Gary McGraw

The Silver Bullet Security Podcast

with Gary McGraw

Sponsored by Cigital and IEEE Security & Privacy

Archive for the 'Shows' Category

Show 016 - An Interview with Greg Hoglund

Thursday, July 12th, 2007

Greg Hoglund

On the 16th episode of The Silver Bullet Security Podcast, Gary talks with Greg Hoglund, who runs the popular rootkit.com, is CEO of HB Gary, and is co-author of Rootkits: Subverting the Windows Kernel and Exploiting Software. In addition to shameless self-promotion of their new book, Exploiting Online Games, Gary and Greg discuss the natural tendency of certain types of code to allow exploits, how disclosure is a good thing when it comes to revealing exploits, and the use of rootkits by the “good guys.” Greg also makes us concerned that his 11-year-old daughter may 0wn our box.

 
Show 016 - An Interview with Greg Hoglund [24:03m]

Show 015 - An Interview with Annie Antón

Tuesday, June 19th, 2007

Annie Anton

On the 15th episode of The Silver Bullet Security Podcast, Gary interviews Annie Antón, Associate Professor of Software Engineering at North Carolina State University and director of theprivacyplace.org. During their discussion, Annie and Gary focus on privacy. They start with an attempt to define what “privacy” is in the digital world, moving on to Annie’s work with The Privacy Place. Annie also discusses airlines’ pretty much pitiful privacy policies, the impact that a Google/Doubleclick deal would have on consumer privacy, crazy talk in EULAs, and the book Letters to a Young Catholic (which has nothing to do with privacy).

 
Show 015 - An Interview with Annie Antón [25:16m]

Show 014 - An Interview with Peter Neumann

Tuesday, May 22nd, 2007

Peter Neumann

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. In this show, Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering (“nobody writes a line of code without the approving authorities [having] read and understood the specification”), why DRM is the “wrong solution to the wrong problem,” and who was more interesting to meet: Albert Einstein or Norah Jones.

 
Show 014 - An Interview with Peter Neumann [20:59m]

Show 013 - An Interview with Ross Anderson

Friday, April 13th, 2007

Ross Anderson

On the 13th episode of The Silver Bullet Security Podcast, Gary chats with Ross Anderson, Professor of Security Engineering at the Computer Laboratory at Cambridge University and author of the book Security Engineering. Gary and Ross discuss the effect of posting his excellent book on the net for free, the simple reasons why most systems fail, the economic imbalance between engineers/developers and a system’s users (with respect to who should address security), and why publicly describing attacks is essential to security engineering. They close out by examining the security implications of wearing a kilt.

 
Show 013 - An Interview with Ross Anderson [22:50m]

Show 012 - An Interview with Becky Bace

Tuesday, March 13th, 2007

Becky Bace

On the 12th episode of The Silver Bullet Security Podcast, Gary talks with Becky Bace, Advisor to Venture Capital firm Trident Capital. Becky spent twelve years at the NSA working on intrusion detection and cryptography from 1984 until 1996, followed by a stint at Los Alamos National Laboratory. Gary and Becky discuss growing up in rural America, explosives, and Becky’s Jimmy Hoffa sponsored college funding situation. They also talk about the evolution of security curricula in academia, rampant commercialization of computer security, Becky’s involvement in tracking down the notorious Kevin Mitnick, vicodin-induced creativity, and eclectic music.

 
Show 012 - An Interview with Becky Bace [23:39m]

Show 011 - An Interview with Dorothy Denning

Thursday, February 15th, 2007

Dorothy Denning

On the 11th episode of The Silver Bullet Security Podcast, Gary talks with Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School. Previously, Dorothy was a distinguished professor at Georgetown University and a professor at Purdue University. Gary and Dorothy discuss Dorothy’s involvement in the Clipper Chip controversy (which earned Dorothy the moniker “clipper chick”), the concept of geo-encryption, and a famous 1990 paper she wrote describing a series of interviews with malicious hackers.

 
Show 011 - An Interview with Dorothy Denning [22:22m]

Show 010 - A Panel Discussion with Fortify Software’s Technical Advisory Board

Monday, January 22nd, 2007

Fortify TAB

The tenth episode of The Silver Bullet Security Podcast features a panel discussion with the Fortify Software Technical Advisory Board, several of whom have been featured on previous episodes. The group discusses what commercial software tools can learn from academic research, the state of software security in China, real world lessons learned while using static analysis tools, and software security pedagogy.

Participating members of the Technical Advisory Board include:

  • Bill Pugh, Professor at University of Maryland, static analysis for finding bugs
  • Li Gong, GM at Microsoft, MSN in China
  • Marcus Ranum, CSO of Tenable Network Security, security products trainer
  • Avi Rubin, Professor at Johns Hopkins, electronic voting security
  • Fred Schneider, Professor at Cornell, trustworthy computing
  • Greg Morrisett, Professor at Harvard, dependent type theory
  • Matt Bishop, Professor at UC Davis, computer security
  • Dave Wagner, Professor at Berkeley, software security and electronic voting

A complete transcript of this podcast will be available soon from Fortify at http://www.fortify.com/silverbullet.

Show 010 - A Panel Discussion with Fortify Software's Technical Advisory Board [19:34m]

Show 009 - An Interview with Bruce Schneier

Thursday, December 14th, 2006

Bruce Schneier

In the ninth episode of The Silver Bullet Podcast, Gary interviews Bruce Schneier. Bruce is the founder and CTO of Counterpane and is regarded as the “uber-guru” of computer security. He has written eight bestselling books, most recently Beyond Fear: Thinking Sensibly About Security in an Uncertain World, and is the editor of the massively popular Cryptogram mailing list. In this episode, Gary and Bruce discuss the connection between physical security and its technological component, the idea of risk management, the intersection of economics and security, and the ideas of “wholesale surveillance” and “security theater.” They also discuss patch Tuesday, hack Wednesday, and Microsoft’s approach to software security.

 
Show 009 - An Interview with Bruce Schneier [24:50m]

Show 008 - An Interview with Brian Chess

Friday, November 17th, 2006

Brian Chess

In the eighth episode of The Silver Bullet Podcast, Gary talks with Brian Chess, co-founder and chief scientist of Fortify Software. Brian completed his computer science Ph.D. at UC Santa Cruz after several years in the commercial sector. Gary and Brian discuss what commercial developers and academics have to learn from each other, what it’s like to work for a Kleiner-Perkins startup (KP is the VC firm behind familiar names like Google, Amazon, and Sun), and how mystifying it is that some developers are OK with XSS vulnerabilities in their web applications.

 
Show 008 - An Interview with Brian Chess [24:33m]

Show 007 - An Interview with John Stewart

Wednesday, October 25th, 2006


In the seventh episode of The Silver Bullet Podcast, Gary interviews Cisco Chief Security Officer John Stewart. Gary and John discuss what CSOs do all day, how John got started in computer security, and the infamous Morris Worm from 1988 (which John was deeply involved in while a student at Syracuse). John and Gary also revisit Cisco-gate, talk about how John’s identity was stolen, and determine why John’s kids don’t have e-mail addresses.

 
Show 007 - An Interview with John Stewart [27:04m]



Credits

Theme song "Zagreb" provided by The Cheebacabra

Bullet photo provided by Pedro Saenz