Risky Business #406 -- Making a killing from bug bounty programs

We meet a guy who does just that...

On this week's show we're chatting with Nathaniel Wakelam, a professional bug bounty participant who, distressingly, at age 20, earns shitloads more money than I do! We'll talk to him about how he got into bug bounties, and how he manages to take down a massive paycheck in such a competitive space.

Risky Business #405 -- Doxing Africa's W2 scammers, FBiOS and more

Plus news, Haroon Meer and MORE!

On this week's show we're chatting with myNetWatchman's Donald McCarthy about some research he's done into these crews shaking down US companies for W2 forms. He and his colleagues have identified at least 40 crews involved in this stuff. We'll get the skinny on that in this week's feature interview.

Risky Business #403 -- Inside Islamic State's doc leak

Counterterrorism researcher and ex GCHQ-er David Wells joins the show...

On this week's show we're chatting with David Wells. He's ex GCHQ and ASD but these days he's a counterterrorism boffin with the Lowy Institute. He's joining us to discuss the IS document leak. Depending on which story you read, it's either the death of the organisation or it won't do anything at all to disrupt it. We get David's thoughts on what this leak will actually mean for the so-called Caliphate.

Risky Business #402 -- Why are infosec companies tanking on the NASDAQ?

PLUS news with Adam and BugCrowd's Casey Ellis in the sponsor chair...

On this week's show we're chatting with re/code's senior editor and "enterprise dude" Arik Hesseldahl about the business of infosec. Information security related stocks and shares are tanking on indexes all over the world... why? How can this be happening in a $75bn sector that is tipped to grow into a $175bn sector in the next four years?

Risky Business #400 -- FBiOS with Adam PLUS guest Daniel Hodson

Apple and FBI are both silly sausages...

On this week's podcast we'll hear from Daniel Hodson of Elttam Security here in Australia. Daniel and his business partner Matt Jones have been looking into the security of messaging software that has been recommended by the EFF. Does a bunch of ticks from the EFF actually say much about app security? Well, not really, as it turns out.

Risky Business #398 -- Professor Lawrence Gordon, jcran and more!

Bonus lulz courtesy of Cisco...

This week's show is one for the CSOs! It's the economics edition, I guess you'd call it. We'll be chatting with Professor Lawrence Gordon, co-creator of the Gordon Loeb model for Cyber Security investment. We speak to him about contemporary infosec budgets and how spending of $500m a year by some financial institutions in the USA is actually sensible.

Things I've learned from the Risky Business listener survey

You're a diverse bunch...

As many of you would know, last week I posted a listener survey to SurveyMonkey. I dropped the link on Twitter and then mentioned it in the show. I wasn't really expecting much of a response, but after about a week, 500 of you have already spent the time to fill out the questionnaire. Thanks!

A few of you are a bit nervous that Risky Business is about to radically change. It won't. The plan is to add more content -- yes, sponsored content -- and to leave the main show more or less completely untouched. There will be a maximum of fourteen new individual podcasts added per calendar year. That will bring the total number of podcasts posted in a year to 58 from 44. The addition of those extra, wholly sponsored podcasts will do things like fund an interview booker, producer and researcher. This is going to mean a MUCH better main podcast, and I'd also encourage you to bear with me when it comes to the additional sponsored stuff -- I think I can make it not suck. I'll write another post that spells out these changes in more detail soon.

Back to the survey -- there were two reasons for doing it: To collect a bit more demographic data on listeners for advertisers, as well as get some feedback on possible new content ideas and improvements I could be making to the show. The data collected so far has been pretty interesting. Prior to this survey I've only been able to guess about who my listeners are and how they actually feel about the show. So here's what I've learned after 500 responses:

1. Your demographics are...

The majority of listeners are aged between 35-50, with the remaining listeners mostly in the 21-35 bracket. 72% of you work in the infosec discipline, and 54% of all listeners have been working in infosec for more than four years.

81% of respondents listen to Risky Business every week. Around a third of you work on staff for a large enterprise and 10% of you work for a federal or state government. There's a smattering of consultants, contractors and engineers in the audience mix and surprisingly, 15% of you are software developers!

Here's something the advertisers will love: 24% of the audience are upper-mid to upper management. That means they're a C-level executive (includes CSO), information security director/manager, IT manager/director or a product security manager. 15% of you work for organisations with large networks -- over 50,000 endpoints.

The overwhelming majority of you (80%) listen to Risky Business during your commute, but some of you listen at home and others sneak in some audio at work.

2. You all love the news segment.

Universally, everyone loves the news segment and finds Adam hilarious. You've noticed that we don't disagree as much as we used to, you miss that friction, and you wish we wouldn't cover things like vendor patches unless they're particularly noteworthy.

It's true. When Adam replaced Munir Kotadia as the regular News Guy seven(ish) years ago, we would often fire up at each other. The thing is, our opinions and perspectives have largely converged over the last (almost) decade.

Adam used to be a pretty rabid beardy hacker guy who held complete disdain for CSOs and big business in general. I used to be a freelance (former staff reporter) newspaper journalist who regarded arguing as a bloodsport.

But these days Adam's a serious biz security consultant who runs a shit-hot professional services firm and I'm someone who realises listening to someone berating their guests in an audio program isn't actually entertaining; you can still draw out uncomfortable truths in an interview without being a dick about it.

The agenda has also changed in that time and there is much more consensus in the infosec community on certain key issues than there used to be. Our arguing each week was a reflection of the bigger argument happening all around us. I like to think we gave a voice to some of these conversations at a time when the majority of the tech media was talking about stuff infosec practitioners weren't actually interested in.

Now the norms are established, there's less to argue about. I agree that it makes for slightly less entertaining listening, but hey, what can you do? A lot of the big issues have simply been worked out.

But we will stop covering patches at the end of the news. A few people have commented that it's the wrong medium for that sort of information and they're absolutely right.

Now for something surprising: All of you love Adam, but some of you like a bit of diversity every now and then in the news segment. You enjoy mixing it up with special news guests like Adam's colleague Mark "Pipes" Piper, HD Moore, Haroon Meer or The Grugq.

This is something for us to work out on this end. Over the last few years Adam has become increasingly busy being a Cyber Hacker Entrepreneur(tm) so he'd probably relish the chance to sit out a few episodes. Or maybe not. We don't know yet.

But don't worry, we'll likely do another survey before we make any changes.

3. You demand the show stays critical of vendors and the industry

It's sad but true: it's hard to find media outlets in infosec (and tech in general) that are as critical of the industry as they should be. To tell you the truth, when I first started Risky Business and it actually made money I was stunned. There was no way I thought it would actually *last*. I thought the vendors would figure out that they were paying for us to piss all over them and I'd wind up on some sort of blacklist.

But the thing is, if you do it right, vendors don't mind a little kick in the ass, as long as it's fair, and as long as it's not in the segment they're sponsoring. (Do it in the news beforehand!)

Maintaining editorial independence has always been extremely important to me and it's great to see that it's one of the things the audience values most about the show. I've found it downright amazing that the vendors who pick up the tab also respect that.

Have I ever pulled a punch because of sponsorship arrangements? I'd be lying if I said no. On a few rare occasions over the last decade I have. But in my defence I'd say the punches I've pulled have been cheap shots to begin with.

When it comes to anything substantive I've always played it straight, and I *have* lost a couple of advertisers/sponsors over the years because of critical coverage. But that's what's great about having multiple sponsors. You take a little hit, you keep quiet about it, and you know what? They come back eventually. Hakuna matata.

4. You love/hate the music segment at the end

Results here are proof you can't make everyone happy. People either love the music segment at the end of the show or they flat out hate it. Considering it's right at the end of the program I don't see why the haters get annoyed by it. Just press stop!

But while we're on the topic, it's gotten a lot harder for me to find music for every week's show. I have to find stuff that's sufficiently obscure that I won't wind up sued by rights holders but of sufficient quality to be entertaining. I'm 396 episodes deep and I'm running out of ideas. I don't go to as many gigs as I used to so these days I'm just exposed to less indie music.

So from now on I'll only be including music when I've come across something interesting. I'm going to stop searching for it. The pressure of finding something new every week is getting to me.

5. You want some little changes

You want the show notes in the podcast description rather than in a separate post, you want full post content in RSS, and you want more than eight historical episodes available through iTunes.

The main website is pretty ugly and that bothers some of you (a new one is coming) and you think it's ridiculous that it serves via http. (It is, and that's changing.)

You'd love it if we released merch, but none of that "CafePress junk"; you want it done properly.

One thing you don't want to change is the length. An hour is about right, but some of you would like even more, and a few of you a bit less.

I'll be writing a couple of other blog posts over the next week or two spelling out some of the mooted changes to risky.biz, and what I plan to do with the site in the medium term.

Thanks so much to everyone who filled in the survey!

Risky Business #393 -- So who's Satoshi this week?

And other assorted bits and pieces...

On this week's show -- in addition to covering the latest claims about the true identity of Satoshi Nakamoto -- we're taking a look at a recent deal between a very large bank in Australia and Sydney's University of New South Wales.

Risky Business #392 -- A look at Silverpush with Kevin Finisterre

PLUS: Details of the Risky Business partnership with PacketPushers...

On this week's show we're chatting with Kevin Finisterre about Silverpush -- the creepy ultrasonic audio-beaconing technology used by advertising companies that was in the press a couple of weeks ago. Kevin was all over it and he joins me to discuss the growing overlap between the techniques used by marketers and blackhats.

Risky Business #391 -- Dell fails hard

Banishing laptop shitware needs to be a CSO priority...

On this week's show we're chatting with Darren Kemp of Duo Security. He's one of the authors of a post about the latest example of computer manufacturer shitware introducing catastrophic vulnerabilities into shipped systems. This time it's Dell's turn.

Risky Business #390 -- Crypto derpery abounds in wake of Paris attacks

PLUS: FireEye's Jonathan Wrolstad on WITCHCOVEN...

In this week's feature interview we're checking in with FireEye's Jonathan Wrolstad. He's a threat intelligence guy at FireEye and they've just published a really interesting report about what a threat group is doing in terms of target recon. They're using marketing company tricks to recon all sorts of high value targets. It's very interesting stuff, and it's likely tied to the Russian state.

Risky Business #389 -- US law: CFAA isn't a bug, it's a feature!

Tor Ekeland joins the show to get all lawyerly...

On this week's show we're chatting with computer crime lawyer extraordinaire Tor Ekeland! He's worked on a number of high profile CFAA cases. Most recently he's been defending former Reuters and LA Times journalist Matthew Keys on some pretty hefty CFAA charges. He's also the guy who got Andrew Auernheimer out of jail so he could go and live a free life as a Nazi troll. (Is that really a win?) He also defended Lauri Love... basically, if you're a hacker who's fallen foul of the CFAA, this is the guy you want on your team.
