Jon Swartz, USA Today’s award-winning technology reporter and Pulitzer Prize nominee, is Gary’s guest on the 25th episode of The Silver Bullet Security Podcast. They discuss Jon’s new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity and the research that went into writing it. Gary and Jon also cover how cybercrime is driven by capitalist principals, why the general public’s attitude is so lax about software security, and how, even though it’s hard to get an accurate count of identity theft instances, they tend to show a sharp upward trend. Jon ends the episode by disclosing his secret dream career.

(Apologies for the below-average sound quality on this episode.)

• Zero Day Threat
• Jon’s USA Today articles
• Three recent articles:
• Microsoft still seen with a win
• Online crime’s impact spreads
• AOL, News Corp. join battle over Yahoo
• The New Face of Cybercrime trailer

Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle’s “Unbreakable” campaign, why everyone needs training in secure coding, and how military history informs computer security. They also talk about how a young CSO-to-be got her first library card.

• Mary Ann Davidson’s blog
• Unbreakable Linux
• Lone Survivor

On the 23rd episode of The Silver Bullet Security Podcast, Gary talks with Chris Wysopal, founder and CTO of Veracode and author of The Art of Software Security Testing. Chris was one of the seven original members of the L0pht hacker collective (operating under the hacker handle Weld Pond) and later went on to work for @stake. Gary and Chris reminisce about L0pht (and the warehouse full of stuff) and discuss the role of security researchers now versus in the mid-late ’90s. They also talk about the current state of the software security market and its continued growth.

• Chris’ Wikipedia entry
• The Art of Software Security Testing
• Veracode
• Zero in a bit - Veracode’s blog
• L0pht Heavy Industries
• Vulnwatch
• SOURCE: Boston 2008

On the 22nd episode of The Silver Bullet Security Podcast, Gary interviews Ed Amoroso, Chief Information Security Officer of AT&T. They discuss how Peter Neumann influenced Ed, the difference between bugs and flaws and whether bugs are getting too much attention, the propensity for confusion around how security actually works, privacy, security, and monitoring, and software correctness/quality vs software security. They also discuss the Hugh Thompson show now airing on AT&T’s Tech Channel.

• Cyber Security
• Fundamentals of Computer Security Technology
• Silver Bullet Interview with Peter Neumann
• AT&T’s Tech Channel
• Gary on The Hugh Thompson Show

For the 21st episode of The Silver Bullet Security Podcast, Gary hosts a panel discussion with Cigital’s principals. Participants include Sammy Migues (Director of Training and Knowledge Management), John Steven (Principal Consultant) and Pravir Chandra (Principal Consultant). The group discusses the best ways for large companies to get started with software security and the similarities between CLASP, Microsoft’s SDL, and the Security Touchpoints. They also ponder how much the security testing burden should fall on QA and whether developing expertise in architectural risk analysis or threat modeling is more helpful. John Steven also discusses the hole in his dining room, which threat modeling would not have helped to prevent.

• Transcript of this episode [PDF]
• Justice League blog
• Threat Modeling - a blog entry by John Steven
• OWASP Top 10 for 2007
• OWASP
• The Shmoo Group

For the landmark 20th episode of The Silver Bullet Security Podcast, Gary interviews Markus Jakobsson, soon to be a reseacher at PARC after a stint as an Associate Professor of Informatics and associate director of the Center for Applied Cybersecurity Research at Indiana University. Gary and Markus discuss the difference between academic and corporate research, the idea of “perfect privacy,” moving from hardcore cryptography to sociology, how reality is mimicking phishers, and how cartoons can be used to teach security. In addition, Markus mentions the best place in Southeast Asia to get a haircut.

• Markus @ Indiana
• Markus @ Wikipedia - he’s “orphaned”!
• RavenWhite
• SecurityCartoon.com
• Crimeware
• Phishing and Countermeasures
• Using Cartoons to Teach Internet Security

For the 19th episode of The Silver Bullet Security Podcast, Gary interviews Mikko Hyppönen, Chief Research Officer at F-Secure. During this show, Gary and Mikko discuss Helsinki and Finnish pronunciation, whether mobile viruses are all hype or a legitimate threat, if the iPhone as a closed system is good or bad for security, and Mikko’s prediction for the appearance of the first mobile botnet. They also chat about Finnish hip-hop.

• Mikko Hyppönen
• Mikko Hyppönen- Wikipedia
• F-Secure
• Mobile Malware - Mikko’s USENIX 2007 talk, both audio and video (scroll down a bit)
• Xevious
• The FSMCs

On the 18th episode of The Silver Bullet Security Podcast, Gary talks with Dr. Eugene Spafford, better known as “Spaf.” Spaf is a professor of computer science and Electrical and Computer Engineering at Purdue University and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS). On this episode, Gary and Spaf discuss the role of software testing in computer security, commercial certifications and whether they obviate the need for academic training, how Spaf feels about so-called “ethical hacking,” and why auditing and compliance is an area of emerging specialization.

• Transcript of this episode [PDF]
• Dr. Eugene Spafford
• Spaf’s blog at CERIAS
• Gene Spafford - Wikipedia
• CERIAS - Center for Education and Research in Information Assurance and Security
• Mothra - Mutation testing
• PITAC - President’s Information Technology Advisory Committee
• What did you really expect? - Spaf’s post on “reformed hackers”
• The Internet Worm Program: An Analysis
• Yucks Digest

On the 17th episode of The Silver Bullet Security Podcast, Gary talks with Eric Cole, CEO of Secure Anchor. Eric has written seven books on computer security, including books on steganography and network security. Gary and Eric discuss how to demostrate security ROI in different types of organizations (ranging from government to corporate), the academic approach to security versus practitioner certification models, and what kinds of training makes for good network security practitioners. They also discuss the difficulty of certifying software developers.

• Secure Anchor
• Security Haven
• Stego-marking packets to control information leakage on TCP/IP based networks - Eric’s dissertation

On the 16th episode of The Silver Bullet Security Podcast, Gary talks with Greg Hoglund, who runs the popular rootkit.com, CEO of HB Gary, and co-author of Rootkits: Subverting the Windows Kernel and Exploiting Software. In addition to shameless self-promotion of their new book, Exploiting Online Games, Gary and Greg discuss the natural tendency of certain types of code to allow exploits, how disclosure is a good thing when it comes to revealing exploits, and the use of rootkits by the “good guys.” Greg also makes us concerned that his 11-year-old daughter may 0wn our box.

• Rootkit.com
• HB Gary
• Greg’s Blackhat presentation from 2006: Hacking World of Warcraft(r): An Exercise in Advanced Rootkit Design [rar, 2.35M]
• Exploiting Online Games
• AWL Software Security Series

On the 15th episode of The Silver Bullet Security Podcast, Gary interviews Annie Antón, Associate Professor of Software Engineering at North Carolina State University and director of theprivacyplace.org. During their discussion, Annie and Gary focus on privacy. They start with an attempt to define what “privacy” is in the digital world, moving on to Annie’s work with The Privacy Place. Annie also discusses airlines’ pretty much pitiful privacy policies, the impact that a Google/Doubleclick deal would have on consumer privacy, crazy talk in EULAs, and the book Letters to a Young Catholic (which has nothing to do with privacy).

• A partial transcript of the interview in IEEE Security & Privacy
• Annie I. Antón
• The Privacy Place
• The ChoicePoint Data Security Breach
• Letters to a Young Catholic

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. In this show, Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering (”nodody writes a line of code without the approving authorities [having] read and understood the specification”), why DRM is the “wrong solution to the wrong problem,” and who was more interesting to meet: Albert Einstein or Norah Jones.

• Peter Neumann
• comp.RISKS
• Computer-Related Risks
• Multics
• A General-Purpose File System For Secondary Storage - Peter’s 1965 paper on Multics
• Multics History Project
• The Brooklyn Boogaloo Blowout

On the 13th episode of The Silver Bullet Security Podcast, Gary chats with Ross Anderson, Professor of Security Engineering at the Computer Laboratory at Cambridge University and author of the book Security Engineering. Gary and Ross discuss the effect of posting his excellent book on the net for free, the simple reasons why most systems fail, the economic imbalance between engineers/developers and a system’s users (with respect to who should address security), and why publicly describing attacks is essential to security engineering. They close out by examining the security implications of wearing a kilt.

• Ross Anderson
• Light Blue Touchpaper - A security blog by Cambridge computer scientists.
• Security Engineering - Ross’ groundbreaking book in print and online
• WEIS 2007 - Sixth Workshop on the Economics of Information Security
• RFID and the Middleman [PDF]
• The Clan Anderson Society
• Ross playing the bagpipes

On the 12th episode of The Silver Bullet Security Podcast, Gary
talks with Becky Bace, Advisor to Venture Capital firm Trident Capital. Becky spent twelve years at the NSA working on intrusion detection and cryptography from 1984 until 1996, followed by a stint at Los Alamos National Laboratory. Gary and Becky discuss growing up in rural America, explosives, and Becky’s Jimmy Hoffa sponsored college funding situation. They also talk about the evolution of security curricula in academia, rampant commercialization of computer security, Becky’s involvement in tracking down the notorious Kevin Mitnick, vicodin-induced creativity, and eclectic music.

• Who’s Who in Infosec: Rebecca Bace
• Trident Capital - The VC firm where Becky is an advisor
• The IDS Den Mother - a 2002 interview
• Los Alamos National Labs
• Intrusion Detection
• A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony As An Expert Technical Witness - Co-authored with Fred Smith
• Executive Women’s Forum
• Frank Sinatra
• The Kinsey Sicks

On the 11th episode of The Silver Bullet Security Podcast, Gary talks with Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School. Previously, Dorothy was a distinguished professor at Georgetown University and a professor at Purdue University. Gary and Dorothy discuss Dorothy’s involvement in the Clipper Chip controversy (which earned Dorothy the moniker “clipper chick”), the concept of geo-encryption, and a famous 1990 paper she wrote describing a series of interviews with malicious hackers.

• Wikipedia: Dorothy Denning
• Clipper Chip (More)
• Clipper Chick - a 1996 Wired article about the Clipper Chip controversy.
• The Future of Cryptography
• Location-Based Authentication: Grounding Cyberspace for Better Security - A 1996 paper by Dorothy Denning and Peter F. MacDoran about geo-encryption.
• Concerning Hackers Who Break into Computer Systems - Dorothy’s 1990 paper.
• Big Sur Power Walk

The tenth episode of The Silver Bullet Security Podcast features a panel discussion with the Fortify Software Technical Advisory Board, several of whom have been featured on previous episodes. The group discusses what commercial software tools can learn from academic research, the state of software security in China, real world lessons learned while using static analysis tools, and software security pedagogy.

Participating members of the Technical Advisory Board include:

• Bill Pugh, Professor at University of Maryland, static analysis for finding bugs
• Li Gong, GM at Microsoft, MSN in China
• Marcus Ranum, CSO of Tenable Network Security, security products trainer
• Avi Rubin, Professor at Johns Hopkins, electronic voting security
• Fred Schneider, Professor at Cornell, trustworthy computing
• Greg Morrisett, Professor at Harvard, dependant type theory
• Matt Bishop, Professor at UC Davis, computer security
• Dave Wagner, Professor at Berkeley, software security and electronic voting

A complete transcript of this podcast will be available soon from Fortify at http://www.fortify.com/silverbullet.

In the ninth episode of The Silver Bullet Podcast, Gary interviews Bruce Schneier. Bruce is the founder and CTO of Counterpane and is regarded as the “uber-guru” of computer security. He has written eight bestselling books, most recently Beyond Fear: Thinking Sensibly About Security in an Uncertain World and is the editor of the massively popular Cryptogram mailing list. In this episode, Gary and Bruce discuss the connection between physical security its technological component, the idea of risk management, the intersection of economics and security, and the ideas of “wholesale surveillance” and “security theater.” They also discuss patch Tuesday, hack Wednesday, and Microsoft’s approach to software security.

• Bruce’s Wikipedia entry
• Bruce’s books
• Bruce’s recent restaurant reviews
• Counterpane
• Crypto-Gram security podcast
• Property Rights Management - Ed Felten’s discussion of PRM, mentioned on the show
• Copyright Mythbusters: Believe It or Not, Fair Use Exists - a look at the “fair use doesn’t exist” argument
• BBC plans attacked for ‘TV tax’ (March 14, 2006)
• Bruce’s suggestion for “cheap” wines: Loire wines, Provence Wines, Southern Rhone wines

In the eighth episode of The Silver Bullet Podcast, Gary talks with Brian Chess, co-founder and chief scientist of Fortify Software. Brian completed his computer science Ph.D. at UC Santa Cruz after several years in the commercial sector. Gary and Brian discuss what commercial developers and academics have to learn from each other, what it’s like to work for a Kleiner-Perkins startup (KP is the VC firm behind familiar names like Google, Amazon, and Sun), and how mystifying it is that some developers are OK with XSS vulnerabilities in their web applications.

• Fortify Software
• extra - Fortify’s software security blog
• Matt Bishop’s Computer Security: Art and Science (mentioned again!)
• Kleiner Perkins Caufield & Byers
• DIMACS Workshop on Software Security with Brian Kernighan
• Brian as a wee lad

In the seventh episode of The Silver Bullet Podcast, Gary interviews Cisco Chief Security Officer John Stewart. Gary and John discuss what CSOs do all day, how John got started in computer security, and the infamous Morris Worm from 1988 (which John was deeply involved in while a student at Syracuse). John and Gary also revisit Cisco-gate, talk about how John’s identity was stolen, and determine why John’s kids don’t have e-mail addresses.

• Executive Perspective: John Stewart on Vulnerability Disclosure
• Wikipedia: CSO
• Digital Island
• The What, Why, and How of the 1988 Internet Worm - a look at the history of the Morris Worm
• Cisco-gate
• Five Ways to Fight ID Theft - John talks about finding himself a victim of identity theft; see also: the motorcycle he was trying to buy when he found out
• John Stewart, but not the one Gary interviews (and not the one you’re thinking of)

The sixth episode of the show features an interview with Michael Howard, the Senior Security Program Manager of Microsoft’s Security Technology Unit. Michael has been at Microsoft since 1992 and discusses what it has been like watching the company come to grips with software security. Michael continues to play a key roll in implementing the Trustworthy Computing Initiative at Microsoft. Gary and Michael also discuss the security features of Windows Vista and Michael’s recommendations for the two most important best practices when developing secure software. Listen for a startling revelation about Michael’s choice of a “desert island book.”

• Michael Howard’s blog
• Writing Secure Code by Michael Howard
• Wikipedia: Defense in Depth
• Microsoft’s Trustworthy Computing Security Development Lifecycle
• Matt Bishop’s computer security books - These would go with Michael to a desert island.
• Michael Howard - but not the one Gary interviewed.

The fifth edition of the Silver Bullet Security Podcast features Ed Felten, Professor of Computer Science and Public Affairs at Princeton University and the Director of the Center for Information Technology Policy. Gary and Ed take a look at Ed’s predictions for 2006 and how he’s faring so far and then discuss Ed’s relationship with his former adversaries. They also talk about how to discuss difficult technology issues with lawmakers and the importance of public policy and the law to computer scientists. Ed also outlines the challenges of raising a bright 11-year-old.

• A partial transcript of the interview in IEEE Security & Privacy
• Freedom to Tinker - Ed Felten’s blog
• Ed’s Predictions for 2006
• Wikipedia: Series of Tubes
• Subscribe to IEEE Security & Privacy

In the fourth episode of the Silver Bullet Security Podcast, Gary’s guest is Dana Epp, CEO and founder of Scorpion Software. Dana also runs a popular software security blog and is a jazz trumpeter. On this show, Dana and Gary talk about past programming disasters (”code lives forever”), the security implications of systems with ever-increasing complexity, suggestions for new developers interested in learning about software security, regulation’s role in information security, and Miles Davis.

• SilverStr’s blog - Dana’s blog
• It’s Pat!
• RemoteAccess BBS
• The 5 Rules of the Regulatory Process
• Chris Botti
• SC-L List
• Bitches Brew
• Subscribe to IEEE Security & Privacy

In the third episode of the Silver Bullet Security Podcast, Gary talks with Marcus Ranum, who is an acclaimed security guru widely credited with inventing the proxy firewall. Marcus and Gary discuss why Marcus thinks we’re not making progress in the computer security field, how common sense would help computer security, Richard Feynman, and power tools for home repair and improvement.

• A partial transcript of the interview in IEEE Security & Privacy
• Ranum.com
• BlackHat Keynote ‘97 (MP3)
• The Six Dumbest Ideas in Computer Security
• Old West Snake Oil
• Patch Tuesday
• Richard Feynman
• DeWalt cordless screwdriver
• Subscribe to IEEE Security & Privacy

In this episode of the Silver Bullet Security Podcast, Gary chats with Dan Geer, Chief Scientist at Verdasys. Dan has a Ph.D. in biostatistics from Harvard. He and Gary discuss the need to understand both technology and business in order to be a good security practitioner, Dan’s paper Cyber Insecurity, his work on Project Athena, and livestock.

• A partial transcript of the interview in IEEE Security & Privacy
• Dan Geer on Wikipedia
• Cyber Insecurity: The Cost of Monopoly (PDF)
• Project Athena on Wikipedia
• How Much Information 2003
• Subscribe to IEEE Security & Privacy

In the debut episode of the Silver Bullet Security Podcast, Gary talks with Avi Rubin, professor of computer science and technical director of the information security institute at Johns Hopkins University. Avi made headlines in 2003 when he revealed glitches in Diebold electronic voting machines.

Links:

• A partial transcript of the interview in IEEE Security & Privacy
• Avi’s site
• Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, Avi’s forthcoming book
• ACCURATE - A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections
• Froot Loops and Corn Flakes
• Subscribe to IEEE Security & Privacy