Show 025 - An Interview with Jon Swartz

Jon Swartz, USA Today’s award-winning technology reporter and Pulitzer Prize nominee, is Gary’s guest on the 25th episode of The Silver Bullet Security Podcast. They discuss Jon’s new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity, and the research that went into writing it. Gary and Jon also cover how cybercrime is driven by capitalist principles, why the general public’s attitude is so lax about software security, and how, even though it’s hard to get an accurate count of identity theft instances, they tend to show a sharp upward trend. Jon ends the episode by disclosing his secret dream career.
(Apologies for the below-average sound quality on this episode.)

April 18th, 2008 at 5:10 pm
Hi listeners,
Sorry about the sound quality on this episode. We used a new laptop that apparently has a really awful sound card. Too late to fix that problem, but rest assured that it won’t happen again!
Regardless of sound quality, this episode is a good one I think.
gem
April 23rd, 2008 at 11:18 am
[…] [This is a guest post by Cigital’s Troy Jones, written in reference to episode 25 of The Silver Bullet Security Podcast, an interview with Jon Swartz.] […]
May 1st, 2008 at 11:07 am
Hi Gary,
The interview was interesting (but not nearly as technical and in-depth as I am now expecting), but I have a couple of issues in general - not with Mr. Swartz but with his content:
1. Trying to put the onus of software security on developers is so completely asinine (and Jon did not say that - he reported that others had said that). We have to get real. Most developers will never know software security; 70% don’t give a damn; 20% of those that want to know will never get funding from their company to learn it; the other 10% will learn by self-motivation and by buying a lot of books.
Instead, why don’t we preach that when somebody buys or leases software from a company that they ask one simple question: (1) Can you give me a document that tells me the security that you’ve put in your software?
In Asia Pacific (excluding Australia & Japan), that question would knock out 98% of the companies immediately.
2. Again, completely unrelated to Mr. Swartz himself, but the value and dollar amount placed on breaches PER PERSON PER BREACH. It reminds me too much of when I was younger and I would read the value of a marijuana bust, knowing that the cops included the weight of the buds, the stems, the roots, the soil, etc. at the inflated street price per gram. I don’t see that correlation. Adam Shostack at a recent Shmoocon event (“Security Breaches are Good for You”) tried to address this also - nobody knows the actual amount, and my guess is that it is totally overinflated.
To take a page from RSnake and his proposed (and declined) talk at RSA, the heads of the BSVs (Big Security Vendors) are the biggest snake-oil salesmen that I’ve ever seen. Who in their right mind would believe them? Of course, they are now peddling DLP - they’ve pumped hundreds of millions of dollars into it. I’m having a difficult time distinguishing these BSV CEOs from drug pushers.
Cheers.
May 1st, 2008 at 11:22 am
Hi Stephen,
I would have to agree with you about hype and security. I also agree that big vendors make stuff up if it helps them sell product. One of the reasons I wanted to interview Jon was to find out what he thought about hype, wide public coverage, and security engineering. What I like about Jon is his realistic attitude and his reporter’s skepticism.
Fact is, the part of computer security that the general public finds exciting is the hacking/exploit part. You can even see this in the sales numbers of my books, where the bad guy books outsell the good guy books almost 4:1. I call this the NASCAR effect.
I agree with you that asking software vendors to show you some evidence that their software is secure can be very helpful. We’ve been involved in situations like that a number of times at Cigital (where the poor software vendor was scrambling toward software security and needed our help).
BTW, the next victim on Silver Bullet will be Adam Shostack…so we should get a bit more technical!
gem