Podcasts

On this week's show we're chatting with David Wells. He's ex GCHQ and ASD but these days he's a counterterrorism boffin with the Lowy Institute. He's joining us to discuss the IS document leak. Depending on which story you read its either the death of the organisation or it won't do anything at all to disrupt it. We get David's thoughts on what this leak will actually for the so-called Caliphate.

In this week's sponsor interview we're doing something a bit different.. following on from last week's interview with Re/Code's Arik Hesseldahl we're chatting with Tenable's CFO, Steve Vintz.

And you know what? It's really interesting getting his perspectives on what's happening in the BUSINESS of security -- the type of analysis a guy like Steve does is different from how security people do it, and he's got some really interesting perspectives on what 2016 could bring. Long story short? Expect consolidation among smaller vendors as CSOs look to trim the number of vendors in their supply chain.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show we're chatting with re/code's senior editor and "enterprise dude" Arik Hesseldahl about the business of infosec. Information security related stocks and shares are tanking on indexes all over the world... why? How can this be happening in a $75bn sector that is tipped to grow into a $175bn sector in the next four years?

Arik will join us with the skinny on that. But don't panic, tanking infosec share prices might be a good thing for the discipline. We'll find out why a bit later on.

In this week's sponsor interview we chat with BugCrowd CEO Casey Ellis.

This week Casey joins us to discuss the Pentagon's decision to open up a bounty program.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show we get into a serious technical discussion about deserialisation attacks with with one of Adam Boileau's colleagues, Brendan Jamieson about the biggest issue in infosec that no one is talking about -- deserialisation vulnerabilities and their exploitation.

This attack class is a serious problem in enterprise environments thanks to the release of the YSoSerial tool about a year ago. Pen-testers who are across this bug class are finding issues everywhere they look, and hardly anyone is talking about it. But we do, this week.

Also this week we'll chat with Chris Gatford, the big Kahuna over at this week's sponsor HackLabs. I was talking to Chris recently and he mentioned that cryptolocker ransomware really isn't just affecting consumers anymore.

There was the recent news about a hospital in California that got hosed by ransomware, but I always thought that was the exception to the rule and that consumers were the most likely group to be affected by this stuff. Nope, wrong. Ransomware is getting inside corporate networks and causing all sorts of drama, Chris joins us soon to talk about that. Big thanks to HackLabs for its sponsorship of this week's show!

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's podcast we'll hear from Daniel Hodson of Elttam Security here in Australia. Daniel and his business partner Matt Jones have been looking into the security of messaging software that has recommended by the EFF. Does a bunch of ticks from the EFF actually say much about app security? Well, not really, as it turns out.

In this week's sponsor interview we hear from Senetas co-founder and CTO Julian Fay. Senetas, of course, make layer 2 encryption equipment. They'll be releasing a 100Gbps full line rate encryption box soon, they make awesome kit. But this week Julian joins us to weigh in, briefly, on the Apple vs FBI mess, as well as to have a discussion about some interesting use cases he's seen for layer two stuff lately.

Adam Boileau, as always, will also pop in to discuss the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show we chat with Dan Guido from Trail of Bits about the stoush between Apple and the US department of justice.

In this week's sponsor interview we speak with Cris Thomas, a.k.a. Space Rogue. Cris works for Tenable Network Security, this week's sponsor, and he joins us in this week's podcast to talk about NIST's cyber security framework.

Adam Boileau joins the show to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

This week's show is one for the CSOs! It's the economics edition, I guess you'd call it. We'll be chatting with Professor Lawrence Gordon, co-creator of the Gordon Loeb model for Cyber Security investment. We speak to him about contemporary infosec budgets and how spending of $500m a year by some financial institutions in the USA is actually sensible.

We're sticking with the economics theme in this week's feature interview. We'll be chatting with Jonahan Cran, VP of operations for BugCrowd about their recently released Defensive Vulnerability Pricing Model. They've also released their Vulnerability Rating Taxonomy. Both of these documents are really, really interesting, so stay tuned for this week's sponsor interview to hear all about them!

Adam Boileau joins us, as always, to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

As many of you would know, last week I posted a listener survey to SurveyMonkey. I dropped the link on Twitter and then mentioned it in the show. I wasn't really expecting much of a response, but after about a week, 500 of you have already spent the time to fill out the questionnaire. Thanks!

A few of you are a bit nervous that Risky Business is about to radically change. It won't. The plan is to add more content -- yes, sponsored content -- and to leave the main show more or less completely untouched. There will be a maximum of fourteen new individual podcasts added per calendar year. That will bring the total number of podcasts posted in a year to 58 from 44. The addition of those extra, wholly sponsored podcasts will do things like fund an interview booker, producer and researcher. This is going to mean a MUCH better main podcast, and I'd also encourage you to bear with me when it comes to the additional sponsored stuff -- I think I can make it not suck. I'll write another post that spells out these changes in more detail soon.

Back to the survey -- there were two reasons for doing it: To collect a bit more demographic data on listeners for advertisers, as well as get some feedback on possible new content ideas and improvements I could be making to the show. The data collected so far has been pretty interesting. Prior to this survey I've only been able to guess about who my listeners are and how they actually feel about the show. So here's what I've learned after 500 responses:

1. Your demographics are...

The majority of listeners are aged between 35-50, with the remaining listeners are mostly in the 21-35 bracket. 72% of you work in the infosec discipline, and 54% of all listeners have been working in infosec for more than four years.

81% of respondents listen to Risky Business every week. Around a third of you work on staff for a large enterprise and 10% of you work for a federal or state government. There's a smattering of consultants, contractors and engineers in the audience mix and surprisingly, 15% of you are software developers!

Here's something the advertisers will love: 24% of the audience are upper-mid to upper management. That means they're a C-level executive (includes CSO), information security director/manager, IT manager/director or a product security manager. 15% of you work for organisations with large networks -- over 50,000 endpoints.

The overwhelming majority of you (80%) listen to Risky Business during your commute, but some of you listen at home and others sneak in some audio at work.

2. You all love the news segment.

Universally, everyone loves the news segment and finds Adam hilarious. You've noticed that we don't disagree as much as we used to, you miss that friction, and you wish we wouldn't cover things like vendor patches unless they're particularly noteworthy.

It's true. When Adam replaced Munir Kotadia as the regular News Guy seven(ish) years ago, we would often fire up at each other. The thing is, our opinions and perspectives have largely converged over the last (almost) decade.

Adam used to be a pretty rabid beardy hacker guy who held complete disdain for CSOs and big business in general. I used to be a freelance (former staff reporter) newspaper journalist who regarded arguing as a bloodsport.

But these days Adam's a serious biz security consultant who runs a shit-hot professional services firm and I'm someone who realises listening to someone berating their guests in an audio program isn't actually entertaining; you can still draw out uncomfortable truths in an interview without being a dick about it.

The agenda has also changed in that time and there is much more consensus in the infosec community on certain key issues than there used to be. Our arguing each week was a reflection of the bigger argument happening all around us. I like to think we gave a voice to some of these conversations at a time when the majority of the tech media was talking about stuff infosec practitioners weren't actually interested in.

Now the norms are established, there's less to argue about. I agree that it makes for slightly less entertaining listening, but hey, what can you do? A lot of the big issues have simply been worked out.

But we will stop covering patches at the end of the news. A few people have commented that it's the wrong medium for that sort of information and they're absolutely right.

Now for something surprising: All of you love Adam, but some of you like a bit of diversity every now and then in the news segment. You enjoy mixing it up with special news guests like Adam's colleague Mark "Pipes" Piper, HD Moore, Haroon Meer or The Grugq.

This is something for us to work out on this end. Over the last few years Adam has become increasingly busy being a Cyber Hacker Entrepreneur(tm) so he'd probably relish the chance to sit out a few episodes. Or maybe not. We don't know yet.

But don't worry, we'll likely do another survey before we make any changes.

3. You demand the show stays critical of vendors and the industry

It's sad but it's true, it's hard to find media outlets in infosec (and tech in general) that are as critical of the industry as they should be. To tell you the truth, when I first started Risky Business and it actually made money I was stunned. There was no way I thought it would actually *last*. I thought the vendors would figure out that they were paying for us to piss all over them and I'd wind up on some sort of blacklist.

But the thing is, if you do it right, vendors don't mind a little kick in the ass, as long as it's fair, and as long as it's not in the segment they're sponsoring. (Do it in the news beforehand!)

Maintaining editorial independence has always been extremely important to me and it's great to see that it's one of the things the audience values most about the show. I've found it downright amazing that the vendors who pick up the tab also respect that.

Have I ever pulled a punch because of sponsorship arrangements? I'd be lying if I said no. On a few rare occasions over the last decade I have. But in my defence I'd say the punches I've pulled have been cheap shots to begin with.

When it comes to anything substantive I've always played it straight, and I *have* lost a couple of advertisers/sponsors over the years because of critical coverage. But that's what's great about having multiple sponsors. You take a little hit, you keep quiet about it, and you know what? They come back eventually. Hakuna matata.

4. You love/hate the music segment at the end

Results here are proof you can't make everyone happy. People either love the music segment at the end of the show or they flat out hate it. Considering it's right at the end of the program I don't see why the haters get annoyed by it. Just press stop!

But while we're on the topic, it's gotten a lot harder for me to find music for every week's show. I have to find stuff that's sufficiently obscure that I won't wind up sued by rights holders but of sufficient quality to be entertaining. I'm 396 episodes deep and I'm running out of ideas. I don't go to as many gigs as I used to so these days I'm just exposed to less indie music.

So from now on I'll only be including music when I've come across something interesting. I'm going to stop searching for it. The pressure of finding something new every week is getting to me.

5. You want some little changes

You want the show notes in the podcast description not a separate post, you want full post content in RSS and you want more than eight historical episodes available through iTunes.

The main website is pretty ugly and that bothers some of you (a new one is coming) and you think it's ridiculous that it serves via http. (It is, and that's changing.)

You'd love it if we released merch, but none of that "CafePress junk"; you want it done properly.

One thing you don't want to change is the length. An hour is about right, but some of you would like even more, and a few of you a bit less.

I'll be writing a couple of other blog posts over the next week or two spelling out some of the mooted changes to risky.biz, and what I plan to do with the site in the medium term.

Thanks so much to everyone who filled in the survey!

******Here's a link to the Risky Business listener survey. Please take some time to fill it in! It'll really help the show!********

On this week's show we're checking in with HD Moore. He's left Rapid7 after six years and he'll be along to fill us in on his future plans in this week's feature interview. He'll also be reassuring all you Metasploit users out there that he'll be staying involved. He'll talk about a couple of absolutely awful bugs and he'll also weigh in on NorseGate: The implosion of the world's most cybery cyber advanced threat intelligence derpa derpa firm.

This week's show is brought to you by an Australian security consultancy, HackLabs. It's probably worth noting for our American friends that the Australian exchange rate has shifted pretty substantially over the last six months or so... so Australia might be a pretty good place for you to send some app review work!

In this week's sponsor interview HackLabs founder and head honcho Chris Gatford joins us to discuss strategies for administering unmaintained and hideously vulnerable enterprise apps.

Microsoft has end-of-lifed a stack of old IE versions, Oracle is killing the Java browser plugin... this will leave a lot of legacy apps marooned. So what can you do?

Adam Boileau joins us, as always, to discuss the week's security news. He also discusses Java deserialisation attacks that are shaping up as a major attack vector for 2016.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show we've got two feature interviews!

We're talking to Chris Wysopal from Veracode about using static analysis techniques to find back doors in software. With Juniper, AMX, Fortinet and Cisco all experiencing either maliciously planted or accidental backdoors, this is a hot topic. Chris joins us to talk about how you go about finding this stuff and whether or not vendors are taking this issue seriously enough.

We also check in with Martijn Grooten, editor of Virus Bulletin. We're having a quick chat to him about how the AV industry is reacting to Tavis Ormandy's latest research into the security of its products. He's been reporting bugs in all sorts of AV products lately and apparently the disclosures are having an impact.

This week's sponsor interview is a special one -- it's with Haroon Meer of Thinkst Applied Research. Thinkst has released some free tools that generate and track honey tokens. Old ideas made easy and workable... he'll be along to explain his new tech. Personally think this stuff is great.. just great... and of course he'll plug his even more awesome commercial stuff, Canary Tools.

Adam Boileau, as always, drops in for a chat about the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

In this week's feature interview Facebook CISO Alex Stamos joins us to discuss a few things.

• We'll be talking about moves by both browser developers and some CAs to deprecate SHA1 signed certificates. He says we need to support SHA-1 for now and he explains why soon.
• We're also chatting with him about the Juniper fiasco.
• We also get his thoughts on NSA surveillance now he's responsible for the security of user information at the world's biggest social media platform.

In this week's sponsor interview we chat with Tenable network security CEO Ron Gula about how to collect decent telemetry from both cloud applications and cloud infrastructure services. Just because it's going on outside your network, that doesn't mean you should treat these services as a big blindspot. That's this week's feature interview, with big thanks to Tenable Network Security, this week's sponsor!

Adam Boileau is back this week to discuss the news headlines we missed while we were on break.

Oh, and do add Patrick and Adam on Twitter if that's your thing.