Podcasts about Synack

  • 49 podcasts
  • 81 episodes
  • 41m avg. duration
  • Infrequent episodes
  • Latest: Dec 15, 2024
Synack


Best podcasts about Synack

Latest podcast episodes about Synack

@BEERISAC: CPS/ICS Security Podcast Playlist
Mike Witt on NASA's cybersecurity mission in space

Dec 15, 2024 · 27:49


Podcast: WE'RE IN! (LS 32 · TOP 5%)
Episode: Mike Witt on NASA's cybersecurity mission in space
Pub date: 2024-12-12

Mike Witt, NASA's Senior Agency Information Security Officer and Chief Information Security Officer for Cybersecurity and Privacy, has a long history of public service. In addition to serving 10 years in the U.S. Army, Mike was the director of the United States Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security and a key cybersecurity official at the IRS. Now, he's leading NASA's efforts to secure spaceflight centers nationwide and their missions to the final frontier.

Tune in to the latest episode of WE'RE IN! to hear more about how NASA balances its out-of-this-world mission with real-world concerns about cybersecurity resulting from increased activity from other space agencies and commercial interests alike.

Listen to learn more about:
* How NASA responded to the Log4j vulnerabilities revealed in 2021
* Why the SAISO position was created
* How NASA's stellar reputation helps it address the cybersecurity talent shortage

The podcast and artwork embedded on this page are from Synack, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Caveat
The FOCAL approach for federal agencies.

Oct 17, 2024 · 53:11


Katie Bowen, VP & GM Global Public Sector and Defense at Synack, is sharing her thoughts on CISA's new guidance on the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan & federal vulnerability management practices. Ben does a deep dive into one of the biggest misconceptions about the First Amendment. Dave looks at the fallout from an alleged Chinese hack of a US telecom surveillance program. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Please take a moment to fill out an audience survey! Let us know how we are doing!

Links to the stories:
* Yes, Tim Walz, You Can Shout 'Fire' In A Crowded Theatre
* Lawmakers press agencies, telecoms for more details on Salt Typhoon hacks

Get the weekly Caveat Briefing delivered to your inbox. Like what you heard? Be sure to check out and subscribe to our Caveat Briefing, a weekly newsletter available exclusively to N2K Pro members on N2K CyberWire's website. N2K Pro members receive our Thursday wrap-up covering the latest in privacy, policy, and research news, including incidents, techniques, compliance, trends, and more. This week's Caveat Briefing covers the growing collaboration between Russia, China, and Iran with criminal networks for cyberespionage and hacking against the U.S. Microsoft's report highlights instances where these state-sponsored activities blur the lines with criminal motives, raising concerns among national security officials as adversaries leverage cybercriminals for enhanced cyber capabilities. Curious about the details? Head over to the Caveat Briefing for the full scoop and additional compelling stories.

Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.

@BEERISAC: CPS/ICS Security Podcast Playlist
Mara Winn on protecting America's critical infrastructure from cyberthreats

May 14, 2024 · 35:58


Podcast: WE'RE IN! (LS 32 · TOP 5%)
Episode: Mara Winn on protecting America's critical infrastructure from cyberthreats
Pub date: 2024-05-01

A first-of-its-kind 2016 cyberattack on Ukraine's power grid was a wake-up call for countries around the world to shore up protection of vulnerable energy resources. Mara Winn, Deputy Director for Preparedness, Policy, and Risk Analysis at the Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER), is in charge of acting on just that. From securing electric vehicles to safeguarding electric substations, Mara and her team help to ensure the resilience of the energy sector against cyber, physical and climate-based disruptions.

Mara takes a holistic approach to risk management, considering both physical and cyber threats. In the latest episode of WE'RE IN!, she cautions against focusing too much on the "flashy object of the day" and describes why she imbues diversity in risk management for the best outcomes.

Listen to hear more about:
* Why early implementation of security measures in product development is necessary for distributed energy resources like solar, wind and battery technologies
* How to educate investors, entrepreneurs and designers about understanding the full risk picture in business decisions
* The role of the National Association of Regulatory Utility Commissioners and the Federal Power Act in defining federal and state responsibilities in the energy system

WE'RE IN!
Season 3 Trailer

Dec 14, 2023 · 2:54


Ready to hear from top cybersecurity newsmakers, executives and storytellers? Eager for advice on how to launch a successful cyber career? Curious about hacking threats that seem to grow more menacing by the day? Get ready for Season 3 of WE'RE IN!

Hosted by Synack's Head of Communications and longtime cybersecurity journalist Blake Thompson Heuer (Sobczak), WE'RE IN! takes you inside the brightest minds in cybersecurity for unique insights and colorful stories from the front lines of our digital transformation. Don't miss the latest season of this breakout podcast, sponsored by Synack!

The RH-ISAC Podcast
Discussion with Summit Title Sponsor, Synack, & Natura &Co's CISO

Aug 9, 2023 · 52:03


In this episode of the Retail & Hospitality ISAC podcast, host Luke Vander Linden is joined by Blake Sobczak, Synack's head of communications and README's editor-in-chief, to discuss the latest news impacting the cybersecurity world. Keep an eye out for Synack at the upcoming RH-ISAC Cyber Intelligence Summit. Then, Luke sits down with Natura &Co's CISO, Jonathan Lloyd White, to expand upon his background, current role, and Natura &Co's founding principles. Thank you to Fortinet for their sponsorship of the Retail & Hospitality ISAC podcast.

WE'RE IN!
Lauren Zabierek on “Sharing the Mic” to Foster Cyber Innovation

Aug 8, 2023 · 31:02


The next generation of cybersecurity leaders has a vision for the future of cybersecurity. Facing advanced nation-state threats, the breakneck speed of tech innovation and a deluge of zero days, Lauren Zabierek is moving the dial on workforce diversity to tackle these challenges. Lauren, senior policy advisor for the Cybersecurity and Infrastructure Security Agency and co-founder of #ShareTheMicInCyber, is also helping organizations "shift left" by integrating security principles into the innovation process.

Don't miss the latest episode of WE'RE IN! to hear Lauren's insights into why cybersecurity job descriptions are broken and how talking to everyday people can build the pipeline of cyber talent.

Listen to learn more about:
* Which cybersecurity story she'd like to see made into a Christopher Nolan movie
* Why she believes "diversity is national security"
* How she ended up with Ms. magazine bylines

WE'RE IN!
Jeremiah Roe Unpacks the “Puzzle” of Pentesting

Jul 13, 2023 · 40:13


Pentesting is in Jeremiah Roe's DNA. He has worked for a traditional pentesting consultancy, conducted clever physical penetration tests over the years (as documented in his episode on the Darknet Diaries podcast), and he now finds himself at the cutting edge of security testing as field CISO for North America at Synack.

Jeremiah is a fan of escape rooms and brings his creativity and strategic thinking to some of the cybersecurity industry's toughest challenges. Don't miss the latest episode of WE'RE IN! to hear Jeremiah weigh in on topics such as:
* Budding API security challenges and how to address them
* Techniques for transitioning from the armed services to a role in cybersecurity
* How to think like an attacker to conquer high-risk vulnerabilities

@BEERISAC: CPS/ICS Security Podcast Playlist
Demystifying OT Cybersecurity with Danielle Jablanski

Jul 2, 2023 · 40:45


Podcast: WE'RE IN! (LS 28 · TOP 10%)
Episode: Demystifying OT Cybersecurity with Danielle Jablanski
Pub date: 2023-06-29

The operational technology (OT) computer networks that support life as we know it are increasingly coming under threat. But despite the proliferation of malware aimed at critical infrastructure, Danielle Jablanski isn't running for the hills. As an OT cybersecurity strategist for Nozomi Networks, Danielle helps critical infrastructure organizations understand and prioritize digital risks, whether they stem from a lack of visibility into industrial environments or a sophisticated cyberattack from a foreign nation-state. Don't miss the latest episode of WE'RE IN! to hear Danielle's insights into industrial control systems (ICS) risk management, including the recently disclosed COSMICENERGY ICS-focused cyberthreat.

Listen to learn more about:
* What makes the ICS security field "niche but not nebulous"
* How Danielle's background in nuclear weapons policy informs her approach to cyber incident planning
* Why so few critical infrastructure operators know where equipment with known vulnerabilities may exist on their networks
* Hacking satellites in space

Decoding Digital
Decoding Cybersecurity: Jay Kaplan on How to Protect Your Business from Cyberattacks

Apr 20, 2023 · 29:07


First and foremost, Jay Kaplan is a technical security expert. He has served in many high-profile cybersecurity roles—including at the Department of Defense and the National Security Agency. Jay was also selected as Forbes 30 Under 30 in Enterprise Technology. After seeing a gap in the cybersecurity space, Jay started his own cybersecurity company in 2013, ultimately co-founding Synack. Synack is an organization that strives to unite technology and human intelligence to revolutionize the cybersecurity world. With this approach, Synack has developed a premier security testing platform that protects federal agencies, DoD classified assets, and a growing list of Global 2000 customers.

In today's episode, Jay talks about the rise of ransomware and how to protect yourself and your company against it. He also discusses the evolution of cybersecurity over the last decade and how consumers can secure their accounts.

Press play to hear Jay's thoughts on…

How people started working in cybersecurity
"People that transitioned into the cybersecurity field generally were doing something else. They were handling infrastructure, they were system administrators, they were software developers, etc., and they just became fascinated in this subject."

The complicated nature of cybersecurity
"I think there really is no manual to have a comprehensive security strategy. It's not like you go read the Security for Dummies book and go through the pages and you're good. So it makes things very complicated."

The CyberWire
Iranian threat actor exploits N-day vulnerabilities. Subdomain hijacking vulnerabilities. The Discord Papers. An update on Russia's NTC Vulkan. And weather reports, not a Periodic Table.

Apr 18, 2023 · 28:27


An Iranian threat actor exploits N-day vulnerabilities. CSC exposes subdomain hijacking vulnerabilities. More on the Discord Papers. An update on Russia's NTC Vulkan. Joe Carrigan on the aftermath of a $98M online investment fraud. Our guest is Blake Sobczak from Synack, host of the podcast WE'RE IN! And threat actor nomenclature: a scorecard, and a Periodic Table no more. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/74

Selected reading.
* Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security)
* An Iranian hacking group went on the offensive against U.S. targets, Microsoft says (Washington Post)
* New CSC Research Finds One in Five DNS Records are Susceptible to Subdomain Hijacking Due to Insufficient Cyber Hygiene | CSC (CSC)
* DOD Assessing Document Disclosures and Implementing Mitigation Measures (U.S. Department of Defense)
* After leak, Pentagon purges some users' access to classified programs, launches security review (Breaking Defense)
* Why Did a 21-Year-Old Guardsman Have Access to State Secrets? (Vice)
* U.S. officials have examined whether alleged doc leaker had foreign links (POLITICO)
* The Air Force Loves War Gamers Like Alleged Leaker Teixeira (Military.com)
* FBI Investigating Ex-Navy Noncommissioned Officer Linked to Pro-Russia Social-Media Account (Wall Street Journal)
* Pentagon leak suggests Russia honing disinformation drive – report (the Guardian)
* Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure (Dragos)
* Microsoft shifts to a new threat actor naming taxonomy (Microsoft)

WE'RE IN!
Hudney Piquant on Pentesting, Staying Ahead of Adversaries and a Cyber “Sixth Sense”

Feb 2, 2023 · 41:31


Hudney Piquant kicked off his cybersecurity career working for a startup out of a garage in Michigan. He has since uncovered critical vulnerabilities as a Synack Red Team member, joined Synack full time as a solutions architect and been honored with a Most Inspiring Up And Comer award by CyberScoop last fall. Tune in to the latest episode of WE'RE IN! to hear Hudney share his insights into getting started with the Synack Red Team, the importance of mentorship in the cybersecurity community and his "sixth sense" that helps him to find creative workarounds for tough security challenges.

More topics covered in the podcast:
* Why we haven't seen the last of the blockbuster Log4j vulnerability
* The importance of applying an adversary's perspective on your networks
* How to build trust among professionals skeptical of ethical hackers

Cybercrime Magazine Podcast
Cybersecurity CMO. From Psychology To Cyber Marketing. Claire Trimble, Synack.

Jan 6, 2023 · 18:02


Cybersecurity CMO is a Cybercrime Magazine podcast series where we are joined by some of the top Chief Marketing Officers in cyber to discuss how they got to where they are, how they help differentiate the companies they work for, how they help those organizations grow, and more. Joining host Hillarie McClure on today's episode is Claire Trimble, Chief Marketing Officer at Synack. • For more on cybersecurity, visit us at https://cybersecurityventures.com/

WE'RE IN!
Season 2 Trailer

Dec 8, 2022 · 2:36


Ready to hear from top cybersecurity newsmakers, executives and storytellers? Eager for advice on how to launch a successful cyber career? Curious about hacking threats that seem to grow more menacing by the day? Get ready for Season 2 of WE'RE IN! Co-hosted by Synack security operations engineer Bella DeShantz-Cook and longtime cybersecurity journalist Blake Sobczak, WE'RE IN! takes you inside the brightest minds in cybersecurity for unique insights and colorful stories from the front lines of our digital transformation. Don't miss the latest season of this breakout podcast, sponsored by Synack! 

Screaming in the Cloud
Snyk and the Complex World of Vulnerability Intelligence with Clinton Herget

Nov 17, 2022 · 38:39


About Clinton
Clinton Herget is Field CTO at Snyk, the leader in Developer Security. He focuses on helping Snyk's strategic customers on their journey to DevSecOps maturity. A seasoned technologist, Clinton spent his 20-year career prior to Snyk as a web software developer, DevOps consultant, cloud solutions architect, and engineering director. Clinton is passionate about empowering software engineers to do their best work in the chaotic cloud-native world, and is a frequent conference speaker, developer advocate, and technical thought leader.

Links Referenced:
* Snyk: https://snyk.io/
* duckbillgroup.com: https://duckbillgroup.com

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is brought to us in part by our friends at Pinecone. They believe that all anyone really wants is to be understood, and that includes your users. AI models combined with the Pinecone vector database let your applications understand and act on what your users want… without making them spell it out. Make your search application find results by meaning instead of just keywords, your personalization system make picks based on relevance instead of just tags, and your security applications match threats by resemblance instead of just regular expressions. Pinecone provides the cloud infrastructure that makes this easy, fast, and scalable. Thanks to my friends at Pinecone for sponsoring this episode. Visit Pinecone.io to understand more.

Corey: This episode is brought to you in part by our friends at Veeam. Do you care about backups? Of course you don't. Nobody cares about backups. Stop lying to yourselves! You care about restores, usually right after you didn't care enough about backups. If you're tired of the vulnerabilities, costs and slow recoveries when using snapshots to restore your data, assuming you even have them at all living in AWS-land, there is an alternative for you. Check out Veeam, that's V-E-E-A-M, for secure, zero-fuss AWS backup that won't leave you high and dry when it's time to restore. Stop taking chances with your data. Talk to Veeam. My thanks to them for sponsoring this ridiculous podcast.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. One of the fun things about establishing traditions is that the first time you do it, you don't really know that that's what's happening. Almost exactly a year ago, I sat down for a previous promoted guest episode much like this one, with Clinton Herget at Snyk—or Synic; however you want to pronounce that. He is apparently a scarecrow of some sort because when last we spoke, he was a principal solutions engineer, but like any good scarecrow, he was outstanding in his field, and now, as a result, is a Field CTO. Clinton, thanks for coming back, and let me start by congratulating you on the promotion. Or consoling you depending upon how good or bad it is.

Clinton: You know, Corey, a little bit of column A, a little bit of column B. But very glad to be here again, and frankly, I think it's because you insist on mispronouncing Snyk as Synic, and so you get me again.

Corey: Yeah, you could add a couple of new letters to it and just call the company [Synack 00:01:27]. Now, it's a hard pivot to a networking company. So, there's always options.

Clinton: I acknowledge what you did there, Corey.

Corey: I like that quite a bit. I wasn't sure you'd get it.

Clinton: I'm a nerd going way, way back, so we'll have to go pretty deep in the stack for you to stump me on some of this stuff.

Corey: As we did with the, “I wasn't sure you'd get it.” See that one sailed right past you. And I win. Chalk another one up for me and the networking pun wars. Great, we'll loop back for that later.

Clinton: I don't even know where I am right now.

Corey: [laugh]. So, let's go back to a question that one would think that I'd already established a year ago, but I have the attention span of basically a goldfish, let's not kid ourselves. So, as I'm visiting the Snyk website, I find that it says different words than it did a year ago, which is generally a sign that is positive; when nothing's been updated including the copyright date, things are going really well or really badly. One wonders. But no, now you're talking about Snyk Cloud, you're talking about several other offerings as well, and my understanding of what it is you folks do no longer appears to be completely accurate. So, let me be direct. What the hell do you folks do over there?

Clinton: It's a really great question. Glad you asked me on a year later to answer it. I would say at a very high level, what we do hasn't changed. However, I think the industry has certainly come a long way in the past couple years and our job is to adapt to that. Snyk—again, pronounced like a pair of sneakers are sneaking around—it's a developer security platform. So, we focus on enabling the people who build applications—which as of today, means modern applications built in the cloud—to have better visibility, and ultimately a better chance of mitigating the risk that goes into those applications when it matters most, which is actually in their workflow.

Now, you're exactly right. Things have certainly expanded in that remit because the job of a software engineer is very different, I think this year than it even was last year, and that's continually evolving over time. As a developer now, I'm doing a lot more than I was doing a few years ago. And one of the things I'm doing is building infrastructure in the cloud, I'm writing YAML files, I'm writing CloudFormation templates to deploy things out to AWS. And what happens in the cloud has a lot to do with the risk to my organization associated with those applications that I'm building.

So, I'd love to talk a little bit more about why we decided to make that move, but I don't think that represents a watering down of what we're trying to do at Snyk. I think it recognizes that developer security vision fundamentally can't exist without some understanding of what's happening in the cloud.

Corey: One of the things that always scares me is—and sets the spidey sense tingling—is when I see a company who has a product, and I'm familiar—ish—with what they do. And then they take their product name and slap the word cloud at the end, which is almost always codes to, “Okay, so we took the thing that we sold in boxes in data centers, and now we're making a shitty hosted version available because it turns out you rubes will absolutely pay a subscription for it.” Yeah, I don't get the sense that at all is what you're doing. In fact, I don't believe that you're offering a hosted managed service at the moment, are you?

Clinton: No, the cloud part, that fundamentally refers to a new product, an offering that looks at the security or potentially the risks being introduced into cloud infrastructure, by now the engineers who were doing it who are writing infrastructure as code. We previously had an infrastructure-as-code security product, and that served alongside our static analysis tool which is Snyk Code, our open-source tool, our container scanner, recognizing that the kinds of vulnerabilities you can potentially introduce in writing cloud infrastructure are not only bad to the organization on their own—I mean, nobody wants to create an S3 bucket that's wide open to the world—but also, those misconfigurations can increase the blast radius of other kinds of vulnerabilities in the stack. So, I think what it does is it recognizes that, as you and I think your listeners well know, Corey, there's no such thing as the cloud, right? The cloud is just a bunch of fancy software designed to abstract away from the fact that you're running stuff on somebody else's computer, right?

Corey: Unfortunately, in this case, the fact that you're calling it Snyk Cloud does not mean that you're doing what so many other companies in that same space do; it would have led to a really short interview because I have no faith that it's the right path forward, especially for you folks, where it's, “Oh, you want to be secure? You've got to host your stuff on our stuff instead. That's why we called it cloud.” That's the direction that I've seen a lot of folks try and pivot in, and I always find it disastrous. It's, “Yeah, well, at Snyk if we run your code or your shitty applications here in our environment, it's going to be safer than if you run it yourself on something untested like AWS.” And yeah, those stories hold absolutely no water. And may I just say, I'm gratified that's not what you're doing?

Clinton: Absolutely not. No, I would say we have no interest in running anyone's applications. We do want to scan them though, right? We do want to give the developers insight into the potential misconfigurations, the risks, the vulnerabilities that you're introducing. What sets Snyk apart, I think, from others in that application security testing space is we focus on the experience of the developer, rather than just being another tool that runs and generates a bunch of PDFs and then throws them back to say, “Here's everything you did wrong.”

We want to say to developers, “Here's what you could do better. Here's how that default in a CloudFormation template that leads to your bucket being, you know, wide open on the internet could be changed. Here's the remediation that you could introduce.” And if we do that at the right moment, which is inside that developer workflow, inside the IDE, on their local machine, before that gets deployed, there's a much greater chance that remediation is going to be implemented and it's going to happen much more cheaply, right? Because you no longer have to do the round trip all the way out to the cloud and back.

So, the cloud part of it fundamentally means completing that story, recognizing that once things do get deployed, there's a lot of valuable context that's happening out there that a developer can really take advantage of. They can say, “Wait a minute. Not only do I have a Log4Shell vulnerability, right, in one of my open-source dependencies, but that artifact, that application is actually getting deployed to a VPC that has ingress from the internet,” right? So, not only do I have remote code execution in my application, but it's being put in an enclave that actually allows it to be exploited. You can only know that if you're actually looking at what's really happening in the cloud, right?

So, not only does Snyk Cloud allow us to provide an additional layer of security by looking at what's misconfigured in that cloud environment and help your developers make remediations by saying, “Here's the actual IaC file that caused that infrastructure to come into existence,” but we can also say, here's how that affects the risk of other kinds of vulnerabilities at different layers in the stack, right? Because it's all software; it's all connected. Very rarely does a vulnerability translate one-to-one into risk, right? They're compound because modern software is compound. And I think what developers lack is the tooling that fits into their workflow that understands what it means to be a software engineer and actually helps them make better choices rather than punishing them after the fact for guessing and making bad ones.

Corey: That sounds awesome at a very high level. It is very aligned with how executives and decision-makers think about a lot of these things. Let's get down to brass tacks for a second. Assume that I am the type of developer that I am in real life, by which I mean shitty. What am I going to wind up attempting to do that Snyk will flag and, in other words, protect me from myself and warn me that I'm about to commit a dumb?

Clinton: First of all, I would say, look, there's no such thing as a non-shitty developer, right? And I built software for 20 years and I decided that's really hard. What's a lot easier is talking about building software for a living. So, that's what I do now. But fundamentally, the reason I'm at Snyk is I want to help people who are in the kinds of jobs that I had for a very long time, which is to say, you have a tremendous amount of anxiety because you recognize that the success of the organization rests on your shoulders, and you're making hundreds, if not thousands of decisions every day without the right context to understand fully how the results of that decision are going to affect the organization that you work for.

So, I think every developer in the world has to deal with this constant cognitive dissonance of saying, “I don't know that this is right, but I have to do it anyway because I need to clear that ticket because that release needs to get into production.” And it becomes really easy to short-sightedly do things like pull an open-source dependency without checking whether it has any CVEs associated with it because that's the version that's easiest to implement with your code that already exists. So, that's one piece. Snyk Open Source, designed to traverse that entire tree of dependencies in open-source all the way down, all the hundreds and thousands of packages that you're pulling in to say, not only, here's a vulnerability that you should really know is going to end up in your application when it's built, but also here's what you can do about it, right? Here's the upgrade you can make, here's the minimum viable change that actually gets you out of this problem, and to do so when it's in the right context, which is in you know, as you're making that decision for the first time, right, inside your developer environment.

That also applies to things like container vulnerabilities, right? I have even less visibility into what's happening inside a container than I do inside my application. Because I know, say, I'm using an Ubuntu or a Red Hat base image. I have no idea, what are all the Linux packages that are on it, let alone what are the vulnerabilities associated with them, right? So, being able to detect, I've got a version of OpenSSL 3.0 that has a potentially serious vulnerability associated with it before I've actually deployed that container out into the cloud very much helps me as a developer.

Because I'm limiting the rework or the refactoring I would have to do by otherwise assuming I'm making a safe choice or guessing at it, and then only finding out after I've written a bunch more code that relies on that decision, that I have to go back and change it, and then rewrite all of the things that I wrote on top of it, right? So, it's identifying the layer in the stack where that risk could be introduced, and then also seeing how it's affected by all of those other layers because modern software is inherently complex. And that complexity is what drives both the risk associated with it, and also things like efficiency, which I know your audience is, for good reason, very concerned about.

Corey: I'm going to challenge you on an aspect of this because on the tin, the way you describe it, it sounds like, “Oh, I already have something that does that. It's the GitHub Dependabot story where it winds up sending me a litany of complaints every week.” And we are talking, if I did nothing other than read this email in that day, that would be a tremendously efficient processing of that entire thing because so much of it is stuff that is ancient and archived, and specific aspects of the vulnerabilities are just not relevant. And you talk about the OpenSSL 3.0 issues that just recently came out.

I have no doubt that somewhere in the most recent email I've gotten from that thing, it's buried two-thirds of the way down, like all the complaints like the dishwasher isn't loaded, you forgot to take the trash out, that baby needs a change, the kitchen is on fire, and the vacuuming, and the r—wait, wait. What was that thing about the kitchen? Seems like one of those things is not like the others. And it just gets lost in the noise. Now, I will admit to putting my thumb a little bit on the scale here because I've used Snyk before myself and I know that you don't do that. How do you avoid that trap?

Clinton: Great question. And I think really, the key to the story here is, developers need to be able to prioritize, and in order to prioritize effectively, you need to understand the context of what happens to that application after it gets deployed. And so, this is a key part of why getting the data out of the cloud and bringing it back into the code is so important. So, for example, take an OpenSSL vulnerability. Do you have it on a container image you're using, right? So, that's question number one.

Question two is, is there actually a way that code can be accessed from the outside? Is it included or is it called? Is the method activated by some other package that you have running on that container? Is that container image actually used in a production deployment? Or does it just go sit in a registry and no one ever touches it?

What are the conditions required to make that vulnerability exploitable?
You look at something like Spring Shell, for example, yes, you need a certain version of spring-beans in a JAR file somewhere, but you also need to be running a certain version of Tomcat, and you need to be packaging those JARs inside a WAR in a certain way.Corey: Exactly. I have a whole bunch of Lambda functions that provide the pipeline system that I use to build my newsletter every week, and I get screaming concerns about issues in, for example, a version of the markdown parser that I've subverted. Yeah, sure. I get that, on some level, if I were just giving it random untrusted input from the internet and random ad hoc users, but I'm not. It's just me when I write things for that particular Lambda function.And I'm not going to be actively attempting to subvert the thing that I built myself and no one else should have access to. And looking through the details of some of these things, it doesn't even apply to the way that I'm calling the libraries, so it's just noise, for lack of a better term. It is not something that basically ever needs to be adjusted or fixed.Clinton: Exactly. And I think cutting through that noise is so key to creating developer trust in any kind of tool that scanning an asset and providing you what, in theory, are a list of actionable steps, right? I need to be able to understand what is the thing, first of all. There's a lot of tools that do that, right, and we tend to mock them by saying things like, “Oh, it's just another PDF generator. It's just another thousand pages that you're never going to read.”So, getting the information in the right place is a big part of it, but filtering out all of the noise by saying, we looked at not just one layer of the stack, but multiple layers, right? We know that you're using this open-source dependency and we also know that the method that contains the vulnerability is actively called by your application in your first-party code because we ran our static analysis tool against that. 
Furthermore, we know because we looked at your cloud context, we connected to your AWS API—we're big partners with AWS and very proud of that relationship—but we can tell that there's inbound internet access available to that service, right? So, you start to build a compound case that maybe this is something that should be prioritized, right? Because there's a way into the asset from the outside world, there's a way into the vulnerable functions through the labyrinthine, you know, spaghetti of my code to get there, and the conditions required to exploit it actually exist in the wild.But you can't just run a single tool; you can't just run Dependabot to get that prioritization. You actually have to look at the entire holistic application context, which includes not just your dependencies, but what's happening in the container, what's happening in your first-party, your proprietary code, what's happening in your IAC, and I think most importantly for modern applications, what's actually happening in the cloud once it gets deployed, right? And that's sort of the holy grail of completing that loop to bring the right context back from the cloud into code to understand what change needs to be made, and where, and most importantly why. Because it's a priority that actually translates into organizational risk to get a developer to pay attention, right? I mean, that is the key to I think any security concern is how do you get engineering mindshare and trust that this is actually what you should be paying attention to and not a bunch of rework that doesn't actually make your software more secure?Corey: One of the challenges that I see across the board is that—well, let's back up a bit here. I have in previous episodes talked in some depth about my position that when it comes to the security of various cloud providers, Google is number one, and AWS is number two. Azure is a distant third because it figures out what Crayons tastes the best; I don't know. 
But the reason is not because of any inherent attribute of their security models, but rather that Google massively simplifies an awful lot of what happens. It automatically assumes that resources in the same project should be able to talk to one another, so I don't have to painstakingly configure that.In AWS-land, all of this must be done explicitly; no one has time for that, so we over-scope permissions massively and never go back and rein them in. It's a configuration vulnerability more than an underlying inherent weakness of the platform. Because complexity is the enemy of security in many respects. If you can't fit it all in your head to reason about it, how can you understand the security ramifications of it? AWS offers a tremendous number of security services. Many of them, when taken in some totality of their pricing, cost more than any breach, they could be expected to prevent. Adding more stuff that adds more complexity in the form of Snyk sounds like it's the exact opposite of what I would want to do. Change my mind.Clinton: I would love to. I would say, fundamentally, I think you and I—and by ‘I,' I mean Snyk and you know, Corey Quinn Enterprises Limited—I think we fundamentally have the same enemy here, right, which is the cyclomatic complexity of software, right, which is how many different pathways do the bits have to travel down to reach the same endpoint, right, the same goal. The more pathways there are, the more risk is introduced into your software, and the more inefficiency is introduced, right? And then I know you'd love to talk about how many different ways is there to run a container on AWS, right? It's either 30 or 400 or eleventy-million.I think you're exactly right that that complexity, it is great for, first of all, selling cloud resources, but also, I think, for innovating, right, for building new kinds of technology on top of that platform. The cost that comes along with that is a lack of visibility. 
And I think we are just now, as we approach the end of 2022 here, coming to recognize that fundamentally, the complexity of modern software is beyond the ability of a single engineer to understand. And that is really important from a security perspective, from a cost control perspective, especially because software now creates its own infrastructure, right? You can't just now secure the artifact and secure the perimeter that it gets deployed into and say, “I've done my job. Nobody can breach the perimeter and there's no vulnerabilities in the thing because we scanned it and that thing is immutable forever because it's pets, not cattle.”Where I think the complexity story comes in is to recognize like, “Hey, I'm deploying this based on a quickstart or CloudFormation template that is making certain assumptions that make my job easier,” right, in a very similar way that choosing an open-source dependency makes my job easier as a developer because I don't have to write all of that code myself. But what it does mean is I lack the visibility into, well hold on. How many different pathways are there for getting things done inside this dependency? How many other dependencies are brought on board? In the same way that when I create an EKS cluster, for example, from a CloudFormation template, what is it creating in the background? How many VPCs are involved? What are the subnets, right? How are they connected to each other? Where are the potential ingress points?So, I think fundamentally, getting visibility into that complexity is step number one, but understanding those pathways and how they could potentially translate into risk is critically important. But that prioritization has to involve looking at the software holistically and not just individual layers, right? 
I think we lose when we say, “We ran a static analysis tool and an open-source dependency scanner and a container scanner and a cloud config checker, and they all came up green, therefore the software doesn't have any risks,” right? That ignores the fundamental complexity in that all of these layers are connected together. And from an adversaries perspective, if my job is to go in and exploit software that's hosted in the cloud, I absolutely do not see the application model that way.I see it as it is inherently complex and that's a good thing for me because it means I can rely on the fact that those engineers had tremendous anxiety, we're making a lot of guesses, and crossing their fingers and hoping something would work and not be exploitable by me, right? So, the only way I think we get around that is to recognize that our engineers are critical stakeholders in that security process and you fundamentally lack that visibility if you don't do your scanning until after the fact. If you take that traditional audit-based approach that assumes a very waterfall, legacy approach to building software, and recognize that, hey, we're all on this infinite loop race track now. We're deploying every three-and-a-half seconds, everything's automated, it's all built at scale, but the ability to do that inherently implies all of this additional complexity that ultimately will, you know, end up haunting me, right? If I don't do anything about it, to make my engineer stakeholders in, you know, what actually gets deployed and what risks it brings on board.Corey: This episode is sponsored in part by our friends at Uptycs. Attackers don't think in silos, so why would you have siloed solutions protecting cloud, containers, and laptops distinctly? Meet Uptycs - the first unified solution that prioritizes risk across your modern attack surface—all from a single platform, UI, and data model. Stop by booth 3352 at AWS re:Invent in Las Vegas to see for yourself and visit uptycs.com. 
That's U-P-T-Y-C-S.com. My thanks to them for sponsoring my ridiculous nonsense.Corey: When I wind up hearing you talk about this—I'm going to divert us a little bit because you're dancing around something that it took me a long time to learn. When I first started fixing AWS bills for a living, I thought that it would be mostly math, by which I mean arithmetic. That's the great secret of cloud economics. It's addition, subtraction, and occasionally multiplication and division. No, turns out it's much more psychology than it is math. You're talking in many aspects about, I guess, what I'd call the psychology of a modern cloud engineer and how they think about these things. It's not a technology problem. It's a people problem, isn't it?Clinton: Oh, absolutely. I think it's the people that create the technology. And I think the longer you persist in what we would call the legacy viewpoint, right, not recognizing what the cloud is—which is fundamentally just software all the way down, right? It is abstraction layers that allow you to ignore the fact that you're running stuff on somebody else's computer—once you recognize that, you realize, oh, if it's all software, then the problems that it introduces are software problems that need software solutions, which means that it must involve activity by the people who write software, right? So, now that you're in that developer world, it unlocks, I think, a lot of potential to say, well, why don't developers tend to trust the security tools they've been provided with, right?I think a lot of it comes down to the question you asked earlier in terms of the noise, the lack of understanding of how those pieces are connected together, or the lack of context, or not even frankly, caring about looking beyond the single-point solution of the problem that solution was designed to solve. 
But more importantly than that, not recognizing what it's like to build modern software, right, all of the decisions that have to be made on a daily basis with very limited information, right? I might not even understand where that container image I'm building is going in the universe, let alone what's being built on top of it and how much critical customer data is being touched by the database, that that container now has the credentials to access, right? So, I think in order to change anything, we have to back way up and say, problems in the cloud or software problems and we have to treat them that way.Because if we don't if we continue to represent the cloud as some evolution of the old environment where you just have this perimeter that's pre-existing infrastructure that you're deploying things onto, and there's a guy with a neckbeard in the basement who is unplugging cables from a switch and plugging them back in and that's how networking problems are solved, I think you missed the idea that all of these abstraction layers introduced the very complexity that needs to be solved back in the build space. But that requires visibility into what actually happens when it gets deployed. The way I tend to think of it is, there's this firewall in place. Everybody wants to say, you know, we're doing DevOps or we're doing DevSecOps, right? And that's a lie a hundred percent of the time, right? No one is actually, I think, adhering completely to those principles.Corey: That's why one of the core tenets of ClickOps is lying about doing anything in the console.Clinton: Absolutely, right? And that's why shadow IT becomes more and more prevalent the deeper you get into modern development, not less and less prevalent because it's fundamentally hard to recognize the entirety of the potential implications, right, of a decision that you're making. So, it's a lot easier to just go in the console and say, “Okay, I'm going to deploy one EC2 to do this. 
I'm going to get it right at some point.” And that's why every application that's ever been produced by human hands has a comment in it that says something like, “I don't know why this works but it does. Please don't change it.”And then three years later because that developer has moved on to another job, someone else comes along and looks at that comment and says, “That should really work. I'm going to change it.” And they do and everything fails, and they have to go back and fix it the original way and then add another comment saying, “Hey, this person above me, they were right. Please don't change this line.” I think every engineer listening right now knows exactly where that weak spot is in the applications that they've written and they're terrified of that.And I think any tool that's designed to help developers fundamentally has to get into the mindset, get into the psychology of what that is, like, of not fundamentally being able to understand what those applications are doing all of the time, but having to write code against them anyway, right? And that's what leads to, I think, the fear that you're going to get woken up because your pager is going to go off at 3 a.m. because the building is literally on fire and it's because of code that you wrote. We have to solve that problem and it has to be those people who's psychology we get into to understand, how are you working and how can we make your life better, right? And I really do think it comes with that the noise reduction, the understanding of complexity, and really just being humble and saying, like, “We get that this job is really hard and that the only way it gets better is to begin admitting that to each other.”Corey: I really wish that there were a better way to articulate a lot of these things. This the reason that I started doing a security newsletter; it's because cost and security are deeply aligned in a few ways. 
One of them is that you care about them a lot right after you failed to care about them sufficiently, but the other is that you've got to build guardrails in such a way that doing the right thing is easier than doing it the wrong way, or you're never going to gain any traction.Clinton: I think that's absolutely right. And you use the key term there, which is guardrails. And I think that's where in their heart of hearts, that's where every security professional wants to be, right? They want to be defining policy, they want to be understanding the risk posture of the organization and nudging it in a better direction, right? They want to be talking up to the board, to the executive team, and creating confidence in that risk posture, rather than talking down or off to the side—depending on how that org chart looks—to the engineers and saying, “Fix this, fix that, and then fix this other thing.” A, B, and C, right?I think the problem is that everyone in a security role or an organization of any size at this point, is doing 90% of the latter and only about 10% of the former, right? They're acting as gatekeepers, not as guardrails. They're not defining policy, they're spending all of their time creating Jira tickets and all of their time tracking down who owns the piece of code that got deployed to this pod on EKS that's throwing all these errors on my console, and how can I get the person to make a decision to actually take an action that stops these notifications from happening, right? So, all they're doing is throwing footballs down the field without knowing if there's a receiver there, right, and I think that takes away from the job that our security analysts really shouldn't be doing, which is creating those guardrails, which is having confidence that the policy they set is readily understood by the developers making decisions, and that's happening in an automated way without them having to create friction by bothering people all the time. 
I don't think security people want to be [laugh] hated by the development teams that they work with, but they are. And the reason they are is I think, fundamentally, we lack the tooling, we lack—Corey: They are the barrier method.Clinton: Exactly. And we lacked the processes to get the right intelligence in a way that's consumable by the engineers when they're doing their job, and not after the fact, which is typically when the security people have done their jobs.Corey: It's sad but true. I wish that there were a better way to address these things, and yet here we are.Clinton: If only there were better way to address these things.Corey: [laugh].Clinton: Look, I wouldn't be here at Snyk if I didn't think there were a better way, and I wouldn't be coming on shows like yours to talk to the engineering communities, right, people who have walked the walk, right, who have built those Terraform files that contain these misconfigurations, not because they're bad people or because they're lazy, or because they don't do their jobs well, but because they lacked the visibility, they didn't have the understanding that that default is actually insecure. Because how would I know that otherwise, right? I'm building software; I don't see myself as an expert on infrastructure, right, or on Linux packages or on cyclomatic complexity or on any of these other things. I'm just trying to stay in my lane and do my job. It's not my fault that the software has become too complex for me to understand, right?But my management doesn't understand that and so I constantly have white knuckles worrying that, you know, the next breach is going to be my fault. So, I think the way forward really has to be, how do we make our developers stakeholders in the risk being introduced by the software they write to the organization? 
And that means everything we've been talking about: it means prioritization; it means understanding how the different layers of the stack affect each other, especially the cloud pieces; it means an extensible platform that lets me write code against it to inject my own reasoning, right? The piece that we haven't talked about here is that risk calculation doesn't just involve technical aspects, there's also business intelligence that's involved, right? What are my critical applications, right, what actually causes me to lose significant amounts of money if those services go offline?We at Snyk can't tell that. We can't run a scanner to say these are your crown jewel services that can't ever go down, but you can know that as an organization. So, where we're going with the platform is opening up the extensible process, creating APIs for you to be able to affect that risk triage, right, so that as the creators have guardrails as the security team, you are saying, “Here's how we want our developers to prioritize. 
Here are all of the factors that go into that decision-making.” And then you can be confident that in their environment, back over in developer-land, when I'm looking at IntelliJ, or, you know, or on my local command line, I am seeing the guardrails that my security team has set for me and I am confident that I'm fixing the right thing, and frankly, I'm grateful because I'm fixing it at the right time and I'm doing it in such a way and with a toolset that actually is helping me fix it rather than just telling me I've done something wrong, right, because everything we do at Snyk focuses on identifying the solution, not necessarily identifying the problem.It's great to know that I've got an unencrypted S3 bucket, but it's a whole lot better if you give me the line of code and tell me exactly where I have to copy and paste it so I can go on to the next thing, rather than spending an hour trying to figure out, you know, where I put that line and what I actually have to change it to, right? I often say that the most valuable currency for a developer, for a software engineer, it's not money, it's not time, it's not compute power or anything like that, it's the right context, right? I actually have to understand what are the implications of the decision that I'm making, and I need that to be in my own environment, not after the fact because that's what creates friction within an organization is when I could have known earlier and I could have known better, but instead, I had to guess I had to write a bunch of code that relies on the thing that was wrong, and now I have to redo it all for no good reason other than the tooling just hadn't adapted to the way modern software is built.Corey: So, one last question before we wind up calling it a day here. 
We are now heavily into what I will term pre:Invent where we're starting to see a whole bunch of announcements come out of the AWS universe in preparation for what I'm calling Crappy Cloud Hanukkah this year because I'm spending eight nights in Las Vegas. What are you doing these days with AWS specifically? I know I keep seeing your name in conjunction with their announcements, so there's something going on over there.Clinton: Absolutely. No, we're extremely excited about the partnership between Snyk and AWS. Our vulnerability intelligence is utilized as one of the data sources for AWS Inspector, particularly around open-source packages. We're doing a lot of work around things like the code suite, building Snyk into code pipeline, for example, to give developers using that code suite earlier visibility into those vulnerabilities. And really, I think the story kind of expands from there, right?So, we're moving forward with Amazon, recognizing that it is, you know, sort of the de facto. When we say cloud, very often we mean AWS. So, we're going to have a tremendous presence at re:Invent this year, I'm going to be there as well. I think we're actually going to have a bunch of handouts with your face on them is my understanding. So, please stop by the booth; would love to talk to folks, especially because we've now released the Snyk Cloud product and really completed that story. So, anything we can do to talk about how that additional context of the cloud helps engineers because it's all software all the way down, those are absolutely conversations we want to be having.Corey: Excellent. And we will, of course, put links to all of these things in the [show notes 00:35:00] so people can simply click, and there they are. Thank you so much for taking all this time to speak with me. I appreciate it.Clinton: All right. Thank you so much, Corey. Hope to do it again next year.Corey: Clinton Herget, Field CTO at Snyk. 
I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry comment telling me that I'm being completely unfair to Azure, along with your favorite tasting color of Crayon.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

The CyBUr Guy Podcast
The CyBUr Guy Podcast Ep:83 - Jeremiah Roe and Jeremy Blevins
Oct 31, 2022 · 39:49


In this episode, I interview Jeremiah Roe of Synack and Jeremy Blevins from Calhoun Community College from the National Cyber Summit floor. We talk a wide range of topics, from pentesting to the personnel shortage in cybersecurity. I start the podcast referencing this article (5 cybersecurity mistakes that will haunt you | VentureBeat), which seems appropriate since I am recording this episode on Halloween. Give a listen, tell a friend. Feel free to email me at darren@thecyburguy.com or follow me at linkedin.com/in/darrenmott.

216: A Link to the Past Randomizer Podcast

Synack joins the Two-Sixteen podcast to talk about his ALTTPR origins, becoming a mod in the ALTTPR Discord, and his rise as a bot overlord. He chats about his love of rollercoasters, the history of all of his Discord bots including Sahabot creation, and the reality of burnout.

Follow Synack on Twitch
Follow fearagent on Twitch
Join the 216 Discord!

Darknet Diaries
118: Hot Swaps
May 31, 2022 · 88:28


This is the story of Joseph Harris (https://twitter.com/akad0c). When he was a young teen he got involved with stealing video game accounts and selling them for money. This set him on a course where he flew higher and higher until he got burned. Joseph sometimes demonstrates vulnerabilities he finds on his YouTube channel https://www.youtube.com/channel/UCdcuF5Zx6BiYmwnS-CiRAng. Listen to episode 112 “Dirty Coms” to hear more about what goes on in the communities Joseph was involved with.

Sponsors

Support for this show comes from Axonius. Securing assets — whether managed, unmanaged, ephemeral, or in the cloud — is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks.

Support for this show comes from Synack. Synack is a penetration testing firm. But they also have a community of people like you who earn regular money by legally hacking. If you're interested in getting paid to hack, visit them now at synack.com/red-team, and click ‘apply now.'

VMware Cloud Economics Podcast
VMware Cloud Economics Podcast: Google Cloud VMware Engine, Synack and Crowd Sourced Security, Ep. 010
Feb 17, 2022 · 13:00


In today's show we talk to Synack, a trusted Crowdsourced Security Platform, about how they use Google Cloud VMware Engine. Our guests today are Friend of the Show Ken Drachnik from Google, who tells us about Google Cloud VMware Engine, and Mark Kuhr, the CTO and Co-Founder of Synack. We discuss how Synack has used the Google Cloud service to build a distributed, crowd-sourced security platform for penetration testing and digital vulnerability analysis. Mark shares how and why they decided to go with Google Cloud VMware Engine, how their deployment went, and roughly how large it was. For more information, check out this blog.

More info on Synack:
https://www.synack.com/
https://www.synack.com/red-team/
https://www.synack.com/were-in-synack-podcast/

Sr. Producer: Cheryl Young
Editor: Bill Roth

AWS Morning Brief
I Azure You This Shall Pass

Sep 16, 2021 (7:07)

Links:
Principals in AWS IAM: https://ben11kehoe.medium.com/principals-in-aws-iam-38c4a3dc322a
You Don't Need to Burn off Your Fingertips (and Other Biometric Authentication Myths): https://www.troyhunt.com/you-dont-need-to-burn-off-your-fingertips-and-other-biometric-myths/
Amazon Detective offers Splunk integration: https://aws.amazon.com/about-aws/whats-new/2021/09/amazon-detective-splunk-integration/
IAM Vulnerable - An AWS IAM Privilege Escalation Playground: https://labs.bishopfox.com/tech-blog/iam-vulnerable-an-aws-iam-privilege-escalation-playground

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these are empowered to do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out. But wait, there's more because they also have an enterprise option that you should be very much aware of: canary.tools. Take a look at this: what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can even get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. More to come from Thinkst Canary in the weeks ahead.

Corey: Ben Kehoe, cloud robotics research scientist at iRobot—motto: “All IoT sucks, but ours is supposed to”—walks us through Principals in AWS IAM. It's short, it's concise, and it's definitely worth taking the time to dig into what he has to say. If you only hunt down one thing from this podcast this week, this is the one.

Version three of OpenSSL was released, so expect a few conversations around that. There's also apparently a Rustls, which is ostensibly OpenSSL rewritten in Rust for the modern era but is in practice just another talking point for the Rust evangelism strikeforce, who is actively encouraged not to find a way to leave a comment on this episode.

Sneak or Snack or Synack—however they're pronounced—raised a big funding round last week and still stubbornly refuses to buy a vowel. More interestingly, they report that 50% of security jobs are unfilled. Further, any solution predicated on devs becoming security experts is doomed, which is exactly the point of this podcast. What you need to know about cloud security, minus the fluff and gatekeeping. Okay fine, yes, and some snark added to keep it engaging because my God, is it dull without that.

Another week, another Azure Security failure. This time a flaw existed that could leak data between users of Azure Container Services. Look, this whole thing is about AWS, so why do I talk about Azure issues like this? Simply put, people are going to bring it up in a “cloud isn't secure” context, and you should be aware of what they're talking about when they do. Azure, please get it together. Stuff like this hurts all cloud providers.

Corey: Troy Hunt has a post informing you that despite what your AWS bill may have you believe in the moment, self-immolation is unnecessary. Okay, that's not actually his point, but specifically, You Don't Need to Burn off Your Fingertips (and Other Biometric Authentication Myths) doesn't hit quite the same way. It's a super handy reminder that for most of you folks, adversaries are not going to steal your fingerprints to get into your systems. They're either going to bribe you or hit you with a wrench until you tell them your password.

From the mouth of AWS horse—or from the horse's AWS—Amazon Detective offers Splunk integration. Amazon Detective and the Case of the Missing Mountain of Money is apparently this month's hot comic book.

And AWS—motto: “Opinions my own”—has a security checklist, and it's worth taking a look at because a few of these items that they issue from time to time, like “Use multiple AWS accounts,” directly contravene older guidance. It's always good to check on things like this around best practices that AWS is putting out there because even if you don't make changes to your systems as a result, you should know where AWS's head is at with respect to where the future of the industry is going.

And lastly, there was an interesting tool that came out called IAM Vulnerable. It's an IAM privilege escalation playground that lets you muck around with exploiting improperly set IAM policies. It's a good way to kill an hour on an afternoon when you're not particularly motivated to do other things. Another good ‘I need a distraction’ task is rotating reused or weak passwords that you have in your password manager. And that's what happened.

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Corey: I have been your host, Corey Quinn, and if you remember nothing else, it's that when you don't get what you want, you get experience instead. Let my experience guide you with the things you need to know in the AWS security world, so you can get back to doing your actual job. Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcasts, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.

WE'RE IN!
Hacking the Novel: A Journey From Tech Support to Published Author with Ryan Rutan, Senior Director of Community at Synack

Aug 25, 2021 (24:10)

Ryan Rutan has worked in tech support, as a computer repairman, application developer, software engineer, entrepreneur, and head of community… and most recently, fiction writer. Listen to this episode to hear what inspired Fork This Life, a novel that follows the life of a teenager growing up with the early internet of the 90s who eventually gets into hacking, and how it relates to today's cybersecurity challenges.

Why You Should Listen:
* Hear about Ryan's approach to hacking the fiction writing process.
* Get the inside story of how working in tech support informed Ryan's career in cybersecurity.
* Nerd out on nostalgia about the nineties tech scene.
* Pick up tips for developing your creative voice.
* Get tips for how you can help spread a culture of good security hygiene.

Key Quotes:
* “I'm a technical person, therefore I create.”
* “I need a computer but why? I want to get online, but why? Everyone knew they needed it and wanted it but they didn't know why.”
* “The people who know and understand what it means to keep things secure... It's incumbent upon them to pay it forward as much as possible.”
* “Security back in the 90s... your death was going to come from a swift sledgehammer to the head... now it's death by a thousand cuts from a million different websites.”

Related Links:
* Synack.com
* https://www.synack.com/lp/enterprise-security-testing-101/
* Forkthislife.com
* https://twitter.com/ryanrutan

ShadowTalk by Digital Shadows
Weekly: Prometheus, Ransomware Updates, and Microsoft Morse Code

Aug 20, 2021 (34:41)

ShadowTalk hosts Adam, Chris, and Kim bring you the latest in threat intelligence. This week they cover:
- Malicious use of TDS and the newly reported Prometheus TDS
- Ransomware updates: SynAck releases decryption keys and Vice Society targets PrintNightmare
- The Microsoft phishing campaign that utilized Morse code as an encryption mechanism

Get this week's intelligence summary at: https://resources.digitalshadows.com/weekly-intelligence-summary/weekly-intelligence-summary-august-20

***Resources from this week's podcast***
The Phight Against Phishing: https://www.digitalshadows.com/blog-and-research/the-phight-against-phishing/
Leveraging Digital Shadows Premium Services: https://www.digitalshadows.com/blog-and-research/leveraging-digital-shadows-premium-services/
Prometheus TDS: https://blog.group-ib.com/prometheus-tds
SynAck Ransomware Releases Decryption Keys: https://www.bleepingcomputer.com/news/security/synack-ransomware-releases-decryption-keys-after-el-cometa-rebrand/
PrintNightmare Attacks: https://www.bleepingcomputer.com/news/security/vice-society-ransomware-joins-ongoing-printnightmare-attacks/
Microsoft Attackers Use Morse Code: https://www.microsoft.com/security/blog/2021/08/12/attackers-use-morse-code-other-encryption-methods-in-evasive-phishing-campaign/

Subscribe to our threat intelligence email: https://info.digitalshadows.com/SubscribetoEmail-Podcast_Reg.html

Also, don't forget to reach out to shadowtalk@digitalshadows.com if you have any questions, comments, or suggestions for the next episodes.

David Bombal
#309: Hacking LinkedIn | Extreme Ownership

Aug 16, 2021 (21:36)

You are responsible for your LinkedIn profile. What are you contributing? Share your unique contribution. Take responsibility and change your life.

Menu:
Take ownership: 0:00
Everyone has a contribution to make: 0:34
Best time to get into cyber: 1:05
Tips for experience on LinkedIn: 2:03
Bryon Adams example: 2:36
What have you contributed to the company? 2:57
Neal's Truth Bomb! 4:28
Write in your voice: 5:38
Chase Golden example: 6:11
What is a Ground Support Technician: 6:41
Neal's example: 7:12
Content Production: 8:20
Blog posts / articles: 8:45
What did you do that will help my business? 9:47
Picking on Chase: 10:38
Leadership examples: 11:32
Extreme Ownership example: 12:30
Chase got leadership experience? 13:43
My business is under attack! 15:22
Bryon Adams presentation skills? 15:55
We want you to succeed: 16:37
Service Technician: 17:00
Sales example: 18:42
Give yourself credit: 19:50
Educational value: 20:23

Extreme Ownership book: https://amzn.to/3sd5fio
Previous video: https://youtu.be/QE6E9ZxBAwc

================
Connect with me:
================
Discord: https://discord.com/invite/usKSyzb
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal

================
Connect with Neal:
================
LinkedIn: https://www.linkedin.com/in/nealbridges/
Twitter: https://twitter.com/ITJunkie
Twitch: https://www.twitch.tv/cyber_insecurity

================
Links:
================
Battleship Security: https://battleshipsecurity.com/
Hacker One: https://www.hackerone.com/
Bug Crowd: https://www.bugcrowd.com/
Cobalt: https://cobalt.io/
Synack: https://www.synack.com/
INE: https://bit.ly/freeinetraining
OSCP: https://www.offensive-security.com/co...
eLearn Security: https://elearnsecurity.com
SANS: https://www.sans.org/
Hack the box: https://www.hackthebox.eu/
Try Hack Me: https://tryhackme.com/
CTF Time: https://ctftime.org/ctf-wtf/
CEH: https://www.eccouncil.org/programs/ce...
Cyber Blue: https://securityblue.team/
Cyber Defenders: https://cyberdefenders.org/

Did I miss something? Please comment.

linkedin linkedin profile hacking hacking linkedin cybersecurity cyber jobs jobs linkedin jobs hacking jobs nsa nsa hacker nsa hacking ethical hacking ceh oscp ine try hack me hack the box ethical hacker ethical hacking oscp certification ctf for beginners

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

#hacking #cybersecurity #jobs

ALEF SecurityCast
Ep#71 - Active exploitation of the ProxyShell attack

Aug 16, 2021 (9:16)

Attackers have begun exploiting vulnerable Exchange servers using the ProxyShell attack; Microsoft has published a workaround for another serious vulnerability in the print services; the operators of the SynAck ransomware have published their encryption keys. Follow us on Twitter at @AlefSecurity and @Jk0pr.

The CyberWire
Cyberespionage follows South Asian conflict. LockBit's $50 million demand. Insider risk. Trend Micro warns unpatched Apex is under attack. PrintNightmare persists. Google and Apple on privacy.

Aug 13, 2021 (28:54)

ReverseRat is back and better, and it's sniffing at Afghanistan. LockBit wants $50 million from Accenture. When employees leave, do they take your data with them? (Survey, or rather, telemetry, says yes.) Unpatched Apex One instances are under active attack. PrintNightmare continues to resist patching. Google bans SafeGraph. Apple explains what's up with iCloud privacy. Caleb Barlow wonders if ransomware payments are financing criminal infrastructure in Russia. Our guest is Oliver Rochford from Securonix on the notion of cyberwar. And the SynAck ransomware gang rebrands. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/156

David Bombal
#308: Hacking LinkedIn To Get A JOB

Aug 11, 2021 (27:17)

LinkedIn is so important. Use it wisely so you can get ahead in your career.

Menu:
Hack LinkedIn: 0:00
Bryon Adams: 2:49
David disagrees with Neal: 4:00
Neal replies to David: 5:58
Three second rule and tagline: 7:22
Chase Golden: 9:39
Advice for military veterans: 12:30
Is Chase's picture good? 14:10
How to get experience: 15:10
Neal's answer about getting real world experience: 16:00
Don't use the word aspiring: 17:30
Bryon Adams About Page: 18:45
Neal's bio / about page: 19:45
Chase Golden About Page: 21:17
Don't do this: 22:35
Don't downplay your skills: 22:58
Imposter Syndrome: 23:57
This is the right place to boast: 24:17
Two opposite people: 24:51
You need to convince someone: 25:39
Crazy stat: 25:52

================
Connect with me:
================
Discord: https://discord.com/invite/usKSyzb
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal

================
Connect with Neal:
================
LinkedIn: https://www.linkedin.com/in/nealbridges/
Twitter: https://twitter.com/ITJunkie
Twitch: https://www.twitch.tv/cyber_insecurity

================
Links:
================
Battleship Security: https://battleshipsecurity.com/
Hacker One: https://www.hackerone.com/
Bug Crowd: https://www.bugcrowd.com/
Cobalt: https://cobalt.io/
Synack: https://www.synack.com/
INE: https://bit.ly/freeinetraining
OSCP: https://www.offensive-security.com/co...
eLearn Security: https://elearnsecurity.com
SANS: https://www.sans.org/
Hack the box: https://www.hackthebox.eu/
Try Hack Me: https://tryhackme.com/
CTF Time: https://ctftime.org/ctf-wtf/
CEH: https://www.eccouncil.org/programs/ce...
Cyber Blue: https://securityblue.team/
Cyber Defenders: https://cyberdefenders.org/

Did I miss something? Please comment.

linkedin linkedin profile nsa nsa hacker nsa hacking ethical hacking cybersecurity ceh oscp ine try hack me hack the box hacking ethical hacker ethical hacking oscp certification ctf for beginners

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

Women in Venture Capital
[S2E3] A Conversation with Brittany Yoon | Principal @ NFX | Ethos Life | Uber | Synack | App Annie | MBA @ Harvard Business School

Aug 11, 2021 (29:09)

In this episode, Brittany Yoon, Principal at NFX talks to us about her career at startups and how she navigated growth most recently at Ethos and Uber. She touches on her transition from startups to investing and shares the themes and sectors she is most interested in post-pandemic. Brittany concludes with some important next steps to promote a culture of inclusivity in VC and the subsequent improvement in the business as a whole.

Strong Suit Podcast
This VC says “The team is the #1 factor” (Recruit Rockstars 402)

Jun 4, 2021 (21:20)

Based in Silicon Valley, Rashmi Gopinath is General Partner at B Capital Group, the global VC firm that specializes in equity investing in growth-stage companies that have achieved traction with customers. With a focus on horizontal enterprise software (cloud infrastructure, cybersecurity, devops, database SaaS for F500), she’s invested in and/or served on the boards of Synack, Yalo, Labelbox, Clari, and Phenom People. Prior, Rashmi served at Intel Capital and M12, Microsoft’s venture fund. And now she invests in the growth stage (Series B through D), writing checks between $30-60M. After more than a decade of VC investing, Rashmi says “The team is the #1 factor.” In this 20-minute conversation, she reveals why and how to build a Rockstar team every time.

Firewall
How to Think Like a Bank Robber

Mar 23, 2021 (31:59)

In the wild west of cyber security, Jay Kaplan, the CEO of Synack, tells Bradley that the key to safety is understanding “the adversarial perspective,” which for Synack means deputizing hackers all over the world to try to break into their clients’ systems. Crowdsourcing, says Kaplan, is the smartest way to defend yourself.

Day[0] - Zero Days for Day Zero
Buggy Browsers, Heap Grooming, and Broken RSA?

Mar 9, 2021 (67:59)

This week we get to take a look into some basic heap grooming techniques as we examine multiple heap overflows. We also briefly discuss the hands-on assessment (by the DoD and Synack) of the "unhackable" Morpheus chip, and briefly discuss the new-ish paper claiming to defeat RSA.

[00:00:53] "This destroys the RSA cryptosystem." - Fast Factoring Integers by SVP Algorithms
https://eprint.iacr.org/2021/232
https://github.com/lducas/SchnorrGate

[00:06:55] DARPA pitted 500+ hackers against this computer chip. The chip won.
https://cse.engin.umich.edu/stories/morpheus-vs-everybody
https://www.reddit.com/r/HowToHack/comments/bl9qo3/morpheus_chip/empsclt/?context=10

[00:18:10] SaltStack API vulnerabilities
https://dozer.nz/posts/saltapi-vulns
https://github.com/saltstack/salt/blob/08fe46365f92583ea875f9e4a8b2cb5305b34e4b/salt/client/ssh/client.py#L72

[00:22:57] An Interesting Feature in the Samsung DSP Driver
https://www.synacktiv.com/en/publications/an-interesting-feature-in-the-samsung-dsp-driver.html

[00:30:50] Pre-Auth Remote Code Execution in VMware ESXi [CVE-2020-3992 CVE-2021-21974]
https://www.thezdi.com/blog/2021/3/1/cve-2020-3992-amp-cve-2021-21974-pre-auth-remote-code-execution-in-vmware-esxi

[00:39:05] Defeating the TP-Link AC1750
https://www.synacktiv.com/en/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html

[00:44:52] Anatomy of an Exploit: RCE with CVE-2020-1350 SIGRed
https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred

[00:57:11] Yet another RenderFrameHostImpl UAF
https://microsoftedge.github.io/edgevr/posts/yet-another-uaf/

[01:03:16] Webkit AudioSourceProviderGStreamer use-after-free vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1172

Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@dayzerosec)

Go Mode: A Link to the Past Randomizer Podcast
Community Tech w/ Synack + Advent CalenDoor, v31.0.7 & OWG MT Groups

Dec 9, 2020 (127:55)

timp. Daaanty. Hurfydurfy. ...Synack?! That's right! ALTTPR "Superadmin" Synack joins the GMP Crew for the entire episode this time! In Episode 62, these four discuss the new Advent CalenDoor Festive, the League, the new v31.0.7 hotfix, and the standard GMP Community Update fare consisting of the Overworld Glitches Mentor Tournament and some Bi-weekly Seed talk. And despite being down a Hurf at the end, they finish strong with lots of sub-submitted questions for Synack.

FEATURE: The boys offer up the stage to Synack to discuss Community Tech, including SahasrahBot, Mystery Seed generation, and other ways that technical integrations make ALTTPR so easy to play and race.

1:50 - Advent CalenDoor Pt. 1
13:15 - League S3 Regular Season Ending
22:25 - v31.0.7 Hotfix
35:05 - New NMG Tournament
38:05 - GMP Community Updates

COMMUNITY TECH
44:25 - Meet Synack
50:00 - What is Community Tech?
52:25 - A History of Seed Rolling Bots
1:07:10 - How a Seed is Generated
1:12:55 - SahasrahBot
1:19:55 - .yaml and you
1:24:35 - Generating Spoiler Races
1:29:55 - SahaBot + Community
1:45:30 - Questions for Synack

LINKS (visit gomodepodcast.com for full urls)
Advent CalenDoor Festive
ALTTPR League
krelbel's Sprite Shuffler
krelbel's MSU Shuffler
2021 NMG Tournament Document
SahasrahBot
Create your own .yaml mystery weights
Synack Github | Twitch
Follow Us on Twitter | Join Our Discord to discuss the Bi-Weekly Seed

Enjoy the show? Consider donating to GMP: https://paypal.me/gomodepodcast

Dudes n Beer Podcast
DnB Ep 296: Ethical Hacking and Fork This Life with Ryan Rutan

Nov 18, 2020 (74:52)

In this episode of the Dudes n Beer podcast host Christopher Jordan welcomes Ryan Rutan, leader of a group of white hat hackers and digital penetration specialists known as the Synack Red Team and author of the new book Fork This Life: Volume One to the show to discuss the world of the “White Hat Hacker” as well as what led him to begin writing books about the life and world of hackers.

“A computer savvy teenage boy is uprooted by his parents' abrupt divorce and forced to relocate from the East Coast to small-town Texas. He traverses his way through high school, relationships and early adulthood in search of his place in a world ensnared by the rise of personal computing, technology and the Internet in the 1990's.” This is the preamble to the book Fork This Life: Volume One.

Join the Dudes n Beer podcast as we are joined by author Ryan Rutan to discuss the pros and cons of hacking in a modern day society as well as what brought him to venture into the world of novel writing.

The Dudes n Beer podcast is a proud member of the HC Universal Network family of podcasts. Download the FREE Dudes n Beer Podcast app for Android and iDevices or visit our LISTEN LIVE page and join the conversation.

HC Universal Network
DnB Ep 296: Ethical Hacking and Fork This Life with Ryan Rutan

Nov 18, 2020 (74:52)

In this episode of the Dudes n Beer podcast host Christopher Jordan welcomes Ryan Rutan, leader of a group of white hat hackers and digital penetration specialists known as the Synack Red Team and author of the new book Fork This Life: Volume One to the show to discuss the world of the “White Hat Hacker” as well as what led him to begin writing books about the life and world of hackers. “A computer savvy teenage boy is uprooted by his parents' abrupt divorce and forced to relocate from the East Coast to small-town Texas. He traverses his way through high school, relationships and early adulthood in search of his place in a world ensnared by the rise of personal computing, technology and the Internet in the 1990's.” This is the preamble to the book Fork This Life: Volume One. Join the Dudes n Beer podcast as we are joined by author Ryan Rutan to discuss the pros and cons of hacking in a modern day society as well as what brought him to venture into the world of novel writing. The Dudes n Beer podcast is a proud member of the HC Universal Network family of podcasts. Download the FREE Dudes n Beer Podcast app for Android and iDevices or visit our LISTEN LIVE page and join the conversation.

You Should Know This
1: The Future of Crowdsourced Security with Synack

Sep 15, 2020 (27:17)

Ever wondered just how vulnerable you are to a cyber-attack? This week on You Should Know This, I sit down with Jay Kaplan, the co-founder and CEO of Synack, a cybersecurity company. Bringing a unique twist to an established industry is a big ask, but that is exactly what Synack is doing with their crowdsourced solutions to ongoing digital security attacks. We discuss what it's like working for the NSA, what it means to be an ‘ethical hacker,’ how the cybersecurity industry has been impacted by COVID-19 and more. For more details on the episode as well as resources on the cybersecurity industry, check out the show notes for this episode.

The Champion Forum Podcast with Jeff Hancher
Women in Leadership with Aisling MacRunnels

Jul 30, 2020 (57:17)

Are you a woman in leadership? Or are you curious about how women in leadership view the world? Aisling MacRunnels is the Chief Business & Growth Officer at Synack, a cybersecurity company located in Silicon Valley. In today's episode, she talks about her journey to the C-suite, the challenges women face in developing a strong career and family life, and how business owners and other leaders can overcome their natural bias toward working with people who are like them and make space for women to have a position and a voice on their teams.

Marketplace Tech
Ethical hackers are busy stamping out bugs during the pandemic

Jul 1, 2020 (8:16)

There are a lot of juicy targets for hackers these days, with millions of people working from home and companies working on valuable COVID-19 drugs. One of the ways companies fight attacks is to try to fix bugs in their software before they can be exploited. They do it by hiring ethical hackers. Molly Wood speaks with Jesse Kinser who works as the chief information security officer for the precision health care company LifeOmic. She also moonlights as a hacker, finding jobs using the crowdsourced hack platform Synack.

Marketplace All-in-One
Ethical hackers are busy stamping out bugs during the pandemic

Jul 1, 2020 (8:16)

There are a lot of juicy targets for hackers these days, with millions of people working from home and companies working on valuable COVID-19 drugs. One of the ways companies fight attacks is to try to fix bugs in their software before they can be exploited. They do it by hiring ethical hackers. Molly Wood speaks with Jesse Kinser who works as the chief information security officer for the precision health care company LifeOmic. She also moonlights as a hacker, finding jobs using the crowdsourced hack platform Synack.

CyberHub Engage Podcast
Tech Corner - Synack - Executive's POV: How to Secure Your Organization While Transitioning to a Remote Workforce

CyberHub Engage Podcast

Play Episode Listen Later Apr 30, 2020 49:20


Greg McCord, Sr. Director, Information Security at CalAmp & Nick Harrahill, Vice President Operations at Synack, Inc joined the podcast for our virtual summit. Sign up for our newsletter to make sure you never miss any of The CyberHub Podcast Content!

CyberHub Engage Podcast
Tech Corner - Synack Red Team - Ethical Hacker's POV: Potential Vulnerabilities in a Distributed Workforce

CyberHub Engage Podcast

Play Episode Listen Later Apr 30, 2020 30:37


Ryan Rutan, Director of Community, Synack Red Team joined the podcast for our virtual summit. Sign up for our newsletter to make sure you never miss any of The CyberHub Podcast Content!

CyberHub Engage Podcast
Tech Corner - Synack - Impacts on Election Security

CyberHub Engage Podcast

Play Episode Listen Later Apr 30, 2020 45:02


Mark Kuhr, CTO and Co-Founder at Synack & Jake Braun, CEO, Cambridge Global joined the podcast for our virtual summit. Sign up for our newsletter to make sure you never miss any CyberHub Engage Content!

CyberHub Engage Podcast
Tech Corner - Synack - RSA Panel Discussion - How the CISO can impact the Board

CyberHub Engage Podcast

Play Episode Listen Later Apr 30, 2020 50:14


Synack invited us to Fogo de Chão during #RSA2020 to record their brilliant panels for our community. This episode is sponsored by Synack. View the Trusted Synack Experience at RSA here!

CyberHub Engage Podcast
Tech Corner - Synack - RSA Content - Scaling Security by Augmenting the Human Element with AI.

CyberHub Engage Podcast

Play Episode Listen Later Apr 30, 2020 40:12


Synack invited us to Fogo de Chão during #RSA2020 to record their brilliant panels for our community. This episode is sponsored by Synack. View the Trusted Synack Experience at RSA here!

CyberHub Engage Podcast
Tech Corner - Jay Kaplan, CEO on the Story behind Synack - RSA Content

CyberHub Engage Podcast

Play Episode Listen Later Apr 30, 2020 12:29


We hosted Jay Kaplan, CEO at Synack on the podcast at Fogo de Chão during #RSA2020. Synack rented out the restaurant for two days during the conference to host security practitioners with amazing food and providing them with engaging content and activities. This episode is sponsored by: Synack. View the Trusted Synack Experience at RSA here!

The CyberHub Podcast
Tech Corner - Synack - Impacts on Election Security

The CyberHub Podcast

Play Episode Listen Later Apr 30, 2020 45:02


Mark Kuhr, CTO and Co-Founder at Synack & Jake Braun, CEO, Cambridge Global joined the podcast for our virtual summit. Sign up for our newsletter to make sure you never miss any CyberHub Engage Content!

The CyberHub Podcast
Tech Corner - Synack - RSA Panel Discussion - How the CISO can impact the Board

The CyberHub Podcast

Play Episode Listen Later Apr 30, 2020 50:14


Synack invited us to Fogo de Chão during #RSA2020 to record their brilliant panels for our community. This episode is sponsored by Synack. View the Trusted Synack Experience at RSA here!

CyberHub Engage Podcast
Tech Corner - Synack - Mark Kuhr - RSA Content

CyberHub Engage Podcast

Play Episode Listen Later Apr 30, 2020 9:23


We hosted Mark Kuhr, CTO and Co-Founder at Synack on the podcast at Fogo de Chão during #RSA2020. Synack rented out the restaurant for two days during the conference to host security practitioners with amazing food and providing them with engaging content and activities. This episode is sponsored by: Synack. View the Trusted Synack Experience at RSA here!

The CyberHub Podcast
Tech Corner - Synack - Mark Kuhr - RSA Content

The CyberHub Podcast

Play Episode Listen Later Apr 30, 2020 9:23


We hosted Mark Kuhr, CTO and Co-Founder at Synack on the podcast at Fogo de Chão during #RSA2020. Synack rented out the restaurant for two days during the conference to host security practitioners with amazing food and providing them with engaging content and activities. This episode is sponsored by: Synack. View the Trusted Synack Experience at RSA here!

The CyberHub Podcast
Tech Corner - Jay Kaplan, CEO on the Story behind Synack - RSA Content

The CyberHub Podcast

Play Episode Listen Later Apr 30, 2020 12:29


We hosted Jay Kaplan, CEO at Synack on the podcast at Fogo de Chão during #RSA2020. Synack rented out the restaurant for two days during the conference to host security practitioners with amazing food and providing them with engaging content and activities. This episode is sponsored by: Synack. View the Trusted Synack Experience at RSA here!

The CyberHub Podcast
Tech Corner - Synack - RSA Content - Scaling Security by Augmenting the Human Element with AI.

The CyberHub Podcast

Play Episode Listen Later Apr 30, 2020 40:12


Synack invited us to Fogo de Chão during #RSA2020 to record their brilliant panels for our community. This episode is sponsored by Synack. View the Trusted Synack Experience at RSA here!

The CyberHub Podcast
Tech Corner - Synack Red Team - Ethical Hacker's POV: Potential Vulnerabilities in a Distributed Workforce

The CyberHub Podcast

Play Episode Listen Later Apr 30, 2020 30:37


Ryan Rutan, Director of Community, Synack Red Team joined the podcast for our virtual summit. Sign up for our newsletter to make sure you never miss any of The CyberHub Podcast Content! 

The CyberHub Podcast
Tech Corner - Synack - Executive's POV: How to Secure Your Organization While Transitioning to a Remote Workforce

The CyberHub Podcast

Play Episode Listen Later Apr 30, 2020 49:20


Greg McCord, Sr. Director, Information Security at CalAmp & Nick Harrahill, Vice President Operations at Synack, Inc joined the podcast for our virtual summit. Sign up for our newsletter to make sure you never miss any of The CyberHub Podcast Content! 

Future1
Jordan Shapiro: NEA: Transitions into VC, differentiating a good vs. a great company and differences in the process for an established VC vs. smaller VC's.

Future1

Play Episode Listen Later Mar 18, 2020 54:25


In this episode of the Future 1 web show & podcast, we meet Jordan Shapiro. Jordan joined NEA in 2017 and is an Associate on the Tech Team focusing on enterprise and consumer technology investments. Prior to NEA, Jordan worked in cross-border China/US venture capital and led multiple development teams in Silicon Valley as a product manager for Samsung SmartThings, Intuit, and Synack. In this episode, we talk about how we transitioned into VC, what it takes to evaluate & differentiate a good vs. great company, and how the process varies from an established VC vs. a smaller one. The material contained on this web series & podcast is for informational purposes only and should not be construed as an offer or a recommendation to buy or sell any security nor is it to be construed as investment advice. Music credits: Clouds by MBB | https://soundcloud.com/mbbofficial , Music promoted by https://www.free-stock-music.com , Creative Commons Attribution-ShareAlike 3.0 Unported, https://creativecommons.org/licenses/by-sa/3.0/deed.en_US IMPORTANT NOTICE: This web series and podcast is intended for informational purposes only. The views expressed are not, and should not be construed as investment advice or recommendations. Recipients of this should do their own due diligence, taking into account their specific financial circumstances, investment objectives and risk tolerance (which are not considered in this web series and podcast) before investing. None of this information communication is an offer, nor the solicitation of an offer, to buy or sell any of the assets mentioned herein. --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app Support this podcast: https://anchor.fm/joelpalathinkal/support

The CyberWire
DISA data breach. More complaint against alleged GUR operations in Georgia. Trolls move from creation to curation. The UK deals with high-risk 5G vendors.

The CyberWire

Play Episode Listen Later Feb 21, 2020 23:14


The US Defense Information Agency discloses a data breach affecting personal information of up to two-hundred thousand individuals. More international reprobation for the alleged GRU hack of Georgian websites. Trolls move from creation to curation. Stalkerware data exposure. And a look at how the UK might actually implement its compromise position on high-risk 5G vendors. Joining us in studio, a surprise new addition to the CyberWire team, guest is Aisling MacRunnels from Synack on women in cyber. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_21.html Support our show

Are We In The Future?
Hackers: A Wake Up Call For the Nintendo Generation

Are We In The Future?

Play Episode Listen Later Jan 10, 2020 24:56


Roller blading. Techno music. Hacking. All activities are heavily associated with the 1990s, a time when personal computers were for tech nerds only and hacking was a relatively recent phenomenon. No movie encompasses the hacking subculture better than 1995’s Hackers, a film starring Angelina Jolie, Jonny Lee Miller and Lorraine Braco, among others. After they’re framed by an evil cybersecurity officer, a group of high-school hackers must prove themselves innocent using their incredible computer skills. It has it all: hacktivism, tiny sunglasses that have somehow come back in style, and the kind of unbridled confidence that only people who have never supported themselves financially could have. Oh, high schoolers! In this episode, Gabe and Aliza discuss hacking: how it’s changed since 1995, hacktivism, and the Hacker’s Manifesto referenced in the film. Companies still hire ethical hackers, otherwise known as white hat hackers, in order to find security vulnerabilities before black hat hackers do. This practice is incredibly necessary, as so many companies have had breaches (I’m thinking NordVPN, Nest, and Capital One, to name a few recent examples). Even with the growing need for cybersecurity, especially for IoT devices, some reports suggest that there will be 3.5 million unfilled cybersecurity jobs by 2021. And these jobs are highly-paying. One hacker working for cybersecurity company Synack made over $1 million this year alone.

Time Stamps
0:57 Movie Trivia/ Fun Facts
1:35 Movie Recap
8:00 Gabe and Aliza discuss what hacking looks like nowadays and how it’s changed since 1995 when the movie takes place, including ethical hacking.
14:40 Discussion of the Hacker’s Manifesto
16:40 Discussion of hacktivism
24:18 Gabe and Aliza ask the titular question, are we in the future?

Ampliz Podcast
Ampliz Buddy Podcast with Synack technologies: Guest - Mitchell Grimes / Host - Ashwath Athreya (Ampliz)

Ampliz Podcast

Play Episode Listen Later Nov 21, 2019 41:55


Guest - Mitchell Grimes Host - Ashwath Athreya (Ampliz) Synack is a security company revolutionizing how enterprises view cybersecurity: through a hacker’s eyes. Synack’s privately managed hacker-powered security solution arms clients with hundreds of the world's most skilled, highly vetted ethical hackers who provide a truly adversarial perspective to clients’ IT environments. Ampliz SalesBuddy is a B2B Sales Intelligence platform to meet your Lead generation needs. We help you understand and identify your prospects with enriched data-driven insights in seconds. Ampliz Buddy is a podcast focused on Sales, Digital Marketing, Business Development executives, and Growth specialists. We focus on the issues young salespeople face and what can be done to resolve them.

Altamar - Navigating the High Seas of Global Politics
The Future of Cybersecurity [Episode 51]

Altamar - Navigating the High Seas of Global Politics

Play Episode Listen Later Sep 12, 2019 26:53


Cyber crises are everywhere you turn now – from Russia’s interference in the 2016 U.S. presidential elections to company-wide data breaches. But as technology and bad actors keep shifting, governments around the world are struggling to keep up. Dr. Mark Kuhr, former advisor to the National Security Agency and co-founder of Synack, an industry-leading security platform, explains the challenges for cybersecurity – and why the solution doesn’t have to be Big Brother.   More at https://altamar.us/the-future-of-cybersecurity/ Follow us on Twitter and Facebook  ----- Produced by Simpler Media

The Athletics Of Business
Episode 55: Innovation in Cybersecurity, with Ray Rothrock

The Athletics Of Business

Play Episode Listen Later Sep 4, 2019 47:10


In addition to CEO at RedSeal, seed investor mostly in cyber companies. Those include Area 1 Security, Synack, Tala, dTex, NS8, Mark43, Qwilt, RigUp, Planet, LumaHealth, Unbound Tech, Virgil, Cybrary, Halo Tech, and others. Also, Rothrock is the author of “Digital Resilience” published by Harper Collins. It is a non-technical book for management, leaders and really just about anyone interested in getting control of their cyber threat and response in this age of the bad guys are in, now what?

What you'll learn from this episode:
How Rothrock found a mentor at Texas A&M who helped him change industries and pursue technology in CA
Rothrock's journey and the career path he ended up taking
How to become a leader in anything you do
The importance of tenacity, camaraderie, and celebrating together
Education's role in Rothrock's life, and how he is trying to pay it forward
Ray's motivational keynote speech, Compound Interest
The importance of cybersecurity and how Red Seal is taking it a step further
Rothrock's book, Digital Resilience, and what resilience means to him
What it takes to leave a legacy

Additional resources:
Website: www.redseal.net
LinkedIn: https://www.linkedin.com/in/ray-rothrock-75b9403
Twitter: @rayrothrock

Enterprise Security Weekly (Audio)
Holding People Back - ESW #151

Enterprise Security Weekly (Audio)

Play Episode Listen Later Aug 29, 2019 121:41


This week, Paul and Matt Alderman talk Enterprise News, to discuss 5 tips on how testers can collaborate with software developers, Imperva discloses a data breach affecting some firewall users, VMware unveils security enhancements in Virtual Cloud Network Offering, and how Veristor and Synack partner to apply Ethical Hackers and AI Technology! In our second segment, we air three pre-recorded interviews from BlackHat 2019 with Chris Kennedy from AttackIQ, Balaji Prasad of BlueHexagon, and Mike Weber of Coalfire! In our final segment, we air three more pre-recorded interviews from BlackHat 2019 with Brett Wahlin of Respond Software, Andrew Homer of Morphisec, and Mat Gangwer from Sophos!   Full Show Notes: https://wiki.securityweekly.com/ES_Episode151 Visit https://www.securityweekly.com/esw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly
Holding People Back - ESW #151

Paul's Security Weekly

Play Episode Listen Later Aug 29, 2019 121:41


This week, Paul and Matt Alderman talk Enterprise News, to discuss 5 tips on how testers can collaborate with software developers, Imperva discloses a data breach affecting some firewall users, VMware unveils security enhancements in Virtual Cloud Network Offering, and how Veristor and Synack partner to apply Ethical Hackers and AI Technology! In our second segment, we air three pre-recorded interviews from BlackHat 2019 with Chris Kennedy from AttackIQ, Balaji Prasad of BlueHexagon, and Mike Weber of Coalfire! In our final segment, we air three more pre-recorded interviews from BlackHat 2019 with Brett Wahlin of Respond Software, Andrew Homer of Morphisec, and Mat Gangwer from Sophos!   Full Show Notes: https://wiki.securityweekly.com/ES_Episode151 Visit https://www.securityweekly.com/esw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Paul's Security Weekly TV
Imperva, Cofense, & VMware - ESW #151

Paul's Security Weekly TV

Play Episode Listen Later Aug 29, 2019 35:52


In the news, we discuss 5 tips on how testers can collaborate with software developers, Imperva discloses a data breach affecting some firewall users, VMware unveils security enhancements in Virtual Cloud Network Offering, and how Veristor and Synack partner to apply Ethical Hackers and AI Technology! Full Show Notes: https://wiki.securityweekly.com/ES_Episode151 Visit https://www.securityweekly.com/esw for all the latest episodes!

Enterprise Security Weekly (Video)
Imperva, Cofense, & VMware - ESW #151

Enterprise Security Weekly (Video)

Play Episode Listen Later Aug 29, 2019 35:52


In the news, we discuss 5 tips on how testers can collaborate with software developers, Imperva discloses a data breach affecting some firewall users, VMware unveils security enhancements in Virtual Cloud Network Offering, and how Veristor and Synack partner to apply Ethical Hackers and AI Technology! Full Show Notes: https://wiki.securityweekly.com/ES_Episode151 Visit https://www.securityweekly.com/esw for all the latest episodes!

Go Mode: A Link to the Past Randomizer Podcast
24 - Oops! All News - Speed Gaming Live, Racing Council, SGDQ 2019, & More

Go Mode: A Link to the Past Randomizer Podcast

Play Episode Listen Later Jul 3, 2019 113:57


Oops! Like so many inept workers in the Captain Crunch factory, timp, Axeil, & Hurfydurfy accidentally fill their entire podcast with only one of its two primary ingredients: NEWS! There's so much to cover. GMP:MT Week 2, Speed Gaming Live 2019 (featuring a VERY exciting GMP announcement), the ALTTPR Racing Council, a new glitch, and a thorough recap of Rando events at SGDQ 2019, plus the past and future of Rando's presence at GDQs, with Rando AND GDQ veteran Synack. OOPS!!

3:30 - Go Mode Podcast Mentor Tournament - Week 2 Complete
26:20 - Unofficial GMP:MT “Bunny Bracket”
29:05 - Speed Gaming Live 2019
41:50 - New Glitch Discovered
49:35 - ALTTPR Racing Council
1:02:05 - 2019 Plando Tournament Winner
1:02:35 - Rando at SGDQ 2019 Prepper
1:04:25 - Rando at SGDQ 2019 with Synack
1:42:50 - Fetch Question & Wrap-up

LINKS
GO MODE PODCAST MENTOR TOURNAMENT
Match Schedule (updated daily): https://tinyurl.com/y5m4r4bx (includes links to past race VoDs and YouTube uploads when applicable)
Discord (for spectating): https://discordapp.com/invite/KHTyEc5
Challonge: https://challonge.com/GMPMT
Week 2 GMP:MT Race, TheDaddyGamers vs. elias5891: https://www.youtube.com/watch?v=RQuuT55OlHg
Speed Gaming Live 2019 Flyer: http://speedgaming.org/sglive/
Speed Gaming Live 2019 Discord: https://discord.gg/YGzQsUp
SGDQ 2019 2v2 Tournament Challonge: https://challonge.com/u62sr5bh
SGDQ 2019 Randomizer Community Discord: https://discord.gg/zM7hsyc
Explanation of New (Ancilla) Glitches: https://alttp-wiki.net/index.php/Ancilla_glitches
Rando Multiworld @ SGDQ 2019: https://twitter.com/GamesDoneQuick/status/1144450827773468673
Follow The Go Mode Podcast on Twitter: @GoModePodcast
Watch GMP:MT Races on Twitch: https://twitch.tv/gomodepodcast
Join The Go Mode Podcast Discord: https://discordapp.com/invite/KHTyEc5

CISO-Security Vendor Relationship Podcast
We're the Ellen of Cybersecurity Podcasts

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Jan 28, 2019 45:40


CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. We're comparing ourselves to media you already know in hopes you'll better understand our product and listen to our show. It's our first self-produced live recording of the CISO/Security Vendor Relationship Podcast from San Francisco and it came out awesome. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest for this live show is Andy Steingruebl (@asteingruebl), CSO of Pinterest. Check out all the awesome photos from our first self-produced live recording. Thanks to our sponsors The Synack Crowdsourced Security platform delivers effective penetration testing at scale. Synack uses the world’s top security researchers and AI-enabled technology to find what scanners and regular testing do not. It’s used by US Dept of Defense and leading enterprises for better security. To learn more, go to synack.com. New Context helps fortune 500s build secure and compliant data platforms. New Context created “Lean Security”, a set of best practices designed to help enterprises manage and secure data for critical infrastructure, and offers professional services and a software solution, LS/IQ, to help enterprises build secure and compliant data platforms for their business. Create an economical and secure private network for your company with OpenVPN. Used by Fortune 500 companies and IT, Access Server keeps your internal data safe with end-to-end encryption, secure remote access, and extension for your centralized unified threat management. Go to openvpn.net/ciso-series to test drive Access Server for free. Why is everybody talking about this now? Chris Roberts with Attivo Networks caused a flurry of discussion when he argued that using the term "security" is meaningless. He said, "There is no such thing as security. There is just a measurement of risk."
He went on to say we shouldn't be talking about security risk, but only business risk. Would it be a good idea to change the terminology? How are CISOs digesting the latest security news? France’s data protection regulator, CNIL, issued Google a $57 million fine for failing to comply with its GDPR obligations. Not the first GDPR fine, but it's the first big tech giant. And it's not nearly as much as it could have been. But it's the biggest fine so far. Are GDPR fines starting to get real? Will this embolden even more fines? Hey, you're a CISO, what's your take on this? On LinkedIn Mike Johnson brought up the discussion of security vendors marketing what they're not. He claimed that this tactic is doomed to fail, and should just stop. Why is it a failed tactic? It's time to play, "What's Worse?!" We get a little philosophical in this round of "What's Worse?!" Um...What do they do? I read the copy from a vendor's website and the two CISOs try to figure out, "What do they do?" Ask a CISO A listener asks, "What are the signs that tell you that a vendor is serious about improving the security of their product?" How are CISOs digesting the latest security news? A caustic attendee to DerbyCon brings down the entire event because the organizers didn't know how to handle his behavior. How can event producers in the security space avoid this happening in the future? And now this... We take questions from our audience.

CISO-Security Vendor Relationship Podcast
Get Out! The Data Leak Is Coming from the Inside

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later Jan 14, 2019 27:05


CISO/Security Vendor Relationship Podcast and Series is available at CISOSeries.com. Be afraid. Be very afraid of the latest episode of the CISO/Security Vendor Relationship Podcast where it's possible that 90 percent of your security breaches are coming from within your own company. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions and Mike Johnson, CISO of Lyft. Our guest this week is Leon Ravenna, CISO, KAR Auction Services. Synack provides crowdsourced security testing that provides more than older style penetration testing. Instead of using a few researchers who output a final report, Synack uses a globally-sourced crowd of researchers backed by a purpose-built hacking platform. This gives organizations access to security talent that is not available from any one company, and data and insights into the testing process. All Synack security testing is recorded, measured, and analyzed to not only output results like new vulnerabilities and compliance checks, but displays attack patterns and quantities in real-time. By using bug bounties as incentives, researchers are rewarded for the great finds that Synack verifies and shares with its customers. To find out more about the Hacker-Powered Security used by the Internal Revenue Service and many other organizations, go to synack.com. On this episode How CISOs are digesting the latest security news According to a new report from Kroll, "Human Error, Not Hackers, to Blame for Vast Majority of Data Breaches." They report that 2,124 incidents could be attributed to human error, compared to just 292 that were deliberate cyber incidents. They say that's a 75% increase over the past two years but that could be because reporting breaches wasn't mandatory before GDPR. One user commented, these numbers seem to conflict with what the Verizon Breach report says.
According to this data it appears a security leader should be spending close to 90 percent of their budget and effort trying to prevent inside data leakage. How would your security plan change if that was your charge? Hey, you're a CISO, what's your take on this? An article and video published last week on this site written and featuring Elliot Lewis, CEO of Encryptics, talks about the need to get cozy with your legal team because when a breach occurs, you're going to need to have possession, custody, and control of your data. If you can't answer those questions you're putting your legal team in a bind. Mike and our guest talk about being able to answer these questions and building relations with the legal team. It's time to play, "Um... What Do They Do?" It's a brand new game where I read copy from a vendor's website, and Mike and our guest try to guess, "What do they do?" What's a CISO to do? Kip Boyle, past guest, friend of the show, and author of a new book, "Fire Doesn't Innovate," which comes out today asks this question, "Could good cyber risk management be the basis for a competitive differentiator for your business? How?" Kip's book is available at firedoesntinnovate.com and for the first week it's out it's only $.99 via Kindle. Ask a CISO Thomas Torgerson of Blue Cross/Blue Shield of Alabama asks, "How do CISOs feel about presenting webinars or speaking at other events regarding products that they use in their environment?" Are there incentives promoting a vendor solution? Or is it too risky to let threat actors know your security toolsets?

Breach
Midterm Election Special

Breach

Play Episode Listen Later Oct 29, 2018 52:21


Your vote counts. But will your vote be counted? Alia and Bob team up again for a very special election episode to get to the bottom of Alia’s democratic anxiety: Are voting machines even the easiest way to hack an election? At what stage is your vote most vulnerable? And is democracy doomed in the digital age?!?! Hear from a whole slew of experts – hackers, cyber-security specialists, the team at DefCon’s “Voting Village”, and more – as we break out the full lifecycle of your vote and every hackable step along the way. We'll cover: DefCon presenting their Voting Village findings in DC. Hacking into voting machines 15 years ago with Harri Hursti (Black Box Voting hacker, originator of “The Hursti Hacks”). The vulnerability of voting systems and consequences of HAVA (Help America Vote Act) with tech journalist Kim Zetter (“The Crisis of Election Security”, New York Times). Disinformation and trolling campaigns with researcher Nick Monaco (Oxford Internet Institute, The Computational Propaganda Project; Google’s Jigsaw). The diversity of election systems with election expert Maggie MacAlpine (Nordic Innovation Labs). The impossibility of securing voting software with cryptography and system security researcher Matt Blaze (University of Pennsylvania). Vulnerability of voter registration and long lines with Jake Braun (Cambridge Global, University of Chicago’s Cyber Policy Initiative, Former Deputy National Field Director for President Obama, Organizer of Def Con’s Voting Village). Hacking demonstrations on electronic DRE voting machines with J. Alex Halderman (Michigan Center for Computer Security and Society). Transmitting votes and enlisting white-hat hackers with Mark Kuhr (crowd-sourcing cybersecurity company Synack). Auditing your local Secretary of State’s election security with Adam Levin (CyberScout). Breach is sponsored by Carbonite, how businesses protect their data. www.carbonite.com

Founder Real Talk
How to Thwart Terrorist Attacks and Help Save Countless Lives, with Jay Kaplan, CEO and Co-Founder of Synack

Founder Real Talk

Play Episode Listen Later Oct 2, 2018 33:47


Jay started his career at the NSA and brought his love of uncovering cyber vulnerabilities to the private sector through Synack. In this interview, Jay gives his perspective on how to find product-market fit in cyber security, how early customers shape the product, and how to balance the sales and leadership responsibilities of being a CEO. Jay Kaplan is the CEO and Co-Founder of Synack, the hacker-powered security platform for the enterprise. Prior to founding Synack, Jay served in a number of cyber-related positions at the Department of Defense and NSA, as a member of the DoD’s Incident Response and Red Team and as a Senior Computer Network Exploitation and Vulnerability Analyst at the National Security Agency. He received multiple accolades for classified work conducted while at the NSA, where his focus was supporting counterterrorism-related intelligence operations. Jay was a former member of the Commission on Cyber Security for the 44th President. He received a BS in Computer Science with a focus on Information Assurance and an MS in Engineering Management from George Washington University while studying under a DoD/NSA-sponsored fellowship.

Highlights from the episode:
4:02 How do you go from the NSA to building a hacking company?
6:21 How did you find your cofounder?
9:33 How did you find product-market fit?
11:03 How did you launch your go-to-market strategy and break into a new geography?
13:01 Why did you choose to launch your business in SF?
13:45 How did you win your first customers?
16:33 How did early customers change what you are building? Did you change certain things you weren’t expecting to in those early days?
17:46 How have you thought about building your team and what’s important when you’re hiring somebody new? What’s worked well for you and what are some pitfalls to avoid?
20:27 How do you balance the job of selling the product with the other responsibilities of being a CEO?
22:05 When building your team, how did you decide it was the right time to bring on execs?
24:07 How did you generate demand around a new product?
26:35 What’s the worst moment you’ve had in a meeting?
27:55 Tell us about your hiring philosophy
29:18 What’s the best thing you’ve done to maintain the spirit and culture of your company?
30:59 What is the best book that you’ve read recently?

BSD Now
233: High on ZFS

BSD Now

Play Episode Listen Later Feb 14, 2018 110:50


We explain the physics behind ZFS, DTrace switching to the GPL, Emacs debugging, syncookies coming to PF & FreeBSD's history on EC2.

This episode was brought to you by

Headlines

128 bit storage: Are you high? (https://blogs.oracle.com/bonwick/128-bit-storage:-are-you-high)

For people who have heard about ZFS boiling oceans and wonder where that is coming from, we dug out this old piece from 2004 on the blog of ZFS co-creator Jeff Bonwick, originally from the Sun website.

64 bits would have been plenty ... but then you can't talk out of your ass about boiling oceans then, can you? Well, it's a fair question. Why did we make ZFS a 128-bit storage system? What on earth made us think it's necessary? And how do we know it's sufficient?

Let's start with the easy one: how do we know it's necessary? Some customers already have datasets on the order of a petabyte, or 2^50 bytes. Thus the 64-bit capacity limit of 2^64 bytes is only 14 doublings away. Moore's Law for storage predicts that capacity will continue to double every 9-12 months, which means we'll start to hit the 64-bit limit in about a decade. Storage systems tend to live for several decades, so it would be foolish to create a new one without anticipating the needs that will surely arise within its projected lifetime.

If 64 bits isn't enough, the next logical step is 128 bits. That's enough to survive Moore's Law until I'm dead, and after that, it's not my problem. But it does raise the question: what are the theoretical limits to storage capacity?

Although we'd all like Moore's Law to continue forever, quantum mechanics imposes some fundamental limits on the computation rate and information capacity of any physical device. In particular, it has been shown that 1 kilogram of matter confined to 1 liter of space can perform at most 10^51 operations per second on at most 10^31 bits of information [see Seth Lloyd, "Ultimate physical limits to computation." Nature 406, 1047-1054 (2000)].

A fully-populated 128-bit storage pool would contain 2^128 blocks = 2^137 bytes = 2^140 bits; therefore the minimum mass required to hold the bits would be (2^140 bits) / (10^31 bits/kg) = 136 billion kg. That's a lot of gear.

To operate at the 10^31 bits/kg limit, however, the entire mass of the computer must be in the form of pure energy. By E=mc^2, the rest energy of 136 billion kg is 1.2x10^28 J. The mass of the oceans is about 1.4x10^21 kg. It takes about 4,000 J to raise the temperature of 1 kg of water by 1 degree Celsius, and thus about 400,000 J to heat 1 kg of water from freezing to boiling. The latent heat of vaporization adds another 2 million J/kg. Thus the energy required to boil the oceans is about 2.4x10^6 J/kg * 1.4x10^21 kg = 3.4x10^27 J. Thus, fully populating a 128-bit storage pool would, literally, require more energy than boiling the oceans.

Best part of all: you don't have to understand any of this to use ZFS. Rest assured that you won't hit any limits with that filesystem for a long time. You still have to buy bigger disks over time, though...

***

dtrace for Linux, Oracle relicenses dtrace (https://gnu.wildebeest.org/blog/mjw/2018/02/14/dtrace-for-linux-oracle-does-the-right-thing/)

At Fosdem we had a talk on dtrace for linux in the Debugging Tools devroom. Not explicitly mentioned in that talk, but certainly the most exciting thing, is that Oracle is doing a proper linux kernel port:

```
commit e1744f50ee9bc1978d41db7cc93bcf30687853e6
Author: Tomas Jedlicka <tomas.jedlicka@oracle.com>
Date:   Tue Aug 1 09:15:44 2017 -0400

    dtrace: Integrate DTrace Modules into kernel proper

    This changeset integrates DTrace module sources into the main kernel
    source tree under the GPLv2 license. Sources have been moved to
    appropriate locations in the kernel tree.
```

That is right, dtrace dropped the CDDL and switched to the GPL! The user space code dtrace-utils and libdtrace-ctf (a combination of GPLv2 and UPL) can be found on the DTrace Project Source Control page. The NEWS file mentions the license switch (and that it is built upon elfutils, which I personally was pleased to find out). The kernel sources (GPLv2+ for the core kernel and UPL for the uapi) are slightly harder to find because they are inside the uek kernel source tree, but following the above commit you can easily get at the whole linux kernel dtrace directory. The UPL is the Universal Permissive License, which according to the FSF is a lax, non-copyleft license that is compatible with the GNU GPL.

Thank you Oracle for making everyone's life easier by waving your magic relicensing wand! Now there is lots of hard work to do to actually properly integrate this. And I am sure there are a lot of technical hurdles when trying to get this upstreamed into the mainline kernel. But that is just hard work. Which we can now start collaborating on in earnest.

Like systemtap and the Dynamic Probes (dprobes) before it, dtrace is a whole system observability tool combining tracing, profiling and probing/debugging techniques. Something the upstream linux kernel hackers don't always appreciate when presented as one large system. They prefer having separate small tweaks for tracing, profiling and probing which are mostly separate from each other. It took years for the various hooks, kprobes, uprobes, markers, etc. from systemtap (and other systems) to get upstream. But these days they are. And there is now even a byte code interpreter (eBPF) in the mainline kernel as originally envisioned by dprobes, which systemtap can now target through stapbpf. So with all those techniques now available in the linux kernel it will be exciting to see if dtrace for linux can unite them all.

Debugging Emacs or: How I Learned to Stop Worrying and Love DTrace (http://nullprogram.com/blog/2018/01/17/)

For some time Elfeed was experiencing a strange, spurious failure. Every so often users were seeing an error (spoiler warning) when updating feeds: “error in process sentinel: Search failed.” If you use Elfeed, you might have even seen this yourself. From the surface it appeared that curl, tasked with the responsibility for downloading feed data, was producing incomplete output despite reporting a successful run. Since the run was successful, Elfeed assumed certain data was in curl's output buffer, but, since it wasn't, it failed hard.

Unfortunately this issue was not reproducible. Manually running curl outside of Emacs never revealed any issues. Asking Elfeed to retry fetching the feeds would work fine. The issue would only randomly rear its head when Elfeed was fetching many feeds in parallel, under stress. By the time the error was discovered, the curl process had exited and vital debugging information was lost. Considering that this was likely to be a bug in Emacs itself, there really wasn't a reliable way to capture the necessary debugging information from within Emacs Lisp. And, indeed, this later proved to be the case.

A quick-and-dirty workaround is to use condition-case to catch and swallow the error. When the bizarre issue shows up, rather than fail badly in front of the user, Elfeed could attempt to swallow the error — assuming it can be reliably detected — and treat the fetch as simply a failure. That didn't sit comfortably with me. Elfeed had done its due diligence checking for errors already. Someone was lying to Elfeed, and I intended to catch them with their pants on fire. Someday.

I'd just need to witness the bug on one of my own machines. Elfeed is part of my daily routine, so surely I'd have to experience this issue myself someday. My plan was, should that day come, to run a modified Elfeed, instrumented to capture extra data. I would have also routinely run Emacs under GDB so that I could inspect the failure more deeply. For now I just had to wait to hunt that zebra.

Bryan Cantrill, DTrace, and FreeBSD

Over the holidays I re-discovered Bryan Cantrill, a systems software engineer who worked for Sun between 1996 and 2010, and is most well known for DTrace. My first exposure to him was in a BSD Now interview in 2015. I had re-watched that interview and decided there was a lot more I had to learn from him. He's become a personal hero to me. So I scoured the internet for more of his writing and talks.

Some interesting operating system technology came out of Sun during its final 15 or so years — most notably DTrace and ZFS — and Bryan speaks about it passionately. Almost as a matter of luck, most of it survived the Oracle acquisition thanks to Sun releasing it as open source in just the nick of time. Otherwise it would have been lost forever. The scattered ex-Sun employees, still passionate about their prior work at Sun, along with some of their old customers have since picked up the pieces and kept going as a community under the name illumos. It's like an open source flotilla.

Naturally I wanted to get my hands on this stuff to try it out for myself. Is it really as good as they say? Normally I stick to Linux, but it (generally) doesn't have these Sun technologies available. The main reason is license incompatibility. Sun released its code under the CDDL, which is incompatible with the GPL. Ubuntu does infamously include ZFS, but other distributions are unwilling to take that risk. Porting DTrace is a serious undertaking since it's got its fingers throughout the kernel, which also makes the licensing issues even more complicated.

Linux has a reputation for Not Invented Here (NIH) syndrome, and these licensing issues certainly contribute to that. Rather than adopt ZFS and DTrace, they've been reinvented from scratch: btrfs instead of ZFS, and a slew of partial options instead of DTrace. Normally I'm most interested in system call tracing, and my go-to is strace, though it certainly has its limitations — including this situation of debugging curl under Emacs. Another famous example of NIH is Linux's epoll(2), which is a broken version of BSD kqueue(2).

So, if I want to try these for myself, I'll need to install a different operating system. I've dabbled with OmniOS, an OS built on illumos, in virtual machines, using it as an alien environment to test some of my software (e.g. enchive). OmniOS has a philosophy called Keep Your Software To Yourself (KYSTY), which is really just code for “we don't do packaging.” Honestly, you can't blame them since they're a tiny community. The best solution to this is probably pkgsrc, which is essentially a universal packaging system. Otherwise you're on your own. There's also openindiana, which is a more friendly desktop-oriented illumos distribution. Still, the short of it is that you're very much on your own when things don't work. The situation is like running Linux a couple decades ago, when it was still difficult to do.

If you're interested in trying DTrace, the easiest option these days is probably FreeBSD. It's got a big, active community, thorough documentation, and a huge selection of packages. Its license (the BSD license, duh) is compatible with the CDDL, so both ZFS and DTrace have been ported to FreeBSD.

What is DTrace?

I've done all this talking but haven't yet described what DTrace really is. I won't pretend to write my own tutorial, but I'll provide enough information to follow along. DTrace is a tracing framework for debugging production systems in real time, both for the kernel and for applications. The “production systems” part means it's stable and safe — using DTrace won't put your system at risk of crashing or damaging data. The “real time” part means it has little impact on performance. You can use DTrace on live, active systems with little impact. Both of these core design principles are vital for troubleshooting those really tricky bugs that only show up in production.

There are DTrace probes scattered all throughout the system: on system calls, scheduler events, networking events, process events, signals, virtual memory events, etc. Using a specialized language called D (unrelated to the general purpose programming language D), you can dynamically add behavior at these instrumentation points. Generally the behavior is to capture information, but it can also manipulate the event being traced. Each probe is fully identified by a 4-tuple delimited by colons: provider, module, function, and probe name. An empty element denotes a sort of wildcard. For example, syscall::open:entry is a probe at the beginning (i.e. “entry”) of open(2). syscall:::entry matches all system call entry probes.

Unlike strace on Linux which monitors a specific process, DTrace applies to the entire system when active. To run curl under strace from Emacs, I'd have to modify Emacs' behavior to do so. With DTrace I can instrument every curl process without making a single change to Emacs, and with negligible impact to Emacs. That's a big deal. So, when it comes to this Elfeed issue, FreeBSD is much better poised for debugging the problem. All I have to do is catch it in the act. However, it's been months since that bug report and I'm not really making this connection yet. I'm just hoping I eventually find an interesting problem where I can apply DTrace.

Bryan Cantrill: Talks I have given (http://dtrace.org/blogs/bmc/2018/02/03/talks/)

***

News Roundup

a2k18 Hackathon preview: Syncookies coming to PF (https://undeadly.org/cgi?action=article;sid=20180207090000)

As you may have heard, the a2k18 hackathon is in progress. As can be seen from the commit messages, several items of goodness are being worked on. One eagerly anticipated item is the arrival of TCP syncookies (read: another important tool in your anti-DDoS toolset) in PF. Henning Brauer (henning@) added the code in a series of commits on February 6th, 2018, with this one containing the explanation:

```
syncookies for pf.

when syncookies are on, pf will blindly answer each and every SYN with a
syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will
reconstruct the original SYN, shove it through pf_test, where state will
be created if the ruleset permits it. Then massage the freshly created
state (we won't see the SYNACK), set up the sequence number modulator,
and call into the existing synproxy code to start the 3WHS with the
backend host.

Add an - somewhat basic for now - adaptive mode where syncookies get
enabled if a certain percentage of the state table is filled up with
half-open tcp connections. This makes pf firewalls resilient against
large synflood attacks.

syncookies are off by default until we gained more experience,
considered experimental for now.

see http://bulabula.org/papers/2017/bsdcan/ for more details.

joint work with sashan@, widely discussed and with lots of input by many
```

The first release to have this feature available will probably be the upcoming OpenBSD 6.3 if a sufficient number of people test this in their setups (hint, hint). More info is likely to emerge soon in post-hackathon writeups, so watch this space!

[Pale Moon] A Perfect example of how not to approach OS developers/packagers

Removed from OpenBSD Ports due to Licensing Issues (https://github.com/jasperla/openbsd-wip/issues/86)
FreeBSD Palemoon branding violation (https://lists.freebsd.org/pipermail/freebsd-ports/2018-February/112455.html)
MidnightBSD's response (https://twitter.com/midnightbsd/status/961232422091280386)

***

FreeBSD EC2 History (http://www.daemonology.net/blog/2018-02-12-FreeBSD-EC2-history.html)

A couple years ago Jeff Barr published a blog post with a timeline of EC2 instances. I thought at the time that I should write up a timeline of the FreeBSD/EC2 platform, but I didn't get around to it; but last week, as I prepared to ask for sponsorship for my work I decided that it was time to sit down and collect together the long history of how the platform has evolved and improved over the years. Normally I don't edit blog posts after publishing them (with the exception of occasional typographical corrections), but I do plan on keeping this post up to date with future developments.

August 25, 2006: Amazon EC2 launches. It supports a single version of Ubuntu Linux; FreeBSD is not available.
December 13, 2010: I manage to get FreeBSD running on EC2 t1.micro instances.
March 22, 2011: I manage to get FreeBSD running on EC2 "cluster compute" instances.
July 8, 2011: I get FreeBSD 8.2 running on all 64-bit EC2 instance types, by marking it as "Windows" in order to get access to Xen/HVM virtualization. (Unfortunately this meant that users had to pay the higher "Windows" hourly pricing.)
January 16, 2012: I get FreeBSD 9.0 running on 32-bit EC2 instances via the same "defenestration" trick. (Again, paying the "Windows" prices.)
August 16, 2012: I move the FreeBSD rc.d scripts which handle "EC2" functionality (e.g., logging SSH host keys to the console) into the FreeBSD ports tree.
October 7, 2012: I rework the build process for FreeBSD 9.1-RC1 and later to use "world" bits extracted from the release ISOs; only the kernel is custom-built. Also, the default SSH user changes from "root" to "ec2-user".
October 31, 2012: Amazon launches the "M3" family of instances, which support Xen/HVM without FreeBSD needing to pay the "Windows" tax.
November 21, 2012: I get FreeBSD added to the AWS Marketplace.
October 2, 2013: I finish merging kernel patches into the FreeBSD base system, and rework the AMI build (again) so that FreeBSD 10.0-ALPHA4 and later use bits extracted from the release ISOs for the entire system (world + kernel). FreeBSD Update can now be used for updating everything (because now FreeBSD/EC2 uses a GENERIC kernel).
October 27, 2013: I add code to EC2 images so that FreeBSD 10.0-BETA2 and later AMIs will run FreeBSD Update when they first boot in order to download and install any critical updates.
December 1, 2013: I add code to EC2 images so that FreeBSD 10.0-BETA4 and later AMIs bootstrap the pkg tool and install packages at boot time (by default, the "awscli" package).
December 9, 2013: I add configinit to FreeBSD 10.0-RC1 and later to allow systems to be easily configured via EC2 user-data.
July 1, 2014: Amazon launches the "T2" family of instances; now the most modern family for every type of EC2 instance (regular, high-memory, high-CPU, high-I/O, burstable) supports HVM and there should no longer be any need for FreeBSD users to pay the "Windows tax".
November 24, 2014: I add code to FreeBSD 10.2 and later to automatically resize their root filesystems when they first boot; this means that a larger root disk can be specified at instance launch time and everything will work as expected.
April 1, 2015: I integrate the FreeBSD/EC2 build process into the FreeBSD release building process; FreeBSD 10.2-BETA1 and later AMIs are built by the FreeBSD release engineering team.
January 12, 2016: I enable Intel 82599-based "first generation EC2 Enhanced Networking" in FreeBSD 11.0 and later.
June 9, 2016: I enable the new EC2 VGA console functionality in FreeBSD 11.0 and later. (The old serial console also continues to work.)
June 24, 2016: Intel 82599-based Enhanced Networking works reliably in FreeBSD 11.0 and later thanks to discovering and working around a Xen bug.
June 29, 2016: I improve throughput on Xen blkfront devices (/dev/xbd*) by enabling indirect segment I/Os in FreeBSD 10.4 and later. (I wrote this functionality in July 2015, but left it disabled by default at first because a bug in EC2 caused it to hurt performance on some instances.)
July 7, 2016: I fix a bug in FreeBSD's virtual memory initialization in order to allow it to support boot with 128 CPUs; aka. FreeBSD 11.0 and later support the EC2 x1.32xlarge instance type.
January 26, 2017: I change the default configuration in FreeBSD 11.1 and later to support EC2's IPv6 networking setup out of the box (once you flip all of the necessary switches to enable IPv6 in EC2 itself).
May 20, 2017: In collaboration with Rick Macklem, I make FreeBSD 11.1 and later compatible with the Amazon "Elastic File System" (aka. NFSv4-as-a-service) via the newly added "oneopenown" mount option (and lots of bug fixes).
May 25, 2017: I enable support for the Amazon "Elastic Network Adapter" in FreeBSD 11.1 and later. (The vast majority of the work — porting the driver code — was done by Semihalf with sponsorship from Amazon.)
December 5, 2017: I change the default configuration in FreeBSD 11.2 and later to make use of the Amazon Time Sync Service (aka. NTP-as-a-service).

The current status

The upcoming FreeBSD release (11.2) supports: IPv6, Enhanced Networking (both generations), Amazon Elastic File System, Amazon Time Sync Service, both consoles (Serial and VGA), and every EC2 instance type (although I'm not sure if FreeBSD has drivers to make use of the FPGA or GPU hardware on those instances).

Colin's Patreon page if you'd like to support him (https://www.patreon.com/cperciva)

X network transparency

X's network transparency has wound up mostly being a failure (https://utcc.utoronto.ca/~cks/space/blog/unix/XNetworkTransparencyFailure)

I was recently reading Mark Dominus's entry about some X keyboard problems, in which he said in passing (quoting himself): I have been wondering for years if X's vaunted network transparency was as big a failure as it seemed: an interesting idea, worth trying out, but one that eventually turned out to be more trouble than it was worth. [...]

My first reaction was to bristle, because I use X's network transparency all of the time at work. I have several programs to make it work very smoothly, and some core portions of my environment would be basically impossible without it. But there's a big qualification on my use of X's network transparency, namely that it's essentially all for text. When I occasionally go outside of this all-text environment of xterms and emacs and so on, it doesn't go as well.

X's network transparency was not designed as 'it will run xterm well'; originally it was to be something that should let you run almost everything remotely, providing a full environment. Even apart from the practical issues covered in Daniel Stone's slide presentation, it's clear that it's been years since X could deliver a real first class environment over the network. You cannot operate with X over the network in the same way that you do locally. Trying to do so is painful and involves many things that either don't work at all or perform so badly that you don't want to use them.

In my view, there are two things that did in general X network transparency. The first is that networks turned out to not be fast enough even for ordinary things that people wanted to do, at least not the way that X used them. The obvious case is web browsers; once the web moved to lots of images and worse, video, that was pretty much it, especially with 24-bit colour. (It's obviously not impossible to deliver video across the network with good performance, since YouTube and everyone else does it. But their video is highly encoded in specialized formats, not handled by any sort of general 'send successive images to the display' system.)

The second is that the communication facilities that X provided were too narrow and limited. This forced people to go outside of them in order to do all sorts of things, starting with audio and moving on to things like DBus and other ways of coordinating environments, handling sophisticated configuration systems, modern fonts, and so on. When people designed these additional communication protocols, the result generally wasn't something that could be used over the network (especially not without a bunch of setup work that you had to do in addition to remote X). Basic X clients that use X properties for everything may be genuinely network transparent, but there are very few of those left these days. (Not even xterm is any more, at least if you use XFT fonts. XFT fonts are rendered in the client, and so different hosts may have different renderings of the same thing, cf.)

What remains of X's network transparency is still useful to some of us, but it's only a shadow of what the original design aimed for. I don't think it was a mistake for X to specifically design it in (to the extent that they did, which is less than you might think), and it did help X out pragmatically in the days of X terminals, but that's mostly it. (I continue to think that remote display protocols are useful in general, but I'm in an unusual situation. Most people only ever interact with remote machines with either text mode SSH or a browser talking to a web server on the remote machine.)

PS: The X protocol issues with synchronous requests that Daniel Stone talks about don't help the situation, but I think that even with those edges sanded off X's network transparency wouldn't be a success. Arguably X's protocol model committed a lesser version of part of the NeWS mistake.

X's network transparency was basically free at the time (https://utcc.utoronto.ca/~cks/space/blog/unix/XFreeNetworkTransparency)

I recently wrote an entry about how X's network transparency has wound up mostly being a failure for various reasons. However, there is an important flipside to the story of X's network transparency, and that is that X's network transparency was almost free at the time and in the context it was created. Unlike the situation today, in the beginning X did not have to give up lots of performance or other things in order to get network transparency.

X originated in the mid 1980s and it was explicitly created to be portable across various Unixes, especially BSD-derived ones (because those were what universities were mostly using at that time). In the mid to late 1980s, Unix had very few IPC methods, especially portable ones. In particular, BSD systems did not have shared memory (it was called 'System V IPC' for the obvious reasons). BSD had TCP and Unix sockets, some System V machines had TCP (and you could likely assume that more would get it), and in general your safest bet was to assume some sort of abstract stream protocol and then allow for switchable concrete backends. Unsurprisingly, this is exactly what X did; the core protocol is defined as a bidirectional stream of bytes over an abstracted channel. (And the concrete implementation of $DISPLAY has always let you specify the transport mechanism, as well as allowing your local system to pick the best mechanism it has.)

Once you've decided that your protocol has to run over abstracted streams, it's not that much more work to make it network transparent (TCP provides streams, after all). X could have refused to make the byte order of the stream clear or required the server and the client to have access to some shared files (eg for fonts), but I don't think either would have been a particularly big win. I'm sure that it took some extra effort and care to make X work across TCP from a different machine, but I don't think it took very much.

(At the same time, my explanation here is probably a bit ahistorical. X's initial development seems relatively strongly tied to sometimes having clients on different machines than the display, which is not unreasonable for the era. But it doesn't hurt to get a feature that you want anyway for a low cost.)

I believe it's important here that X was intended to be portable across different Unixes. If you don't care about portability and can get changes made to your Unix, you can do better (for example, you can add some sort of shared memory or process to process virtual memory transfer). I'm not sure how the 1980s versions of SunView worked, but I believe they were very SunOS dependent. Wikipedia says SunView was partly implemented in the kernel, which is certainly one way to both share memory and speed things up.

PS: Sharing memory through mmap() and friends was years in the future at this point and required significant changes when it arrived.

Beastie Bits

Grace Hopper Celebration 2018 Call for Participation (https://www.freebsdfoundation.org/news-and-events/call-for-papers/grace-hopper-celebration-2018-call-for-participation/)
Google Summer of Code: Call for Project Ideas (https://www.freebsdfoundation.org/blog/google-summer-of-code-call-for-project-ideas/)
The OpenBSD Foundation 2018 Fundraising Campaign (https://undeadly.org/cgi?action=article;sid=20180129190641)
SSH Mastery 2/e out (https://blather.michaelwlucas.com/archives/3115)
AsiaBSDcon 2018 Registration is open (https://2018.asiabsdcon.org/)
Tarsnap support for Bitcoin ending April 1st; and a Chrome bug (http://mail.tarsnap.com/tarsnap-announce/msg00042.html)

Feedback/Questions

Todd - Couple Questions (http://dpaste.com/195HGHY#wrap)
Seth - Tar Snap (http://dpaste.com/1N7NQVQ#wrap)
Alex - sudo question (http://dpaste.com/3D9P1DW#wrap)
Thomas - FreeBSD on ARM? (http://dpaste.com/24NMG47#wrap)
Albert - Austria BSD User Group (http://dpaste.com/373CRX7#wrap)

PCMag - Fast Forward with Dan Costa

In this episode, Dan talks to Jay Kaplan, founder & CEO of Synack, about cybersecurity, the hacker mentality, and exactly how vulnerable our connected world is today.

Dan Costa - Host
Weston Almond - Producer/Director
Kirsten Cluthe - Producer
Pete Haas - Social Media Manager
Paul Maljak - Stills Photographer
Jamie Lendino - Original Music

In PCMag's Fast Forward video series, editor-in-chief Dan Costa talks to industry leaders about ground-breaking technology that will shape our future. Check out some of Dan's previous interviews here: https://goo.gl/rLPrCk

PCMag.com is your ultimate destination for tech reviews and news. Subscribe to our videos here: https://goo.gl/JfBShr

Like us on Facebook: https://www.facebook.com/PCMag
Follow us on Twitter: https://twitter.com/PCMag
Gawk at our photos on Instagram: https://www.instagram.com/pcmagofficial
Get our latest tips and tricks on Pinterest: http://www.pinterest.com/pcmag

The CyberWire
Black Hat 2017 - Research and Investment - CyberWire Special Edition

The CyberWire

Play Episode Listen Later Aug 1, 2017 39:54


Black Hat 2017 has wrapped up, and by all accounts it was another successful conference, with an active trade show floor, exciting keynotes and engaging, informative educational sessions on a variety of topics. There was business being done, with hopeful entrepreneurs and investors alike looking to identify the next big thing in cyber security. In this CyberWire special edition, we’ve rounded up a handful of presenters and one investor for a taste of Black Hat, to help give you a sense of the event.

Patrick Wardle is Chief Security Researcher at Synack, and creator of objective-see, an online site where he publishes the personal tools he’s created to help protect Mac OS computers. He’ll be telling us about his research on the FruitFly malware recently discovered on Mac OS. https://objective-see.com/

Hyrum Anderson is technical director of data science at Endgame; he will discuss research he released on stage at Black Hat showing the pros and cons of using machine learning from both a defender and attacker perspective. https://www.endgame.com/our-experts/hyrum-anderson

Zack Allen, Manager of Threat Operations, and Chaim Sanders, Security Lead, of ZeroFOX will be speaking about their Black Hat presentation on finding regressions in web application firewall (WAF) deployments. https://www.linkedin.com/in/zack-allen-12749a76 https://www.linkedin.com/in/chaim-sanders-a7a23713/

And we’ll wrap it up with some insights from Alberto Yepez, founder and managing director of Trident Cybersecurity, on the investment environment and the changes he’s seen in the market in the last year. https://www.linkedin.com/in/albertoyepez/

Entrepreneurial Thought Leaders Video Series
Jay Kaplan (Synack) - Crowdsourcing Cybersecurity

Entrepreneurial Thought Leaders Video Series

Play Episode Listen Later Dec 7, 2016 41:20


Entrepreneur Jay Kaplan, co-founder and CEO of Synack, describes how the idea of creating a cybersecurity service for enterprise businesses by crowdsourcing hackers went from sounding like a long shot to launching as a venture capital-backed startup. Kaplan, previously a senior analyst at the National Security Administration, talks about the virtues of government work and the nuances of “white hat” hacking.

Entrepreneurial Thought Leaders Video Series
Jay Kaplan (Synack) - Crowdsourcing Cybersecurity

Entrepreneurial Thought Leaders Video Series

Play Episode Listen Later Dec 6, 2016 41:19


Entrepreneur Jay Kaplan, co-founder and CEO of Synack, describes how the idea of creating a cybersecurity service for enterprise businesses by crowdsourcing hackers went from sounding like a long shot to launching as a venture capital-backed startup. Kaplan, previously a senior analyst at the National Security Administration, talks about the virtues of government work and the nuances of “white hat” hacking.

Entrepreneurial Thought Leaders
Jay Kaplan (Synack) - Crowdsourcing Cybersecurity

Entrepreneurial Thought Leaders

Play Episode Listen Later Dec 6, 2016 42:38


Entrepreneur Jay Kaplan, co-founder and CEO of Synack, describes how the idea of creating a cybersecurity service for enterprise businesses by crowdsourcing hackers went from sounding like a long shot to launching as a venture capital-backed startup. Kaplan, previously a senior analyst at the National Security Administration, talks about the virtues of government work and the nuances of “white hat” hacking.

The CyberWire
Daily: An insider threat deadline approaches. Lawful intercept tools from Italy. Carbanak moves to new targets. Security policy in Germany and the US. A guilty plea in the TalkTalk hack.

The CyberWire

Play Episode Listen Later Nov 16, 2016 15:01


In today's podcast, we hear about some lawful intercept tools that have been found prospecting Android. Synack calls shenanigans on Shazam, but maybe no harm, no foul. Carbanak turns from banks to hospitality. Insider threats and how to mitigate them—if you've got a facility clearance, you've got a deadline coming up, and Steven Grossman from Bay Dynamics explains what it means. Arlington Capital merges three of its companies into a new cyber shop, Polaris Alpha. Symantec is rumored to be sniffing at LifeLock. Cyber policy discussions in Germany and the US sound a lot alike. Jonathan Katz from the University of Maryland explains the pros and cons of photonic encryption. A teenager cops to the TalkTalk hack, and, if you're asking for a friend, the tally of accounts affected by the AdultFriendFinder breach hits 412 million.

Connected Futures: A Cisco podcast exploring business innovation insights

Cybercriminals are brilliant, relentless, and ruthless. So how can organizations hope to fight them? One way is to hire people just like them (minus the ruthless part). A growing wave of companies are using hackers to foil hackers. They unleash “researchers” (aka hackers) to “attack” an organization’s defenses. Some of these companies create their own elite Red Teams of ethical, or white hat, hackers, as they are known. Others commandeer virtual armies of crowd-sourced hackers. The goal is the same: probe for weaknesses that may have escaped the internal security team’s best efforts. Kevin Delaney, senior writer for Connected Futures is joined by Jay Kaplan, CEO of the ethical hacking firm Synack.

DEF CON 23 [Audio] Speeches from the Hacker Convention
Patrick Wardle - Stick That In Your root Pipe and Smoke It

DEF CON 23 [Audio] Speeches from the Hacker Convention

Play Episode Listen Later Oct 21, 2015


Materials available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Patrick-Wardle-Stick-that-in-your-(Root)Pipe-and-Smoke-it-UPDATED.pdf

Stick That In Your (root)Pipe & Smoke It
Patrick Wardle, Director of R&D, Synack

You may ask: "Why would Apple add an XPC service that can create setuid files anywhere on the system - and then blindly allow any local user to leverage this service?" Honestly, I have no idea! The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined its lax controls could be abused to escalate one's privileges to root. Dubbed 'rootpipe', this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things then got quite interesting. First, Apple decided to leave older versions of OS X un-patched. Then, an astute researcher discovered that the OSX/XSLCmd malware, which pre-dated the disclosure, exploited this same vulnerability as a 0day! Finally, yours truly found a simple way to side-step Apple's patch to re-exploit the core vulnerability on a fully-patched system. So come attend (but maybe leave your MacBooks at home), as we dive into the technical details of XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple’s response, a second patch, that appears to squash 'rootpipe'... for now.

Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes OS X security tools. Both can be found on his website Objective-See.com

DEF CON 23 [Audio] Speeches from the Hacker Convention
Patrick Wardle - 'DLL Hijacking' on OS X? #@%& Yeah!

DEF CON 23 [Audio] Speeches from the Hacker Convention

Play Episode Listen Later Oct 21, 2015


Materials available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Patrick-Wardle-DLL-Hijacking-on-OSX-UPDATED.pdf

'DLL Hijacking' on OS X? #@%& Yeah!
Patrick Wardle, Director of R&D, Synack

Remember DLL hijacking on Windows? Well, turns out that OS X is fundamentally vulnerable to a similar attack (independent of the user's environment). By abusing various 'features' and undocumented aspects of OS X's dynamic loader, this talk will reveal how attackers need only to plant specially-crafted dynamic libraries to have their malicious code automatically loaded into vulnerable applications. Through this attack, adversaries can perform a wide range of malicious actions, including stealthy persistence, process injection, security software circumvention, and even 'remote' infection. So come watch as applications fall, Gatekeeper crumbles (allowing downloaded unsigned code to execute), and 'hijacker malware' arises - capable of bypassing all top security and anti-virus products! And since "sharing is caring", leave with code and tools that can automatically uncover vulnerable binaries, generate compatible hijacker libraries, or detect if you've been hijacked.

Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes OS X security tools. Both can be found on his website Objective-See.com

DEF CON 22 [Materials] Speeches from the Hacker Convention.
Patrick Wardle and Colby Moore - Optical Surgery; Implanting a DropCam

DEF CON 22 [Materials] Speeches from the Hacker Convention.

Play Episode Listen Later Dec 13, 2014


Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Moore-Wardle/DEFCON-22-Colby-Moore-Patrick-Wardle-Synack-DropCam-Updated.pdf

Optical Surgery; Implanting a DropCam
Patrick Wardle, Director of Research, Synack
Colby Moore, Security Research Engineer, Synack

Video monitoring solutions such as DropCam aim to provide remote monitoring, protection and security. But what if they could be maliciously subverted? This presentation details a reverse-engineering effort that resulted in the full compromise of a DropCam. Specifically, given physical access and some creative hardware and software hacks, any malicious software may be persistently installed upon the device. Implanting a wireless video monitoring solution presents some unique opportunities, such as intercepting the video stream, ‘hot-micing’, or even acting as a persistent access/attack point within a network. This presentation will describe such an implant as well as revealing a method of infecting either Windows or OS X hosts that are used to configure a subverted DropCam.

Patrick Wardle is Director of Research at Synack, where he leads Research and Development efforts. His current focus is on identifying emerging threats in OSX and mobile malware. In addition, Patrick is an experienced vulnerability and exploitation analyst and has found multiple exploitable 0days in major operating systems and popular client applications. In his limited spare time he writes iOS apps for fun (and hopefully one day, for profit). Patrick’s prior roles include security research work with VRL and the NSA.

Colby Moore is Security Research Engineer at Synack where he focuses on identifying critical vulnerabilities in various products and services. Ever since setting eyes on a computer he has had a burning desire to hack anything in sight, but prefers to focus on where hardware and software meet. He has been involved in the computer security community for as long as he can remember and has identified countless 0-day vulnerabilities in embedded systems, major social networks, and consumer devices. Some might say Colby has an unhealthy obsession for spontaneous adventure, things that go fast, and the occasional mischief.