About the show

Security Conversations is a series of podcasts covering threat intelligence and the business of cybersecurity, from the lens of veteran journalist and storyteller Ryan Naraine. The Three Buddy Problem show features conversations and debates on nation-state APTs, cyberespionage, spy tradecraft, cryptocurrency theft, advancements in offensive research and targeted malware espionage activity.

Connect with Ryan on Twitter (Open DMs).

Security Conversations on social media

Episodes

  • Allison Nixon on disturbing elements in cybercriminal ecosystem

    November 1st, 2023  |  48 mins 39 secs
    lapsu$, ransomware, scattered spider, the-com

    Episode sponsors:

    Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.

  •

    Dakota Cary on China's weaponization of software vulnerabilities

    September 15th, 2023  |  55 mins 48 secs
    apts, atlantic council, china, nation-state

    Episode sponsors:

    Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline.

    In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, nation state-backed threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.

  •

    Abhishek Arya on Google's AI cybersecurity experiments

    September 12th, 2023  |  33 mins 27 secs
    google, open source software, openssf, oss-fuzz, supply chain

    Episode sponsors:

    Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.

    In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.

  •

    Dr Sergey Bratus on the 'citizen science' of hacking

    August 31st, 2023  |  40 mins 2 secs
    amp, darpa, dartmouth, parsers, pdf, safedocs

    Episode sponsors:

    Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things.

  •

    DARPA's Perri Adams on CTF hacking, new $20M AI Cyber Challenge

    August 20th, 2023  |  26 mins 47 secs
    ai cyber challenge, aixcc, darpa, def con ctf, rpisec

    Episode sponsors:

    DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code.

  •

    Ryan Hurst on tech innovation and unsolved problems in security

    August 16th, 2023  |  42 mins 24 secs
    ai, bgp, encryption, google, key management, microsoft, startups

    Episode sponsors:

    Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups.

  •

    Jason Chan on Microsoft's security problems, layoffs and startups

    August 7th, 2023  |  27 mins 7 secs
    ciso, entrepreneurship, generative ai, layoffs, microsoft, open source software, transparency, vc funding

    Episode sponsors:

    Bessemer Venture Partner's Jason Chan returns to the show for a frank discussion on the state of cyber, including thoughts on Microsoft's prominent security failures, the meaning of layoffs hitting security teams, the excitement around AI, and the long road ahead. The former Netflix security chief also talks about merging of the IT and security functions and the importance of cybersecurity proving its value to the business.

  •

    GitHub security chief Mike Hanley on secure coding, AI and SBOMs

    August 2nd, 2023  |  40 mins 29 secs
    github, open source, sbom, shift-left, supply chain

    Episode sponsors:

    GitHub security chief Mike Hanley joins the show to discuss merging the CSO and SVP/Engineering roles, securing data and code in an organization under constant attack, the thrilling promise of AI to the future of secure code, the dangers of equating SBOMs to supply chain security, and new SEC reporting rules for CISOs.

  •

    Jason Shockey, Chief Information Security Officer, Cenlar FSB

    July 26th, 2023  |  33 mins 47 secs

    Episode sponsors:

    Cenlar FSB security chief Jason Shockey joins the show to discuss the task of securing a financial institution, pivoting from a career in the military to the private sector, the current state of the job market, managing risk from APTs, and the mission of his My Cyberpath project.

  •

    Federico Kirschbaum on a life in the Argentina hacking scene

    July 19th, 2023  |  42 mins 1 sec
    argentina, core security, ekoparty, exploits, zero-day

    Episode sponsors:

    Faraday chief executive Federico 'Fede' Kirschbaum joins the show to talk about building a startup in the vulnerability management space, the intricacies of the Argentinian hacking culture, stories of exploit writers and mercenary hackers, and the overwhelming U.S.-centric view of the cybersecurity industry.

  •

    Kymberlee Price reflects on life at the MSRC, hacker/vendor engagement, bug bounties

    July 12th, 2023  |  48 mins 38 secs
    appsec, bug bounties, microsoft, msrc, pen-testing

    Episode sponsors:

    Product security executive Kymberlee Price joins the show to gab about life in the trenches at the Microsoft Security Response Center (MSRC), the challenges of maintaining healthy hacker/vendor relationships, the harsh realities of bug-bounty programs, and thoughts on the cybersecurity job market.

  •

    OpenSSF GM Omkhar Arasaratnam on open-source software security

    July 5th, 2023  |  36 mins 11 secs
    log4j, open source, supply chain

    Episode sponsors:

    New General Manager of the Open Source Security Foundation (OpenSSF) Omkhar Arasaratnam joins the podcast for a candid conversation on the challenges surrounding open-source software security, lessons from the Log4j crisis, the value of SBOMs, and the U.S. government efforts at securing America's software supply chains.