Podcasts

News, analysis and commentary

Risky Business #63 -- Gutmann gleeful, Ranum raves

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

This week's edition of Risky Business is sponsored by Tenable Network Security and hosted by Vigabyte virtual hosting.

This week we're back to normal programming after attending AusCERT's annual conference last week. In all, the Risky Business crew managed to put up 21 podcasts over five days, featuring interviews and full presentations. Check it out here.

On this week's show, however, we hear from Peter Gutmann. You've heard Peter argue in these podcasts (part 1, part 2) that the idea that hundreds of dedicated open source fans are busy auditing code for security bugs, right now, is fanciful to say the least.

In light of the Debian disaster, we thought we'd touch base with Peter again to see if there's anything that can be done to incentivise the discovery of open source bugs.

Also on this week's show, security legend and Tenable CSO Marcus Ranum joins us in this week's sponsor interview. Marcus joined us to talk about innovation -- or the lack thereof -- in the security industry. It's a case of the same old solutions to the same old problems.

And of course, Munir Kotadia from ZDNet Australia pops in to chew the fat with host Patrick Gray in our regular news segment.

PRESENTATION: Daniel Klein -- Your life may depend on security

Presented by

Patrick Gray

CEO and Publisher

In this AusCERT talk self-described security geek Daniel Klein paints a disturbingly bleak picture of the state of IT security.

It's a shame this is just an audio presentation -- the slides he was showing were quite funny -- usually photos of stupid people doing stupid things. But the talk is definitely worth listening to.

PRESENTATION: The bug marketplace with Charles Miller

Presented by

Patrick Gray

CEO and Publisher

In this AusCERT presentation, Independent Security Evaluators' Charles Miller discusses the bug marketplace.

Miller is well known as an iPhone hacker and winner of this year's PWN2OWN competition in Las Vegas. This talk gives us a rare insight into the legal bug trading environment, which is usually obscured by non-disclosure agreements and general paranoia.

PRESENTATION: "All singing all dancing" Cyberstorm II -- Steve Stroud, Attorney General's Department

Presented by

Patrick Gray

CEO and Publisher

In this quick AusCERT presentation, the Australian Attorney General Department's Steve Stroud talks about Cyberstorm II -- the global cyber war game. Cyberstorm is a full-scale war game involving governments and private sector organisations from Canada, USA, Australia, Britain and New Zealand. It's designed to test the resilience of our infrastructure under a full-blown cyber attack.

As you'll hear, most organisations didn't follow their incident response plans during the exercise -- they were too busy putting out spot fires to notice the whole house was on fire.

INTERVIEW: How to destroy the Internet with Danny McPherson

Presented by

Patrick Gray

CEO and Publisher

In this interview Risky Business spoke to Arbor Networks' Chief Research Officer, Danny McPherson. Danny also serves on the MPLScon Advisory Board, the FCC's Network Reliability and Interoperability Council (NRIC) and is active in the network and security operations and research communities. He's a bizarre hybrid -- a twisted split between a security guy and a network guy!

In February Danny enjoyed 15 minutes of fame of sorts when he blogged about a snafu at a Pakistani ISP that saw YouTube knocked offline for two hours.

Globally.

The Pakistani ISP had been asked by the government to block YouTube. An admin decided to blackhole it with a BGP announce. Unfortunately, routers upstream from the Pakistani ISP swallowed the BGP announce as well, and the whole thing propagated around the world until YouTube was completely offline.

So in this interview I spoke to Danny about the Internet as critical infrastructure -- as you'll hear, he believes the way the internet address space is configured gives the bad guys a little wiggle room when it comes to routing attacks.

INTERVIEW: David Weisbrot, Australian Law Reform Commission, on privacy law

Presented by

Patrick Gray

CEO and Publisher

In this interview, Australian Law Reform Commission President David Weisbrot talks privacy law. The ALRC has been asked to recommend changes to existing privacy laws in Australia, and its report is due to be handed to the Attorney General next week.

It looks almost certain that Australia will get mandatory data breach disclosure laws similar to those introduced in the USA. But, as you'll hear, disclosure of data loss will only be mandatory if there's a serious risk the information will be misused. It's a different approach.

Risky Business AusCERT Special -- Day two coverage is now live!

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

We've added more coverage from AusCERT's 2008 conference. You can download it here.

Day two coverage features interviews and presentations from:

  • David Litchfield, NGS Software
  • Bill Cheswick, AT&T
  • Kimberly Zenz, iDefense's Russia expert
  • Colin Whittaker, Head of Security for APACS, the UK payments association

PRESENTATION: iDefense Russia expert Kimberly Zenz on cybercrime

Presented by

Patrick Gray

CEO and Publisher

In this AusCERT presentation, iDefense's Kimberly Zenz talks about Russian cyber crime.

Zenz is iDefense's Russia analyst. She speaks multiple languages -- including fluent Russian -- and routinely travels into interesting places all around the world in an effort to understand the who and the why behind cyber attacks. She's an expert on the Russian Business Network and Russian electronic fraud in general.

PRESENTATION: Colin Whittaker, APACS Head of Security, talks biometrics...

Presented by

Patrick Gray

CEO and Publisher

Welcome to this special audio presentation from AusCERT. In the following presentation you'll hear Colin Whittaker, the head of security for APACS, the UK payments association, trying to determine whether biometrics are really ready for use in banking and payments.

INTERVIEW: Kimberly Zenz, iDefense Russia analyst

Presented by

Patrick Gray

CEO and Publisher

Here Risky Business host Patrick Gray talks to Kimberly Zenz, iDefense's Russia expert. You can hear her full AusCERT presentation here. In this interview we find out how Zenz, based in the USA, became a recognised expert on Russian cybercrime, and where she sees malware hosting providers like the Russian Business Network heading.
