Risky Biz Soap Box: Exploit kits are dead, at-scale social engineering the new black

An exploration of the human factor, with Proofpoint...

This isn’t the weekly show, this is a deep dive vendor podcast we do 10 times a year. All the vendors who appear in the Soap Box podcasts paid to be here, but you know what? Even though this is sponsored content, it’s really interesting.

And this Soap Box edition is a double surprise, because we’re talking about one of the driest topics in infosec: email filtering. But this is actually a really engaging conversation. I was very surprised by how much I enjoyed talking to our guests in this special, Ryan Kalember and Christopher Iezzoni of Proofpoint.

Proofpoint, among other things, is a huge player in email security and filtering. This conversation all hinges on a report Proofpoint published called “The Human Factor”.

It made some really important observations. For example, the death of popular exploit kits like Angler has just pushed attackers into social engineering at scale as an attack vector. That can be straight up fraud, attached malware or macro stuff, and some of these campaigns involve really sophisticated mass personalisation. The days of exploit kits being used at scale might actually be over.

I picked up The Human Factor report the day before we recorded this session and its findings are genuinely interesting. Proofpoint’s Ryan Kalember (SVP, Cybersecurity Strategy) and Christopher Iezzoni (Manager, Threat Research) joined me to discuss the report and also to talk about why email filtering is actually interesting again.

You can find The Human Factor report here.

Risky Business #471 -- Good Microsoft, bad Microsoft

A chat with a bug hunter about a lacklustre response from MSRC...

On this week’s show we’re taking a look at a mediocre response from Microsoft’s security response centre in the face of a fairly run-of-the-mill bug report. Our guest today found some Microsoft software was failing to validate SSL certificates. He reported it, but Microsoft said it wasn’t a security issue because, drum roll please, the attacker would require a man-in-the-middle position to exploit the failure. Ummm. What?

It all got sorted out eventually, and by sorted out I mean silently patched with no note to customers. So if you have a script running somewhere that’s invoking this tool it’s probably not checking for valid certificates, so that’s fun.

In this week’s sponsor interview we’ll be talking with industry legend Jon Oberheide, co-founder of Duo Security, about a couple of things. We’ll be looking at the features platform vendors like Microsoft and Google are now baking into their operating systems that allow companies like Duo to query the health of endpoints. We also have a general conversation about how it is actually the platform vendors who will solve the biggest problems, not so much the security industry. That’s this week’s sponsor interview, with big thanks to Duo Security.

The Grugq is this week’s news guest. Links to everything discussed are below, and you can also follow Patrick or The Grugq on Twitter if that’s your thing.

Risky Business #470 -- Project Zero's Natalie Silvanovich on reducing attack surface

PLUS: Ryan Duff and Haroon Meer...

Ryan Duff fills in for Adam in this week’s news segment. Ryan used to work at US Cyber Command as a cyber operations tactician but these days he’s in the private sector. He shares his thoughts on the week’s happenings.

This week’s feature guest is Google Project Zero’s Natalie Silvanovich. A little while back she fired off a few tweets saying companies are simply not doing enough to minimise the attack surface in their software. She was finding it so frustrating that she tweeted an offer – she said she was happy to turn up at any company that would have her and give a talk on how to minimise attack surface.

She’s since done that talk about half a dozen times and she joins us today to give us the general idea of the advice she’s been providing.

This week’s sponsor interview is with the man, the legend, Haroon Meer.

Haroon is the founder of Thinkst Canary, simple hardware honeypots that work amazingly well. This week Haroon joins the show to talk about how we can avoid the next Equifax. He says a lot of it comes down to empowerment, which sounds like the sort of thing an annoying person with capped teeth would put in their slide deck, but when you hear Haroon explain what he actually means it actually makes sense.

See links to show notes below, and follow Patrick or Ryan on Twitter if that’s your thing!

Risky Biz Soap Box: Consolidation to hit infosec software industry

Rahul Kashyap on the convergence of EDR and AV, among other things...

Cylance, as many of you would know, is a so-called next generation AV company. They were early movers on machine learning tech, and they’ve been tremendously successful. They’re a tech unicorn – clocking up a valuation of over a billion dollars in a very short space of time.

Cylance was founded in 2012, and there’s been a lot of movement in the endpoint security space since. There are now a whole swag of next generation endpoint security companies gobbling up the market share of the incumbent AV companies. A lot of them started off in the EDR space and are now doing anti-virus as well. It feels like we’ve reached a consensus point. Endpoint security software should do both EDR and AV.

So, Cylance is building out its EDR products.

So we’ll be speaking with Cylance’s chief product officer, Rahul Kashyap, about convergence. Not just in terms of what they’re doing, but more broadly.

Rahul has been in the security game for a long time. He worked on developing network-based IDS products with Nsecure back in the early 2000s, before taking a job at McAfee. He served as McAfee’s head of vulnerability research for four years before joining Bromium as its chief security architect. Rahul has been on Risky Business before and he’s a guy who very much knows what’s up.

Risky Business #469 -- More like EquiHAX. AMIRITE??

PLUS: Nazi-hunting with TensorFlow...

On this week’s show, of course, we’ll be using the news segment to take a look at the dumpster fire that is the Equifax breach. We’ve got suspicious short trades, executive share sales and an absolutely shambolic response. This one’s got the lot; something for everyone.

We’ll also take a look at these latest Bluetooth bugs and of course we’ll recap the rest of the week’s security news.

In this week’s feature interview we’re chatting with Emily Crose. After cutting her teeth at CIA, NSA and US Cyber Command, these days Emily works in the private sector, and her hobby at the moment is using machine learning-based image processing to identify problematic social media images.

Some social media companies say it’s too hard to identify, for example, ze Nazis. Emily says nope.

I would say this week’s show is brought to you by Tenable Network Security, but now I’m just going to say Tenable because these days that’s what they’re calling themselves. And it makes sense. Vulnerability management isn’t really just about what’s on your network anymore.

With that in mind, they’ve really changed the messaging of the company. They’re not calling it continuous monitoring anymore, they’re calling it cyber exposure measurement. Corey Bodzin, VP of product operations at Tenable joins the show to walk us through the rationale behind the new messaging.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #468 -- Marcus Hutchins gets "Krebsed," the ICO bubble and more

PLUS: Kenya's election scuttled over hacking fears and Kaspersky's latest drama...

On this week’s show we’re going to take a look at the ICO bubble. We’ll hear some excerpts from a chat I had with Coinjar CEO Asher Tan and then Adam and I are going to talk about what the hell is happening with all this crypto madness. We also take a look at the scuttling of the Kenyan election over hacking fears, the latest drama with Kaspersky being caught in the middle of geopolitical intrigue, the FSB’s unconventional BBQ in San Francisco and more.

This week’s show is brought to you by Netsparker.

Netsparker makes an automated webapp testing tool; you can kinda dial up the level of automation you want. They have a few nice tricks in their suite, too, like automatic proof-of-concept exploitation of some bug classes, so you can actually prove people need to fix stuff while you drink coffee. That’s nice.

In this week’s sponsor interview we’re speaking with Ferruh Mavituna, the founder and CEO of Netsparker, about automated testing at scale. It’s a sponsor interview, but it’s also a pretty generic chat about how you tackle that problem. Basically he says when you’re doing this scanning at scale you really can start with the bad, dumb stuff, because if you’re in an enterprise of any sort of size at all your automated testing is going to spit out a horror-show list.

Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Snake Oilers #2: Part 2: Authentication tech from Yubico and Remediant

A great podcast for people interested in locking down Windows accounts...

This podcast deals with authentication tech – in particular, if you manage a Windows network, you’ll want to listen to this to get an idea of some different approaches to solving some of your authentication challenges.

This isn’t our weekly show, this is something we do four times a year – we get a bunch of vendors together and they explain their tech. Last week I published interviews with Crowdstrike, Replicated and AttackIQ, go check them out if you haven’t already, but I wanted to break out these two companies into their own podcast.

In this edition we’re going to hear from two companies – Remediant and Yubico.

Yubico, of course, makes YubiKeys, the hardware authentication device used by companies like Google and Facebook to lock down accounts. I own one, and it wasn’t a freebie, I paid for it. A lot of security people use these USB devices because they work really, really well.

What I didn’t know, because I’m a dumbass, is there’s native support for Yubikeys in Windows. So if you want to add hardware-backed two factor authentication to your Windows accounts, this is one way to do it.

But before we talk to Yubico, we’re going to hear from Remediant.

Remediant is a start up that also makes some interesting Windows auth tech. Now, a lot of Risky Business listeners operate in high security or compliance heavy environments. This will often mean using password vault technology for better privileged account management. Remediant has something they think is better.

Basically they have created a tech that lets you enable and disable privileged accounts on, like, a time-lock basis. If you have to do some admin work on a box, you log in to your Remediant server, enable that account for a set period of time, then off you go. Easy. It’s a very light-touch way of solving some pretty serious management headaches, and it’s very easy to audit, which will keep our friends in heavily regulated environments very happy.

Risky Business #467 -- HPKP as an attack vector

Scott Helme talks HPKP ransom, suicide...

In this week’s show we recap all the week’s major security news items. St Jude Medical products will be patched in half a million patients, we get the latest with the DreamHost warrant, find out how Hansa marketplace members were de-cloaked by the Dutch cops and more.

In this week’s feature interview we chat with Scott Helme about HTTP Public Key Pinning as an attack vector. If someone manages to compromise your domain registrar account, they can now cause all sorts of havoc. First, they redirect people to a box they control, then obtain a free, automated domain-validated cert for that box, then flick on the HPKP header and pin every visitor to a certificate and key that they control.

You get your domain back, sure, but then what? Nobody who visited your site while it was under the attacker’s control can visit it. Yay. So Scott will join us this week to talk about HPKP ransom and what we might do about this situation.
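As an added illustration of the lockout Scott describes (this is not code from the episode or from Scott Helme), the Python below parses a Public-Key-Pins header the way RFC 7469 lays it out and checks it against the pin-sha256 values for keys you actually hold, reporting whether visitors who cached it would be locked out and for how long. The pin values and the headers are constructed samples; real pins come from your own certificates via openssl, and the assumption that browsers ignore a malformed header is marked in the code.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


# Constructed sample pins (base64 of a 32-byte SHA-256 digest of an SPKI).
# Real pins for keys you hold come from, e.g.:
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
#     | openssl dgst -sha256 -binary | base64
def _fake_pin(byte: int) -> str:
    return base64.b64encode(bytes([byte]) * 32).decode()


OPERATOR_PINS: Set[str] = {_fake_pin(0x11), _fake_pin(0x22)}  # current key + offline backup
ATTACKER_PIN_A = _fake_pin(0xA1)  # digests of keys the operator does not hold
ATTACKER_PIN_B = _fake_pin(0xA2)

# Constructed header of the kind someone who briefly controlled the domain could serve.
RANSOM_HEADER = (
    f'pin-sha256="{ATTACKER_PIN_A}"; pin-sha256="{ATTACKER_PIN_B}"; '
    'max-age=5184000; includeSubDomains'
)
# Constructed sane header: both pins belong to the operator.
SAFE_HEADER = f'pin-sha256="{_fake_pin(0x11)}"; pin-sha256="{_fake_pin(0x22)}"; max-age=2592000'


@dataclass
class HpkpPolicy:
    pins: List[str] = field(default_factory=list)
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None
    errors: List[str] = field(default_factory=list)


# directive-name [ "=" ( quoted-string | token ) ]
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|([^\s;"]+)))?\s*$')


def parse_hpkp(header: str) -> HpkpPolicy:
    """Parse a Public-Key-Pins header value, collecting RFC 7469 violations."""
    policy = HpkpPolicy()
    for raw in header.split(';'):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            policy.errors.append(f'unparseable directive: {raw.strip()!r}')
            continue
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name == 'pin-sha256':
            try:
                digest = base64.b64decode(value or '', validate=True)
            except (binascii.Error, ValueError):
                digest = b''
            if len(digest) != 32:
                policy.errors.append(f'pin is not a base64 SHA-256 digest: {value!r}')
                continue
            policy.pins.append(value)
        elif name == 'max-age':
            if value is None or not value.isdigit():
                policy.errors.append(f'bad max-age: {value!r}')
            else:
                policy.max_age = int(value)
        elif name == 'includesubdomains':
            policy.include_subdomains = True
        elif name == 'report-uri':
            policy.report_uri = value
        # unknown directives are ignored, as the RFC requires
    if policy.max_age is None:
        policy.errors.append('max-age directive missing')
    if len(policy.pins) < 2:
        policy.errors.append('fewer than two pins (RFC 7469 requires a backup pin)')
    return policy


@dataclass
class HpkpAudit:
    enforceable: bool        # a browser would accept and cache this policy
    foreign_pins: List[str]  # pinned digests for keys the operator does not hold
    lockout_seconds: int     # how long a visitor stays locked out after their last visit
    include_subdomains: bool
    errors: List[str]


def audit_hpkp(header: str, operator_pins: Set[str]) -> HpkpAudit:
    """Report whether the served pins would lock the operator's visitors out.

    A browser that noted this policy refuses any chain whose SPKI set misses every
    pin, so if none of the pins belong to keys the operator holds, the site stays
    unreachable for max-age seconds counted from each visitor's last visit.
    """
    policy = parse_hpkp(header)
    # Assumption: a policy the parser rejects would be ignored by browsers too.
    enforceable = not policy.errors
    foreign = [p for p in policy.pins if p not in operator_pins]
    fully_foreign = bool(policy.pins) and len(foreign) == len(policy.pins)
    lockout = (policy.max_age or 0) if (enforceable and fully_foreign) else 0
    return HpkpAudit(enforceable, foreign, lockout, policy.include_subdomains, policy.errors)


if __name__ == '__main__':
    for label, hdr in (('ransom', RANSOM_HEADER), ('safe', SAFE_HEADER)):
        print(label, audit_hpkp(hdr, OPERATOR_PINS))
```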

This week’s sponsor interview is fascinating. We chat with Homer Strong, director of data science at Cylance, about machine learning explainability and “interrogatability”.

Adam Boileau is on a company retreat this week, so Haroon Meer is filling in. Links to everything are below.

Oh, and you can follow Patrick or Haroon on Twitter if that’s your thing.

Snake Oilers #2: Part 1: Crowdstrike, AttackIQ and Replicated explain their tech

A wholly sponsored podcast that doesn't suck!

This is part one of our latest Snake Oilers podcast, the sponsored podcast that doesn’t suck! I have to say, when I launched this podcast series I had no idea it would actually wind up being genuinely engaging and interesting. All three interviews in this podcast are top notch and I think anyone working in infosec would do well to listen.

The original idea behind these Snake Oilers podcasts was vendors would come on to the show and aggressively pitch their products. But you know what? What they mostly want to do is actually explain what their technology does so people out there in listener land actually know what they do.

I’ve broken this special into two parts. In this part we’ll hear from CrowdStrike, Replicated and AttackIQ. On Monday next week I’ll be posting part two with Remediant and Yubico, the makers of Yubikeys. Those two companies both make authentication technology, which is why I split them out on to their own.

In this part:

  • Crowdstrike tell us why they think their EDR and AV solution is the best. A lot of you probably didn’t even know Crowdstrike does AV now… they’ve got a pretty compelling endpoint detection and response plus AV pitch.

  • AttackIQ will pitch its software as a way to augment red teaming exercises and help you think of security as a continuous feedback loop

  • Replicated talks through its tech. They take SaaS software and turn it into on-prem or private cloud software

Risky Business #466 -- Breaking reverse proxies shouldn't be this easy

A chat with Portswigger's James Kettle...

On this week’s show we chat with James Kettle of Portswigger Web Security about some adventures he had with reverse proxies and malformed host headers. Using some simple tricks, James was able to do some craaaazy stuff and earn himself about $30k in bounties. He’s turned some of his techniques into tools for Burp Suite, so he’ll be joining us to talk about that.

In this week’s sponsor interview we’re tackling the new European general data protection regulation. With the new regime due to kick in on May 25 next year, there’s a lot of angst out there, and for good reason. The penalties for mishandling info are up to 4% of global turnover, which is a stiff enough penalty to strike fear into the hearts of CEOs everywhere.

Senetas is this week’s sponsor. They make layer 2 encryption gear, as well as SureDrop, a GDPR- and enterprise-friendly Dropbox-style service. Senetas Europe’s managing director Graham Wallace joins the show this week to talk about some of the ins and outs of GDPR. Stay tuned for that.

As usual, Adam Boileau also joins the show to talk about the week’s security news. Links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #465 -- Charlie Miller on autonomous car security

PLUS Stephen Ridley with some hints for researchers...

On this week’s show we chat with Charlie Miller all about the security of autonomous vehicles. As you’ll hear, he says autonomous vehicle security all comes down to some security fundamentals that are, in fact, being taken seriously by carmakers.

We’ve got an absolutely fantastic sponsor interview for you this week. This week’s show is brought to you by Senrio. They make an IoT network monitoring solution that’s actually really good. Stephen Ridley is the founder and head honcho at Senrio. He’s a very well known researcher and he joins us this week to talk about a few things.

First up he recaps the gSOAP library bugs the Senrio team found. They were a big deal in July, but as you’ll hear, people kinda missed the point. The affected gSOAP library is absolutely everywhere, including in, ahem, browsers. So yeaaaaah. There’s that.

Then we move on to the more sponsor-y part of the sponsor interview, talking about Senrio’s experience running the IoT hacking village at DEFCON. It was a great time for them, throwing their product at the most hostile IoT network the world has ever seen. To round out the Stephen Ridley omnibus experience we’ll also hear about a few training courses he’s offering on Android hacking and software exploitation via hardware exploitation.

Adam Boileau joins the show to talk about the week’s security news, links to everything are below.

Oh, and you can follow Patrick or Adam on Twitter if that’s your thing.

Risky Business #464 -- Why your game theory theories are wrong

PLUS Marcus Hutchins' arrest, Google DudeBro and MOAR!

On this week’s show we’ll be chatting with Kelly Shortridge, formerly a detection manager at BAE, all about her Black Hat talk. It’s all about why most of what you hear about applying game theory to detection strategies is total bullshit.

This week’s show is brought to you by Signal Sciences!

Signal Sciences makes a killer product focussed on web application and web server security. It’s really popular with the devops crowd, which is interesting, because most security products in devops focus on the dev, whereas Signal Sciences focusses more on the ops component.

This week we speak to Signal Sciences co-founder Zane Lackey about this burgeoning market for security tooling geared towards non-security people. It’s actually a really interesting conversation. Non security groups at large organisations are having to become security self sufficient and it really is a game changer. More on that with Zane Lackey in this week’s sponsor interview.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #463 -- Black Hat's 2017 keynote speaker Alex Stamos joins the show

PLUS Haroon Meer on cloud security and more!

This week’s feature interview is with Facebook CSO and Black Hat 2017 keynote speaker Alex Stamos. We’ll be digging a little deeper on some of the points he hit on in his talk in Las Vegas this year. I’ve linked through to a video of his keynote in this week’s show notes (below), and I’d really recommend you watch it. It was just very, very good.

This week’s show is brought to you by Thinkst Canary. They’re best known for their little Canary honeypots, you put them on your network and they’ll alert you to all sorts of lateral movement. Thinkst’s Founder and chief brain Haroon Meer will be along later on to talk about cloud security.

He’ll be echoing some of the points made in our interview a few weeks back with Daniel Grzelak from Atlassian, as well as looking at how you can start to put together a somewhat coherent strategy for detecting when your cloud services get popped.

Adam Boileau is this week’s news guest.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #462 -- Does the Australian government want to break encryption?

Probably not, but it sure would like to bypass it...

In this week’s feature interview I speak with the Australian Prime Minister’s cyber security advisor Alastair MacGibbon about what it is that the Australian government is pushing for in terms of industry cooperation around surveillance.

There’s been a lot of hype on this one. “Al Mac” joins the show to work through some of it, and honestly, Australia’s push at the moment is the sort of thing I think you can expect to see more of around the world, so this is an interview of global relevance.

Some of that conversation hinges on a blog post I wrote on the weekend. If you want to, you can read that here.

This week’s show is brought to you by Remediant!

Remediant makes a product that’s designed to make lateral movement through a network much harder. Essentially it’s a way to restrict all privileged accounts on your infrastructure until you actually need them. So instead of being able to just log in to your production environment, you can actually set it up so you enable the privilege you need for a set period of time.

It’s a different approach to privilege management than things like password vaults, so if you work in an authentication group you’re going to want to hear what they have to say. Remediant CEO Tim Keeler is this week’s sponsor guest.

Adam Boileau is this week’s news guest. We talk about all the continuing notPetya drama at Maersk and FedEx/TNT, the Alphabay latest and more.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Biz Soap Box: Keep your vendors honest with attack simulation

Does your shiny new kit do what it says on the box? Only one way to find out...

This month’s Soap Box podcast is brought to you by AttackIQ, a company that makes attack simulation software.

This is a wholly sponsored podcast that won’t bore you to tears.

There are countless CISOs who listen to this podcast who’ve shovelled an awful lot of money at their organisation’s security controls. Whether that’s endpoint/AV or fancy network kit that’s supposed to detect exfil, the sad truth is most organisations have no way to know if their expensive kit is actually doing what it’s supposed to.

Until, of course, they get breached. Then there is much wailing and gnashing of teeth.

So the idea behind attack simulation is pretty simple. You load a lightweight agent on to your corporate systems, the agent then runs scriptable attack scenarios that can simulate attacker behaviour.

These attack scripts might get some endpoints to start nmapping internal systems. They might start changing some registry keys or stimulate a bunch of disk activity that looks like an encryption/ransomware process. They might start sending off a bunch of dummy data via a DNS exfil technique. Did your endpoint solution catch the funny registry stuff? Did your network controls catch the simulated exfil?

Now imagine you have 1,000 pre-coded attack simulations with all sorts of different combinations and permutations of attacker behaviours. How many of them do you actually need to run through before you can spot the weak points in your defences?

Attack simulation is a great way to test and validate your security controls, and you can do it continuously.

AttackIQ’s cofounder and CEO Stephan Chenette joined me to talk about attack simulation and what it’s good for.

No encryption was harmed in the making of this intercept

This is a data access war, not a crypto war...

(UPDATE 17/7/17: The original version of this post implied major technology companies were only handing over user metadata via Mutual Legal Assistance Treaties. That is not the case and the piece has been edited for clarity.)

Over the last few days people have been losing their minds over an announcement by the Australian government that it will soon introduce laws to compel technology companies to hand over the communications of their users.

This has largely been portrayed as some sort of anti-encryption push, but that’s not my take. At all.

Before we look at the government’s proposed “solution,” it might make sense to define some problems, as far as law enforcement and intelligence agencies are concerned. The first problem has very little to do with end-to-end encryption and a lot more to do with access to messaging metadata.

If you’re Australian and you’re reading this blog, you’d most likely know that Australia passed a metadata retention law that came into effect in April this year. It requires telecommunications companies and ISPs (i.e. carriage service providers, or CSPs) to keep a record of things like the IPs assigned to internet users (useful for matching against seized logs) as well as details around phone, SMS and email use.

The problem is, people have moved towards offshore-based services that are not required, under Australian law, to keep or hand over such metadata. Think of iMessage, WhatsApp, Signal, Wickr and Telegram.

Australian authorities do have options when it comes to requesting metadata from these companies. They can just ask, and depending on the company they might get something back. I’m told the major companies generally help out, especially those with a presence here. Companies like Berlin-based Telegram? Not so much.

Some other companies might just tell you to go away. Then the only way forward, depending on where the app maker is based, might be an MLAT – a request through a Mutual Legal Assistance Treaty, specifically, the Mutual Assistance in Criminal Matters Act of 1987.

Detective plod draws up the paperwork, then the request goes off to our Attorney General’s Department, then to the US AG, then to the FBI, and then you might get something back about a year later. If you’re lucky.

If you’re seeking useful metadata involving communications that took place via Signal, you won’t get anything back anyway because they just don’t log much. (This is also an issue for US law enforcement.)

Currently, metadata access is at the whim of a patchwork of company policies, and the metadata tap – in the case of some communications apps – has been turned off completely. And as far as law enforcement is concerned, blocks to obtaining metadata are a very big problem.

There are no easy solutions here, but it’s part of the reason you’ve heard our Attorney General George Brandis talk a lot about treaties and mutual assistance over the last few months. Currently, there’s nothing the Australian government can do to speed up the process when authorities are dealing with offshore organisations.

The second problem involves messaging content. Now that we live in a world where anyone can buy a secure mobile handset (an iPhone) and use an end-to-end (e2e) encrypted messaging application (WhatsApp, Signal etc), there are serious challenges around intercepting communications. Currently, if you ask Facebook for some WhatsApp messaging data, they can simply say they don’t have it. That’s the beauty of end-to-end encryption.

But the Australian government has announced proposed laws that will seek to compel tech companies to hand over the content of user communications, e2e encrypted or not.

It’s very, very important to note at this point that there are legal barriers to obtaining communications content that simply don’t apply to metadata. Metadata is made available by request in most jurisdictions (i.e. without a warrant), but content is a whole other ballgame. In the case of a typical criminal investigation the police need a telecommunications intercept warrant to tap someone’s phone or internet connection. They can’t simply request it.

It’s here that people have spun off planet earth into frankly bizarre speculation as to what the government wants.

I’ve seen an awful lot of people suggesting that the government will compel tech companies to downgrade the encryption they use in their products, either by forcing them to adopt weak ciphers or maybe some sort of funny curve, reminiscent of the suspect Dual Elliptic Curve Deterministic Random Bit Generator incorporated into RSA’s BSAFE library. (That’s a mouthful, but you can read about that here.)

The thinking is, if everyone starts running crap crypto, the coppers can sniff the communications off the wire.

Let me put this bluntly: If this is what the government winds up suggesting, then by all means hand me a bullhorn and show me where to point it. It is a ridiculous idea that would erode so many of the security gains that we’ve made over the last decade.

But this is not what the government will suggest. If you want to know what this will look like from a technical perspective, just look at how authorities currently address this problem.

Thanks to our pal Phineas Fisher, we’ve had a glimpse into the sausage factory that is the law enforcement trojanware industry. Gamma Group and Hacking Team, two companies that make surveillance software for mobile phones, were both hacked by Mr. Fisher and the gory details of their operations laid bare.

What we learned is that law enforcement organisations already have perfectly functional trojans that they can install on a target’s phone. These trojans can already intercept communications from encrypted apps.

If you can access the endpoint – the phone – then you can access the user’s messages. No weakening of encryption is required.

These types of law enforcement trojans have typically been delivered to handsets by exploiting security vulnerabilities in mobile operating systems. Unfortunately for law enforcement, but fortunately for us, exploiting vulnerabilities on mobile handsets has become more and more difficult, time consuming and expensive. iOS is the leader here, a damn fine operating system, but Android is definitely catching up.

I want to spell this out clearly so there’s no confusion: The government already has the legal authority to access your end-to-end encrypted messages if they have a warrant. The barrier is not a legal one, it’s a technical one. Access to the expensive exploits used to deliver interception software to handsets is being rationed due to cost, feeds an industry full of shady players like Hacking Team, and in some cases agencies are simply unable to install surveillance software on to the phones of some really god-awful people, even though they have a warrant.

So, the government wants the tech companies to “fix” this for them. That’s why they’re not talking technical details. The regime will not be prescriptive, and thankfully the government knows that it’s probably not the most appropriate organisation to advise Apple or Google on the finer points of technology.

The feeling is non-US law enforcement and intelligence agencies aren’t getting the coverage they’d need to do their jobs. This is why we’ve seen New Zealand and the UK pass laws that supposedly compel US companies to assist them when they ask. (I hear they’re not being enforced yet.)

So let’s break down how it may work: Under this law, the AFP might ask Facebook, which owns WhatsApp, to hand over the message history and future messages of user X, because they have a court-issued warrant.

Now it’s all very well and good for WhatsApp to argue that it doesn’t have the technical means to do so, which is a response that has led to all sorts of tangles in Brazil’s courts, but the Australian law will simply say “we don’t care. Get them.”

In practice, there are a number of ways to skin this cat that don’t involve weakening encryption.

For example, until May this year, WhatsApp backups weren’t even encrypted. (That’s right, all this song and dance about your messages being end-to-end encrypted, only to have them shunted into services like Apple’s iCloud, and we all know how well protected iCloud is!)

Even now, the precise encryption technique used by WhatsApp isn’t clear. Are they using a key generated on your device to encrypt your messages? That would be of limited use, considering the point of a backup is to restore your message history when you lose your phone and the corresponding encryption key. So my guess is it’s a form of encryption that is recoverable by WhatsApp.

What if the user doesn’t have backups turned on? Well, I’m sure there are some clever people out there at WhatsApp HQ who could figure out how to turn on a user’s backups for them.

A retort I often hear when I lay out a scenario like that one is that users will just move to another app, maybe something like Telegram, which is based in Germany. At that point, an enterprising police officer might contact either Google or Apple, two companies that control something like 99% of the cellphone market share, and ask them to devise a way to retrieve the requested data from that device. Like, say, pushing a signed update to the target handset that will be tied to that device’s UDID (Unique Device Identifier). That way there’s no chance the coppers can intercept that update and re-use it on whomever they want.

Again, no encryption was harmed in the making of this intercept.

There are some legitimate concerns around how a regime like this could be abused. However, the legal bar for content interception here in Australia is much higher than for metadata. Content access requires a warrant. If cops were looking to abuse this access then they’d need to engage in some pretty serious criminality, like forging warrants. And if the access regime revolves around asking the tech companies to do the grunt-work on behalf of the authorities, all intercepts should actually be easy to audit periodically.

In other words, it would be a stupid way to spy on your girlfriend.

Now look, I’m not advocating for these laws. I’m not. What I am trying to do is move the goalposts for this discussion. The responses that I’ve seen to this proposal from the Twitterati have mostly been really daffy. People will insist the government doesn’t know what the hell it’s asking for (it does), that it wants to break maths (it doesn’t) and that it’s impossible for technology companies to provide law enforcement with what they need without introducing unacceptable new vulnerabilities and risks into our technology ecosystem (depends on your definition of “unacceptable”).

I’d like to see the goalposts set up around a much simpler discussion than one about technology and encryption: To what degree do we believe, as a society, that the right to privacy is absolute?

Do we believe that law enforcement bodies should have the authority to monitor the communications of people suspected of serious criminal offences? If so, what should the legal process for provisioning that access look like? I mentioned auditing access under this scheme a couple of paragraphs ago. If we’re going to have a regime like this, can we have a decent access auditing scheme please? These are the sorts of things I would prefer to be talking about.

It’s also important to remember that Australia is not America. We don’t really have the same libertarian streak as our US cousins, so it’s entirely possible there won’t be a substantial backlash to these proposals. That makes framing this discussion properly – as a conversation about balancing our need for privacy with our desire for safety – vitally important.

If people who want to participate in this debate keep screaming that the government consists of a bunch of idiots who want to outlaw maths, well, the real conversation just won’t happen and no meaningful controls around the extent of access and the oversight of that access will be granted.

Not that you can expect grown-up conversations between the tech firms and the government. The tech companies will fight this tooth and nail, both on libertarian/political grounds and on business grounds. The government will do the usual scaremongering around terrorists and pedophiles. Expect some downright misleading information from both sides and absolutely bonkers salvos fired in both directions.

Can’t wait.

PS: Blind Freddy could have seen this coming.

Risky Business #461 -- AWS security with Atlassian's Daniel Grzelak

Plus all the drama from the dark web...

On this week’s show we chat with Atlassian’s head of security, Daniel Grzelak, all about some AWS security tools he’s come up with. He also previews a new tool for generating AWS access key honeytokens at scale, which is really neat.

This week’s show is brought to you by Veracode!

Veracode’s director of developer engagement, Peter Chestna, will be along in this week’s sponsor interview to have a yarn about some common misunderstandings between security people and developers. We look at misunderstandings both ways.

Adam Boileau is this week’s news guest. We talk about all the latest dark markets drama, plus the Great Nuclear Hax Freakout of 2017.

See links to show notes below, and follow Patrick or Adam on Twitter if that’s your thing!

Risky Business #460 -- Haroon Meer talks Kaspersky drama, NotPetya, the cryptowars and more

PLUS: ICEBRG's Will Peteroy spruiks the "Liam Neeson" of infosec products...

Adam Boileau has some out-of-town business to handle this week, so he can’t join us in the news segment. But that’s ok, because industry legend Haroon Meer has very kindly agreed to fill in for him! We chat to Haroon shortly about all the latest NotPetya developments; we’ll also talk about the drama Kaspersky is experiencing right now, as well as dissecting the latest battle reports from the cryptowar! All the news is covered.

This week’s show is brought to you by ICEBRG!

ICEBRG’s co-founder, Will Peteroy, joins the show this week to chat a bit about what they’re up to. Will has an interesting background. He was the technical director of a government agency Red Team. That meant red team exercises against agencies, but he was also responsible for doing assessments on security products. He also put in a bunch of time at Microsoft where he was the endpoint for product security for Windows and Internet Explorer, which meant he was the recipient of oh-so-much-0day for around a year and a half. So yeah, Will knows what he’s doing, and he’s made a thing, and you’re going to hear about that thing after this week’s news.

See links to show notes below, and follow Patrick or Haroon on Twitter if that’s your thing!

Risky Biz Soap Box: Bugcrowd founder and CEO Casey Ellis on the future of crowdsourced security

This guy sees around corners. Listen to him.

In this edition of the Risky Business Soap Box podcast we chat with the founder and CEO of Bugcrowd, Casey Ellis, about the establishment of the bug bounty market and how things have shaped up. We also look at where it’s going.

The days of bounty programs being operated solely by large technology firms are long gone. Casey predicted that shift years ago. The question becomes, where will bounty programs be in three years from now?

Well, Casey doesn’t shy away from making some bold predictions. He thinks most enterprises will have vulnerability reporting mechanisms within two years, and a substantial proportion of those will offer rewards to bug hunters via companies like Bugcrowd.

He also sees bounty programs increasingly serving the specialist market.

You can find Casey on Twitter here.

Risky Business #459 -- Actually yes, "cyber war" is real for Ukraine

Andy Greenberg joins the show to talk about the world's first hot cyberwar...

This week we’ll be chatting with Andy Greenberg from Wired about his cover story for that magazine. He travelled to Ukraine back in March to research his story on Russian attacks against the Ukrainian power network. He joins us this week to share the insights he gleaned during his travels.

This week’s show is brought to you by SensePost.

SensePost are based in South Africa and England, but they are very well known for offering training courses at Black Hat. This year will be the 17th year they’ve run training courses there. As you might expect, their brand new devops security course has gone absolutely gangbusters in terms of registrations this year, but they’re also offering a bunch of other courses. They’ll be joining us to chat about trends in training in this week’s sponsor interview.

Adam Boileau, as always, drops by for the week’s news segment. You can add Patrick or Adam on Twitter if that’s your thing. Show notes are below…
