce exposure.

Internode is an ISP and Mark really knows his stuff. We all know security considerations in IPv6 aren't exactly thrilling, but Mark managed to actually make this presentation interesting and a little bit thought provoking. I was popping in and out throughout this session and yeah, it was definitely more interesting than I was expecting. So here it is!

As a part of that sponsorship Risky Business is posting a few sponsored podcasts -- this is one of them, an interview with Microsoft's Identity specialist Paul Conroy. In it, we discuss what enterprise customers out there are actually looking for, as well as having a bit of a chat about SAML 2.0 -- an authentication protocol that you can use... and I can't believe I'm going to say this. In the... cloud. I said cloud. I'm sorry. But listen to the interview, it'll make sense.

The talk is on Risk Management in a Smart Metering Environment.

There were mutterings in the Queensland state parliament some time ago about a project consultant criticising the rollout... the minister responsible also said something about the department exploring legal options to shut said critic up. Geez, I wonder if it was Tim?

Tim did a presentation here at AusCERT earlier today... I asked him to tell me what he spoke about.

I'm going to read from his talk synopsis here: The first half of Jason's presentation will be an overview and update on what's happening in control. In most cases, simply sending properly formatted commands to the field equipment is enough, but there are cases when this does not achieve the attacker's goals. If the field equipment contains sanity checks, the attacker needs sub-second control, or if he simply wants to hide, he will invade the field equipment. Understanding the challenges the attacker faces are essential for any sort of investigative or forensics effort. The second part of the presentation will cover attack and forensics of the embedded systems used in industrial control systems.

We were a couple of minutes late plugging into the desk, so we'll pick up Jason's talk just a few minutes in.

Several years ago Bennett Arron was in serious debt. He owed thousands of pounds to mobile phone companies, catalogues and department stores. But it wasn't him! As it turned out, he was a victim of Identity Theft.

Years later, he wound up writing a comedy show about his experience... he eventually directed and presented a Documentary for Channel 4 called How To Steal An Identity.

In it he actually stole the identity of the then Home Secretary, Charles Clarke.

He was arrested over it, but you'll be pleased to know he was never convicted.

Anyway, Bennett was kind enough to allow Risky Business to play an excerpt from his talk. The whole thing is about an hour long and very entertaining... so obviously you should book him for your next exotically-located conference and or event. Big thanks to Bennett for allowing us to play this chunk of his talk.

If you haven't heard of beef it's a very cool tool. If you can get someone to load it into your browser, either by them visiting a site you control directly, or alternatively through some sort of cross site scripting bug, then you can get the browser to do all sorts of stuff for you -- like portscan the victim's LAN, attack JBOss servers and stuff like that.

I caught up with Wade and asked him to tell us all about BeEF and what's the latest. With beef. Here's the beef.

Mobile security is all the rage these days, so when Research In Motion (RIM) VP of security Scott Totzke came to Australia a few weeks ago, we made sure we got an interview.

RIM is the company that makes the Blackberry. While it doesn't have as many cool points as the iPhone, the Blackberry has become the mobile workhorse of the modern enterprise. US President Barack Obama famously insisted on keeping his Blackberry when he came to office, so obviously anything Scott has to say about mobile security deserves to be heard.

I spoke to him by phone a couple of weeks ago.

For those who don't know what it is, Tor is a free-software anonymizing network that helps people around the world use the Internet in safety, the official blurb says.

Tor's 1600 volunteer relays carry traffic for several hundred thousand users including ordinary citizens who want protection from identity theft and prying corporations, corporations who want to look at a competitor's website in private, and soldiers and aid workers in the Middle East who need to contact their home servers without fear of physical harm.

So if you're based in Iran or China and don't want the government being able to identify your source IP, it's a pretty handy tool.

But governments are cottoning on to Tor and making efforts to block their citizens from using the Tor network. Roger discusses the changes the Tor project has made to combat these government restrictions. It's a good talk and I hope you enjoy it!

Sutton claims that malicious pages linked to trending topics are rising through Google's rankings almost immediately. In other words, the bad guys have gotten good at SEO.

But if Sutton and his colleagues can identify these pages from outside Google, why can't Google detect them? It's not exactly short on resources or cash.

With all this rogue AV stuff floating about, the Microsofties are encountering a few fairly significant dilemmas on how to deal with this stuff. Should the OS only accept certain, known brands of AV? Well, then they're acting as a gateway and telling people what they can and can't run. Can't do that. What about a warning system like they did with device drivers? Well, that wasn't much good in the end because people just ignored the warnings.

So what can Microsoft do about this rogue AV problem?

A highlight of the conference, this year's panel was hosted by Australian media personality guy Adam Spencer. Panelists were: Max Kilger, Scott McIntyre, Marcus J. Ranum, Roger Dingledine, Alastair MacGibbon, Paul Gampe and Tim Redhead.

It was one of the better talks.

Scott's the Chief Security Officer for Dutch ISP XS4all and serves on the board of directors for the Forum of Incident Response and Security Teams, or FIRST.

In this talk Scott argues that all the FUD out there is leading to over regulation. He also argues that CSIRT teams and incident handlers actually cause some security failures and that understanding the far reaching consequences to our actions is critical if we're ever going to have a safe Internet experience for the masses.

His talk is titled "Scenes from the 2010 US/China Cyber war".

It is, in part, a criticism of the way vendors and CERTS are actually dealing with each other.

He argues that by understanding the recurring behavioural patterns of victims that hustlers have learned to exploit, we can create systems that are more resistant to fraud.

Frank plays three videos in the talk. With two of them you can get by with the audio alone, but the first one has a significant visual component. The good news is I found the video on Youtube, and I've linked to it here.

You'll hear me, during this presentation, say something along the lines of "check out the video now" so you can pause the mp3 and watch the video. Sounds a bit involved, I know, but it's the only way I could think of to bring this presentation to you.

Here's the YouTube link again.

Ben Bromhead and Ken Hendrie spend their lives up to their armpits in Windows mobile devices -- they actually do the worldwide common criteria evaluations for Windows mobile devices right here in Australia. As a result, these guys know a thing or two about mobile device security.

In their presentation, titled simply "mobile security", the two looked at the common threats to mobile devices and some mitigations. I caught up with them after their presentation for this interview.

I grabbed Whit for an interview in the hotel lobby bar and started off by asking him if he's disappointed that PKI hasn't been universally adopted yet.

These days he spends his time trying to retrofit Windows with decent security. He works for the Windows core team.

I'll drop you into the talk here where he's explaining how certain bad things happened to Windows and the Microsoft ecosystem, namely, how interoperability concerns hampered the software company's ability to secure Windows.

You'll have most likely heard that Google has been busted collecting payload data from wireless networks as its vans drove around doing Google Street view videos... so I asked Neal for his take on that also. Enjoy.

It was commissioned by Microsoft and was intended to assess the data security practices of North American, European, and Australian enterprises by surveying CISOs.

Forrester sought to understand the value of sensitive information contained in enterprise portfolios; the security controls used to protect this information; the drivers of information security programs; and the cost and impact of enterprise data security incidents.

There were some interesting findings. Among them, that security managers use compliance regimes to justify security spending, not security for security's sake.

You can download the report here.

This week we're chatting with the company's vice president of security response, Vincent Weafer.

In this interview, Vincent and I discuss the relative complexity of modern malware. Gone are the days of 214-byte malware that could spread via a single UDP packet. They were good days, but now they're gone and we're dealing with some really diabolically complicated stuff.

But we're still seeing malware that's relatively simple considering its 2010. Gumblar is a good example of that -- it's simple and not particularly sophisticated, but it's been very effective.

So which poses a bigger threat? Simple stuff or complicated stuff?

And today we're speaking with Vincent Weafer, Symantec's director of security response. Regular listeners of Risky.Biz podcasts would have heard me tonking on a LOT about patch management lately, and in particular the moves by large security vendors like McAfee, Trend and Symantec into that space.

McAfee and Trend have licensed technology from BigFix and Symantec is integrating technology from its Altiris acquisition into its endpoint security products.

It's an interesting trend, and one that I personally think will have some meaningful implications for enterprise security. For one, patch management will all of a sudden be a capability of security teams, not just desktop teams.

So I thought I'd talk about this with Vincent, who sheds light on the trend from a vendor perspective. As you'll hear, I also talked malware with Vincent -- everything from the Zues botnet to the media's favourite Aurora. Enjoy!

Erhan mostly specialises in technology-related stuff, and I wanted to get his thoughts on this so-called hacking scandal engulfing the corridors of power in New South Wales.

Last week a couple of journalists from the Sydney Morning Herald were given a handy tip -- if they pointed their browsers to nswtransportblueprint.com.au they would find a bunch of documents there that shouldn't have been released yet -- namely, the State Government's transport blueprint.

They went to the site, sure enough the documents were there, they wrote up the story and it ran on page one of last Saturday's Sydney Morning Herald.

The comical twist in all of this is the minister then went out and accused the journalists of hacking into the system to obtain the documents. This is especially funny given the journalists in question are known for being technologically challenged and possessing a fondness for fountain pens.

I thought it would be interesting to discuss this with a solicitor like Erhan. Although the documents were left on a webserver, could it be argued that the journalists had been doing something wrong by accessing them? When is a hack a hack? What if you had to guess a complicated URL through some sort of brute-force attack?

Well as you'll hear, unless you actually have some sort of access control on your data -- like a password, you're up the proverbial creek. I interviewed Erhan yesterday.

A recent report in the Sydney Morning Herald detailed changes to Australian law that would allow the Australian Federal Police to physically destroy computers if they contain encrypted data the police can't unlock.

The story also talked about further changes to laws that would stiffen penalties for suspects who refuse to hand over encryption keys and passwords.

Anyway, it all sounded pretty extreme and drew a pretty adverse reaction from Adam Boileau, our regular news guest on the Risky Business podcast, so I thought I'd get Neil on the line and ask him about these changes, instead of just assuming the worst.

Neil joined me by phone on Monday for this interview!

We don't normally talk to sponsors about their own technology, but this is just where the conversation went, and it's pretty interesting stuff!

Symantec's vision for the future is to gauge the level of risk posed to systems by building up a database that ranks executables according to their reputation. It's sort of like eBay's system of ranking buyers and sellers. I'd heard of this approach a while ago, but Vincent drills down into a bit of detail here. It's good stuff.