On the 53rd episode of The Silver Bullet Security Podcast, Gary interviews Richard Bejtlich, Director of Incident Response for General Electric and Principal Technologist for GE’s Global Infrastructure Services division. They discuss whether it’s better to look for known problems or anomalies when performing network security monitoring, how to explain security incidents to “business guys,” the notion of “building visibility in,” and the difference between working as an independent consultant in a very small shop and working in a large corporation.

• TaoSecurity blog
• Silver Bullet #19: Mikko Hyppönen
• Silver Bullet #41: Fred Schneider
• VizSec 2010 keynote

 

 Show 053 - An Interview with Richard Bejtlich [31:51m]: Play Now | Play in Popup | Download

On the 52nd episode of The Silver Bullet Security Podcast, Gary chats with Paul Kocher, President and Chief Scientist of Cryptography Research. Gary and Paul discuss the first system that Paul ever broke, whether engineers and architects need to think like the “bad guys” or not, the decision to put content protection on Blu-Ray discs rather than the player, and whether P=NP.

• Cryptography Research (Paul @ Cryptography Research)
• How Crypto Won the DVD War
• Macrovision to Acquire Blu-ray Disc Security Technology from Cryptography Research, Inc. (press release)
• P versus NP problem

 

 Show 052 - An Interview with Paul Kocher [27:14m]: Play Now | Play in Popup | Download

On the 51st episode of The Silver Bullet Security Podcast, Gary talks with former co-worker Dr. Anup Ghosh. Anup has authored three books on e-commerce security and over 40 peer-reviewed articles and is founder and chief scientist of Invincea. Gary and Anup discuss the difference between working in a startup and in goverment research, why antivirus doesn’t work against the ZeuS botnet and what businesses should do to protect themselves, and the relevance of the desktop in the future of computing. They close out with a discussion about Anup’s favorite newspapers and recent books.

• Invincea
• Anup’s books on Amazon
• Advanced Technology Program
• ZeuS botnet summary
• Why Patching Isn’t Enough

 

 Show 051 - An Interview with Anup Ghosh [33:07m]: Play Now | Play in Popup | Download

On the landmark 50th episode of Silver Bullet, Gary talks with Richard A. Clarke. Richard Clarke is an internationally-recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. Gary and Dick discuss what needs to change in order for the United States to focus more attention on defense against cyber war (as opposed to offense). They also discuss the importance of software security in preventing cyber crime and cyber war, network scanning as a part of Dick’s “Defensive Triad,” and balancing cybersecurity against individual liberty. We also uncover whether being a guest on Silver Bullet is more stressful than being on The Colbert Report.

This special edition of Silver Bullet was also captured on video. View the video below (for those on feed readers, go to this episode’s page for the video):

• Transcript of this episode [PDF]
• Richard A. Clarke
• Cyber War
• 9/11 Commission Report
• What if the smart grid has stupid security?
• Select TV appearances: Real Time with Bill Maher (2010) / The Daily Show (2008) / The Colbert Report (2007) / The Colbert Report (2005) / 60 Minutes (2004)

 

 Show 050 - An Interview with Richard Clarke [33:42m]: Play Now | Play in Popup | Download

On the 49th episode of The Silver Bullet Security Podcast, Gary talks with Ivan Arce, co-founder and CTO of Core Security Technologies. Gary and Ivan discuss whether teaching builders to think like attackers is worthwhile, how living in Argentina both helps and hinders a career in computer security, the current state of embedded systems attacks, and Ivan’s ongoing disagreement with Microsoft about Virtual PC vulnerabilities. They close things out with a discussion of science fiction books and whether scotch trumps bourbon.

• Core Security Technologies
• Ivan @ Core Security Technologies
• Attack Points blog (CSO Online)
• Ivan on the Core Security Technologies’ blog
• Security vulnerability in Microsoft’s Virtual PC
• Assume Nothing: Is Microsoft Forgetting a Crucial Security Lesson?
• SiSU manifest of document filetypes and metadata

 

 Show 049 - An Interview with Ivan Arce [36:47m]: Play Now | Play in Popup | Download

On the 48th episode of The Silver Bullet Security Podcast, Gary interviews Andrew Jaquith, senior analyst at Forrester. Gary and Andy discuss how security has become overrun by compliance in the biggest change to corporate security in 15 years, the battle between social networking technology use in the workplace (think Twitter, Facebook, AIM…) and security, security metrics (or lack of such), and Andy’s latest musical find.

• Andrew Jaquith
• Andy on Twitter
• Data Security Predictions For 2010 (December 02, 2009)
• Know Your Code: How Static Analysis Tools Make Applications More Secure (November 20, 2009)
• BSIMM
• @stake
• Securitymetrics.org
• Security Metrics: Replacing Fear, Uncertainty, and Doubt
• S/MIME
• Silver Bullet #26: Adam Shostack
• Moby: “Southside (feat. Gwen Stefani)”

 

 Show 048 - An Interview with Andrew Jaquith [30:32m]: Play Now | Play in Popup | Download

On the 47th episode of The Silver Bullet Security Podcast, Gary calls in from Leuven, Belgium to chat with childhood friend and security expert Greg Morrisett. Greg is the Allen B. Cutting Professor of Computer Science and Associate Dean for Computer Science and Engineering in the School of Engineering and Applied Sciences at Harvard University. Gary and Greg discuss the relationship between security and programming languages, why the choice of a good programming language (and/or VM) is more important than code review, sensor networks and security, information control, and Gary and Greg’s most embarrassing moment from adolescence.

• Greg Morrisett
• The Center for Research on Computation and Society
• Ynot
• RoboBees
• NoBot
• GoNative

 

 Show 047 - An Interview with Greg Morrisett [29:00m]: Play Now | Play in Popup | Download

On the bonus-length 46th episode of The Silver Bullet Security Podcast, Gary talks with David Rice, Executive Director of the Monterey Group and author of Geekonomics: The Real Cost of Insecure Software. Gary and David discuss David’s involvement with Infowar at the Naval Postgraduate School and how it impacted his thinking about software, the recent Chinese cyberattack on Google, what incentives exist to create and apply software security best practices, how users may be mistaking marketing for security, and the SANS WhatWorks in Application Security Summit. They close out by discussing unusual yoga positions.

• Monterey Group
• Geekonomics: The Real Cost of Insecure Software (also: Geekonomics Blog)
• Silver Bullet #41 – Fred Schneider
• Silver Bullet #11 – Dorothy Denning
• Software Security Comes of Age (InformIT) – on the growth of the software security space
• Google Defends Against Large Scale Chinese Cyber Attack
• SANS WhatWorks in Application Security Summit 2010
• BSIMM
• Beached Whale yoga position

 

 Show 046 - An Interview with David Rice [36:06m]: Play Now | Play in Popup | Download

On the 45th episode of The Silver Bullet Security Podcast, Gary chats with Lorrie Cranor, Associate Professor of Computer Science and Engineering and Public Policy at Carnegie Melon University. Gary and Lorrie discuss how everyday people think about privacy and what we can do to get them to care about it, the relationship between trust and privacy, and why the US is lagging behind the EU on privacy-related issues. They close out the discussion by talking about women in computing.

• Lorrie Cranor
• Security and Usability: Designing Secure Systems That People Can Use
• Web Privacy with P3P
• CyLab Usable Privacy and Security Laboratory (CUPS)
• A “Nutrition Label” for Privacy
• BSIMM Europe
• Google search privacy video

 

 Show 045 - An Interview with Lorrie Cranor [26:51m]: Play Now | Play in Popup | Download

On the 44th episode of The Silver Bullet Security Podcast, Gary talks with Steve Kent, Chief Scientist – Information Security, for BBN Technologies, a division of Raytheon. Gary and Steve discuss the history of network security, secure transport and base Internet protocols, the role of politics in the adoption of security on the Internet, applied cryptography, and whether security and individual liberty co-exist. They finish by discussing extremely high end wine.

• Internet’s Biggest Security Hole
• Securing the Border Gateway Protocol (PPT)
• 2006: Statement before Congress regarding a nationwide ID system
• BSIMM Europe

 

 Show 044 - An Interview with Steve Kent [32:29m]: Play Now | Play in Popup | Download