Podcast appearances and mentions of rich mogull

We spoke to Will Bengtson (VP of Security Operations at HashiCorp) bout the realities of cloud incident response and detection. From root credentials to event-based threats, this conversation dives deep into: Why cloud security is NOT like on-prem – and how that affects incident response How attackers exploit APIs in seconds (yes, seconds—not hours!) The secret to building a cloud detection program that actually works The biggest detection blind spots in AWS, Azure, and multi-cloud environments What most SOC teams get WRONG about cloud security Guest Socials: ⁠⁠⁠⁠⁠⁠⁠Will's Linkedin Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠ If you are interested in AI Cybersecurity, you can check out our sister podcast -⁠⁠⁠⁠⁠ AI Cybersecurity Podcast Questions asked: (00:00) Introduction (00:38) A bit about Will Bengtson (05:41) Is there more awareness of Incident Response in Cloud (07:05) Native Solutions for Incident Response in Cloud (08:40) Incident Response and Threat Detection in the Cloud (11:53) Getting started with Incident Response in Cloud (20:45) Maturity in Incident Response in Cloud (24:38) When to start doing Threat Hunting? (27:44) Threat hunting and detection in MultiCloud (31:09) Will talk about his BlackHat training with Rich Mogull (39:19) Secret Detection for Detection Capability (43:13) Building a career in Cloud Detection and Response (51:27) The Fun Section

Guest: Rich Mogull, SVP of Cloud Security at Firemon and CEO at Securosis Topics: Let's talk about cloud security shared responsibility.  How to separate the blame? Is there a good framework for apportioning blame? You've introduced the Cloud Shared Irresponsibilities Model, stating cloud providers will be considered partially responsible for breaches even if due to customer misconfigurations. How do you see this impacting the relationship between cloud providers and their customers? Will it lead to more collaboration or more friction? We both know the Jay Heiser 2015 classic “cloud is secure, but you not using it securely.” In your view, what does “use cloud securely” mean for various organizations today? Here is a very painful question: how to decide what cloud security should be free with cloud and what security can be paid?  You dealt with cloud security for a long time, what is your #1 lesson so far on how to make the cloud more secure or use the cloud more securely? What is the best way to learn how to cloud? What is this CloudSLAW thing? Resources: EP201 Every CTO Should Be a CSTO (Or Else!) - Transformation Lessons from The Hoff The Cloud Shared Irresponsibilities Model 2002 Trustworthy computing memo Use Cloud Securely? What Does This Even Mean?! EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith? No Snow, No Flakes: Pondering Cloud Security Shared Responsibility, Again! Cloud Security Lab a Week (S.L.A.W) Megatrends drive cloud adoption—and improve security for all Shared fate main page Defining the Journey—the Four Cloud Adoption Patterns Celebrating 200 Episodes of Cloud Security Podcast by Google and Thanks for all the Listens!

In this episode of the Cloud Security Podcast, we bring together an incredible panel of experts to explore the evolving landscape of cloud security in 2024. Hosted by Ashish Rajan, the discussion dives deep into the challenges and realities of today's multi-cloud environments. With perspectives ranging from seasoned veterans to emerging voices this episode offers a broad spectrum of insights from cloud security practitioners who are living and breathing cloud security everyday. We are very grateful to our panelist who took part in 1st of its kind edition for the State of Cloud Security - Meg Ashby, Damien Burks, Chris Farris, Rich Mogull, Patrick Sanders, Ammar Alim and Abdie Mohamed. The conversation covers essential topics such as the pitfalls of multi-cloud adoption, the persistent security issues that remain even as cloud technologies advance, and the importance of specializing in one cloud platform while maintaining surface-level knowledge of others. The panelists also share their thoughts on the future of cloud security, including the increasing relevance of Kubernetes and edge security. Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp Questions asked: (00:00) Introduction (02:22) How much has Cloud Security Changed? (07:05) Is the expectation to be MultiCloud? (19:07) What's top of mind in Cloud Security in 2024? (27:17) The current Cloud Service Provider Landscape (39:26) Where to start in Cloud Security ? (52:10) The Fun Section Resources discussed during the episode: fwd:cloudsec conference Cloud Security Bootcamp DevSecBlueprint YouTube Channel - Damien Burks Rich Mogull's Cloud Security Lab of the Week

What are the practical steps for orienting yourself in a new cloud environment? Ashish sat down with Rich Mogull and Chris Farris to explore the intricacies of effective cloud security strategies. Drawing on their extensive experience, Rich and Chris speak about critical importance of moving beyond just addressing vulnerabilities and embracing a more comprehensive approach to cloud security.Rich and Chris share their professional experiences and practical advice for anyone who finds themselves "airdropped" into an organization's cloud environment. They also discuss the development of the Universal Threat Actor Model and how it can help prioritize security efforts in a chaotic landscape of constant alerts and threats. Guest Socials: Rich's Linkedin + Chris's Linkedin Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp Questions asked: (00:00) Introduction (02:26) A bit about Chris Farris (03:10) A bit about Rich Mogull (03:45) First Cloud Service they worked on! (06:27) Where to start in an AWS environment? (10:50) Cloud Security Threat Landscape (15:25) Navigating through the CSPM findings (18:14) Using the Universal Cloud Threat Model (23:16) How is Cloud Ransomware different? (25:44) Surprising attacks or compromises in Cloud (29:43) Where are the CSPM Alerts going? (36:30) Cloud Security Landscape in 2024 (45:37) The need for Cloud Security training in 2024 (46:58) Good starting point to learn Cloud Security (52:13) The Fun Section Resources spoken about during the episode: The Universal Cloud Threat Model AWS Customer Security Incidents by Rami McCarthy Breaches.cloud CloudSLAW

Learning cloud security can be daunting for experienced network engineers, much less complete newbies. That's why Rich Mogull started “Cloud Security Lab A Week,” aka Cloud SLAW. Every Thursday, he emails subscribers a new hands-on lab, building a full enterprise deployment week-by-week, step-by-step. Rich explains all the details to JJ and Drew including the cost... Read more »

Learning cloud security can be daunting for experienced network engineers, much less complete newbies. That's why Rich Mogull started “Cloud Security Lab A Week,” aka Cloud SLAW. Every Thursday, he emails subscribers a new hands-on lab, building a full enterprise deployment week-by-week, step-by-step. Rich explains all the details to JJ and Drew including the cost... Read more »

Rich Mogull, SVP of Cloud Security at FireMon, joins Corey on Screaming in the Cloud to discuss his career in cybersecurity going back to the early days of cloud. Rich describes how he identified that cloud security would become a huge opportunity in the early days of cloud, as well as how cybersecurity parallels his other jobs in aviation and emergency medicine. Rich and Corey also delve into the history of Rich's involvement in the TidBITS newsletter, and Rich unveils some of his insights into the world of cloud security as a Gartner analyst. About RichRich is the SVP of Cloud Security at FireMon where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while as CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having starting working hands-on in cloud over 12 years ago. He is also the principle course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.Rich is the Security Editor of TidBITS and a frequent contributor to industry publications. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).Links Referenced: FireMon: https://www.firemon.com/. Twitter: https://twitter.com/rmogull Mastodon: [https://defcon.social/@rmogull](https://defcon.social/@rmogull) FireMon Blogs: https://www.firemon.com/blogs/ Securosis Blogs: https://securosis.com/blog TranscriptAnnouncer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is Rich Mogull, SVP of Cloud Security over at FireMon now that I'm a bit too old to be super into Pokémon, so I forget which one that is. Rich, thanks for joining me. I appreciate it.Rich: Thank you. Although I think we need to be talking more Digimon than Pokémon. Not that I want to start a flame war on the internet in the first two minutes of the conversation.Corey: I don't even have the level of insight into that. But I will say one of the first areas where you came to my notice, which I'm sure you'll blame yourself for later, is that you are the security editor behind TidBITS, which is, more or less, an ongoing newsletter longer than I've been in the space, to my understanding. What is that, exactly?Rich: So, TidBITS is possibly the longest-running—one of the longest-running newsletters on the internet these days and it's focused on all things Apple. So, TidBITS started back in the very early days as kind of more of an email, I think like, 30 years ago or something close to that. And we just write a lot about Apple and I've been reading about Apple security there.Corey: That's got to be a bit of an interesting experience compared to my writing about AWS because people have opinions about AWS, particularly, you know, folks who work there, but let's be clear, there is nothing approaching the zealotry, I think I want to call it, of certain elements of the Apple ecosystem whenever there is the perception of criticism about the company that they favor. And I want to be clear here to make sure I don't get letters myself for saying this: if there's an Apple logo on a product, I will probably buy it. I have more or less surrounded myself with these things throughout the course of the last ten years. So, I say this from a place of love, but I also don't wind up with people threatening me whenever I say unkind things about AWS unless they're on the executive team.Rich: So, it's been a fascinating experience. So, I would say that I'm on the tail end of being involved with kind of the Mac journalist community. But I've been doing this for over 15 years is kind of what I first started to get involved over there. And for a time, I wrote most of the security articles for Macworld, or a big chunk of those, I obviously was writing over a TidBITS. I've been very lucky that I've never been on the end of the death threats and the vitriol in my coverage, even though it was balanced, but I've also had to work a lot—or have a lot of conversations with Apple over the years.And what will fascinate you is at what point in time, there were two companies in the world where I had an assigned handler on the PR team, and one was Apple and then the other was AWS. I will say Apple is much better at PR than [laugh] AWS, especially their keynotes, but we can talk about re:Invent later.Corey: Absolutely. I have similar handlers at a number of companies, myself, including of course, AWS. Someone has an impossible job over there. But it's been a fun and exciting world. You're dealing with the security side of things a lot more than I am, so there's that additional sensitivity that's tied to it.And I want to deviate for a second here, just because I'm curious to get your take on this given that you are not directly representing one of the companies that I tend to, more or less, spend my time needling. It seems like there's a lot of expectation on companies when people report security issues to them, that you're somehow going to dance to their tune and play their games the entire time. It's like, for a company that doesn't even have a public bug bounties process, that feels like it's a fairly impressively high bar. On some level, I could just report this via Twitter, so what's going on over there? That feels like it's very much an enterprise world expectation that probably means I'm out of step with it. But I'm curious to get your take.Rich: Out of step with which part of it? Having the bug bounty programs or the nature of—Corey: Oh, no. That's beside the point. But having to deal with the idea of oh, an independent security researcher shows up. Well, now they have to follow our policies and procedures. It's in my world if you want me to follow your policies and procedures, we need a contract in place or I need to work for you.Rich: Yeah, there is a long history about this and it is so far beyond what we likely have time to get into that goes into my history before I even got involved with dealing with any of the cloud pieces of it. But a lot about responsible disclosure, coordinated disclosure, no more free bugs, there's, like, this huge history around, kind of, how to handle these pieces. I would say that the core of it comes from, particularly in some of the earlier days, there were researchers who wanted to make their products better, often as you criticize various things, to speak on behalf of the customer. And with security, that is going to trigger emotional responses, even among vendors who are a little bit more mature. Give you an example, let's talk about Apple.When I first started covering them, they were horrific. I actually, some of the first writing I did that was public about Apple was all around security and their failures on security disclosures and their inability to work with security researchers. And they may struggle still, but they've improved dramatically with researcher programs, and—but it was iterative; it really did take a cultural change. But if you really want to know the bad stories, we have to go back to when I was writing about Oracle when I was a Gartner analyst.Corey: Oh, dear. I can only imagine how that played out. They have been very aggressive when it comes to smacking down what they perceive to be negative coverage of anything that they decide they like.Rich: Yeah, you know, if I would look at how culturally some of these companies deal with these things when I was first writing about some of the Oracle stuff—and remember, I was a Gartner analyst, not a vulnerability researcher—but I'm a hacker; I go to Blackhat and DEF CON. I'm friends with the people who are smarter than me at that or have become friends with them over the years. And I wrote a Gartner research note saying, “You probably shouldn't buy any more Oracle until they fix their vulnerability management process.” That got published under the Gartner name, which that may have gotten some attention and created some headaches and borderline legal threats and shade and all those kinds of things. That's an organization that looks at security as a PR problem. Even though they say they're more secure, they look at security as a PR problem. There are people in there who are good at security, but that's different. Apple used to be like that but has switched. And then Amazon is… learning.Corey: There is a lot of challenge around basically every aspect of communication because again, to me, a big company is one that has 200 people. I think that as soon as you wind up getting into the trillion-dollar company scale, everything you say gets you in trouble with someone, somehow, somewhere, so the easiest thing to do is to say nothing. The counterpoint is that on some point of scale, you hit a level where you need a fair bit of scrutiny; it's deserved at this point because you are systemically important, and them's the breaks.Rich: Yeah, and they have improved. A lot of the some of the larger companies have definitely improved. Microsoft learned a bunch of those lessons early on. [unintelligible 00:07:33] the product in Azure, maybe we'll get there at some point. But you have to—I look at it both sides a little bit.On the vendor side, there are researchers who are unreasonable because now that I'm on the vendor side for the first time in my career, if something gets reported, like, it can really screw up plans and timing and you got to move developer resources. So, you have outside influences controlling you, so I get that piece of it. But the reality is if some researcher discovered it, some China, Russia, random criminals are going to discover it. So, you need to deal with those issues. So, it's a bit of control. You lose control of your messaging and everything; if marketing gets their hands in this, then it becomes ugly.On the other hand, you have to, as a vendor, always realize that these are people frequently trying to make your products better. Some may be out just to extort you a little bit, whatever. That's life. Get used to it. And in the end, it's about putting the customers first, not necessarily putting your ego first and your marketing first.Corey: Changing gears slightly because believe it or not, neither you nor I have our primary day jobs focused on, you know, journalism or analyst work or anything like that these days, we focus on these—basically cloud, for lack of a better term—through slightly different lenses. I look at it through cost—which is of course architecture—and you look at it through the lens of security. And I will point out that only one of us gets called at three in the morning when things get horrible because of the bill is a strictly business-hours problem. Don't think that's an accident as far as what I decided to focus on. What do you do these days?Rich: You mean, what do I do in my day-to-day job?Corey: Well, it feels like a fair question to ask. Like, what do you do as far as day job, personal life et cetera. Who is Rich Mogull? You've been a name on the internet for a long time; I figured we'd add some color and context to it.Rich: Well, let's see. I just got back from a flying lesson. I'm honing in on my getting ready for my first solo. My side gig is as a disaster response paramedic. I dressed up as a stormtrooper for the 501st Legion. I've got a few kids and then I have a job. I technically have two jobs. So—Corey: I'm envious of some of those things. I was looking into getting into flying but that path's not open to me, given that I have ADHD. And there are ways around it in different ways. It's like no, no, you don't understand. With my given expression of it, I am exactly the kind of person that should not be flying a plane, let's be very clear here. This is not a regulatory thing so much as it is a, “I'm choosing life.”Rich: Yeah. It's a really fascinating thing because it's this combination of a physical and a mental challenge. And I'm still very early in the process. But you know, I cracked 50, it had always been a life goal to do this, and I said, “You know what? I'm going to go do it.”So, first thing, I get my medical to make sure I can actually pass that because I'm over 50, and then from there, I can kind of jump into lessons. Protip though: don't start taking lessons right as summer is kicking in in Phoenix, Arizona, with winds and heat that messes up your density altitude, and all sorts of fun things like that because it's making it a little more challenging. But I'm glad I'm doing it.Corey: I have to imagine. That's got to be an interesting skill set that probably doesn't have a huge amount of overlap with the ins and outs of the cloud business. But maybe I'm wrong.Rich: Oh God, Corey. The correlations between information security—my specialty, and cloud security as a subset of that—aviation, and emergency medicine are incredible. These are three areas with very similar skill sets required in terms of thought processes. And in the case of both the paramedic and aviation, there's physical skills and mental skills at the same time. But how you look at incidents, how you process things algorithmically, how you—your response times, checklists, the correlations.And I've been talking about two of those three things for years. I did a talk a couple years ago, during Covid, my Blackhat talk on the “Paramedics Guide to Surviving Cybersecurity,” where I talked a lot about these kinds of pieces. And now aviation is becoming another part of that. Amazing parallels between all three. Very similar mindsets are required.Corey: When you take a look at the overall sweep of the industry, you've been involved in cloud for a fairly long time. I have, too, but I start off as a cynic. I started originally when I got into the space, 2006, 2007, thinking virtualization was a flash in the pan because of the security potential impact of this. Then cloud was really starting to be a thing and pfff, that's not likely to take off. I mean, who's going to trust someone else to run all of their computing stuff?And at this point, I've learned to stop trying to predict the future because I generally get it 180 degrees wrong, which you know, I can own that. But I'm curious what you saw back when you got into this that made you decide, yeah, cloud has legs. What was that?Rich: I was giving a presentation with this guy, Chris Hoff, a good friend of mine. And Chris and I joined together are individual kind of research threads and were talking about, kind of, “Disruptive Innovation and the Future of Security.” I think that was the title. And we get that at RSA, we gave that at SOURCE Boston, start kind of doing a few sessions on this, and we talked about grid computing.And we were looking at, kind of, the economics of where things were going. And very early, we also realized that on the SaaS side, everybody was already using cloud; they just didn't necessarily know it and they called them Application Service Providers. And then the concepts of cloud in the very early days were becoming compelling. It really hit me the first time I used it.And to give you perspective, I'd spent years, you know, seven years as a Gartner analyst getting hammered with vendors all the time. You can't really test those technologies out because you can never test them in a way that an enterprise would use them. Even if I had a lab, the lab would be garbage; and we know this. I don't trust things coming out of labs because that does not reflect operational realities at enterprise scale. Coming out of Gartner, they train me to be an enterprise guy. You talk about a large company being 200? Large companies start at 3000 to 5000 employees.Corey: Does that map to cloud services the way that AWS expresses? Because EKS, you're going to manage that differently in an enterprise environment—or any other random AWS service; I'm just picking EKS as an example on this. But I can spin up a cluster and see what it's like in 15 minutes, you know, assuming the cluster gets with the program. And it's the same type of thing I would use in an enterprise, but I'm also not experiencing it in the enterprise-like way with the processes and the gating and the large team et cetera, et cetera, et cetera. Do you think it's still a fair comparison at that point?Rich: Yeah, I think it absolutely is. And this is what really blew my mind. 11 or 12 years ago, when I got my first cloud account setup. I realized, oh, my God. And that was, there was no VPC, there was no IAM. It was ephemeral—and—no, we just had EBS was relatively new, and IAM was API only, it wasn't in the console yet.Corey: And the network latency was, we'll charitably call it non-deterministic.Rich: That was the advantage of not running anything at scale, wasn't an issue at the time. But getting the hands-on and being able to build what I could build so quickly and easily and with so little friction, that was mind-blowing. And then for me, the first time I've used security groups I'm like, “Oh, my God, I have the granularity of a host firewall with the manageability of a network firewall?” And then years later, getting much deeper into how AWS networking and all the other pieces were—Corey: And doesn't let it hit the host, which I always thought a firewall that lets—Rich: Yes.Corey: —traffic touch the host is like a seatbelt that lets your face touch the dashboard.Rich: Yeah. The first thing they do, they go in, they're going to change the rules. But you can't do that. It's those layers of defense. And then I'm finding companies in the early days who wanted to put virtual appliances in front of everything. And still do. I had calls last week about that.But those are the things that really changed my mind because all of a sudden, this was what the key was, that I didn't fully realize—and it's kind of something that's evolved into something I call the ‘Grand Unified Theory of Cloud Governance,' these days—but what I realized was those barriers are gone. And there is no way to stop this as people want to build and test and deploy applications because the benefits are going to be too strong. So, grab onto the reins, hold on to the back of the horse, you're going to get dragged away, and it's your choice if your arm gets ripped off in the process or if you're going to be able to ride that thing and at least steer it in the general direction that you need it to go in.Corey: One of the things that really struck me when I started playing around with cloud for more than ten minutes was everything you say is true, but I can also get started today to test out an idea. And most of them don't work, but if something hits, suddenly I don't have the data center constraints, whereas today, I guess you'd call it, I built my experiment MVP on top of a Raspberry Pi and now I have to wait six weeks for Dell to send me something that isn't a piece of crap that I can actually take production traffic on. There's no okay, and I'll throw out the junky hardware and get the good stuff in once you start hitting a point of scale because you're already building on that stuff without the corresponding massive investment of capital to get there.Rich: Yeah well, I mean, look, I lived this, I did a startup that was based on demos at a Blackhat—sorry, at a Blackhat. Blackhat. Did some demos on stage, people were like, “We want your code.” It was about cloud security automation. That led to doing your startup, the thing called DisruptOps, which got acquired, and that's how I ended up at FireMon. So, that's the day job route where I ended up.And what was amazing for that is, to add on to what you said, first of all, the friction was low; once we get the architecture right, scalability is not something we are hugely concerned with, especially because we're CI/CD. Oh, no, we hit limits. Boom, let's just stand up a new version and redirect people over there. Problem solved. And then the ability to, say, run multiple versions of our platform simultaneously? We're doing that right now. We just had to release an entirely free version of it.To do that. It required back-end architectural changes for cost, not for scalability so much, but for a lot around cost and scheduling because our thing was event-driven, we're able to run that and run our other platform fully in parallel, all shared data structures, shared messaging structures. I can't even imagine how hard that would have not been to do in a traditional data center. So, we have a lot of freedom, still have those cost constraints because that's [laugh] your thing, but the experimentation, the ability to integrate things, it's just oh, my God, it's just exciting.Corey: And let's be clear, I, having spent a lot of time as a rat myself in these data centers, I don't regret handing a lot of that responsibility off, just because, let's not kid ourselves, they are better at replacing failed or failing hardware than I will ever be. That's part of the benefit you get from the law of large numbers.Rich: Yeah. I don't want to do all of that stuff, but we're hovering around something that is kind of—all right, so former Gartner analyst means I have a massive ego, and because of that, I like to come up with my own terms for things, so roll with me here. And it's something I'm calling the ‘Grand Unified Theory of Cloud Governance' because you cannot possibly get more egotistical than referring to something as your solution to the biggest problem in all of physics. The idea is, is that cloud, as we have just been discussing, it drops friction and it decentralizes because you don't have to go ask somebody for the network, you don't have to ask somebody for the server. So, all of a sudden, you can build a full application stack without having to call somebody for help. We've just never had that in IT before.And all of our governance structures—and this includes your own costs, as well as security—are built around scarcity. Scarcity of resources, natural choke points that evolved from the data center. Not because it was bad. It wasn't bad. We built these things because that's what we needed for that environment at the data center.Now, we've got cloud and it's this whole new alien technology and it decentralizes. That said, particularly for us on security, you can build your whole application stack, of course, we have completely unified the management interfaces in one place and then we stuck them on the internet, protected with nothing more than a username and password. And if you can put those three things together in your head, you can realize why these are such dramatic changes and so challenging for enterprises, why my kids get to go to Disney a fair bit because we're in demand as security professionals.Corey: What does FireMon do exactly? That's something that I'm not entirely up to speed on, just because please don't take this the wrong way, but I was at RSA this year, and it feels like all the companies sort of blend together as you walk between the different booths. Like, “This is what you should be terrified of today.” And it always turns into a weird sales pitch. Not that that's what you do, but it at some point just blinds me and overloads me as far as dealing with any of the cloud security space.Rich: Oh, I've been going to RSA for 20 years. One of our SEs, I was briefly at our booth—I'm usually in outside meetings—and he goes, “Do you see any fun and interesting?” I go—I just looked at him like I was depressed and I'm like, “I've been to RSA for 20 years. I will never see anything interesting here again. Those days are over.” There's just too much noise and cacophony on that show floor.What do we do? So—Corey: It makes re:Invent's Expo Hall look small.Rich: Yeah. I mean, it's, it's the show over at RSA. And it wasn't always. I mean, it was—it's always been big as long as I've been there, but yeah, it's huge, everyone is there, and they're all saying exactly the same thing. This year, I think the only reason it wasn't all about AI is because they couldn't get the printers to reprint the banners fast enough. Not that anybody has any products that would do anything there. So—you look like you want to say something there.Corey: No, no. I like the approach quite a bit. It's the, everything was about AI this year. It was a hard pivot from trying to sell me a firewall, which it seems like everyone was doing in the previous year. It's kind of wild. I keep saying that there's about a dozen companies that exhibit at RSA. A guess, there are hundreds and hundreds of booths, but it all distills down to the same 12 things. They have different logos and different marketing stories, but it does seem like a lot of stuff is very much just like the booth next to it on both sides.Rich: Yeah. I mean, that's—it's just the nature. And part of—there's a lot of reasons for this. We used to, when I was—so prior to doing the startup thing and then ending up at FireMon, I did Securosis, which was an analyst firm, and we used to do the Securosis guide to RSA every year where we would try and pick the big themes. And the reality is, there's a reason for that.I wrote something once the vendors lied to you because you want them to. It's the most dysfunctional relationship because as customers, you're always asking, “Well, what are you doing for [unintelligible 00:22:16]? What are you doing for zero trust? What are you doing for AI?” When those same customers are still just working on fundamental patch management and firewall management. But it doesn't stop them from asking the questions and the vendors have to have answers because that's just the nature of that part of the world.Corey: I will ask you, over are past 12 years—I have my own thoughts on this, but I want to hear your take on it—what's changed in the world of cloud security?Rich: Everything. I mean, I was one of the first to be doing this.Corey: Oh, is that all?Rich: Yeah. So, there's more people. When I first started, very few people doing it, nobody knew much about it outside AWS, we all knew each other. Now, we've got a community that's developed and there's people that know what they're doing. There's still a shortage of skills, absolutely still a shortage of skills, but we're getting a handle on that, you know? We're getting a bit of a pipeline.And I'd say that's still probably the biggest challenge faced. But what's improved? Well, it's a give-and-take. On one hand, we now have strategies, we have tools that are more helpful, unfortunately—I'll tell you the biggest mistake I made and it ties to the FireMon stuff in my career, in a minute; relates directly to this question, but we're kind of getting there on some of the tool pieces.On the other hand, that complexity is increasing faster. And that's what's made it hard. So, as much as we're getting more skilled people, better at tooling, for example, we kind of know—and we didn't have CloudTrail when I started. We didn't have the fundamental things you need to actually implement security at the start of cloud. Most of those are there; they may not be working the way we wish they always worked, but we've got the pieces to assemble it, depending on which platform you're on. That's probably the biggest change. Now, we need to get into the maturity phase of cloud, and that's going to be much more difficult and time-consuming to kind of get over that hump.Corey: It's easy to wind up saying, “Oh, I saw the future so clearly back then,” but I have to ask, going back 12 years, the path the world would take was far from certain. Did you have doubts?Rich: Like, I had presented with Chris Hoff. We—we're still friends—presented stuff together, and he got a job that was kind of clouding ancillary. And I remember calling him up once and going, “Chris, I don't know what to do.” I was running my little analyst firm—little. We were doing very, very well—I could not get paid to do any work around cloud.People wanted me to write shitty papers on DLP and take customer inquiries on DLP because I had covered that at the Gartner days, and data encryption and those pieces. That was hard. And fortunately, a few things started trickling in. And then it was a flood. It completely changed our business and led to me, you know, eventually going down into the vendor path. But that was a tough day when I hit that point. So, absolutely I knew it was the future. I didn't know if I was going to be able to make a living at it.Corey: It would seem that you did.Rich: Yeah. Worked out pretty well [laugh].Corey: You seem sprightly to me. Good work. You're not on death's door.Rich: No. You know, in fact, the analyst side of it exploded over the years because it turns out, there weren't people who had this experience. So, I could write code to the APIs, but they'll still talk with CEOs and boards of directors around these cloud security issues and frame them in ways that made sense to them. So, that was wonderful. We partnered up with the Cloud Security Alliance, I actually built a bunch of the CSA training, I wrote the current version of the CSA guidance, we're writing the next version of that, did a lot of research with them. They've been a wonderful partner.So, all that went well. Then I got diverted down onto the vendor path. I had this research idea and then it came out, we ended up founding that as a startup and then it got, as I mentioned, acquired by FireMon, which is interesting because FireMon, you asked what we did, it's firewall policy management is the core of the company. Yet the investors realize the company was not going in the right direction necessarily, to deal with the future of cloud. They went to their former CEO and said, “Hey, can you come back”—the founder of the company—“And take this over and start moving us in the right direction?”Well, he happened to be my co-founder at the startup. And so, we kind of came in and took over there. And so, now it's a very interesting position because we have this one cloud-native thing we built for all these years. We made one mistake with that, which I'll talk about which ties back to your predicting the future piece if you want to go into it, but then we have the network firewall piece now extending into hybrid, and we have an asset management moving into the attack surface management space as well. And both of those products have been around for, like, 15-plus years.Corey: No, I'm curious to your thoughts on it because it's been one of those weird areas where there's been so much change and so much evolution, but you also look at today's “OWASP Top 10” list of vulnerabilities, and yeah, they updated a year or so ago, but it still looks basically like things that—from 2008—would have made sense to me when I'm looking at this. Well, insomuch as they do now. I didn't know then, nor do I now what a cross-site scripting attack might be, but other than that, I find that there's, “Oh, you misconfigured something and it winds up causing a problem.” Well, no kidding. Imagine that.Rich: Yeah. Look, the fundamentals don't change, but it's still really easy to screw up.Corey: Oh, having done so a lot, I believe you.Rich: There's a couple of principles, and I'll break it into two sides. One is, a lot of security sounds simple. There's nothing simple at scale. Nothing simple scales. The moment you get up to even 200 employees, everything just becomes ridiculously harder. That's the nature of reality. Simplicity doesn't scale.The other part is even though it's always the same, it's still easy to think you're going to be different this time and you're not going to screw it up, and then you do. For example, so cloud, we were talking about the maturity. I assumed CSPM just wasn't going to be a thing. For real. The Cloud Security Posture Management. Because why would the cloud providers not just make that problem go away and then all the vulnerability assessment vendors and everybody else? It seemed like it was an uninteresting problem.And yet, we were building a cloud security automation thing and we missed the boat because we had everything we needed to be one of the very first CSPM vendors on the market and we're like, “No, no. That problem is going to go away. We'll go there.” And it ties back to what you said, which is it's the same stuff and we just outsmarted ourselves. We thought that people would go further faster. And they don't and they aren't.And that's kind of where we are today. We are dramatically maturing. At the same time, the complexity is increasing dramatically. It's just a huge challenge for skills and staffing to adjust governance programs. Like I think we've got another 10 to 20 years to go on this cloud security thing before we even get close. And then maybe we'll get down to the being bored by the problems. But probably not because AI will ruin us.Corey: I'd like to imagine, on some level, that AI could be that good. I mean, don't get me wrong. It has value and it is transformative for a bunch of things, but I also think a lot of the fear-mongering is more than a little overblown.Rich: No, I agree with you. I'm trying to keep a very close eye on it because—I can't remember if you and I talked about this when we met face-to-face, or… it was somebody at that event—AI is just not just AI. There's different. There's the LLMs, there's the different kinds of technologies that are involved. I mean, we use AI all over the place already.I mean my phone's got it built in to take better pictures. It's a matter of figuring out what the use cases and the, honestly, some of the regulatory structure around it in terms of copyright and everything else. I'm not worried about Clippy turning into Skynet, even though I might make jokes about that on Mastodon, maybe someday there will be some challenges, but no, it's just going to be another tech that we're going to figure out over time. It is disruptive, so we can't ignore that part of it.Corey: I really want to thank you for taking the time to speak with me. If people want to learn more, where's the best place to find you that isn't one of the Disney parks?Rich: That really is kind of the best place to find—no. So, these days, I do technically still have a Twitter presence at @rmogull. I'm not on there much, but I will get DMs if people send those over. I'm more on Mastodon. It's at @rmogull defcon.social. I write over at FireMon these days, as well as occasionally still over Securosis, on those blogs. And I'm in the [Cloud Security Slack community 00:30:49] that is now under the banner for CloudSec. That's probably the best place if you want to hit me up and get quick answers on anything.Corey: And I will, of course, include links to all of that in the show notes. Thank you so much for taking the time to speak with me today. I really appreciate it.Rich: Thanks, Corey. I was so happy to be here.Corey: Rich Mogull, SVP of Cloud Security at FireMon. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment talking about how at Dell these days, it does not take six weeks to ship a server. And then I will get back to you in six to eight weeks.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Roaming Mantis, the FBI, Magecarts, CloudMensis, FreePBX, Russia, and liquid-cooled laptops, we also have a special guest, Rich Mogull from Firemon on this episode of the Security Weekly News. This segment is sponsored by FireMon. Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn224

Roaming Mantis, the FBI, Magecarts, CloudMensis, FreePBX, Russia, and liquid-cooled laptops, we also have a special guest, Rich Mogull from Firemon on this episode of the Security Weekly News. This segment is sponsored by FireMon. Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn224

Roaming Mantis, the FBI, Magecarts, CloudMensis, FreePBX, Russia, and liquid-cooled laptops, we also have a special guest, Rich Mogull from Firemon on this episode of the Security Weekly News.   This segment is sponsored by FireMon. Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn224

This week, in our first segment, we welcome Rich Mogull, the CISO of DisruptOps - FireMon to discuss The Turbulent Cloud Security Market! Then, Andrew Hindle, the Content Chair at Identiverse & Chair of IDPro at Identiverse, joins to discuss Digital Identity: The Cornerstone of Our Digital World! Finally, in the Enterprise News: Basis Theory raises $17 million funding round, Crunchbase Funding Round Profile, Devo Acquires AI-Powered Security Automation Innovator to Deliver the “Autonomous SOC”, Hivemapper Dashcam, Authtech, Twitter accepts Elon Musk's $44 billion offer, Austin Peay State University on Twitter, Basis Theory raises $17 million funding round, & more! To register for our upcoming webcast with Rich Mogull on Deploying Cloud Applications Securely, visit https://attendee.gotowebinar.com/register/3131398543024475915?source=esw Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw271

This week, in our first segment, we welcome Rich Mogull, the CISO of DisruptOps - FireMon to discuss The Turbulent Cloud Security Market! Then, Andrew Hindle, the Content Chair at Identiverse & Chair of IDPro at Identiverse, joins to discuss Digital Identity: The Cornerstone of Our Digital World! Finally, in the Enterprise News: Basis Theory raises $17 million funding round, Crunchbase Funding Round Profile, Devo Acquires AI-Powered Security Automation Innovator to Deliver the “Autonomous SOC”, Hivemapper Dashcam, Authtech, Twitter accepts Elon Musk's $44 billion offer, Austin Peay State University on Twitter, Basis Theory raises $17 million funding round, & more! To register for our upcoming webcast with Rich Mogull on Deploying Cloud Applications Securely, visit https://attendee.gotowebinar.com/register/3131398543024475915?source=esw Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw271

Cloud security is confusing enough these days, but a complex product landscape doesn't make it any easier. In this segment we'll talk about what's driving this, how to make sense of it, and where to find things that actually help. To register for our upcoming webcast with Rich Mogull on Deploying Cloud Applications Securely, visit https://attendee.gotowebinar.com/register/3131398543024475915?source=esw   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw271

Cloud security is confusing enough these days, but a complex product landscape doesn't make it any easier. In this segment we'll talk about what's driving this, how to make sense of it, and where to find things that actually help. To register for our upcoming webcast with Rich Mogull on Deploying Cloud Applications Securely, visit https://attendee.gotowebinar.com/register/3131398543024475915?source=esw   Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw271

Rich joins us to discuss the differences in managing security policies between on-premises network environments and the cloud and the impacts that has on companies that are 100% cloud-based. He'll also be discussing the additional considerations that these organizations need to consider if they are considering SASE and SD-WAN to expand network access for their users.   This segment is sponsored by FireMon. Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw730

Rich joins us to discuss the differences in managing security policies between on-premises network environments and the cloud and the impacts that has on companies that are 100% cloud-based. He'll also be discussing the additional considerations that these organizations need to consider if they are considering SASE and SD-WAN to expand network access for their users.   This segment is sponsored by FireMon. Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw730

This week, we start the show off with the Security News for this week: Was It Russia?, Blocking software updates, crowd-sourced attacks, protecting FPGAs, moving Linux to modern C, Nvidia hit, the split of cyber criminals, Namecheap banning, Anonymous declares war, the Alan framework, and leaving your Docker port exposed... & more! Next up, we welcome Alissa Torres, Senior Threat Hunter at Palo Alto Networks, to explain how to “Hack the Hiring Process”! Last up, the a pre-recorded interview featuring Rich Mogull from FireMon, to discuss The Unique Challenges of Companies Born in the Cloud!   Show Notes: https://securityweekly.com/psw730 Segment Resources: Alissa's class with Antisyphon InfoSec Training **Advanced Endpoint Investigations** - https://www.antisyphontraining.com/advanced-endpoint-investigations-w-alissa-torres/ Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

This week, we start the show off with the Security News for this week: Was It Russia?, Blocking software updates, crowd-sourced attacks, protecting FPGAs, moving Linux to modern C, Nvidia hit, the split of cyber criminals, Namecheap banning, Anonymous declares war, the Alan framework, and leaving your Docker port exposed... & more! Next up, we welcome Alissa Torres, Senior Threat Hunter at Palo Alto Networks, to explain how to “Hack the Hiring Process”! Last up, the a pre-recorded interview featuring Rich Mogull from FireMon, to discuss The Unique Challenges of Companies Born in the Cloud!   Show Notes: https://securityweekly.com/psw730 Segment Resources: Alissa's class with Antisyphon InfoSec Training **Advanced Endpoint Investigations** - https://www.antisyphontraining.com/advanced-endpoint-investigations-w-alissa-torres/ Visit https://securityweekly.com/firemon to learn more about them!   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Dennis Fisher talks with Katie Moussouris, Rich Mogull, Kymberlee Price, and Thomas Ptacek about the unique and inspiring life and legacy of hacker Dan Kaminsky.

Our conversation with Rich Mogull was intended to provide an analyst view point on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy. If you find yourself wondering if you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic.  He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security— especially in assessing yourself for burnout.If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you.  We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn’t time to throw in the towel and find a better gig.If multi-cloud seems impossible to defend with the skills and resources you have, you’re probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn’t mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how long standing problems such as re-architecting are now solvable and operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.

Rich Mogull, CEO of Securosis and a longtime paramedic and disaster medic, joins Dennis Fisher to discuss the mindsets required to prepare for and respond to both physical disasters and security incidents. Listen to Rich's own podcast, the Cloud Security Mindset.

Special guest Rich Mogull joins the show. Topics cover a range of security and privacy-related issues: the Jeff Bezos/National Enquirer saga, laptop webcams, abuse of Apple’s enterprise developer program to enable sideloading of iOS apps, Amazon’s acquisition of Eero, and more.

They say if you live long enough . . . Few things give me greater pleasure than seeing my friends well earned success. Rich Mogull and Mike Rothman (along with Adrian Lane, Jody Brazil & Brandy Peterson) have been chasing a dream for more than a few years now. How to make the SecOps persons life easier, while bringing security into the age of DevOps, automation, agile, CI/CD, etc. Say hello to DisruptOps (http://www.disruptops.com). I first interviewed Mike about DisruptOps a few months ago. The company was just emerging from stealth. While they are still in preview, they were one of hundreds of companies that threw their hat into the ring for the prestigious RSAC Innovation Sandbox. Very proud to report that they were one of 10 finalists selected for this years program. If history is any guide, the fact they made the final cut is a good indicator of success to come. And well it should frankly. This founding team are some of the most dynamic, talented and smartest people I know in the business. I had a chance to sit down with Rich Mogull and Mike Rothman to discuss what is driving DisruptOps and what the disruption is all about. Have a listen as we talk about it from the executive view, the security admin view and the market view. Also be sure to check out DisruptOps at DevOps Connect: DevSecOps Days at RSAC, Monday, March 4th. https://www.devopsconnect.com/event/devops-connect-devsecops-days-rsac-2019/ Rich is also on a panel at the event as well as several other sessions at RSAC this year. Enjoy!

It is really my pleasure to present this episode of DevOps Chat. I have known Mike Rothman for 15 years or so. He and his partners in DisruptOps, Rich Mogull, Adrian Lane, Jody Brazil and Brandy Peterson have been some of the sharpest guys in the information security world for a long time. I knew they were working on a DevSecOps startup but I couldn't say anything. Well know the cat is out of the bag and I am happy to give you this conversation with Mike, who is President of DisruptOps. This is a company to watch with real ideas and experience behind it. Have a listen to our conversation and check them out at http://disruptops.com

  Episode 0x70 Dave Doesn't Exist We've been unable to capture Dave on video yet despite turning out a absolutely epic amount of video material. We think it's because he doesn't actually exist. Do not even get me started on the hipster beard and hipster actor. Those two. Sigh. In any case... Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag (or Deep Dive) And there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Surveillance of reporters has chilling effects Great series of articles from Rich Mogull on Cloud Security Your Cloud Consultant Probably Sucks How to Start Moving to Cloud Seven Steps to Secure Your AWS Root Account Breaches Github responsible disclosure haveibeenpwned - NSA edition (a written message from the Shadow Brokers) SCADA / Cyber, cyber... etc White hat Marai UK gov investing mucho Brexit dollars in cyber security DERP Don't do illegal searches of CPIC (especially if you're a police officer) Mailbag What's with google disclosing vulns without patches? (thanks to Ed) Briefly -- NO ARGUING OR DISCUSSION ALLOWED Macbook Pro review Ten Securosis Years Let's Encrypt Crowdfunding campaign Upcoming Appearances:  -- more gratuitous self-promotion Dave: - invading Sweden James: - VACATION! Ben: - still work Matt: - beard Wil: - hipster Other LSD Writers: - whaaaaaaa? Closing Thoughts Seacrest Says: Dave loves swedish meatballs Creative Commons license: BY-NC-SA

Security and perimeter experts Rich Mogull, CEO and analyst at Securosis, and Jim Routh, CSO and leader of the global information security function for AETNA, sat down at RSA Conference 2016 to discuss what it takes to be successful in the information security industry, and what it's like to be on the front lines of the battle against cybercriminals.

"Flying Drones & Fiery Phones: Liz and Jonathan Rupprecht, aviation and drone attorney, check in on the rollout of the FAA's Part 107 drone rules; in the wake of the FAA's ban of Samsung Note 7 cell phones on all flights, security analyst Rich Mogull breaks down the issues surrounding these fiery batteries and attorney Derin Dickerson provides tips for consumers."

Glenn and Susie are joined by Rich Mogull, and everyone is angry.

Security researcher Rich Mogull joins us to talk about security when traveling to countries where you might have a very good reason to be paranoid.

Episode 0x3A We Can Do Better Before we get too far into things this week, I want to draw special attention to Rich Mogull's $500 Cloud Security Screwup posting. Truly awe inspiring and an example of Doing Infosec Right - admitting that you screwed up and getting on with the solution rather than the very common response which would include hiding what happened and hoping no one finds out that it was you who were the screwup. We should all act more like this. Moving along... Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag (or Deep Dive) And there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Five Product Security Questions Nobody At CES Wants You To Ask. Because, you know, internets. Mandiant gets bought by FireEye Infographic: New ISO 27001:2013 - What Has Changed? Find security flaw, go to jail? Breaches Former TIAA-CREF Worker Gets 6 Years for Selling IDs OpenSSL Defacement - Not a Hypervisor Thing Riverside Health System 4-year-long HIPAA Breach Thank Goodness for the NSA! - a fable Yahoo infects people with Malware and makes the bitcoin SCADA / Cyber, cyber... etc Several European manufacturers spawn NSA-proof Android “cryptophones” NSA denials DERP UK ‘Porn Filter’ Blocks Legitimate File-Sharing Services Mailbag We receive some of the most batcrap crazy emails here at LSD. What's the right response to people who don't just have a tinfoil hat, but are opting for the full ensemble? Dear Mailbag I'm thinking about not speaking at RSA because of the NSAs, what do you think? Hugs Mikko H. (not the other Mikko guy) Briefly -- NO ARGUING OR DISCUSSION ALLOWED Crypto Hardening guide for Sysadmins Penetration Testing Lab Contents Mindmap sigcheck now with Virus total Wordpress plugin exploit data Skipfish Scanner Used In Financial Sector Attacks Liquidmatrix Staff Projects -- gratuitous self-promotion The Security Conference Library Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances:  -- more gratuitous self-promotion Dave: - Shmoocon, SOURCE, Infosec EU, BSides London, HITB EU, Secure360, FIRST... James: - At Shmoocon (with a cool surprise), then RSA (sad trombone) Ben: - N/A Matt: - behind the beard Wil: - Gave up, is a car dealer now Other LSD Writers: - huh? Advertising - pay the bills... Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! Or do the math and figure out if 5% off a course would be a better deal with "Liquidmatrix_5" Closing Thoughts Seacrest Says: My Voice Is My Passport, Verify Me Creative Commons license: BY-NC-SA

Rich has twenty years experience in information security, physical security, and risk management. He is the founder of Securosis and specializes in data security, application security, emerging security technologies, and security management.

Rich has twenty years experience in information security, physical security, and risk management. He is the founder of Securosis and specializes in data security, application security, emerging security technologies, and security management.

Brian Katz chats with Rich Mogull, CEO of Securosis, about topics on mobile security. They start with how Rich’s background in physical security led to his natural progression into IT Security and then move onto mobile topics. They discuss how modern mobile OS’s tackle security in this day and age which leads to biometrics and how security needs to take usability into account.

Episode 0x2D Nobody loves us. It's all about us this week. Well, not really. It's more about getting the world to get off the crazy train. Upcoming this week... Lots of News Kittens Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and There will NOT be a DEEP DIVE And there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary The web is a bad bad place SSL: Intercepted today, decrypted tomorrow (or why you need to use PFS) (but PFS TLS has a peformance impact) The Future of Civil Disobedience Online OECD complaint against finfisher The personal side of taking on the NSA: emerging smears Breaches Facebook exposes itself Opera's breach lady sings 47k student teachers in Florida exposed SCADA / Cyber, cyber... etc So you want to be a CIP consultant. Australia decides not to be American DERP South Korea misidentifies China as cyberattack origin Mailbag Hi, Greetings! Would you be interested to reach out to your target market for your Marketing Initiatives like Email Marketing, Tele Marketing, Direct Mailing and Fax Campaigns? Our list comes with the following information such as: First Name, Last Name, Title, Email, Tele-phone Number, Mobile Number, Company, Current Address, Country State/Province, City, Zip Code, Employee size, Sales; SIC Code/Industry, NAICS and Web Address. If you are interested please send me your target audience and geographical area, so that I can get back to you with exact counts and list details. Best Regards, Linda Lead Generation Briefly -- NO ARGUING OR DISCUSSION ALLOWED Burp trips and tricks PDF Cyanogen mod gets secure messaging Running a Hackerspace Raspberry Pi bot tracks hacker posts to vacuum up passwords and more MITM via PPTP Hacking monopoly Pentagon's failed flash drive ban policy: A lesson for every CIO Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- You've asked when and where - that'd be "We don't know yet" and "The week of Blackhat/BSides/DEFCON". You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James Training (with Rich Mogull) and Matt Speaking at BHUSA. Dave now will be writing for CSO Online and will be attending Black Hat, DEF CON, Secure Asia in Manila and Security Congress 2013 in Chicago and Hackfest in Quebec City. Matt and Wil will be at Blackhat/DEF CON and James, Ben and Dave will be joined by Mike Rothman for SecTor 2013's return of the (canadian) fail panel. In Closing Word of the Week -- Cyberlympics - I think it means CTF, but I'm not sure. Check it out here. Movie Review -- Firewall! Because you know that Harrison Ford can type 120 words per minute. everyday is CTF! go set up a team Hackfest registration is open Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Use discount code liquidmatrix-2013 to receive 10% off the registration price. Can't attend the full conference? Use code liquidmatrix-expo2013 to gain free access to the expo ($50 value).SecTor 2013 Seacrest Says: Good night Kitten Creative Commons license: BY-NC-SA

Episode 0x2C This is the 49th time! All I can hear is the voice of Edward R. Rooney saying "Nine Times"... well, that and the 49th parallel (which is 6 parallels north of where 3/5ths of the gang is hanging out). No one reads the notes so I know that I'm just talking to myself here. It's probably bad when you start talking to yourself. Perhaps. Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE And there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary OWASP Top 10 for 2013 is out What the NSA doesn’t have: iMessages and FaceTime chats Woz: This is not my America This is some cold ass James Bond shit (Countries are upset) (they even setup fake internet cafes) NSA leaks hint Microsoft may have lied about Skype security Breaches Head of U.S. Nuclear Security Agency hacked by "Guccifer" SCADA / Cyber, cyber... etc @c7five tweets on Cyberwar US FDA calls on medical device makers to focus on cybersecurity Trove of medical devices found to have password problems DERP Zamfoo gets a derp for responsible fail disclosure (also in the mailbag from Graham S) (and a reddit thread) TSA agent tells teen to 'cover herself' Sys-admin selfies courtesy of The Grugq Mailbag I'd like to start by saying that I thoroughly enjoy your podcast. It's a great combination of security news, comedy, and tragedy. It's great, keep it up. I'm emailing about your podcast to you rather than posting on the appropriate Facebook page, as I find email to be a preferred method of communication. I hope that's okay. Now, my question. I'm a young, ambitious Engineer who finds the topic of Network Security to be exciting and interesting. I work in a network security team in a large company and I am always trying to expand my skills and abilities. Simply put, I'm wondering what advice you have for an inspiring individual in this industry. Also, what resources did you rely on when you were starting out. What resources do you find to be the most valuable now? Specifically I struggle with finding friends, co-workers, or online buddies that share the same career interests and passion. After I spend a day troubleshooting a particular security issue I want to have a group of individuals I can spit ball ideas with. I find myself feeling like I am in a silo. This is particularly odd because I know for a fact that the world is full of brilliant network security minds. I'm thinking of attending one of the upcoming security conferences this year just to make some like minded friends. It's just annoying/expensive because I'd likely have to fly to the US. Any guidance that you could provide would be helpful. Anonymous By Request The Deep Dive -- SETEC ASTRONOMY We Should All Have Something To Hide Briefly -- NO ARGUING OR DISCUSSION ALLOWED Disconnect raises 3.5mil Pimp My Own Matt - Doing a webinar 6/20 CycleOverRide - Security Nerds on Wheels Sixth Annual Movie-Plot Threat Contest Semifinalists Hardvard Business Review talks infosec I'm hiring Loon How to make The Internet (from The IT Crowd) Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- You've asked when and where - that'd be "We don't know yet" and "The week of Blackhat/BSides/DEFCON". You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James Training (with Rich Mogull) and Matt Speaking at BHUSA. Dave is attending Black Hat, DEF CON, Secure Asia in Manila and Security Congress 2013 in Chicago. Matt and Wil will be at Blackhat/DEF CON and James, Ben and Dave will be joined by Mike Rothman for SecTor 2013's return of the (canadian) fail panel. In Closing Word of the Week -- Cybercentrifuge: vendors spinning stories fast enough to refine uranium. @jack_daniel Movie Review -- Time to see Hackers again. And read The Conscience of a Hacker again. Trust me. everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: Double ROT13 is NSA proof Creative Commons license: BY-NC-SA

Episode 0x2B -- Or !2b Nothin that we can't fix Infosec news is pretty light this week. Let's have a good start for year two of Liquidmatrix Security Digest Podcast. Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE And there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Microsoft seizes malware search domains Jude says child porn suspect does not need to decrypt his files... Or maybe yes he does. The Chinese hack Israel Hetzner web hosting service hacked Breaches / Cyber / DERP Wired says NSA is on all Verizon calls Meet PRISM and 9 big internet companies EFF's handy timeline Tech Companies Concede to Surveillance Program Boundless Informant: the NSA's secret tool to track global surveillance data Director of National Intelligence declassifies PRISM info to clear up 'inaccuracies' Why Canadians Should Be Demanding Answers About Secret Surveillance Programs It's in Canada too - Data-collection program got green light from MacKay in 2011 Whistleblower / future rendition candidate Why Prism kills Cloud (wow, wtf is wrong w/ people) More Links Briefly - NO ARGUING OR DISCUSSION ALLOWED Google Upping their XSS Bounty on a few key domains. $7,500 Let's all weigh in on how these thugs are steeling cars... Modern IE - browsers + HTML = weirdness Bradley Manning trial transcripts Using lotsa data to make web apps secure No security without maturity O Hai - I haz new job Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- You've asked when and where - that'd be "We don't know yet" and "The week of Blackhat/BSides/DEFCON". You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James Training (with Rich Mogull) and Matt Speaking at BHUSA. Dave will be speaking at SC Congress Toronto and attending Black Hat, DEF CON, Secure Asia in Manila and Security Congress 2013. Matt and Wil will be at Blackhat/DEF CON and James, Ben and Dave will be joined by Mike Rothman for SecTor 2013's return of the (canadian) fail panel. In Closing Movie Review Enemy of the State everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: Hi NSA, I didn't mean all those things I said about you in private Creative Commons license: BY-NC-SA

Episode 0x2A -- Happy One Year Later And we still suck at scheduling Despite efforts to the contrary... we're still not good at this. We should be getting better. Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE And there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary IE 10 Most Secure Browser according to NSS Labs ....Really? Privacy commissioner baffled about gas plant emails Google says 7 days! The Canadian Government's Embarrassing Opposition to Security Breach Disclosure Legislation (actual details on the opposition) Breaches Drupal France learns e-voting is Haaarrdddd SCADA / Cyber, cyber... etc BBC: Smart meters need to be harder to hack, experts say China blamed after ASIO blueprints stolen in major cyber attack on Canberra HQ Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies DERP Woman Brags About Hitting Cyclist, Discovers Police Also Use Twitter (a hurr durr) Twitter is evil!!! Paypal bounty program FAIL Mailbag So I was listening to 0x29 and a thought came to me during the part about Moxie and the line that the Saudi recruiter used on him which was the standard refrain of: "You either stand with us, or you stand with the terrorists!" Or "You either stand for surveillance or you stand with the child pornographers." Can we not just turn that on its head using their own logic and say: "You either stand for privacy and security or you stand with the human rights abusers." Since the people pushing the big brother agenda only chose to use black and white in their pictures of the world, what happens when the colours are reversed? Bob The Deep Dive The Case For A Government Bug Bounty Program Briefly - NO ARGUING OR DISCUSSION ALLOWED Facebook Bug Bounty 4500.. Blackhats say worth $800k Google forbids facial recognition in Google Glass for privacy reasons Wintersmith - another static site generator The global cyber game Lahana!!! Getting started with login verification (Twitter 2FA) Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- You've asked when and where - that'd be "We don't know yet" and "The week of Blackhat/BSides/DEFCON". You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James Training (with Rich Mogull) and Matt Speaking at BHUSA. Dave will be speaking at SC Congress Toronto and attending Black Hat, DEF CON, Secure Asia in Manila and Security Congress 2013. Matt and Wil will be at Blackhat/DEF CON and James, Ben and Dave will be joined by Mike Rothman for SecTor 2013's return of the (canadian) fail panel. In Closing Movie Review -- GoldenEye: The answer is always send a SPIKE everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: I can't say Z properly Creative Commons license: BY-NC-SA

Episode 0x29 -- Not just CrO2, but now with Dolby Does anyone read show notes? So last week had a really annoying failure in the workflow that gets this podcast from a bad Skype conference call to your ears oh precious listener. In this case, it was the failure to apply the noise canceller magic. This means that if you downloaded the podcast from the time that it was posted until I overheard the Liquidmatrix Intern listening to the podcast, you got to hear all of the background noise from each recording. Including Wil's unfortunately loud Bermuda frogs. I can't promise that it won't happen again, mostly because so much of the production workflow is human-based and not automatically awesome like it could be. Sigh. I suppose all of those automation people can't be wrong. Or something. Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. But there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Microsoft YouTube app DERP Bang with Friends Facebook glitch APPLE MULTIFACTOR FOR TEH CANADAZ!!!!! PayPal Exec vows to go thermonuclear on passwords. Data breach leads to lots of many Privacy Breach on Bloomberg’s Data Terminals Breaches In Hours, Thieves Took $45 Million in A.T.M. Scheme (also covered by Ars) (and the krebs) Name.com got p0wned SCADA / Cyber, cyber... etc The police need an app for that DERP Saudi's tried to hire Moxie to spy on their citizens mobile app traffic Briefly - NO ARGUING OR DISCUSSION ALLOWED Troy Hunt on Clickjacking Interesting note from David Seah on Procrastination. Mainframes can be hacked and backdoored Why certificate revocation doesn't work Cory Doctrow talking about freedom, society, computers and the internet Cmdr. Hadfield bids adieu to ISS with “Space Oddity” cover. Government subpoenas, obtains wide set of AP phone records in investigation Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- You've asked when and where - that'd be "We don't know yet" and "The week of Blackhat/BSides/DEFCON". You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James Training (with Rich Mogull) at BHUSA. Dave will be at Black Hat, DEF CON, Secure Asia. Matt and Wil will be at Blackhat/DEF CON and James, Ben and Dave will be joined by Mike Rothman for SecTor 2013's return of the (canadian) fail panel. In Closing Movie Review Big: All about authentication and authorization when biometrics won't work anymore. everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: This is ground control to Major Seacrest... Creative Commons license: BY-NC-SA

Episode 0x28 -- For Reals... it's here. I SAID it's a weekly podcast Life gets in the way of art. There's five of us, we are operating from 3 time zones and several of us have a whole lot more than just one job, and then parenting duties as well. This negatively contributes to the possibility of getting all of us together at the same time for a recording. We're trying to figure out what to do about it. It may be that we go for more frequent recordings of whomever is available and stuff together the rest of us when we can. Sigh. Or something. Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and There will be a DEEP DIVE But there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Stonesoft bought by McAfee/Intel How I got here: Hoff Thotcon / BSidesChicago - Jericho says I did a good job Is the U.S. Government Recording and Saving All Domestic Telephone Calls? Systems manager arrested for hacking former employer's network Breaches Study: Utah Health Breach Could Approach $406M The Onion Hacked by Syrians and the Onion responds 1 million dollars (Kreb's said "cyberheist" drink!) SCADA / Cyber, cyber... etc Many MANY sources: Your inability to understand Google Earth is entertaining DERP This time, the DERP is on us. With five schedules spread across 3 time zones and about 12 different jobs (not including parenting)... the Liquidmatrix Crew takes the DERP of the week. We promise we will attempt to get back on ye olde horse. Although it may be in the form of us no longer trying to have all hands on deck. What say you dear listener? Hide a bitcoin miner in your code vendor just called me, offered "a great solution for cyber defense by securing end points using DoD standards" #salesFail Mailbag / Bizarro Land Hey, I'm stupid busy at work. Can't keep up. People know where I sit. The email. The phone calls. I'm trying to use the damn bathroom now. Please help? SRSLYBizzay Secpro DEEP DIVING - Productivity In The Security Hotseat Interupt driven lifestyle for the win? Rage Quit Plan to be interupted - get in earlier or stay later than most of your co-workers Use a trick to determine how much productive time you have (Carmack and his CD player) Arrange a "cover" for the day Emergent Time Planner & Task Order Up kanban Trello (free) Lean Kit (not Free) Atlassian (jira) Greenhopper ($) Time Management for System Administrators Trusted Systems "Heroes are Zeroes" - Identify and Manage Failure to document makes you a team liability Briefly - NO ARGUING OR DISCUSSION ALLOWED Notch says practice your typing skills Cyber Observable Expression from MITRE OpenBSD 5.3 Released. Teacher 'powerless' to stop ex-girlfriend's cyberstalking Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- You've asked when and where - that'd be "We don't know yet" and "The week of Blackhat/BSides/DEFCON". You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James Training (with Rich Mogull) at BHUSA. Dave will be at Black Hat, DEF CON (AMFYOYO), Secure Asia. Matt and Wil will be at Blackhat/DEF CON and James, Ben and Dave will be joined by Mike Rothman for SecTor 2013's return of the (canadian) fail panel. In Closing Movie Review Terminator 2: All your PINs belong in my Atari handheld HSM everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: She sells sea shells on the sea shore. Creative Commons license: BY-NC-SA

Episode 0x27 -- Wednesday is the new Monday It's the podcast that never ends We've collected up something like 4 times more stories than we can use. We need to find a sponsor who will pay us to do this twice a week. Anyone got some money they're not using? Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and There will be no DEEP DIVE -- our SCUBA gear is in the shop But there are weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Kim Jong Un needs a snickers!!! Linksys Routers Screwed Bitcoin dDoS destroy world economy... nah (also bitcoin social engineering) (and skype bitcoin mining malware bot) Security BSides - Rochester Windows XP Security Updates ending in one year IE6 Countdown Windows XP still maintains 39% overall market share. Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight. DEA Accused Of Leaking Misleading Info Falsely Implying That It Can't Read Apple iMessages Breaches Vudu resets user passwords after hard drives lost in office burglary SCADA / Cyber, cyber... etc NIST CyberSecurity Framework Recordings Anonymous hacks DPRNK Twitter and Flickr Anonymous launches massive cyber assault on Israel Israel says: "Anonymous doesn't have the skills to damage the country's vital infrastructure" And fixes things up so that Anonymous' C&C plays "Hatikvah" USAF designates some of their software as CYBERWEAPONS Apparently there are CYBER-WEAPONS in the Korean Conflict Fast-Talking Computer Hacker Just Has To Break Through Encryption Shield Before Uploading Nano-Virus DERP Papa, m'entends tu? French Government discovers Streisand Effect on Wikipedia (without actually looking up) The Streisand Effect Interesting to note: The Wikipedia article on The Streisand Effect DOES link to the communication from WIkimedia Foundation. IRS Doesn’t Deny Snooping Emails Without A Warrant Dongle-gate - this makes it so much clearer Mailbag / Bizarro Land Subject:OMG, Arlen was right... I thought Jamie was just whining about how bad Blackboard is, but now that I have to use it... IT SUUUUUUCKS. It feels like an application that was rather forward thinking for its time, assuming it was built in 1997! I take it back. Anything coded in 1997 would be faster than Blackboard is today. Would it be wrong of me to try to find flaws in this thing, to try to get them to make it less... suck? Thanks,-Jim Briefly - NO ARGUING OR DISCUSSION ALLOWED Deutsche Telecom SOC big board Ingress - check it out Non-SSL active content on SSL pages is blocked by default in FireFox 18 Montreal police arrest a 20 year old woman after she posts a photo of graffiti to her instagram feed The ATF Wants ‘Massive’ Online Database to Find Out Who Your Friends Are Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- You've asked when and where - that'd be "We don't know yet" and "The week of Blackhat/BSides/DEFCON". You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James speaking at Thotcon, BSidesChicago, and Training (with Rich Mogull) at BHUSA. Dave will be at Secure Dusseldorf, Infosecurity Europe (including European Security Bloggers Meetup), Black Hat, DEF CON, Secure Asia. Matt speaking at Adelphi University Cyber Security Educational Panel. In Closing Movie Review Die Hard 4 - It's a blast. Seriously. Quick, there's a fire sale. everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: I have no mouth with which to scream Creative Commons license: BY-NC-SA

Episode 0x26 -- The First Rule... Ministry of Information Bulletin: Liquidmatrix is a weekly podcast. While we'd like to be able to say that the Ministry of Information is always correct, that would not necessarily be the case. The past few weeks of Infosec have certainly been interesting. The echo chamber is at an all time echo stratosphere and the daily slog of infosec professionals remains at an all time crappiness. Anyone want to join our "Infosec Anonymous" program? Perhaps we should go with a different name: searching "infosec anonymous" gives me about 210,000 results. Upcoming this week... Lots of News SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and THE DEEP DIVE Our new weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary To hack back or to not hack back The Grugg on Opsec for Hackers (how not get p0wned while p0wning) The dDoS to end all dDosssses that almost broke the ENTIRE internet, then again maybe not, but maybe sorta it did Uptime = 16 years = AWESOME. Feature parity with Netware 16 years later = STILL CAN'T HAVE IT. FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for 2013 SCADA / Cyber, cyber... etc DHS Warns of ‘TDos’ Extortion Attacks on Public Emergency Networks FERC U MAD BRO ???? (PDF) Cyber Divers take Egypt offline (except it might have been a ship's anchor) First time that it looks like actual details were stolen The Reality of Attribution about Cyber Attacks Cyber Security: The Digital Arms Trade Cyber RFI for the Space Race Fukushima Cooling Knocked Offline By... a Rat... that ended badly DERP Security hole allows anyone to reset an Apple ID with email and DOB Mailbag / Bizarro Land My official statement of begging for getting onto the Vegas party list. Thank you for your consideration. Kris Hello! Any chance I can get a couple of tickets to the party? I'm an infosec "professional" from Vancouver BC. I've met some of you guys at various cons, Hope, Defcon, Derbycon. thanks! Kevin The Deep Dive - Security Awareness Training Is Bruce ALWAYS right? Briefly - NO ARGUING OR DISCUSSION ALLOWED Is OwnCloud Good Enough? Monitoring for humans Pimp myself - Top 10 Web Hacks Attempted child abduction thwarted when girl asks stranger for code word Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- We threatened more news. There will be passes distributed. You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James speaking at Thotcon, BSidesChicago, BSidesRochester and Training (with Rich Mogull) at BHUSA. Dave will be at Secure Dusseldorf, Infosecurity Europe, Black Hat, DEF CON, Secure Asia In Closing Movie Review: Wargames everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: "I kinda really wanted to jump in and slam him!" Creative Commons license: BY-NC-SA

Episode 0x25 -- The one with ALL the cybers We're not sure why this keeps happening. As is the new normal around here, we've spent more time arguing about the show instead of actually doing the show. Add to that Dave's issues with (a)using a computer, and (b)having a decent ISP. It took a whole lot of goofing about to get this episode into the realm of "listenable". But hey, it's done now. Enjoy! Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and THE DEEP DIVE Our new weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Krebs gets whacked And does some digging Forbes magazine internet thingy talks about cracking crypto (so does Sophos) (and a lawsuit on the use of RC4 - so another reason to stop using it) Hacked retailers up in arms over $13 million 'fine', Visa lands up in court It's Kali Time MCMC probes The Malaysian Insider over spyware story The Breach Report Second Factor FTW Philippines National Telecom Commission Defaced by Anon CCTV hack wins gamblers $33*10^6 (cue Ocean's 11/12/13) SCADA / Cyber, cyber... etc You Say: Cyber. I Say: Unsubscribe North Korea restores Internet access, blames US hackers Queensland police to use surveillance drones to combat crime ahead of G20 conference Federal Judge Finds National Security Letters Unconstitutional, Bans Them NERC 2012 Annual Report (pdf) Medical device hacking: The 6 lines of code that could bring down a hospital US Cyber Command Admits Offensive Cyberwarfare Capabilities, Fundamental Shift In US Doctrine U.S. Demands China Crack Down on Cyberattacks Who’s Really Attacking Your ICS Devices? DERP EC-Council goes off the deep end Mailbag / Bizarro Land Question: Anyway, anyway, guys guys guys, come on. I'm in this computer, right. So I'm looking around, looking around, you know, throwing commands at it, I don't know where it is or what it does or anything. It's like, it's like choice, it's just beautiful, okay. Like four hours I'm just messing around in there. Finally I figure out, that it's a bank. Right, okay wait, okay, so it's a bank. So, this morning, I look in the paper, some cash machine in like Bumsville Idaho, spits out seven hundred dollars into the middle of the street. That was me. That was me. I did that. Answer: What are you, stoned or stupid? You don't hack a bank across state lines from your house, you'll get nailed by the FBI. Where are your brains, in your ass? Don't you know anything? The Deep Dive - Security Research and the Law Internet troll “weev” sentenced to 41 months for AT&T/iPad hack. Briefly - NO ARGUING OR DISCUSSION ALLOWED The Matrix in less than 600 bytes of JavaScript Branching breach impact model Top 10 Web Hacks of 2012 Webinar (Matt is hosting it with Jeremiah Grossman) Hackers play Space Invaders on Belgrade billboard, get rewarded with iPads. Microsoft to push Windows 7 Service Pack 1 to users starting March 19 Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- We threatened more news. There will be passes distributed. You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James speaking at Thotcon, BSidesChicago, BSidesRochester and Training (with Rich Mogull) at BHUSA. Dave will be at Secure Dusseldorf, Infosecurity Europe, Black Hat, DEF CON, Secure Asia In Closing Movie Review Hackers everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: Dave says "screw you Cogeco" Creative Commons license: BY-NC-SA

Episode 0x24 -- The Robot Uprising You'd think those worthless meatbag humans would be more respectful. It looks like we will have a limited incidence of Robots in tonights episode. Of course, nothing in life can be ACTUALLY robot free. That's just silly talk. Also, pro-tip: make grilled cheese sandwiches in the George Foreman after making steak - better than butter. Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and THE DEEP DIVE Our new weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Pwn2Own: IE, Firefox, Chrome and Java go down ...and Adobe Flash, Reader and Oracle Java exploits Chrome hack details (threat post link) Thanks Ben! Indian .gov puts bounty on botnet takedown China's internet backbone will have security features (also censorship) (SAVA) How Facebook Prepared to Be Hacked Having the MD5 hash of "123456" is probably not the best way to store passwords in your publicly searchable code on github... /via Thierry Zoller. (also don't put your twitter oauth keys in github) International Womens' Day - Don't forget Admiral Grace Freeze All The Robots: Put Android ICS in the freezer to break crypto Harvard sneaks through 16 Deans' email Deja vote: Iran blocks VPN use ahead of elections The Breach Report Another bitcoin exchange gets p0wned Ausie Ausie Ausia Bank Oy Oy Oy (Reserve Bank of Australia gets infected, then found out) Pakistan .gov gets hacked SCADA / Cyber, cyber... etc Metasploit releases exploit module for Honeywell ICS that has a patch available Formal Paper (pdf) from Ralph Langner Bound to Fail: Why Cyber Security Risk Cannot Be "Managed" Away US Military Advisory Panel Says Nuke a Cyber Attacker Reasons to depend on Kaspersky for ICS/SCADA operating systems -- EXCELLENT IPv6 STACKS BP Fights Off Up to 50,000 Cyber-Attacks a Day: CEO Cyberwar: you lack imagination DERP TELUS releases qualitive security survey (pdf link) - completely ignores science, math and proper research Survival of the fittest: Some data-breach victims can't be helped - but they enjoy reacharounds China points at USA and cries "you're stinky and mean" Mailbag / Bizarro Land Dear Dudes of the Liquid I found a vuln when I was browsing a company's website with w3af? Should I report it? Yimmy, Warsaw Briefly - NO ARGUING OR DISCUSSION ALLOWED From Space Rogue - The Infinite Daft Loop - productivity in a can Play Donkey Kong as the Princess Browser sec Tripwire aquires nCircle Click to play!!!! Microsoft preps UPDATE EVERYTHING patch batch Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- We threatened more news. There will be passes distributed. You can beg your way onto the list by sending an email to vegas2013party@liquidmatrix.org. The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. Email your submission to bsideslv2013@liquidmatrix.org The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James speaking at Thotcon, BSidesChicago, BSidesRochester and Training (with Rich Mogull) at BHUSA. Dave will be at Secure Dusseldorf, Infosecurity Europe, Black Hat, DEF CON, Secure Asia In Closing Movie Review Moon (it's all about clones - BTW spoiler alert) everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! And Liquidmatrix_5 for 5% off a course Seacrest Says: "Here's to a hoopy frood who really knew where his towel was." RIP Douglas Adams Creative Commons license: BY-NC-SA

Episode 0x23 -- Post RSA Actual News Recovery takes time. There has not been enough time. There's really not anything significant to note off the top. There's much going on in the world of infosec. I wish that it weren't as true, but even with the wildness of RSA, the cybers never sleep. You might want to stay until the end of the show to hear about a CONTEST and something even cooler... Upcoming this week... Lots of News Breaches SCADA / Cyber, cyber... etc. finishing it off with DERPs/Mailbag and THE DEEP DIVE Our new weekly Briefs - no arguing or discussion allowed And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode: News and Commentary Miniduke is older than we thought (Miniduke tells time in China) Cloudflare dDoS post mortem Google services should not require real names: Vint Cerf Oracle Issues Emergency Java Update Wireless brain sensor pack. Future - here we come! The Lightning Digital AV Adapter Surprise When will we trust robots? The Breach Report Evernote Security Notice: Service-wide Password Reset Evernote hacked: Emails, encrypted passwords stolen But it's ok, there will be 2 factor auth someday Critics say Evernote breach was avoidable. Envelopes mailed to 26k retired government employees in N.C. exposes SSNs Encrypted laptop, casino reports belonging to federal agency stolen from rental car in Calgary City of Owen Sound websites offline due to porn hack SCADA / Cyber, cyber... etc Information Assurance Certification Review Board: Certified SCADA Security Architect (CSSA) NEWS TO NO ONE: SANS SCADA and Process Control Security Survey - the state of the industry is discouraging Recent 10-Ks mentioning "cyber" incidents Canadian Anti-hacking agency slow to learn about Chinese cyberattack Symantec: work on Stuxnet worm started two years earlier than first thought SCADA 'Sandbox' Tests Real-World Impact Of Cyberattacks On Critical Infrastructure DERP Jailed hacker allowed into IT class, hacks prison computers Nearly Every NYC Crime Involves Cyber, Says Manhattan DA Mailbag / Bizarro Land Dearest Son, Why do you people always talk about "the echo chamber"? What is the echo chamber for? Love, Mom Deep Dive - Government Malware! discuss (Finfisher, Hacking Team)Zero Day Doc Briefly - NO ARGUING OR DISCUSSION ALLOWED Recon 2013 CFP opened APT 1 goes back years There's a vuln in sudo (yes, that sudo) Quick and dirty pcap slicing with tshark and friends Liquidmatrix Staff Projects The Liquidmatrix Vegas Party- More news to follow The BSidesLV Ticket Give-away- Three tickets up for grabs: best original piece of artwork incorporating a security rock star; bonus points for using a unicorn best rap song about a major breach best poem describing a vendor DERP Judging will be done by The Liquidmatrix Intern. Mocking will be done by us. I'd suggest you start buying a vote early. The Security Conference Library  Contribute to the Strategic Defense Execution Standard (#SDES) and you'll be Doing Infosec Right in no time. If you're interested in helping out with openCERT.ca, drop a line to info@openCERT.ca Upcoming Appearances: James speaking at Thotcon, BSidesChicago, BSidesRochester and Training (with Rich Mogull) at BHUSA. Dave will be at Secure Dusseldorf, Infosecurity Europe, Black Hat, DEF CON, Secure Asia In Closing RIP Stompin' Tom We'll leave a light on. everyday is CTF! go set up a team Signing up for a SANS course? Be sure to use the code "Liquidmatrix_150" and save $150 off the course fee! Seacrest Says: I'm drinking beer at HouSec bitches! Creative Commons license: BY-NC-SA

The Loop's Jim Dalrymple and Macworld editor Lex Friedman discuss Apple's new, all-encompassing touchscreen patents and what that means to the company's competitors. Security guru Rich Mogull talks about cyber criminals, their efforts to hack government and financial institution sites, and gives you sage advice on protecting yourself.

Columnist Jim Dalrymple, of The Loop, speculates about the next iPhone; security expert Rich Mogull on whether it's possible for the U.S. government to shutter the Internet in times of a national crisis; Laptop magazine’s Online Editorial Director, Avram Piltch, discusses the troubles at RIM.

Live from SANS Las Vegas Network Security 2007! I'd like to thank SANS for having us back, Dave Cool, Rich Mogull for helping out, props to Mike Poor (C.E.O Chief Entertainment Officer), and Eliot from Hack A Day for hanging out and providing t-shirts. Also, our sponsors gave us TONS of free stuff to give away, such as iPod Nanos, Amex and Starbucks Gift cards, t-shirts, and a really cool light saber. Want to register for any SANS conference? Please visit http://www.securityweekly.com/sans/ for our referral program and sign up for SEC535 - Embedded Device Hacking Today! Sponsored by Core Security, listen for the new customer discount code at the end of the show Sponsored by Tenable Network Security, creators of Nessus and makers of the Tenable Security Center, software that extends the power of Nessus through sophisticated reporting, remediation workflow, IDS event correlation and much more. Want some cool Security Weekly Gear? Do you hack naked? Check out our Cafepress Store! Full Show Notes Hosts: Larry "Uncle Larry" Pesce, Paul Asadoorian Email: psw@securityweekly.com