The Security Ledger Podcasts show


Summary: Named one of the world's top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must listen if "cyber" is your thing!

  • Artist: The Security Ledger
  • Copyright: Copyright © Box Jump LLC, 2019. All Rights Reserved. No part of this may be reproduced without Box Jump LLC's express consent. Backlinks are allowed.

Podcasts:

 Spotlight Podcast: Managing the Digital Risk in your Digital Transformation | File Type: audio/mpeg | Duration: 32:29

Companies are pursuing digital transformation at all costs. But do they really understand the risks lurking in their digital transformation strategies? In this Spotlight Podcast, sponsored by RSA,* we’re joined by RSA Portfolio Strategist Steve Schlarman for a discussion of managing the risks in digital transformation.

Scan through the pages of your favorite business publication or consultant’s report and the term “digital transformation” is likely to jump out at you. A broad term, digital transformation can mean the adoption of nearly any technology advancement: artificial intelligence, cloud-based computing and microservices, DevOps methodologies for delivering new applications and features, the application of machine learning, the use of automation and robotics…you name it. The focus of digital transformation narratives is almost always on the benefits of the transformation, measured in profits, productivity, market share – disrupting old and inefficient ways of doing business. But what about the risks that digital transformation strategies and technologies bring with them? A recent survey by Deloitte found that while organizations are prioritizing digital transformation initiatives, only 14 percent of cyber budgets are allocated to securing transformation efforts.

Our guest this week is here to sound the alarm about the digital risk inherent in digital transformation. Steve Schlarman is a portfolio manager at RSA. He was also my guest at a special webinar, “Mastering Digital Risk: Taking on Digital Transformation.” In this conversation, Steve says that innovation opens new doors for organizations but that legacy security and risk management functions are not keeping pace with those changes.

Re-Thinking Cyber Risk

In this conversation, Steve and I talk about how digital transformation is changing the nature of cyber risk management from trying to prevent discrete events – like a data breach – to more business-focused goals. The question now is how to both leverage digital transformation and keep data and assets secure, while protecting the organization’s reputation. We also take some time to respond to questions from the webinar. As always,

 Episode 145: Veracode CTO Chris Wysopal and Life After Passwords with Plurilock | File Type: audio/mpeg | Duration: 38:23

In this week’s episode, #145, Veracode CTO Chris Wysopal joins us to talk about the early days of the information security industry with L0pht and securing software supply chains. Also: we continue our series on life after the password by speaking to Ian Paterson, the CEO of behavioral authentication vendor Plurilock.

Chris Wysopal (aka Weld Pond) is one of the most recognized and recognizable figures and voices in the information security space. As the co-founder of the seminal Boston hacking collective L0pht Heavy Industries, Wysopal was one of seven members of the L0pht who testified before the U.S. Senate’s Governmental Affairs Committee in 1998. More than two decades later, as co-founder and Chief Technology Officer at Veracode, he is a successful technology entrepreneur and one of the clearest voices calling for more attention to secure design and coding as a solution for endemic online problems like hacking and data theft.

In this interview, recorded on the floor of the RSA Conference in San Francisco in March, I had the opportunity to talk to Chris about his early days at L0pht and the information security industry, discovering the first stack overflow in Internet Explorer and the modern challenges of securing software supply chains.

The Persistence of Passwords

When the virtualization software firm Citrix said in March that it was the victim of a months-long cyber espionage campaign, law enforcement attention focused on a so-called “password spraying” attack as the likely culprit. The low-tech hack simply requires criminals to attempt to remotely access Citrix accounts using known usernames in combination with weak passwords. Attacks like that are common – just one more proof point that single-factor authentication, though vulnerable, remains incredibly common.

In our second segment, we sit down with someone who wants to change that. Ian Paterson is the CEO of the firm Plurilock – which is one of a slew of next-generation behavioral authentication firms to crop up in recent years. In this conversation, Paterson and I talk about why organizations cling to passwords and what – if anything – will replace them. He says that the writing is already on the wall for traditional passwords, as password managers are fast turning even alphanumeric passwords from something you know and can remember into something you have.

 Episode 144: Infosec Supporting Right to Repair with Joe Grand and Kyle Wiens | File Type: audio/mpeg | Duration: 35:12

In this week’s podcast, Joe Grand of Grand Idea Studio and Kyle Wiens of iFixit join me to talk about the launch of securepairs.org and fighting cybersecurity FUD in the right to repair.

In this week’s episode, #144: lawmakers in 20 states this year are considering right to repair laws that would guarantee the owners of everything from smart phones and watches to tablet computers and tractors access to the service manuals, diagnostic software and replacement parts needed to service and maintain their stuff. There’s a very real chance that all 20 will be defeated – not with legislators voting them down in open session, but quietly, in committee hearings and closed leadership pow-wows where decisions to bring legislation to a vote are made. This after 17 nearly identical laws were killed off at the state level last year.

What’s going on? A concerted lobbying effort by major technology, heavy equipment, telecommunications and electronics firms, that’s what. While right to repair is pro-consumer, pro-competition legislation that is widely supported by the public, in the hallways of power in Washington DC and state capitols it faces a withering headwind in the form of lobbyists and strategic PR firms intent on scaring lawmakers away from granting consumers the right to fix their digital stuff. One of their go-to arguments is cyber security. Using targeted “issue” groups like the Security Innovation Center, these firms and industry groups convey dire warnings about hackers, cyber criminals and other ne’er-do-wells stealing consumers’ data or hacking into phones and other devices under the guise of “repair.” Are these arguments accurate? No. But they’re often enough to scare lawmakers off of right to repair, no matter how strong the economic and consumer rights arguments may be. What is needed is for the information security community to speak up – and loudly.

That’s why this week I helped to launch a new group, securepairs.org, with the mission of connecting cyber security experts with lawmakers and legislative staff who need accurate information about the security risks of connected devices and the security benefits of things like documentation, access to diagnostic tools, replacement parts and software. Joining me in this effort are some of the world’s top experts in cyber security: author and cryptographer Bruce Schneier of IBM and Harvard University; Jon Callas, a founder of PGP and now a technologist at the ACLU; Chris Wysopal, the CTO at Veracode; bug bounty pioneer Katie Moussouris; and our guests this week: hardware hacker Joe Grand of Grand Idea Studio and the inimitable Kyle Wiens of the repair site iFixit. Together, we talk about securepairs and its purpose – and how cyber security FUD is being used to derail right to repair laws. I also ask Kyle and Joe to de-FUDify industry arguments against right to repair.

 Podcast Episode 143: Tufin’s IPO with CEO Ruvi Kitov and Capsule8 on securing Linux at Scale | File Type: audio/mpeg | Duration: 38:01

Tufin (TUFN) became the latest cyber security firm to have an initial public offering. In our first segment, we speak to its co-founder and CEO Reuven Kitov. Also: as more and more applications and workloads shift to the cloud, securing high-performance Linux environments has become a priority. In our second segment, we speak with Kelly Shortridge of the firm Capsule8, a firm that is offering attack protection for production Linux environments.

The massive IPO of ride-hailing firm Lyft on March 28th got loads of media attention as the first “gig economy” IPO. But that company’s rapidly slumping stock price has thrown water on early investors and the prospects for other gig economy offerings like competitor Uber. But what about the other big trend in IPOs – let’s call it the “cyber economy?” Indeed, as information security concerns continue to be top-of-mind across industries, more and more cyber security firms are finding their way to the public markets. Zscaler, the web security firm, was ranked the top technology IPO of 2018.

Forget the Gig Economy. What about the Cyber Economy?

The latest example, just days after Lyft’s IPO, was Tufin, a 15-year-old Israeli firm that began its life as a tool for managing firewalls but has evolved into a powerful security policy management and IT orchestration and automation platform.

In our first segment in this week’s podcast, we speak with Reuven (Ruvi) Kitov, the CEO and co-founder of Tufin, about the origin of his company and its journey from a bootstrapped startup selling a simple reporting tool to a publicly traded company. Ruvi says that Tufin’s journey hasn’t always been easy, and included a round of lay-offs in 2015. But the company survived and – eventually – thrived by taking very little outside money and by paying close attention to the needs of its customers.

In this conversation, Ruvi and I talk about Tufin’s big breakthrough: a vision for its technology that reached beyond just selling security and into the much bigger space of IT automation. Ruvi said the “aha” moment came after seeing how one customer who deployed all three of the company’s products had been able to knit them together into a powerful network change automation tool. “We started thinking: how far can this get? Where will this be in 5 years,” Ruvi told me. “And what we decided was that it will be zero touch automation. People will want to request a change and for the network to just re...

 Podcast Episode 142: On Supply Chains Diamond-based Identities are forever | File Type: audio/mpeg | Duration: 31:21

In this week’s episode, #142: we continue our series on Life after Passwords: the Future of Online Identity as we are joined by Ophir Gaathon, the CEO of the firm Dust Identity.

When the news outlet Bloomberg reported late last year that Super Micro, a US-based maker of server motherboards, had been the victim of a hack, it sent both the technology and national security sectors into a frenzy. The alleged attack snuck a surreptitious monitoring chip onto Super Micro motherboards used by the likes of Amazon and Apple and sent Super Micro’s stock tumbling. The facts of the Bloomberg story were strenuously denied by both the company and its customers, including Amazon and Apple Computer, not to mention the US DHS and the UK’s GCHQ. In the intervening months, Bloomberg’s reporters and editors have stuck by their reporting and the issue has largely faded from the headlines. Super Micro’s stock, after falling sharply, has recovered nicely.

So did the Super Micro hack happen or not? True fiction? The answer may be irrelevant. That’s because while the specific hack Bloomberg described may or may not have happened in the way it was described, the potential for such a supply chain compromise clearly exists. Malicious or compromised hardware components, integrated into sensitive equipment, have long been the domain of ultra-sophisticated nation-state intelligence operations. But these days, the culprits could include cyber criminal groups, disgruntled employees or competitors. Alas, our ability to monitor and secure complex supply chains lags – mostly because it is difficult to establish and track identities across such a vast population of components.

Our guest this week thinks he has a solution to that problem. Ophir Gaathon is the CEO of Dust Identity, a startup that emerged from the Department of Defense’s DARPA program with a way to use diamond dust to create immutable identities for a wide range of commercial and industrial applications. Establishing a strong, trusted physical identity is the critical element that underlies a wide range of modern problems related to identity and security. Dust Identity emerged from stealth mode in November with a $2.3 million investment led by Kleiner Perkins. In this conversation, I start by asking Ophir to describe the origins of Dust Identity and where he got the idea to use diamond dust to create a strong identity. As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You

 Spotlight Podcast: Fixing Supply Chain Hacks with Strong Device Identities | File Type: audio/mpeg | Duration: 31:15

Supply chain hacks like ME Docs and ASUS aren’t inevitable. In this Spotlight Podcast, sponsored by Trusted Computing Group, I speak with Dennis Mattoon, a Principal Researcher at Microsoft Research and the Chairman of the Trusted Computing Group’s DICE Architectures Working Group,* about how strong device identities for IoT endpoints can stop supply chain compromises.

Software supply chain hacks are a growing problem. In just the latest example, it was reported earlier this month by Motherboard and Kaspersky Lab that hackers compromised a server of computer manufacturer ASUS’s live software update tool and used it to install a malicious backdoor on thousands of computers. The attackers distributed a malicious file that masqueraded as an authentic software update, signed with legitimate ASUS digital certificates. According to the reports, ASUS unwittingly pushed out the backdoor to customers for at least five months before its discovery last year.

A worrying trend

Supply chain attacks aren’t new. But they’re a worrying trend that appears to be gathering steam. Other examples include the outbreak of the NotPetya wiper malware in 2017, which initially spread as a signed update from the Ukrainian finance software ME Docs. As the Internet of Things takes shape and more Internet-connected devices require remote software updates, it is a safe bet that cyber criminals and nation-state actors will increasingly look to leverage software updates as a means to gain control over connected endpoints and targeted networks.

But our guest this week, Dennis Mattoon of Microsoft Research, says that supply chain attacks only work because current approaches to verifying firmware updates rely entirely on cryptographic signatures on the file, without verifying the content of the update itself. Essentially, if the signature checks out, the update is “good to go,” Mattoon notes. That signature _is_ the identity of the file, regardless of what the file contains. So, hackers who can compromise the update server and its signing keys can push out whatever they like.

Mattoon says there is a better way to do this. He is one of the engineers working on the Device Identifier Composition Engine – or DICE – a new architecture for the Internet of Things promoted by the Trusted Computing Group. Using commodity hardware suitable for low-cost, low-power endpoints, DICE creates cryptographically strong device identities. Those can be the foundation for attestation for software updates, patches and so on. With devices that use a DICE architecture, a signed-but-malicious software update would not be installed. That’s because a wide range of measurements from the system generating the update would be used to create the cryptographic signature that attests to its authenticity. That sounds good – but how do we get IoT device makers to start implementing the DICE architecture? In this interview with Security Ledger, Dennis and I talk in detail about DICE and how it is different from the TCG’s other major technology, the Trusted Platform Module.

 Podcast Episode 141: Massive Data Breaches Just Keep Happening. We Talk about Why. | File Type: audio/mpeg | Duration: 26:19

Despite countless Congressional hearings, 48 state data privacy laws and GDPR, mega breaches like the discovery of data on 500 million Facebook users just keep happening. Why? In this episode of the podcast, Paul is joined by experts from the firms BitSight and BigID to discuss why we can’t seem to stop the breaches.

“Never again” is a common refrain you hear uttered after tragedies like wars, financial scandals, famine or other man-made disasters. Alas: you don’t hear the phrase often after a data breach. That’s for good reason. As terrible and eye-popping as they may be, massive data breaches JUST. KEEP. HAPPENING, with a regularity and severity that are numbing.

Last week was a good example of what has become the new normal. In the space of a few days, the firm UpGuard Security disclosed the discovery of data on more than half a billion Facebook users that had been abandoned on Amazon’s S3 cloud-based storage service. Around the same time, there was news of 300,000 more records from Voter Voice, a grassroots advocacy group, left exposed on a misconfigured server. Also: FEMA, the federal emergency management agency, leaked data on 2.5 million disaster victims.

Despite countless congressional hearings and data security and privacy laws in 48 states, and the advent of GDPR, data breaches show no signs of fading into memory like smallpox or polio. Why? To find out, we invited two experts into the SL studio this week: Jacob Olcott is the Vice President of Communications and Government Affairs at BitSight, a firm that tracks third party cyber risk. Also joining us on this podcast is Dimitri Sirota, the CEO of the firm BigID, which does data governance for sensitive data.

To hear Jake and Dimitri tell it, the key to understanding why data breaches continue to happen is understanding the underlying causes of such breaches, including the difficulty organizations have understanding what sensitive data they own and how it is used. Data is the new oil, as the saying goes. But that metaphor may be more fitting than we know!

Gushers of Data

One major cause of breaches is simply a lack of sophistication among corporations and other organizations. Sirota notes that data is often described as “the new oil,” but there may be more to that metaphor than meets the eye. Data is an exploitable resource, yes. But like oil, it’s easy for data to leak and seep from one container to another. When it leaks, it can cause a big mess that’s difficult to clean up. And, increasingly, companies are having difficulty tracking those movements and keep...

 Podcast Episode 140: passwords are dying. What will replace them? | File Type: audio/mpeg | Duration: 34:53

Alpha-numeric passwords have been with us almost since the dawn of the computing age. But our guest this week, Phil Dunkelberger, the CEO of Nok Nok Labs, says they’ve overstayed their welcome, and that the next few years may see them disappear altogether. We talk about what will replace them and how.

The birth of the computer password is generally traced back to the Massachusetts Institute of Technology (MIT) in the mid 1960s, when the university developed the Compatible Time Sharing System (CTSS) for managing access to a shared computer cluster at the university. Half a century later, the password has long since outlived its usefulness. Its imminent demise has been just around the corner for years – decades – now. So long, in fact, that our guest on this week’s podcast, Phil Dunkelberger, says he has stopped prognosticating.

Still, events have conspired to accelerate the shift away from passwords. Chief among them: a string of mega data breaches stretching back years. The sum of those can be found in online forums with names like Collection 1: huge agglomerations of stolen credentials that can be used for so-called credential stuffing attacks against popular online services or a range of other targets. (Check out Podcast Episode #130 with Troy Hunt, where we talk about Collection 1.)

Nok Nok Labs is a pioneer in driving the adoption of password-less next generation authentication that includes biometric, token or wearable-based authentication of devices and users. The company’s technology works on mobile, PC & IoT platforms, delivering strong, multi-factor authentication.

Phil has a long history in the authentication and data security space. He served for 8 years as co-founder and CEO of PGP Corporation until it was acquired by Symantec in 2010. Phil served as Entrepreneur-in-Residence at Doll Capital Management (DCM), served as President and CEO of Embark, and COO of Vantive Corporation. He has held senior management positions with Symantec, Apple Computer and Xerox Corporation.

To start out, I asked Phil about the movement towards password-less security including FIDO, or Fast Identity Online, a protocol that Nok Nok helped develop and launch. Phil says that we stand on the cusp of major changes. Among them: the W3C will require FIDO support for all W3C certified browsers. Phil says that FIDO support will help to move users away from passwords and toward more secure login methods like biometrics of various sorts, smart phones and USB tokens. PayPal already uses FIDO, as does the Alibaba AliPay system. As always,

 Podcast Episode 139: the State(s) of Right to Repair and API Insecurity on GitHub | File Type: audio/mpeg | Duration: 39:09

In this week’s episode, number 139: California became the latest state to bring forward right to repair legislation. We speak with Kyle Wiens (@kwiens) of iFixit about the state of right to repair legislation in the states. Also: researchers at North Carolina State University are sounding the alarm about leaked API and crypto keys on platforms like GitHub. In our second segment we talk with Dmitry Sotnikov of the firm 42Crunch, host of APISecurity.io, about the lurking threat of API insecurity. As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more.

 Podcast Episode 138: Hacker President? Joseph Menn of Reuters talks Beto and Cult of the Dead Cow | File Type: audio/mpeg | Duration: 29:04

In this exclusive interview with the Security Ledger podcast, Reuters investigative technology journalist Joseph Menn talks about his upcoming book on the iconic hacking group Cult of the Dead Cow and his discovery that U.S. presidential candidate Beto O’Rourke of Texas was an early member.

Presidents have followed many different paths to office. Sure, there have been countless lawyers and generals, there have been engineers like Herbert Hoover, a Hollywood actor (Ronald Reagan) and even a haberdasher (Harry Truman). Lately, if you haven’t noticed, a real estate developer is occupying the Oval Office. But, to date, we haven’t had a hacker as president. That may soon change.

In a blockbuster story released last week, Reuters reporter Joseph Menn let drop that one of the leading contenders in the crowded field of Democratic Party candidates for the Presidency, Beto O’Rourke, was a member of the iconic hacking group The Cult of the Dead Cow (or “CDC”) as a teenager growing up in El Paso, Texas. Menn’s revelation is startling, if for no other reason than that it builds a bridge nobody thought could be built between the anarchic hacker and BBS online subculture of the 1980s and 1990s and button-down Washington D.C., where O’Rourke served Texas’s 16th congressional district as a member of the House of Representatives.

But to hear Joseph Menn tell it, Beto’s membership in Cult of the Dead Cow may not be that surprising, if you’ve been paying attention. Everything from O’Rourke’s positions on key policy issues to his uncanny knack for garnering media attention and an online following might be seen as the products of his formative years as a CDC member – where he contributed as a writer, organizer and system administrator for a bulletin board system (or BBS), an early online forum.

A published author and one of the most respected technology journalists in the business, Menn got the O’Rourke scoop as part of extensive research on CDC for a forthcoming book, Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World, due out on June 4. In this exclusive interview, I talk with Joe about how he first got wind of a CDC member walking the halls of Congress, how he figured out that Beto was that guy and why CDC might just be great preparation for Leader of the Free World. Joseph and I also talk in depth about his new book, which charts the growth and evolution of Cult of the Dead Cow from a group of misfit teenagers and repository for fiction, poetry and angst to one of the foremost hacker colle...

 Spotlight: CTIA’s IoT Cybersecurity Certification is a Big Deal. Here’s why. | File Type: audio/mpeg | Duration: 20:09

Forget about Congress’s latest attempt to regulate IoT security. CTIA’s new certification is the toothiest standard going. In this Spotlight Podcast, we talk with Sameer Dixit of Spirent* on the sidelines of RSA about why.

The U.S. House of Representatives and the Senate both introduced new legislation this week to secure the burgeoning Internet of Things. Versions of the Internet of Things Cybersecurity Improvement Act would require connected devices for purchase by the U.S. Federal Government to meet strict information security standards. The proposed legislation is just the latest effort by lawmakers in Washington D.C. to rein in insecure IoT endpoints. While it doesn’t set a federal standard for private sector firms, it does look to use the Federal Government’s purchasing power as a lever to force changes on the private sector.

A New Standard…with Some Teeth

The fate of the legislation is uncertain. But while those bills work their way through Congress, a much more consequential standard is already taking root: this one backed by CTIA, the trade group that represents major telecommunications and Internet providers. Introduced in August 2018, the CTIA Cybersecurity Certification Program for Cellular Connected Internet of Things devices is being promoted as a way to protect consumers and the nation’s wireless infrastructure from harm caused by insecure IoT endpoints. But what does the standard entail and how are products evaluated? To find out, we sat down with Sameer Dixit, the Senior Director of Security Consulting at Spirent Communications. Spirent is one of just 5 CTIA authorized test labs operating around the world. Working together, the five labs helped develop the cybersecurity standard, which is intended to set minimum standards for IoT devices that use cellular networks.

“We’re seeing a lot of demand for IoT security by the service providers across the globe, whether it’s APAC or the US or the UK,” Dixit told me. The new standards set a consistent measure across all the IoT testing labs.

Setting a Bar on IoT Cyber Security

Dixit tells me that the standards include basic features like password management features, a strong authentication scheme in place and provisions for patching and updating the device’s software (or “firmware”). He said that most connected device makers are chiefly concerned with the cost and complexity of standards. Spirent and other labs worked to make the standards eas...

 Podcast Episode 137 Sponsored by Code42: GirlScouts to the Rescue and Rethinking Enterprise DLP | File Type: audio/mpeg | Duration: 44:13

In this week’s episode (#137): Hewlett Packard Enterprise (HPE) Chief Information Security Officer Elizabeth Joyce joins us to talk about HPE’s collaboration with Girl Scouts of the USA* to bolster teenagers’ cyber security chops and encourage more young women to explore cyber security as a profession. Also: we talk with Vijay Ramanathan of Code42** about the evolving need for DLP.

This week’s episode of the podcast is sponsored by Code42. Tune in to our second segment for a conversation with Senior Vice President Vijay Ramanathan taped on the sidelines of the RSA Security Conference. Vijay and I talk about the need for a new generation of data leak prevention tools to protect de-perimeterized networks and hybrid cloud environments from advanced and insider threats.

Girl Scouts to the Rescue on Cyber Talent Shortage

But first, if there was one theme that dominated the discussion at this year’s RSA Security Conference in San Francisco, it was the shortage of cyber security professionals across industries. That and the burden on those few professionals who are in the field, who struggle with burnout and stress. At the end of the day, cool security tools and services are great. But without any boots on the ground to run the tools or manage the services, they’re not much good, are they?

RSA showed the cyber security industry wrestling with this intractable problem. There were many responses to this: companies were talking increasingly of managed security offerings. Artificial intelligence and machine learning were promoted as a way to do more – or at least to do no less – with fewer people. But pretty much everyone agrees that the “big fix” for the cyber security skills shortage is to produce more information security professionals. Where will those people come from? Well, our first guest this week would argue that you may now find them going door to door in your neighborhood selling cookies.

Elizabeth Joyce is the Chief Information Security Officer of the firm Hewlett Packard Enterprise. She joined me in the Security Ledger Studios to talk about a program that HPE launched with Girl Scouts Nation’s Capital to empower young girls with crucial cybersecurity skills and knowledge. Scouts participating can earn a cybersecurity patch as part of the program. The collaboration is part of the Girl Scouts’ push to reduce the gender gap in technology by bringing 2.5 million girls into the STEM pipeline by 2025. The cybersecurity industry is a particularly egregious ex...

 Podcast Episode 136: The Geopolitics of Cyber Attacks with LookingGlass and Bruce Schneier on Public Interest Cyber | File Type: audio/mpeg | Duration: 42:29

How will the collapse of the North Korean summit affect that country’s malicious activity online? LookingGlass* joins us to discuss. Also: how to attract more technologists to public interest work. Note: this week’s podcast episode (#136) is sponsored by the firm LookingGlass Cyber Solutions. President Trump has been courting North Korea, while punishing Iran. In our second segment, we talk with Olga Polishchuk of the firm LookingGlass Cyber Solutions about how geopolitical tensions influence cyber activity online. But first: the information security industry is bigger and more diverse than ever. This week, it will converge on San Francisco for the 28th annual RSA Conference. The annual event, which started as a small, clubby gathering of cryptographers, now draws upwards of 40,000 people to downtown San Francisco. As always, this year there’s plenty of business to be done and deals to be struck at RSA, on and off the show floor. But cyber security is about more than startups, VC rounds and IPOs. Information security, data security and individual privacy are areas of intense interest, and from more than just investors. Lawmakers, civil liberties experts, human rights and non-governmental groups all have a role to play in protecting online privacy and individual rights in the 21st century.

Bridging the gap

But convincing sought-after professionals to pass on a hot startup to do low paying work in the public interest is harder than it sounds. This year, show organizers at RSA have given over an entire track to explore that problem. The Thursday session, dubbed “Bridging the Gap: Cybersecurity + Public Interest Tech”, will bring together experts from firms like Mozilla, Electronic Frontier Foundation, the Ford Foundation and Harvard University’s Kennedy School of Government to talk about the need for information security pros to work within government, NGOs and civil liberties groups. In our first session this week, I’m joined by two of the organizers of that event: Bruce Schneier is a fellow and Lecturer at Harvard’s Kennedy School and Michael Brennan is a program officer on the Technology and Society team. To start off, I asked them to talk about how the idea came about to focus on the need for public interest technologists in the cyber security industry.

Bruce Schneier is a fellow at the Berkman Center for Internet and Society at Harvard University and a fellow at the Belfer Center at Harvard’s Kennedy School of Government. Michael Brennan is a program officer on the Technology and Society team.

The Cyber Consequences of “America First”

President Trump’s summit in Vietnam with North Korean leader Kim Jong Un went bust. But will the breakdown in talks reignite North Korean hacking activity against US targets?

 Spotlight: Synopsys on democratizing Secure Software Development | File Type: audio/mpeg | Duration: 29:06

In this Spotlight Podcast, sponsored by Synopsys*, Ravi Iyer, the Head of Product Management, talks to us about the “democratization” of software development, as more and more companies become software publishers. Ravi and I talk about Polaris, a new software integrity platform that integrates a wide range of software testing and analysis tools into a common platform. Thirty years ago, software engineering was limited to a few corporations. Companies like IBM, Microsoft, Apple, DEC or Oracle wrote software. Other companies made “stuff.” But it’s a truism these days that nearly every company is a software company. Whether your company makes jet engines, or automobiles or kitchen appliances or even watches and sneakers, the chances are that what you make is running software in some form. Increasingly, your “stuff” is also connected to the Internet, as well. All that software offers tremendous new opportunities for organizations. But it also harbors risk in the form of software vulnerabilities – some of them exploitable in ways that pose a risk to the integrity of applications, data, IT environments and even physical safety. Software development has become a core competency of modern organizations, and so has software security and secure software development.

Ravi Iyer, Head of Product Management, Security Products at Synopsys.

That’s where our guest this week comes in. Ravi Iyer is the senior director of product management at Synopsys and part of the software integrity group there, which is dedicated to helping companies build secure software and to do it in keeping with modern, agile DEV-OPS environments. The challenge, Ravi tells me, is that software development is a complex and multi-faceted process – and is only becoming more so. Modern development spans software design and development, quality assurance and testing, deployment and management. Increasingly, software integrity issues go all the way up to the C-Suite as executives consider how software based risks might affect their overall organizational risk. In this conversation, Ravi and I talk about a new platform that Synopsys introduced this week. Dubbed Polaris, it is a software integrity platform that integrates a wide range of software testing tools for static and dynamic testing, software composition analysis, interactive security testing and more into a common platform. In this conversation, Ravi and I also discuss the changing dynamics of development organizations. This includes what Ravi calls the democratization of security. “It used to be that security was managed by a single organization that was the gatekeeper. That has proven to not be very effective.” Now, he says, security is the responsibility of an entire organization. That, in turn, requires more and more different types of roles in the software development process. Ironically, one of the areas of greatest needs in an organization is ...

 Podcast Episode 135: The Future of Passwords with Google Account Security Chief Guemmy Kim | File Type: audio/mpeg | Duration: 37:59

In this week’s episode (#135): we continue our series on the future of passwords as we are joined by Guemmy Kim, a group product manager at Google in charge of that company’s account security initiatives. Guemmy and I talk about Google’s fast evolving security program to protect user passwords and data. It goes without saying that Google is one of the Internet’s largest identity providers, alongside firms like Microsoft and Facebook. With billions of users of Google products like YouTube, Gmail and the G Suite productivity applications, Google has its hands full protecting both high profile users and billions of ordinary Internet denizens.

Phish talk

In this conversation, Guemmy and I talk about one of the biggest threats to the security of online accounts: spear phishing and targeted account hacking. She gives us some insight into the trends Google is seeing as hackers look to circumvent account protections to gain control over victim identities and data.

Securing the 1% and the 99%

Guemmy Kim is a Group Product Manager at Google.

Guemmy and I also talk about Google’s Advanced Account Protection program, which offers high risk users like politicians, human rights workers and journalists extra protections for their accounts. With fewer than 10% of Google users taking advantage of multi-factor authentication, I also ask Guemmy, among other things, whether we’ll ever see the end of the password and, if so, what that future will look like. A note: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
