Episode E -- Just a bunch of hosers

Teh Podcast Warz Haz Begun!

It's another week in infosec. I can't get excited about it either. Too many news stories of note, breaches and a new section - the SCADAs. In the same way that we had too many breach stories so we broke them out, we're doing the same with SCADA. Expect a lot of derision from Dave and I -- there's a lot of bullshit and we're calling it.

We'd also like to wave hello to the team at Riskhose. We're sorry that you misinterpreted young Matt's question - we'll straighten you out when we do our Risk-tacular episode this fall. Also, we're starting to suspect that the Riskhose Utahian may be a closet Canadian - he knows too much about Canadian musicians and he does know all of the words to Romantic Traffic (and yes Alex, when you come to Toronto, we'll go visit all of the subway stations so that you can produce your fan version of the video.)

Interestingly, between the Riskhose podcast and some threats from the Southern Fried Security bunch, it's on - the Podcast Wars are here - expect that the next few months are going to be epic in the world of infosec podcasting. We may even take a swipe at NetSec!

  1. Syria
  2. SSL Certificate Hijinks
  3. Cyber
  4. Hackers
  5. OSX
  6. Canadianisms
  7. The WIFIs
  8. Google-ized
  9. …and then our discussion topic - Dumb Stories

And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Direct download: LSDPodcast-E.mp3
Category:LSD_Podcasts -- posted at: 12:36pm EDT

Episode D -- The Boys of Summer

Good News Everybody!

This is the longest one we've recorded yet -- by 0:59 -- and we will try to get these back down under an hour. Pinky swear. We've also gone over 10000 downloads from 63 countries. That's kinda cool - and thank you all very much. Lots of good stuff in this episode, it's totally worth the 74 minutes.

  1. Hackers
  2. The SCADAs
  3. Java
  4. Lawyers
  5. MOAR SCADAS!!!!
  6. Apple, Microsoft
  7. Stupid Employee Tricks
  8. …and then our discussion topic - Employee Tricks

And if you've got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good.

In this episode:

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-D.mp3
Category:LSD_Podcasts -- posted at: 3:13pm EDT

Episode C -- Brain Dump Semi-slow news week this week so we used the bulk of our time to talk about a topic most of us struggle with (even some of us on the show) productivity! A few stories and our opinions as usual and also a letter from a listener regarding our own Dave running for the ISC2 board. Again, if you have anything comments, questions, suggestions, hatred, bickering, cyberdouchery, please sent it to mailbag@liquidmatrix.org for us to check out. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-C.mp3
Category:LSD_Podcasts -- posted at: 2:33pm EDT

Episode B -- Artificial Intelligence Something pithy should probably be written here. All of us have so much on the go that we're saving our creativity for the podcast. Also, this one is pretty long. If you have thoughts or ideas, please send them to the MailBag (mailbag@liquidmatrix.org) and we'll talk about it here. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

Direct download: LSDPodcast-B.mp3
Category:LSD_Podcasts -- posted at: 3:29pm EDT

Episode A -- The Revolving Absence No James this week. Apparently, he's afraid of the Cylon^WBen invasion. Also, don't forget to throw something in the old email for us (mailbag@liquidmatrix.org), we're getting lonely - don't you still love us? DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

Direct download: LSDPodcast-A.mp3
Category:LSD_Podcasts -- posted at: 11:31am EDT

Episode 9 -- No Need For Syncizationhron So we find ourselves again again Mattless. We skipped out last week cause of bad hair, bad mojo, conflu and bad karma -- and $19.95 hotel internet (we have no budget and Canadian telco’s suck for roaming. )Also, this episode is a week late. The blame lies entirely with Ben's computer/ISP issues. Either that or Ben is a closet Cylon and doesn't want us to know. Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you! DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

Direct download: LSDPodcast-9.mp3
Category:LSD_Podcasts -- posted at: 11:23am EDT

Episode 8 -- Bikini Troubles So we find ourselves again Mattless. What is it with security professionals and Hawaii? Good stuff in here, sorry about botching last week's episode link - this one should work better, also, go back and download last weeks. Notes etc. to mailbag@liquidmatrix.org -- we love to hear from you! DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

Direct download: LSDPodcast-8.mp3
Category:LSD_Podcasts -- posted at: 4:44pm EDT

Episode 7 -- Breach Week Special! Perfectionism is the enemy of publishing on time. It's another week and we've got a solid hour of discussion about the stuff that's important in the world of infosec this week. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 4 opinionated infosec pros who have sufficient opinions of their own they don't need to speak for anyone except themselves. Ok? Good. In this episode:

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-7.mp3
Category:LSD_Podcasts -- posted at: 10:30pm EDT

Episode 6 -- Anybody Know How Google Voice Works? MAGIC! Sorry for the delay in posting folks, someone (cough, @gattaca, cough) has a crappy ISP and someone (cough, SEACREST, cough) talks quietly and has a crappy mic, there's about 7 hours of editing and tweaking on this one -- and it still sounds like crap. DISCLAIMER: It's not that explicit, but you may want to use headphones if you're at work. In this episode:

  • News
    1. BREAKING NEWS: Liquidmatrix Security Male Model on COVER of SCMag (also talks about Risk Management or something)
    2. Debit/credit card photos in tweets -- This Twitter account proves the infinite stupidity of humans (and other stupid shit ways to post pictures of your douchetacularness NSFW)
    3. Amazon talks about what went wrong in US East & Leap second makes availability pain (Check out the funny Twitter @AmazonStatus & CAP theorem)
    4. Phisher faces 50 years in the slammer
    5. Alaska Department of Health and Social Services fined for breach & Appeals court calls bank’s security “commercially unreasonable”
    6. Pornoscanners go mobile
    7. Wireless Hacking Suspected in Air Raid Siren Miscues
    8. Comodo blacklists itself (truth in Certificate Selling)
    9. Something bad happened in the iOS App Store... twice. Which (considering the relative sizes of the install base of iOS vs. well, everything) is still pretty awesome.
  • Commentary
    1. Errata
    2. Foot In The Door
      • hire the right auditors
      • use them as a tool to raise issues up to the executive
      • tell them the problem areas
      • invest time in the auditors and point them to your pain
      • feed them recommendation
      • don’t let them position compliance as security
    3. Hardcore
      • The box kicking story
      • For example -- finding a way to get the answer they don’t want to give
      • The prevarication story
      • Another opportunity to learn from auditors/old people
      • Asking questions into negative space -- to find answers you need to find the place in the middle where the facts have not coalesced.
      • Peter Falk - Just one more thing...
      • Matlock - How to get the jury to see it your way...
  • Mailbag
    1. mailbag@liquidmatrix.org

      Long time listener, first time writing in...

      I find myself compelled to write inasmuch as I found myself shouting at my iPod yesterday. I, of course, am referring to "Liquid Matrix Security Digest Podcast Episode 2" where a conversation about "What Should You Do If You Are The CISO Of A Breached Company?" occurred. Forgive me as I left the Post-It note with the timestamps of the offending speech on the mirror in my bathroom so that I may focus my Daily Rage upon it as I carefully shave "I da CISO, bitch!" into my scalp each morning.

      In essence Ben argued that the role of the CISO in the event of a password breach is to stride confidently into the CEOs office and say "I told you this was going to happen, this is not my fault, and we need to force all users to change passwords - Damn The Consequences, Man!" (While this is not a direct quote it it was I very distinctly heard...)

      While this is a nice gedankenexperiment in that it is very cool to imagine ourselves in the role of "Captain Astounding: Protector Of Users" but the reality of a breached company has certain rules..

      1) If the breached company is a startup or new venture the Senior Management regards this event as an existential crisis. Not so much to the company itself - but to their exit plan (hey, who doesn't dream of being bought by Facebook or Microsoft for a billion dollars?) or to their about-to-be-so-far-underwater-they-implode stock options. Lose track of this fact and You Are Toast.

      2) If the breached company is an older company the critical component is the quality of business leadership available. If they take counsel of their fears - see Rule 1. If they take a more mature view you can actually get effective response but know that you have almost no influence on that outcome.

      3) If you were the CISO pre-breach you have to realize your credibility and professional competence is seriously in question by *everyone*. It matters not that you wrote 523 emails protesting storage of passwords in clear text, nor that you did not get the budget to keep your IPS under maintenance, nor that $Security_Requirement was ignored. If this offends your sensibilities I would simply refer you to the Book of Hezekiah, Chapter 9, Verse 27 where it is written "Yea, and the LORD spake unto the people, and the LORD spake "Life is not fair - never said it was, never said it will be - Get Over It!" and thus the people were greatly nonplussed".

      4) If you are the successor to the CISO who ran the shop pre-breach you have to realize that nobody believes anything you say without the Incident Response Consultants agreeing with you. You have not been around long enough for anyone to trust you or to accept your influence. You will not be seen having the same "at-risk" quotient as everyone else (See Rule 1 above).

      5) Almost everyone company that experiences a major breach turns a significant portion of the response and decision making to Outside Counsel and Incident Response Consultants. There are good and bad reasons for doing this - let's just accept that it happens. Fighting these folks - especially Outside Counsel - is generally a No Win situation (See Rule 3 & 4 above).

      So what do you do?

      You do what you can. You use whatever influence you have to try to do the right thing. But realize a breach response is *not* a Security Problem it is a Business Problem and that business folks are going to be in charge. If you cannot deal with that - you might want to become a Incident Response Consultant.

      Love, Uncle @armorguy

  • In Closing
    1. Tweetup - has to be pushed, sorry folks
    2. Bsides/BlackHat/DEF CON -- all but Ben / The Intern shall be there.
    3. Also, DEF CON has been cancelled - check status here
    4. Hacker Pyramid!
    5. Also, have a look at the Declaration of Internet Freedom. We like it. You should like it too. Although Liking it on Facebook shows that you don’t understand the fucking point of the Declaration.
    6. As of recording time, tomorrow is the day when the internet shuts down -- DNSchanger DNS servers are going down. So I guess you won’t ever hear this episode.
    7. THERE IS NO SEACREST.

Creative Commons license: BY-NC-SA

Direct download: LSDPodcast-6.mp3
Category:LSD_Podcasts -- posted at: 2:06pm EDT

We've been threatening to do something interesting and cool...

We're happy to announce that we will be producing a bi-weekly video podcast edition - tightly edited to a broadcast friendly 22 minutes in length. Perfect to watch while having lunch or between an episode of M*A*S*H and Barney Miller. 

Thanks for all of your support so far and we look forward to invading your space regularly to make some friends and maybe even learn a thing or two.

((PS: Based on comments from listeners, we're going to make some changes and give you a more granular set of RSS feeds so that you can select to receive exactly the version of our show that makes you the happiest. If you're subscribed to the general feed, this is the last full video episode you'll see.))

Direct download: LSD-TVepisode-1960x540.m4v
Category:LSD_Television -- posted at: 1:45pm EDT



-->

Syndication

Categories

Archives

July 2018
S M T W T F S
     
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31