Podcasts

This week's show is one for the CSOs! It's the economics edition, I guess you'd call it. We'll be chatting with Professor Lawrence Gordon, co-creator of the Gordon Loeb model for Cyber Security investment. We speak to him about contemporary infosec budgets and how spending of $500m a year by some financial institutions in the USA is actually sensible.

We're sticking with the economics theme in this week's feature interview. We'll be chatting with Jonahan Cran, VP of operations for BugCrowd about their recently released Defensive Vulnerability Pricing Model. They've also released their Vulnerability Rating Taxonomy. Both of these documents are really, really interesting, so stay tuned for this week's sponsor interview to hear all about them!

Adam Boileau joins us, as always, to discuss the week's security news.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

As many of you would know, last week I posted a listener survey to SurveyMonkey. I dropped the link on Twitter and then mentioned it in the show. I wasn't really expecting much of a response, but after about a week, 500 of you have already spent the time to fill out the questionnaire. Thanks!

A few of you are a bit nervous that Risky Business is about to radically change. It won't. The plan is to add more content -- yes, sponsored content -- and to leave the main show more or less completely untouched. There will be a maximum of fourteen new individual podcasts added per calendar year. That will bring the total number of podcasts posted in a year to 58 from 44. The addition of those extra, wholly sponsored podcasts will do things like fund an interview booker, producer and researcher. This is going to mean a MUCH better main podcast, and I'd also encourage you to bear with me when it comes to the additional sponsored stuff -- I think I can make it not suck. I'll write another post that spells out these changes in more detail soon.

Back to the survey -- there were two reasons for doing it: To collect a bit more demographic data on listeners for advertisers, as well as get some feedback on possible new content ideas and improvements I could be making to the show. The data collected so far has been pretty interesting. Prior to this survey I've only been able to guess about who my listeners are and how they actually feel about the show. So here's what I've learned after 500 responses:

1. Your demographics are...

The majority of listeners are aged between 35-50, with the remaining listeners are mostly in the 21-35 bracket. 72% of you work in the infosec discipline, and 54% of all listeners have been working in infosec for more than four years.

81% of respondents listen to Risky Business every week. Around a third of you work on staff for a large enterprise and 10% of you work for a federal or state government. There's a smattering of consultants, contractors and engineers in the audience mix and surprisingly, 15% of you are software developers!

Here's something the advertisers will love: 24% of the audience are upper-mid to upper management. That means they're a C-level executive (includes CSO), information security director/manager, IT manager/director or a product security manager. 15% of you work for organisations with large networks -- over 50,000 endpoints.

The overwhelming majority of you (80%) listen to Risky Business during your commute, but some of you listen at home and others sneak in some audio at work.

2. You all love the news segment.

Universally, everyone loves the news segment and finds Adam hilarious. You've noticed that we don't disagree as much as we used to, you miss that friction, and you wish we wouldn't cover things like vendor patches unless they're particularly noteworthy.

It's true. When Adam replaced Munir Kotadia as the regular News Guy seven(ish) years ago, we would often fire up at each other. The thing is, our opinions and perspectives have largely converged over the last (almost) decade.

Adam used to be a pretty rabid beardy hacker guy who held complete disdain for CSOs and big business in general. I used to be a freelance (former staff reporter) newspaper journalist who regarded arguing as a bloodsport.

But these days Adam's a serious biz security consultant who runs a shit-hot professional services firm and I'm someone who realises listening to someone berating their guests in an audio program isn't actually entertaining; you can still draw out uncomfortable truths in an interview without being a dick about it.

The agenda has also changed in that time and there is much more consensus in the infosec community on certain key issues than there used to be. Our arguing each week was a reflection of the bigger argument happening all around us. I like to think we gave a voice to some of these conversations at a time when the majority of the tech media was talking about stuff infosec practitioners weren't actually interested in.

Now the norms are established, there's less to argue about. I agree that it makes for slightly less entertaining listening, but hey, what can you do? A lot of the big issues have simply been worked out.

But we will stop covering patches at the end of the news. A few people have commented that it's the wrong medium for that sort of information and they're absolutely right.

Now for something surprising: All of you love Adam, but some of you like a bit of diversity every now and then in the news segment. You enjoy mixing it up with special news guests like Adam's colleague Mark "Pipes" Piper, HD Moore, Haroon Meer or The Grugq.

This is something for us to work out on this end. Over the last few years Adam has become increasingly busy being a Cyber Hacker Entrepreneur(tm) so he'd probably relish the chance to sit out a few episodes. Or maybe not. We don't know yet.

But don't worry, we'll likely do another survey before we make any changes.

3. You demand the show stays critical of vendors and the industry

It's sad but it's true, it's hard to find media outlets in infosec (and tech in general) that are as critical of the industry as they should be. To tell you the truth, when I first started Risky Business and it actually made money I was stunned. There was no way I thought it would actually *last*. I thought the vendors would figure out that they were paying for us to piss all over them and I'd wind up on some sort of blacklist.

But the thing is, if you do it right, vendors don't mind a little kick in the ass, as long as it's fair, and as long as it's not in the segment they're sponsoring. (Do it in the news beforehand!)

Maintaining editorial independence has always been extremely important to me and it's great to see that it's one of the things the audience values most about the show. I've found it downright amazing that the vendors who pick up the tab also respect that.

Have I ever pulled a punch because of sponsorship arrangements? I'd be lying if I said no. On a few rare occasions over the last decade I have. But in my defence I'd say the punches I've pulled have been cheap shots to begin with.

When it comes to anything substantive I've always played it straight, and I *have* lost a couple of advertisers/sponsors over the years because of critical coverage. But that's what's great about having multiple sponsors. You take a little hit, you keep quiet about it, and you know what? They come back eventually. Hakuna matata.

4. You love/hate the music segment at the end

Results here are proof you can't make everyone happy. People either love the music segment at the end of the show or they flat out hate it. Considering it's right at the end of the program I don't see why the haters get annoyed by it. Just press stop!

But while we're on the topic, it's gotten a lot harder for me to find music for every week's show. I have to find stuff that's sufficiently obscure that I won't wind up sued by rights holders but of sufficient quality to be entertaining. I'm 396 episodes deep and I'm running out of ideas. I don't go to as many gigs as I used to so these days I'm just exposed to less indie music.

So from now on I'll only be including music when I've come across something interesting. I'm going to stop searching for it. The pressure of finding something new every week is getting to me.

5. You want some little changes

You want the show notes in the podcast description not a separate post, you want full post content in RSS and you want more than eight historical episodes available through iTunes.

The main website is pretty ugly and that bothers some of you (a new one is coming) and you think it's ridiculous that it serves via http. (It is, and that's changing.)

You'd love it if we released merch, but none of that "CafePress junk"; you want it done properly.

One thing you don't want to change is the length. An hour is about right, but some of you would like even more, and a few of you a bit less.

I'll be writing a couple of other blog posts over the next week or two spelling out some of the mooted changes to risky.biz, and what I plan to do with the site in the medium term.

Thanks so much to everyone who filled in the survey!

******Here's a link to the Risky Business listener survey. Please take some time to fill it in! It'll really help the show!********

On this week's show we're checking in with HD Moore. He's left Rapid7 after six years and he'll be along to fill us in on his future plans in this week's feature interview. He'll also be reassuring all you Metasploit users out there that he'll be staying involved. He'll talk about a couple of absolutely awful bugs and he'll also weigh in on NorseGate: The implosion of the world's most cybery cyber advanced threat intelligence derpa derpa firm.

This week's show is brought to you by an Australian security consultancy, HackLabs. It's probably worth noting for our American friends that the Australian exchange rate has shifted pretty substantially over the last six months or so... so Australia might be a pretty good place for you to send some app review work!

In this week's sponsor interview HackLabs founder and head honcho Chris Gatford joins us to discuss strategies for administering unmaintained and hideously vulnerable enterprise apps.

Microsoft has end-of-lifed a stack of old IE versions, Oracle is killing the Java browser plugin... this will leave a lot of legacy apps marooned. So what can you do?

Adam Boileau joins us, as always, to discuss the week's security news. He also discusses Java deserialisation attacks that are shaping up as a major attack vector for 2016.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show we've got two feature interviews!

We're talking to Chris Wysopal from Veracode about using static analysis techniques to find back doors in software. With Juniper, AMX, Fortinet and Cisco all experiencing either maliciously planted or accidental backdoors, this is a hot topic. Chris joins us to talk about how you go about finding this stuff and whether or not vendors are taking this issue seriously enough.

We also check in with Martijn Grooten, editor of Virus Bulletin. We're having a quick chat to him about how the AV industry is reacting to Tavis Ormandy's latest research into the security of its products. He's been reporting bugs in all sorts of AV products lately and apparently the disclosures are having an impact.

This week's sponsor interview is a special one -- it's with Haroon Meer of Thinkst Applied Research. Thinkst has released some free tools that generate and track honey tokens. Old ideas made easy and workable... he'll be along to explain his new tech. Personally think this stuff is great.. just great... and of course he'll plug his even more awesome commercial stuff, Canary Tools.

Adam Boileau, as always, drops in for a chat about the week's news headlines.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

In this week's feature interview Facebook CISO Alex Stamos joins us to discuss a few things.

• We'll be talking about moves by both browser developers and some CAs to deprecate SHA1 signed certificates. He says we need to support SHA-1 for now and he explains why soon.
• We're also chatting with him about the Juniper fiasco.
• We also get his thoughts on NSA surveillance now he's responsible for the security of user information at the world's biggest social media platform.

In this week's sponsor interview we chat with Tenable network security CEO Ron Gula about how to collect decent telemetry from both cloud applications and cloud infrastructure services. Just because it's going on outside your network, that doesn't mean you should treat these services as a big blindspot. That's this week's feature interview, with big thanks to Tenable Network Security, this week's sponsor!

Adam Boileau is back this week to discuss the news headlines we missed while we were on break.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show we're chatting with Johns Hopkins University cryptographer Matthew Green about rumblings emanating out of DC with regard to "stopping encryption", whatever the hell that means.

In this week's sponsor interview we're chatting with Oliver Fay from Context about a paper they did in conjunction with UK's CERT about exploit kits. How much do they cost? Are there any that stick out as being particularly good? Or bad, depending on your point of view...

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show -- in addition to covering the latest claims about the true identity of Satoshi Nakamoto -- we're taking a look at a recent deal between a very large bank in Australia and Sydney's University of New South Wales.

UNSW has had a lot of success over the last few years in actually training people to think offensively. They seem to have cracked a formula where others have tried and failed. Now, they've got $1.6m to play with courtesy of the Commonwealth Bank. This could be a model for colleges and universities everywhere. Whether you're a CSO having trouble recruiting good staff or you work in academia, you really want to hear this week's feature interviews with Brendan Hopper and CBA CSO Ben Heyes.

This week's show is brought to you by Bromium.

Bromium makes awesome micro-virtualisation software that really does neutralise the threat of memory corruption exploits in desktop environments. A speed bump for them has been their software requires Intel's virtualisation instruction extensions to work. Well, they've been around long enough now for Bromium to be getting some serious traction at the top end of town. They've also brought out version 3 of their software. with Bromium's Chief Security Architect Rahul Kashyap joins us in this week's sponsor interview to update us on what they've been up to for the last year or so.

The Grugq is in the news chair this week. Adam is busy running Kiwicon in Wellington.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Grugq on Twitter if that's your thing.

On this week's show we're chatting with Kevin Finisterre about Silverpush -- the creepy ultrasonic audio-beaconing technology used by advertising companies that was in the press a couple of weeks ago. Kevin was all over it and he joins me to discuss the growing overlap between the techniques used by marketers and blackhats.

This week's show is brought to you by Bugcrowd, big thanks to them. In this week's sponsor interview Bugcrowd CEO Casey Ellis joins us to discuss more on bug economics -- how do you price bugs? How do you determine bounty pools? It's not as simple as saying, well, XXE's are worth $500 each and XSS $200. The dynamics here are actually a little more complex than that.

Adam Boileau, as always, joins the show to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

On this week's show we're chatting with Darren Kemp of Duo Security. He's one of the authors of a post about the latest example of computer manufacturer shitware introducing catastrophic vulnerabilities into shipped systems. This time it's Dell's turn.

If you haven't heard what they actually did you'll hardly even believe it. That's this week's feature interview.

This week's sponsor guest is Tenable's very own Brian "Jericho" Martin. He's a guy who knows a thing or two about vulnerabilities and the software supply chain. We dodged a bullet with those libpng vulnerabilities of a few weeks ago not really being exploitable. But what if they were? How do you prepare your organisation for some serious bugs dropping in libraries when you're not even sure if you're using that code?

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.

In this week's feature interview we're checking in with FireEye's Jonathan Wrolstad. He's a threat intelligence guy at FireEye and they've just published a really interesting report about what a threat group is doing in terms of target recon. They're using marketing company tricks to recon all sorts of high value targets. It's very interesting stuff, and it's likely tied to the Russian state.

This week's show is brought to you by Senetas Security, makers of terrific layer 2 encryption gear. Senetas CTO Julian Fay stops by in this week's sponsor interview to chat about Network Function Virtualisation. It's a new twist on a concept that's been around for a while. It's getting a second wind thanks to some work being done at Etsy, of all places.

Don't forget you can now support the Risky Business page via our Patreon campaign.

Oh, and do add Patrick and Adam on Twitter if that's your thing.