Risky Business Podcast

Analysis and news podcasts published weekly

Risky Business Extra: Senator Scott Ludlam on mandatory metadata retention

Presented by

Patrick Gray

CEO and Publisher

Adam Boileau

Technology Editor

Senator Scott Ludlam of the Greens party is the only Australian politician kicking up a stink about the government's metadata retention bill. And we're glad about that: it's a pretty defective bill, even if some recent amendments recommended by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) have made it much more palatable.

Scott was passing through my town last week campaigning on behalf of the local Greens state election candidate for Ballina -- the NSW election is coming up at the end of March. So, we caught up and did this interview all about the latest with the bill and the politics behind it.

The Greens' full metadata video is here.

Check out the full text of Scott's senate speech here.

Risky Business #356 -- Crypto Wars 2.0 with guest Alex Stamos

This week's feature interview is with Alex Stamos, CISO of Yahoo. Alex did a fantastic AppSec keynote in early February that I wanted to ask him about, so we booked this interview a couple of weeks ago.

Then, last week, Alex made the news. Big time.

While on a panel with Admiral Mike Rogers, Alex challenged the NSA chief on the government's apparent desire to mandate the introduction of interception capabilities into products made by technology companies.

Alex asked if companies that agreed to introduce back doors for the US government should also agree to provide similar back doors to other countries as well, ones that might not be democratic. From there, there was some to and fro.

It was a cordial exchange but it was written up as a stoush.

Alex joined me via Skype to discuss that exchange, security at scale and bug bounties.

It's time for this week's sponsor interview now with Julian Fay, CTO and co-founder of Senetas, makers of fine, fine hardware security equipment.

Julian joined me this week to discuss a raft of crypto news, starting off with the Freak vulnerability, which, as best I can tell, isn't actually a giant fireball heading towards earth, despite what some of the tech press might be saying.

Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

Google quietly backs away from encrypting new Lollipop devices by default [Updated] | Ars Technica
http://arstechnica.com/gadgets/2015/03/google-quietly-backs-away-from-en...

Buyout puts supersecure Blackphone in one company's hands - CNET
http://www.cnet.com/news/silent-circle-buys-out-secure-blackphone-hardwa...

There's Now a Free iPhone App That Encrypts Calls and Texts | WIRED
http://www.wired.com/2015/03/iphone-app-encrypted-voice-texts/

Sailfish Secure wants to be an Android alternative safe from spies' prying eyes - CNET
http://www.cnet.com/news/sailfish-secure-wants-to-be-an-android-alternat...

Tim Cook to governments: Lay off our privacy - CNET
http://www.cnet.com/news/tim-cook-to-governments-lay-off-our-privacy/

US court rubber-stamps dragnet metadata surveillance (again) • The Register
http://www.theregister.co.uk/2015/03/02/dragnet_metadata_surveillance_ex...

Komodia Certificate Manipulation Enabled Man-In-The-Middle Attacks | Threatpost | The first stop for security news
http://threatpost.com/komodia-certificate-manipulation-likely-led-to-man...

Lenovo.com hijack reportedly pulled off by hack on upstream registrar | Ars Technica
http://arstechnica.com/security/2015/02/lenovo-com-hijack-reportedly-pul...

More IoT insecurity: This Blu-ray disc pwns PCs and DVD players | Ars Technica
http://arstechnica.com/security/2015/03/more-iot-insecurity-this-blu-ray...

In major goof, Uber stored sensitive database key on public GitHub page | Ars Technica
http://arstechnica.com/security/2015/03/in-major-goof-uber-stored-sensit...

50,000 Uber driver names, license numbers exposed in a data breach | Ars Technica
http://arstechnica.com/business/2015/02/50000-uber-driver-names-license-...

Apple Pay a haven for 'rampant' credit card fraud, say experts • The Register
http://www.theregister.co.uk/2015/03/03/apple_pay_plastic_fraud/

Credit Card Breach at Mandarin Oriental - Krebs on Security
http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-orien...

Iran hacks America where it hurts: Las Vegas casinos • The Register
http://www.theregister.co.uk/2015/02/27/iran_behind_us_casino_hack/

Alleged Aussie Anon hauled in for Indonesia phone tap hacking spat • The Register
http://www.theregister.co.uk/2015/02/27/alledged_aussie_anon_hauled_in_f...

Hospital Sues Bank of America Over Million-Dollar Cyberheist - Krebs on Security
http://krebsonsecurity.com/2015/03/hospital-sues-bank-of-america-over-mi...

Natural Grocers Investigating Card Breach - Krebs on Security
http://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-br...

Government moves quickly to adopt metadata retention law review recommendations
http://www.smh.com.au/it-pro/government-it/government-moves-quickly-to-a...

Federal MPs hit in phone prank | Herald Sun
http://www.heraldsun.com.au/news/federal-mps-hit-in-phone-prank/story-fn...

Seagate Business NAS Firmware Vulnerabilities Disclosed | Threatpost | The first stop for security news
http://threatpost.com/seagate-business-nas-firmware-vulnerabilities-disc...

D-Link Working on Firmware Updates for Three Critical Bugs | Threatpost | The first stop for security news
http://threatpost.com/d-link-working-on-firmware-updates-for-three-criti...

Spam Uses Default Passwords to Hack Routers - Krebs on Security
http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-r...

Firefox 37 to Include New OneCRL Certificate Blocklist | Threatpost | The first stop for security news
http://threatpost.com/firefox-37-to-include-new-onecrl-certificate-block...

Patrick Gray on the State of Security and State Security | Threatpost | The first stop for security news
http://threatpost.com/patrick-gray-on-the-state-of-security-and-state-se...

New Zealand Spies on Neighbors in Secret 'Five Eyes' Global Surveillance - The Intercept
https://firstlook.org/theintercept/2015/03/04/new-zealand-gcsb-surveilla...

Snowden revelations / The price of the Five Eyes club: Mass spying on friendly nations - National - NZ Herald News
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11411759

"FREAK" flaw in Android and Apple devices cripples HTTPS crypto protection | Ars Technica
http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-...

Surveillance-based manipulation: How Facebook or Google could tilt elections | Ars Technica
http://arstechnica.com/security/2015/02/surveillance-based-manipulation-...

House committee subpoenas Clinton emails in Benghazi probe
http://bigstory.ap.org/article/b78ba433af3a45209668f745158d994c/clinton-...

AppSec is Eating Security - Opening Keynote - AppSec California 2015 - Alex Stamos - YouTube
https://www.youtube.com/watch?v=-1kZMn1RueI

Here's how the clash between the NSA Director and a senior Yahoo executive went down. - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/23/heres-how-t...

Senetas
http://www.senetas.com/

Rainy Day Women | triple j Unearthed
https://www.triplejunearthed.com/artist/rainy-day-women

Risky Business #355 -- Gemalto op exposes cellphone crypto flaws

On this week's show we're speaking with Philippe Langlois. You may remember him as the founder of Qualys in the 90s, but these days he's the CEO and founder of P1 Security, a telecommunications security firm. He'll be joining us to discuss the NSA and GCHQ operation against SIM card manufacturer Gemalto.

Last week The Intercept reported on some Snowden dox that said NSA and GCHQ were basically scooping up SIM card private keys from anywhere they could, including from within Gemalto's network. Because cellphone encryption schemes are symmetric, this is bad. It's very, very bad. We'll talk to Philippe about that.

This week's show is sponsored by Palo Alto Networks, big thanks to them. PAN CSO Rick Howard will be along in this week's sponsor interview to talk about one of his passion projects, the Cybersecurity Canon. It's basically his book club idea that PAN is now sponsoring and it's got a LOT of potential. Find out how you can get involved in this week's sponsor interview, with big thanks to Palo Alto Networks.

Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Show notes

The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

PCS Harvesting at Scale - The Intercept
https://firstlook.org/theintercept/document/2015/02/19/pcs-harvesting-sc...

Gemalto Doesn't Know What It Doesn't Know - The Intercept
https://firstlook.org/theintercept/2015/02/25/gemalto-doesnt-know-doesnt...

Lenovo Superfish Certificate Password Cracked | Threatpost | The first stop for security news
http://threatpost.com/lenovo-superfish-certificate-password-cracked/111165

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated] | Ars Technica
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-...

How to remove the Superfish malware: What Lenovo doesn't tell you | Ars Technica
http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malw...

Get your Snort rules here: SuperFish Detection - SquareLemon
http://blog.squarelemon.com/blog/2015/02/20/superfish-detection/

Security software found using Superfish-style code, as attacks get simpler | Ars Technica
http://arstechnica.com/security/2015/02/security-software-found-using-su...

Here's how the clash between the NSA Director and a senior Yahoo executive went down. - The Washington Post
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/23/heres-how-t...

Spies Can Track You Just by Watching Your Phone's Power Use | WIRED
http://www.wired.com/2015/02/powerspy-phone-tracking/

LenoLOL! 'Lizard Squad HACKS lenovo.com' • The Register
http://www.theregister.co.uk/2015/02/25/thought_things_couldnt_get_worse...

TrueCrypt Audit Cryptanalysis Handed Off to NCC Group | Threatpost | The first stop for security news
http://threatpost.com/truecrypt-audit-stirs-back-to-life/111162

Moxie Marlinspike >> Blog >> GPG And Me
http://www.thoughtcrime.org/blog/gpg-and-me/

Hackers Cut in Line at the Burning Man Ticket Sale-And Get Caught | WIRED
http://www.wired.com/2015/02/hacking-burning-man-tickets/

How Hackers Abused Tor To Rob Blockchain, Steal Bitcoin, Target Private Email And Get Away With It - Forbes
http://www.forbes.com/sites/thomasbrewster/2015/02/24/blockchain-and-dar...

Hacker Claims Feds Hit Him With 44 Felonies When He Refused to Be an FBI Spy | WIRED
http://www.wired.com/2015/02/hacker-claims-feds-hit-44-felonies-refused-...

Accused British hacker, wanted for crimes in US, won't give up crypto keys | Ars Technica
http://arstechnica.com/tech-policy/2015/02/accused-british-hacker-wanted...

LinkedIn premium users to get $1 each in password-leak settlement | Ars Technica
http://arstechnica.com/tech-policy/2015/02/linkedin-premium-users-to-get...

FBI: $3M Bounty for ZeuS Trojan Author - Krebs on Security
http://krebsonsecurity.com/2015/02/fbi-3m-bounty-for-zeus-trojan-author/

Europol cracks down on botnet infecting 3.2 million computers | Ars Technica
http://arstechnica.com/tech-policy/2015/02/europol-cracks-down-on-botnet...

Snowden's favourite Linux - Tails - rushes sec-fix version to market • The Register
http://www.theregister.co.uk/2015/02/25/tails_project_rushes_secfix_vers...

Cybersecurity Canon
https://www.paloaltonetworks.com/threat-research/cybercanon.html

P1 Security
http://www.p1sec.com/corp/

The Shins - Phantom Limb [OFFICIAL VIDEO] - YouTube
https://www.youtube.com/watch?v=OkITsv3Nk6M

Risky Business #354 -- Breaking exploit automation

On this week's show we're chatting with Assured Information Security senior research engineer Jacob Torrey about some work he's due to present at SyScan and Infiltrate. It's called HARES, and it's basically a pretty impressive party trick that makes reverse engineering malware payloads a lot harder.

He's also been following some work around some compile-time tricks that make software builds unique. This can make your 0day a lot less useful because the exploit has to be custom built for each target... think of it as a compile-time ASLR trick, but better.

NOTE: Originally this post said the compile-time tricks were Jacob's research. They're not, I got that mixed up. Soz. Been crook this week and I guess I've been a bit sloppy. The podcast still contains the incorrect assertion that the research Jacob is talking about is his own. I'll put a clarifying statement in next week's show. - Pat

This week's show is brought to you by Bugcrowd, crowdsourced bug bounties. And we'll be chatting with Bugcrowd founder and CEO Casey Ellis about some interesting stuff this week -- like how do you take bug reports from people who don't speak English? Will a video do it?

We also chat about some comments made by Alex Stamos, the CISO of Yahoo, in a recent AppSec conference keynote. He says bug bounty crowds need to chill out; that until a few years ago they would have gone to prison for running SQLMap against a target and now they're getting paid. He also says the CFAA makes bounty programs legally risky for participants and we're one prosecution away from blowing the whole model up.

We'll find out what Casey thinks about that.

Adam Boileau, as usual, joins us to discuss the week's news headlines.

Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #353 -- Andy Greenberg: Why I feel sorry for Ross Ulbricht

This week's feature interview is with Andy Greenberg, senior writer with WIRED. He's covered Silk Road from the get-go, even scoring an in-depth interview with DPR before he was caught and unmasked as Ross Ulbricht. He attended every day of Ulbricht's trial and says he was there every minute the jury was.

He joined me via Skype earlier this week to talk about the trial of Ross Ulbricht, the future of underground markets and the disconnect between Ross Ulbricht's real life and online personas.

In fact, that disconnect is so great that Andy actually feels sorry for Ross Ulbricht, despite the allegation that as the Dread Pirate Roberts he commissioned as many as six murders for hire.

This week's show is brought to you by a new sponsor, Intralinks! These guys have a background doing very specialist work in facilitating mergers and acquisitions, but they're pushing into the enterprise space with a really interesting product which you can think of as an enterprise-grade file sharing service with built-in IRM.

Intralinks' Richard Anstey joins us a bit later on for a chat about the security challenge presented by file sharing services, and what some solutions might look like. And I've gotta say, even though we talk about their product a bit, it's a very interesting interview.

Don't forget you can now support the Risky Business page via our Patreon campaign. Oh, and do add Patrick and Adam on Twitter if that's your thing.

Risky Business #352 -- Bye bye DPR, plus special guest Dave Aitel

In this week's feature we're chatting with Dave Aitel of Immunity Inc. We chat to him about the Sony hack being a demonstration of North Korean capability as opposed to genuine revenge... we also talk about security conferences in 2015 and chat to him about his rage-inspiring musings on so-called junk hacking from last year.

In this week's sponsor interview we speak with HackLabs big cheese Chris Gatford about the so-called Ghost vulnerability.

As it turned out, it was a bit of a fizzer, but it's still an interesting bug from a management point of view. How the hell do you figure out what the impact of something like that is on your network? The gethostbyname code is, of course, all over your *nix boxes, but it's no doubt statically included in a whole bunch of your enterprise crapware as well. And the thing is, the fact that it's causing heart palpitations out there in some enterprise teams proves one thing: We don't trust our upstream software providers to patch this stuff... we don't even trust them to know what code is in their own products! It's a contemporary pickle and Chris Gatford of HackLabs will be along in a bit to discuss it.

Don't forget you can now support Risky Business via our Patreon campaign!

You can follow Patrick on Twitter here and Adam here.

Risky Business #351 -- Kim Zetter talks Stuxnet: Countdown to Zero Day

In this week's feature interview we're chatting with Wired journalist Kim Zetter about her fantastic book Stuxnet: Countdown to Zero Day. As it turns out, the assumption that US and Israeli intelligence agencies had "boots on ground" intelligence to design the malicious code could very well be bunkum!

This week's show is brought to you by Tenable Network Security, so in this week's sponsor interview we're chatting with Tenable's very own Marcus Ranum about attribution.

No, not just the North Korea angle... we cover off what sort of focus the average enterprise needs to put on attributing attacks. Does it even matter?

Adam Boileau, as always, joins the show to discuss the week's security news.

You can become a Risky Business patron thanks to our Patreon campaign.

And you can also follow Patrick or Adam on Twitter, if that's your thing.

Show notes

First ever Risky.Biz YouTube rant with Patrick Gray - YouTube
https://www.youtube.com/watch?v=0o5PRIrQq48

Support Risky Business via our Patreon campaign!
https://patreon.com/riskybusiness

Kim Zetter's awesome Stuxnet book on Amazon:
http://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/077043617X

Prosecutors Trace $13.4M in Bitcoins From the Silk Road to Ulbricht's Laptop | WIRED
http://www.wired.com/2015/01/prosecutors-trace-13-4-million-bitcoins-sil...

A Heroin Dealer Tells the Silk Road Jury What It Was Like to Sell Drugs Online | WIRED
http://www.wired.com/2015/01/silk-road-heroin-dealer-testifies/

Here's the Secret Silk Road Journal From the Laptop of Ross Ulbricht | WIRED
http://www.wired.com/2015/01/heres-secret-silk-road-journal-laptop-ross-...

Silk Road paid off hackers to keep site running - CNET
http://www.cnet.com/news/hackers-blackmailed-silk-road-underground/

No, Department of Justice, 80 Percent of Tor Traffic Is Not Child Porn | WIRED
http://www.wired.com/2015/01/department-justice-80-percent-tor-traffic-c...

Bitcoin Exchange Operator Sentenced to 4 Years for Silk Road Transactions | WIRED
http://www.wired.com/2015/01/bitcoin-exchange-operator-sentenced-4-years...

Aspiring Singer Arrested in Israel on Suspicion of Hacking Madonna | WIRED
http://www.wired.com/2015/01/aspiring-singer-arrested-israel-suspicion-h...

Barrett Brown Sentenced to 5 Years in Prison in Connection to Stratfor Hack | WIRED
http://www.wired.com/2015/01/barrett-brown-sentenced-5-years-prison-conn...

Dutch judge allows alleged "sophisticated" Russian hacker to be sent to US | Ars Technica
http://arstechnica.com/tech-policy/2015/01/dutch-judge-allows-alleged-so...

New Rules in China Upset Western Tech Companies - NYTimes.com
http://www.nytimes.com/2015/01/29/technology/in-china-new-cybersecurity-...

FCC Warns Businesses WiFi Blocking is Illegal | Threatpost | The first stop for security news
http://threatpost.com/fcc-warns-businesses-wifi-blocking-is-illegal/110728

Snowden reveals LEVITATION technique of Canada's spies • The Register
http://www.theregister.co.uk/2015/01/29/snowden_reveals_levitation_techn...

Researcher says Aussie spooks help code Five Eyes mega malware • The Register
http://www.theregister.co.uk/2015/01/29/did_aussie_spooks_write_regin/

Oz spooks hack, wreck Middle East 'cooling system': report • The Register
http://www.theregister.co.uk/2015/01/28/skip_spooks_hack_wreck_middle_ea...

Australia launches cyber-weapons in global counter-terrorist operations
http://www.afr.com/p/technology/australia_launches_cyber_weapons_hR1B30q...

Facebook: Oi, Lizard Squad - we can take down our own site, ta • The Register
http://www.theregister.co.uk/2015/01/27/facebook_lizardsquad_takedown_cl...

Information Security: The Internet of Gas Stati... | SecurityStreet
https://community.rapid7.com/community/infosec/blog/2015/01/22/the-inter...

Google drops three OS X 0days on Apple | Ars Technica
http://arstechnica.com/security/2015/01/google-drops-three-os-x-0days-on...

iTunes Connect bug logs developers in to other developers' accounts at random | Ars Technica
http://arstechnica.com/apple/2015/01/itunes-connect-bug-logs-developers-...

PHP Applications, WordPress Vulnerable to Ghost glibc Bug | Threatpost | The first stop for security news
http://threatpost.com/php-applications-wordpress-subject-to-ghost-glibc-...

Critical "GHOST" Vulnerability Released | Sucuri Blog
http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html

Thunderstrike Patch Slated for Inclusion in New OS X Build | Threatpost | The first stop for security news
http://threatpost.com/thunderstrike-patch-slated-for-new-os-x-build/110649

Bug in ultra secure BlackPhone let attackers decrypt texts, stalk users | Ars Technica
http://arstechnica.com/security/2015/01/bug-in-ultra-secure-blackphone-l...

Chrome 40 Patches 62 Security Vulnerabilities | Threatpost | The first stop for security news
http://threatpost.com/chrome-40-patches-62-security-vulnerabilities-pays...

Medeski Martin & Wood
http://www.mmw.net/

Risky Business #350 -- We're baaaaaack

Welcome back to Risky Business for another year. This is the ninth year of weekly Risky Business podcasts, and we're stoked you're sticking around for more.

In this week's show Patrick Gray and Adam Boileau discuss the last month's crazy CyberNews(tm) and Palo Alto CTO and founder Nir Zuk stops by for the sponsor interview.

You can now support Risky Business by becoming a Patron.

Risky Business #349 -- 2014 in review

In this special edition we take a look back over the big news items of 2014.

Risky Business #348 -- Did DPRK pwn Sony? PLUS Dan Guido on DARPA's Cyber Grand Challenge

On this week's show Adam and I establish that it's actually quite possible the disaster unfolding at Sony Pictures is, in fact, a North Korean government plot. I know, I know, there are sceptics, but any way you slice or dice it, it actually looks plausible. Tune in to find out why.

In this week's feature interview we chat with Dan Guido, CEO of Trail of Bits, about his company's approach to DARPA's Cyber Grand Challenge. It's an initiative that will see automated attack and defence rigs do battle at DEF CON in Las Vegas in 2016. It's a fascinating idea that involves a lot of cutting edge research. Don't miss that interview.

In this week's sponsor interview Matt Alderman of Tenable joins us to talk about what tech is going to be hot in 2015. Will a clear definition of threat intelligence (besides herpa derp) emerge in 2015? What about the skills shortage? Will that put even more impetus behind the push to security automation?

Show notes

Sony Got Hacked Hard: What We Know and Don't Know So Far | WIRED
http://www.wired.com/2014/12/sony-hack-what-we-know/

Sony Pictures hack gets uglier; North Korea won't deny responsibility [Updated] | Ars Technica
http://arstechnica.com/security/2014/12/sony-pictures-hack-gets-uglier-n...

Inside the "wiper" malware that brought Sony Pictures to its knees [Update] | Ars Technica
http://arstechnica.com/security/2014/12/inside-the-wiper-malware-that-br...

Sony Pictures malware tied to Seoul, "Shamoon" cyber-attacks | Ars Technica
http://arstechnica.com/security/2014/12/sony-pictures-malware-tied-to-se...

Sony Breach May Have Exposed Employee Healthcare, Salary Data - Krebs on Security
http://krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee...

An alleged 27GB Sony Pictures data dump. 65 PlayStation web servers. One baffling mystery • The Register
http://www.theregister.co.uk/2014/12/03/strange_things_afoot_with_great_...

Iranian CLEAVER hacks through airport security, Cisco boxen • The Register
http://www.theregister.co.uk/2014/12/03/operation_cleaver/

Critical networks in US, 15 other nations, completely owned, possibly by Iran | Ars Technica
http://arstechnica.com/security/2014/12/critical-networks-in-us-15-natio...

An Interview With Darkside, Russia's Favorite Dark Web Drug Lord | WIRED
http://www.wired.com/2014/12/interview-darkside-russias-favorite-dark-we...

GCHQ boffins quantum-busted its OWN crypto primitive • The Register
http://www.theregister.co.uk/2014/12/03/gchq_boffins_quantumbusted_own_c...

Sites certified as secure often more vulnerable to hacking, scientists find | Ars Technica
http://arstechnica.com/security/2014/12/sites-certified-as-secure-often-...

Google kills CAPTCHAs: Are we human or are we spammer? • The Register
http://www.theregister.co.uk/2014/12/03/google_moves_beyond_text_puzzles...

Hawking: RISE of the MACHINES could DESTROY HUMANITY • The Register
http://www.theregister.co.uk/2014/12/03/stephen_hawking_says_ai_will_sup...

Australian Government funds effort to secure wearable data pulses • The Register
http://www.theregister.co.uk/2014/12/02/govt_backs_security_probe_to_fee...

December 2014 Microsoft Patch Tuesday Advance Notification | Threatpost | The first stop for security news
http://threatpost.com/missing-exchange-patch-expected-among-december-pat...

Apple Pulls Back Safari Patches | Threatpost | The first stop for security news
http://threatpost.com/apple-pulls-latest-round-of-safari-patches/109712

Cyber Grand Challenge - Mike Walker on Vimeo
http://vimeo.com/81340884

DARPA | Cyber Grand Challenge
http://www.cybergrandchallenge.com/

National Tour - Augie March
http://www.augiemarch.com.au/national-tour/
