Episode Archive

138 episodes of Security Conversations since the first episode, which aired on December 6th, 2017.

  • Costin Raiu: The GReAT exit interview

    January 15th, 2024  |  1 hr 32 mins
    apt research, nation-state, zero-day

    Episode sponsors:

    Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.

    In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.

  • Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers

    January 5th, 2024  |  34 mins 7 secs
    china, danny adamitis, lumen technologies, volt typhoon

    Episode sponsors:

    Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.

    Danny digs into the inner workings of the botnet, the global problem end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.

  • Allison Miller talks about CISO life, protecting identities at scale

    December 21st, 2023  |  38 mins 12 secs
    ciso, iam, identity, ransomware

    Episode sponsors:

    Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.

    In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.

  • Rob Ragan on the excitement of AI solving security problems

    December 7th, 2023  |  51 mins 16 secs
    artificial intelligence, automation, bug bounties, generative-ai, llms

    Episode sponsors:

    Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the leapfrog potential of AI models and their impact on various aspects of technology and society.

  • Seth Spergel on venture capital bets in cybersecurity

    November 21st, 2023  |  28 mins 56 secs
    artificial intelligence, investments, merlin ventures, venture capital

    Episode sponsors:

    Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.

  • Dan Lorenc on fixing the 'crappy' CVE ecosystem

    November 14th, 2023  |  41 mins 45 secs
    chainguard, cve, sboms, supply chain, venture capital

    Episode sponsors:

    Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.

  • Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers

    November 7th, 2023  |  31 mins 27 secs
    cisco talos, nation-state apts, psoas, ransomware

    Episode sponsors:

    Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.

  • Allison Nixon on disturbing elements in cybercriminal ecosystem

    November 1st, 2023  |  48 mins 39 secs
    lapsu$, ransomware, scattered spider, the-com

    Episode sponsors:

    Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.

  • Dakota Cary on China's weaponization of software vulnerabilities

    September 15th, 2023  |  55 mins 48 secs
    apts, atlantic council, china, nation-state

    Episode sponsors:

    Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline.

    In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, nation state-backed threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.

  • Abhishek Arya on Google's AI cybersecurity experiments

    September 12th, 2023  |  33 mins 27 secs
    google, open source software, openssf, oss-fuzz, supply chain

    Episode sponsors:

    Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.

    In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.

  • Dr Sergey Bratus on the 'citizen science' of hacking

    August 31st, 2023  |  40 mins 2 secs
    amp, darpa, dartmouth, parsers, pdf, safedocs

    Episode sponsors:

    Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things.

  • DARPA's Perri Adams on CTF hacking, new $20M AI Cyber Challenge

    August 20th, 2023  |  26 mins 47 secs
    ai cyber challenge, aixcc, darpa, def con ctf, rpisec

    Episode sponsors:

    DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code.