Martin, Rich and Zach are joined tonight by none other than Josh Corman from the 451 Group to talk about the recent RSA breach. Actually, he was on more to talk about the industry's reaction to the breach than the breach itself. The reality is that we still know almost nothing about what happened, though Rich has a little insight that goes beyond the press release, since he's actually talked to folks at RSA. Which means we know just a little more than nothing, which is not a significant improvement.
Another reason Josh wanted to join us was to talk about one of Rich's recent articles, called Table Stakes. We clarify what Rich meant in the original post, as well as talking about some of the more touchy-feely aspects of the industry. Except Zach, who doesn't do touchy-feely so much. And finally we end up with a little rant about those hacks over at the Southern Fried Security Podcast and how they're always imitating us. They even have their own Bizarro Zack, @jsokoly.
Network Security Podcast, Episode 234, March 22, 2011
My friend Adrian Lane, over at Securosis, finds the best toys to play with. This one, called Spokeo, lets you search on a name and see what sort of personal information is out there about that person. Like Adrian, I always search on myself first, wanting to see what sort of information is out there about me. And there's a lot of it; even someone like myself who wishes they had some privacy leaks a lot of information, even if it's just in public records. Luckily I have a father with the same name, so our information is a little mixed up, with a sprinkling of misinformation added in. If I can't have privacy, having false information available to search engines is a good second.
The funniest part of looking up myself was finding my house in Streetview, which is offered directly in the Spokeo interface, then turning the camera around to see myself getting out of the car. The picture's about two years old, but it still jogged some memories of seeing the Google car drive by. The picture is blurry and it'd be hard to recognize me from it, but there it is. Being in a public place (the road), I'm not surprised to be photographed, but it does serve as a reminder of how often we're being photographed in public, even if we are seldom aware of it. That is to say, people who don't live with a mild form of paranoia are seldom aware of it.
Waking up on the Sunday morning of Defcon to be on a panel about PCI after having been in Las Vegas for 5 days takes a lot of commitment. Waking on Sunday morning to attend a panel on PCI takes something else entirely. Which is why I was so surprised to see a ton of people looking back at me from the audience when I took the stage with Jack Daniel, Dave Shackleford, Josh Corman, Alex Hutton and James Arlen. And a book by Anton Chuvakin (you have to watch the video to understand). I consider every one of the gentlemen on stage with me to be a friend, and it was a great honor to be in front of the crowd with them. Even if we do look like a bunch of hung-over, middle-aged geeks. There was more interest in PCI and what it means to us than I would ever have expected. With any luck we'll be able to get this gang together to talk again, perhaps without the hangovers.
DEFCON 18: PCI – Compromising Controls and Compromising Security from James Arlen on Vimeo.
Last week I joined Chris Hoff, aka Beaker, and Team Squirrel down in Palo Alto to play v0dgeball for the evening. I can't say I was of much use, but it was awesome to watch Kim shimmy and twist her way out of almost every ball thrown at her. And when it came down to the final game, Trey Ford did an awesome job of taking on the other team by himself. Truly an epic performance. For more video and pictures, you can visit Virtual Geek. In the meantime, here's a small sample of what we went through. Great game, guys!
Do you remember those old School House Rock commercials from the '70s? I do, in part because someone gave my kids a DVD set with all of them on it. And apparently the folks at the PCI Council remember them too, because they've created a video that looks a lot like those old commercials. My favorite part is the fact that Bob Russo let a cartoon version of himself be part of the video. I wonder if the real Mr. Russo can sing and play the guitar?
Unluckily, the only time I was able to make it down to SF Bsides was for the Great PCI Debate, part 2. Luckily, all the rest of the presentations that went on there are available via Ustream. Of course, I still say the Great PCI Debate was the most important presentation, partly because it contains a guest spot by me (and several examples of me yelling from the sidelines). There was a momentary glitch where the video stream was lost for a minute or two, which is why it's in two separate parts. In any case, watch my friends Jack Daniel, Josh Corman, Andy Ellis, Michele Klinger and Anton Chuvakin discuss compliance in general, not just PCI.
I'd almost forgotten that David Spark ambushed Ben Tomhave, Andrew Storms and me with a video camera on the first day of RSA last week. I think we literally hadn't even had the time to get more than 10 steps beyond the escalator when David found us. Which is my way of saying none of us had any idea what was going on at the convention yet; we were just talking off the top of our heads. Was this really only a week and a half ago? I didn't end up seeing a lot of tokenization at RSA, though I did get to talk to some of the key players about end-to-end encryption.
Anti-virus discussions are always fun. AV is one of the baseline tools almost everyone in the industry agrees you need to have, but is it an effective tool? And if it's not effective, why are we still using it? This is another in the series of discussions with Amrit Williams, Mike Murray and Richard Stiennon.
I am a little late to post this video, since it was available last week. We’ve already received a couple of comments from Finjan and ESET. We’ll see if either of these companies is willing to respond on video.
Demos on Demand video: Anti-Virus
This is a repost. I hadn’t realized the link to the video was broken in the original post. I blame the WYSIWYG editor.
This is the latest in a series of video discussions with my friends Richard Stiennon, Amrit Williams and Mike Murray. I have a hard time watching myself on video, so I haven't watched the whole thing, but everyone who's reviewed it says it's a fun, lively discussion. That's Enterprise Security Management and Security Event Management, for anyone who's not up on the latest acronyms. I think this was the last shoot of the day, which you can tell because we all let loose a little more than we had earlier in the day.
Demos on Demand: ESM & SEM
Once again the topic is something I make no claim to be an expert on: Messaging Security. Not that I've ever let that stop me, but I thought I'd make it clear before the video does. I think this is the last of the original series of discussions Richard Stiennon, Mike Murray, Amrit Williams and I had, but there might be one more hiding in the wings. I have a few more discussions with Richard coming up, which may have some feedback from other security professionals.