Episode Archive

143 episodes of Security Conversations since the first episode, which aired on December 6th, 2017.

  • Ep2: A deep-dive on disrupting and exposing nation-state malware ops

    June 29th, 2024  |  1 hr 8 mins
    apt, google, microsoft, nation-state, polyfill, russia, teamviewer

    The 'Three Buddy Problem' Podcast Episode 2: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade go all-in on the discussion around Google Project Zero disrupting counter-terrorism malware operations. A deep dive on disruption vs exposure, the effects of US government sanctions on private mercenary hacking companies, hypocricy and the tricky relationship between malware researchers are the intelligence community, and the lack of 'success stories' from so-called benevolent malware.

    We also discuss the implications of the TeamViewer breach by a skilled Russian APT, new Microsoft notifications to Midnight Blizzard victims and share thoughts on the Polyfill.io supply chain compromise.

  •

    Ep1: The Microsoft Recall debacle, Brad Smith and the CSRB, Apple Private Cloud Compute

    June 22nd, 2024  |  46 mins 55 secs
    ai, apple, csrb, microsoft

    Welcome to Episode 1 of a brand new cybersecurity podcast discussing the biggest news stories of the week. Ryan Naraine hosts a fast-moving conversation with Juan Andres Guerrero-Saade (LABScon) and Costin Raiu (Art of Noh) on the Microsoft Recall debacle, the dark patterns emerging as big-tech embraces AI, Brad Smith's testimony and the lingering effects of the CSRB report, Apple's new Private Cloud Compute (PCC) infrastructure and Cupertino's long game. Oh, we also discuss the KL ban.

  •

    Cris Neckar on the early days of securing Chrome, chasing browser exploits

    April 11th, 2024  |  54 mins 36 secs
    chrome, investments, pwn2own, supply chain, venture capital

    Episode sponsors:

    Cris Neckar is a veteran security researcher now working as a partner at Two Bear Capital. In this episode, he reminisces on the early days of hacking at Neohapsis, his time on the Google Chrome security team, shenanigans at Pwn2Own/Pwnium and the cat-and-mouse battle for browser exploit chains. We also discuss the zero-day exploit marketplace, the hype and promise of AI, and his mission to help highly technical founders bring products to market.

  •

    Costin Raiu joins the XZ Utils backdoor investigation

    April 5th, 2024  |  51 mins 33 secs
    apt, apt29, lazarus, solarwinds, stuxnet, xz utils

    Episode sponsors:

    Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Tia Jan' is the handiwork of a cunning nation-state.

    Based on all the clues available, Costin pinpoints three main suspects -- North Korea's Lazarus, China's APT41 or Russia's APT29 -- and warns that there are more of these backdoors lurking in modern software supply chains.

  •

    Katie Moussouris on building a different cybersecurity businesses

    January 19th, 2024  |  29 mins 50 secs

    Episode sponsors:

    Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries, proving that businesses can be profitable by putting people first. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB).

    On this episode, Moussouris discusses Luta Security's new Workforce Platform profit-sharing initiative, the changing face of the job market, criticisms of the CSRB's lack of enforcement authority, and looming regulations around zero-day vulnerability data.

  •

    Costin Raiu: The GReAT exit interview

    January 15th, 2024  |  1 hr 32 mins
    apt research, nation-state, zero-day

    Episode sponsors:

    Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.

    In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.

  •

    Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers

    January 5th, 2024  |  34 mins 7 secs
    china, danny adamitis, lumen technologies, volt typhoon

    Episode sponsors:

    Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.

    Danny digs into the inner workings of the botnet, the global problem end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.

  •

    Allison Miller talks about CISO life, protecting identities at scale

    December 21st, 2023  |  38 mins 12 secs
    ciso, iam, identity, ransomware

    Episode sponsors:

    Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.

    In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.

  • Rob Ragan on the excitement of AI solving security problems

    December 7th, 2023  |  51 mins 16 secs
    artificial intelligence, automation, bug bounties, generative-ai, llms

    Episode sponsors:

    Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the leapfrog potential of AI models and their impact on various aspects of technology and society.

  •

    Seth Spergel on venture capital bets in cybersecurity

    November 21st, 2023  |  28 mins 56 secs
    artificial intelligence, investments, merlin ventures, venture capital

    Episode sponsors:

    Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.

  •

    Dan Lorenc on fixing the 'crappy' CVE ecosystem

    November 14th, 2023  |  41 mins 45 secs
    chainguard, cve, sboms, supply chain, venture capital

    Episode sponsors:

    Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.

  •

    Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers

    November 7th, 2023  |  31 mins 27 secs
    cisco talos, nation-state apts, psoas, ransomware

    Episode sponsors:

    Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.