Podcasts

In addition to covering the end of the world, this week's Risky Business features Don Bailey of Lab Mouse Security on his excellent IoT blog post, written largely in response to a Daily Dave post by Dave Aitel on so-called "junk hacking".

This week's show is brought to you by Context Information Security, big thanks to them! And in this week's sponsor interview we chat with Context's director of research Michael Jordon about his adventures in getting old computer games to work on printer screens. It's actually pretty cool.

In this week's show we chat with The Grugq about the latest invisible.im announcement and we'll also meet the creator of the Ricochet anonymous messenger software, John Brooks.

In this week's sponsor interview we chat with Senetas CTO Julian Fay about an interesting paper on defeating traffic analysis attacks against encrypted cloud storage, and also a "sign of the times" Kickstarter... a group has managed to get a weird little crypto device funded... basically a hardware crypto module. You plug your phone in on one end and your headset in on the other. They've raised over $40k, but who's going to use this?

Before we get started, Ricochet *isn't* ready for mass consumption. It's a really great starting point, but it's currently unaudited and we're making some big changes to it in the next couple of months that will render it incompatible with current versions. If you're still curious, you can download the binaries anyway and have a play with it.

The biggest change is a reimplementation of the comms protocol Ricochet uses to enable chats. The current protocol is a custom binary thing that John Brooks knocked together and a group decision was made to move to something based on a serialisation library like protobuf. John is working on that now under the guidance of HD Moore and The Grugq.

The new protocol will basically be more resistant to attacks. We want Ricochet to be a secure tool, and we must stress that currently it is unaudited. We're planning a code-scan and an informal audit by the invisible.im team, but that hasn't been done yet. So, you know, use a VM if you're the paranoid type.

We're also adding a file transfer capability. John's working full time on both of these features, which should ship around mid November.

After that release we'll look at tightening up the code and shaking out security bugs. The upshot is, from around February next year you'll be able to download a reasonably secure, anonymous chat utility you can use to transfer files.

You can read the Wired story for the background on Ricochet and how the invisible.im team wound up joining forces with John Brooks. But I wanted to spell out the base motivations behind the invisible.im project here in this post.

I've been an information security journalist since around 2001, when I started submitting occasional infosec stories to The Age newspaper in Melbourne. I went full time with journalism in 2002, worked in the ZDNet newsroom (with a fantastic team -- James Pearce, Andrew Colley and Iain Ferguson) in 2003 before going full-time freelance.

I wrote for the Fairfax papers, ZDNet, Wired, Australian Men's Style and a bunch of others, before launching the Risky Business podcast in 2007. It's been my main gig ever since.

During my time in media I've seen some pretty incredible stuff. I've witnessed the rapid decline of newspapers over the last 10 years as they've succumbed to ad dollars going online. And I've also observed the effect readily accessible metadata has had on journalism.

Governments used to respect the media. Not because they admired the role of the media as the fourth estate, but because they knew the media could hurt them. With the fragmentation of the media landscape, that power has been substantially diluted. It's now much more common for authorities to investigate trivial (but inconvenient) leaks -- both from the corporate and government sector -- and the Wikileaks/Manning fiasco of 2010 only served to accelerate the trend.

Every time a source picks up a telephone to call a journalist, there's a record of it. Every time they email, IM, Skype or SMS a journalist, there's a record of it. Authorities can access these metadata records without court issued warrants, and they frequently do. A polite request on a letterhead is all they need.

They won't be able to access the content of those communications without a warrant, but if I publish a story about a leak from the Attorney General's Department and authorities can see that I spoke to someone from AG the day prior, my source is still burned.

Make no mistake: There are serious news and public interest stories that are going unreported because of this.

I founded invisible.im because it solves a need that I've identified in my work -- I need sources to feel confident that they can contact me with public interest information and not be identified by a metadata trail.

Because Ricochet is serverless, there's simply no third party to request metadata from.

This project will, of course, also be of great benefit to non-journalists. People in oppressive regimes can use Ricochet to shield themselves from passive state surveillance. We think there's a lot of promise there, and we'd like to translate the software into languages like Farsi so ordinary people can conduct their risky conversations a little bit more safely.

A lot of people will spend a lot of time asking whether invisible.im is an "NSA-proof" tool. We can't create an "NSA-proof" tool, and we're not claiming Ricochet is, despite the headline on the Wired piece that suggests otherwise.

What we can do is make sure it requires difficult, time consuming, and targeted effort to identify Ricochet users' associations and intercept their chats. We'll also make retrospective identification of leakers by lesser agencies (state police, for example) more or less impossible. (Well, if they're identified it's not because they used Ricochet.)

And while Ricochet may not be "NSA-proof", it certainly makes mass surveillance of its users very, very difficult. Remember that story about the GCHQ grabbing everyone's IM contact lists off the wire as they flew past? Yeah, good luck doing that with Ricochet.

But what about the "tear-rists", I hear you ask?

Well, we're yet to see evidence that mass surveillance has been responsible for any significant wins in the counter terrorism arena. And running Ricochet on your box isn't going to stop the NSA owning you sideways with 0day if you're a legitimate target. Once you're owned you're owned. If you're running Ricochet, the NSA (or equivalent agency) can still map out your IM contacts. But the nice thing is you have to be a target before they own you and do this to you. Until they access your machine, the only person who has your Ricochet contact list is you. Not your IM provider, not your telco. Just you.

I hope this post does something to help people understand why I decided to get involved and bring together some of the smartest people I know to tackle this problem. Invisible.im is seeking to solve a real world problem -- too much metadata is accessible to too many corporate entities and government agencies.

Simple, really.

You can flame Patrick Gray on Twitter.

On this week's show we've got a great interview with Haroon Meer of Thinkst. Thinkst has a paid service that analysis the output of security conferences and puts together reports. Now, some of you might wonder why such a service would be needed, so let's put things in perspective: there were 2,700 conference presentations in the second quarter of this year at 116 events over 140 conference days. Yikes!

Haroon will be along in a bit to talk about the conference content boom, and he's also made their latest report free for Risky Business listeners! As I say, it's part of Thinkst's paid subscription service, so you'd be nuts not to grab it.

This week's show is brought to you by Tenable Network Security, thanks to the guys and gals over there. In this week's sponsor interview we're chatting with Paul Asadoorian, Tenable's product marketing manager for Nessus.

Paul is also well known as the host of the security weekly podcast! It's an infosec podcast with a massive audience that you've no doubt heard of.

We're chatting with Paul about embedded devices. He co-wrote a book on hacking the WRT54g home wireless gateway some years ago and he's gearing up to teach a SANS course on embedded device assessments. So yeah, Paul's going to stop by and discuss the state of all things embedded.

I'm back from a two week holiday in beautiful Indonesia, so we'll be spending most of this show catching up on what I missed while I was away! So there's plenty of news to talk about with Adam Boileau, and also a chat about some very interesting politicking going on in New Zealand.

A hacker going by the name of Whaledump has been dropping leaked emails and documents all over the place that are causing all sorts of headaches for the government. If that wasn't enough, Kim Dot Com has jumped into the fray... apparently he has a big reveal coming on September 15th that could change the course of the NZ election campaign. Is this the future of democracy?

This week's show is brought to you by BugCrowd, big thanks to them.

We'll be chatting with BugCrowd head honcho Casey Ellis all about the skills shortage in infosec, particularly in testing. People interested in a career in infosec are using platforms like BugCrowd as a proving ground, but will that pipeline be enough to satiate the demand for talent out there?

Here is the portion of my interview with Brian Snow that I didn't have room for in the main show. Snow is concerned that quantum computing breakthroughs are closer than we think and could invalidate much of the technology we depend on to secure data.

This is a recording of a panel I hosted at the Splendour in the Grass music festival forum. It features NSA whistleblower Thomas Drake, WA Greens Senator Scott Ludlam, Underground author Suelette Dreyfus and Edward Snowden's attorney Jesselyn Radack.

On this week's show we're having an extended chat with 34-year NSA veteran Brian Snow. During his career he rose to director level -- he acted as technical director of three divisions within the agency -- before he retired in 2006.

Brian joins us to talk about the Snowden disclosures and how the NSA's culture changed post 9/11.

Brian also had some great comments on quantum crypto concerns that I've broken out into a separate podcast - I've put that one in the RB2 feed along with a recording of a panel I hosted at the Splendour in the Grass music festival a few weeks ago. You can find them in the RB2 feed.

This week's show is brought to you by Tenable Network Security, thanks to them, and in this week's sponsor interview we're chatting with Tenable CEO Ron Gula about continuous monitoring.

Adam Boileau joins us for this week's news, as does special guest Andrew Colley.

We've got an absolute cracker of a show for you this week. I've let it run longer than usual because we've just got some great news and interviews this week.

Our feature interview is with Alex Stamos, Yahoo's CISO. We hear from him on what his job looks like -- Yahoo has a billion users and its business and technology is incredibly diverse. So what has Alex been up to since he took the helm earlier this year? Tune in to find out!

In this week's sponsor interview we chat with Rahul Kashyap, Bromium's Chief Security Architect. Bromium has taken a look at endpoint exploitation trends and it might surprise you to know that in 2014 there have been more public exploits for IE than for Java!

In this week's feature interview we're chat with Catherine Pearce of Neohapsis about some research she'll be presenting at BlackHat next week with her colleague Patrick Thomas. They're doing a talk all about Multipath TCP, and yes, it's exactly what it sounds like and yes, it's great for doing stuff like IDS evasion and confusing firewalls.

In this week's sponsor interview we speak with Senetas CTO Julian Fay about the so-called BADA55 paper. Senetas is about to ship elliptic curve algos with its gear -- is it reconsidering now we know that elliptic curves can be subverted? No way! Tune in to find out why.