About the show
The Three Buddy Problem is a popular Security Conversations podcast that goes beyond industry talking points to discuss what others won’t -- nation-state malware, attribution, cyberwar, ethics, privacy, and the messy realities of securing computers and corporate networks.
Hosted by three veteran security pros -- journalist Ryan Naraine and malware paleontologists Costin Raiu and Juan Andres Guerrero-Saade -- the weekly show attracts a highly engaged audience of security researchers, corporate defenders, CISOs, and policymakers.
Connect with Ryan on Twitter (Open DMs).
Three Buddy Problem on social media
Episodes
-
Costin Raiu joins the XZ Utils backdoor investigation
April 5th, 2024 | 51 mins 33 secs
apt, apt29, lazarus, solarwinds, stuxnet, xz utils
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- XZ.fail backdoor detector (https://xz.fail)
Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Tia Jan' is the handiwork of a cunning nation-state.
Based on all the clues available, Costin pinpoints three main suspects -- North Korea's Lazarus, China's APT41 or Russia's APT29 -- and warns that there are more of these backdoors lurking in modern software supply chains.
-
Katie Moussouris on building a different cybersecurity businesses
January 19th, 2024 | 29 mins 50 secs
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries, proving that businesses can be profitable by putting people first. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB).
On this episode, Moussouris discusses Luta Security's new Workforce Platform profit-sharing initiative, the changing face of the job market, criticisms of the CSRB's lack of enforcement authority, and looming regulations around zero-day vulnerability data.
-
Costin Raiu: The GReAT exit interview
January 15th, 2024 | 1 hr 32 mins
apt research, nation-state, zero-day
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.
In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.
-
Danny Adamitis on an 'unkillable' router botnet used by Chinese .gov hackers
January 5th, 2024 | 34 mins 7 secs
china, danny adamitis, lumen technologies, volt typhoon
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.
Danny digs into the inner workings of the botnet, the global problem end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.
-
Allison Miller talks about CISO life, protecting identities at scale
December 21st, 2023 | 38 mins 12 secs
ciso, iam, identity, ransomware
Episode sponsors:
- Binarly, the supply chain security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.
In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.
-
Rob Ragan on the excitement of AI solving security problems
December 7th, 2023 | 51 mins 16 secs
artificial intelligence, automation, bug bounties, generative-ai, llms
Episode sponsors:
- Binarly, the firmware security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the leapfrog potential of AI models and their impact on various aspects of technology and society.
-
Seth Spergel on venture capital bets in cybersecurity
November 21st, 2023 | 28 mins 56 secs
artificial intelligence, investments, merlin ventures, venture capital
Episode sponsors:
- Binarly, the firmware security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.
-
Dan Lorenc on fixing the 'crappy' CVE ecosystem
November 14th, 2023 | 41 mins 45 secs
chainguard, cve, sboms, supply chain, venture capital
Episode sponsors:
- Binarly, the firmware security experts (https://binarly.io)
- FwHunt (https://fwhunt.run)
Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.
-
Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers
November 7th, 2023 | 31 mins 27 secs
cisco talos, nation-state apts, psoas, ransomware
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.
-
Allison Nixon on disturbing elements in cybercriminal ecosystem
November 1st, 2023 | 48 mins 39 secs
lapsu$, ransomware, scattered spider, the-com
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.
-
Dakota Cary on China's weaponization of software vulnerabilities
September 15th, 2023 | 55 mins 48 secs
apts, atlantic council, china, nation-state
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline.
In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, nation state-backed threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.
-
Abhishek Arya on Google's AI cybersecurity experiments
September 12th, 2023 | 33 mins 27 secs
google, open source software, openssf, oss-fuzz, supply chain
Episode sponsors:
- Binarly (https://binarly.io)
- FwHunt (https://fwhunt.run)
Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.
In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.