On this week’s show we’re looking at an issue that kicked up last week when creepware scumbags Flexispy announced they were moving their bug bounty program to HackerOne. VICE journalist Joseph Cox asked HackerOne CEO Marten Mickos if he’d be happy to host their program, and his answer is as follows:
“Any company that operates legally within its jurisdiction, treats our hackers with respect and takes vulnerability disclosure seriously is generally welcome to run their program on the HackerOne platform. Improving the integrity of all connected software is to the benefit of the digital society.”
A lot of people, myself included, didn’t react so well to that line of thinking. HackerOne CTO Alex Rice suggested he come on the show to talk about the company’s stance. As you’ll hear, Alex is pushing a much softer line than his CEO, but still says this is complicated. Stay tuned for that, at times, excruciating interview.
This week’s sponsor interview is with Signal Sciences CSO and co-founder Zane Lackey. Zane was the head of security at Etsy, but he moved on to found Signal Sciences, a company that is making webapp security software that by all reports is pretty damn good.
He joins us in the sponsor slot this week to talk about Devops, WAFs and a whole bunch of other fun stuff.
Adam Boileau, as usual, drops by to discuss the week’s news.
Links to items discussed in this week’s show have moved – they’re now included in this post, below.
Oh, and do add Patrick, or Adam on Twitter if that’s your thing.
Show notes
- Intel Patches Nine-Year-Old Critical CPU Vulnerability | Threatpost | The first stop for security news
- Intel patches remote hijacking vulnerability that lurked in chips for 7 years | Ars Technica
- Hacker leaks Orange is the New Black new season after ransom demands ignored | Ars Technica
- Meet the Hackers Holding Netflix to Ransom - Motherboard
- All your Googles are belong to us: Look out for the Google Docs phishing worm | Ars Technica
- Facebook enters war against “information operations,” acknowledges election hijinx | Ars Technica
- Russian-controlled telecom hijacks financial services’ Internet traffic | Ars Technica
- Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol | Ars Technica
- WikiLeaks Reveals CIA Tool 'Scribbles' For Document Tracking | Threatpost | The first stop for security news
- Blind Trust in Email Could Cost You Your Home — Krebs on Security
- Google and Facebook scammed out of $100M in elaborate phishing attack
- New COOP Attack Method Highlights Weaknesses In Microsoft's CFG Defenses | Threatpost | The first stop for security news
- Watch Hackers Sabotage an Industrial Robot Arm | WIRED
- Proposed NIST Password Guidelines Soften Length, Complexity Focus | Threatpost | The first stop for security news
- geer.tinho.net/geer.source.27iv17.txt
- A vigilante is putting a huge amount of work into infecting IoT devices | Ars Technica
- An Obscure App Flaw Creates Backdoors In Millions of Smartphones | WIRED
- Apple Revokes Certificate Used By OSX/Dok Malware | Threatpost | The first stop for security news
- IBM: Destroy USBs Infected with Malware Dropper | Threatpost | The first stop for security news
- Google Patches Six Critical Mediaserver Bugs in Android | Threatpost | The first stop for security news
- Picture this: Senate staffers’ ID cards have photo of smart chip, no security | Ars Technica
- nomx: The world's most secure communications protocol
- Wanna Know If Someone Planted Spyware on Your Computer? - Motherboard
- Winston Smith on Twitter: "@x0rz @cryptoishard Sorry that was me lol"
- FlexiSPY on Twitter: "In the interest of transparency, we're moving the bounty program to @Hacker0x01 ..."
- Modern Application Security from Signal Sciences