About the show

The Three Buddy Problem is a popular Security Conversations podcast that goes beyond industry talking points to discuss what others won’t -- nation-state malware, attribution, cyberwar, ethics, privacy, and the messy realities of securing computers and corporate networks.

Hosted by three veteran security pros -- journalist Ryan Naraine and malware paleontologists Costin Raiu and Juan Andres Guerrero-Saade -- the weekly show attracts a highly engaged audience of security researchers, corporate defenders, CISOs, and policymakers.

Connect with Ryan on Twitter (Open DMs).

Three Buddy Problem on social media

Episodes

  • Seth Spergel on venture capital bets in cybersecurity

    November 21st, 2023  |  28 mins 56 secs
    artificial intelligence, investments, merlin ventures, venture capital

    Episode sponsors:

    Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.

  •

    Dan Lorenc on fixing the 'crappy' CVE ecosystem

    November 14th, 2023  |  41 mins 45 secs
    chainguard, cve, sboms, supply chain, venture capital

    Episode sponsors:

    Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.

  •

    Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers

    November 7th, 2023  |  31 mins 27 secs
    cisco talos, nation-state apts, psoas, ransomware

    Episode sponsors:

    Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.

  •

    Allison Nixon on disturbing elements in cybercriminal ecosystem

    November 1st, 2023  |  48 mins 39 secs
    lapsu$, ransomware, scattered spider, the-com

    Episode sponsors:

    Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.

  •

    Dakota Cary on China's weaponization of software vulnerabilities

    September 15th, 2023  |  55 mins 48 secs
    apts, atlantic council, china, nation-state

    Episode sponsors:

    Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline.

    In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, nation state-backed threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.

  •

    Abhishek Arya on Google's AI cybersecurity experiments

    September 12th, 2023  |  33 mins 27 secs
    google, open source software, openssf, oss-fuzz, supply chain

    Episode sponsors:

    Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.

    In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.

  •

    Dr Sergey Bratus on the 'citizen science' of hacking

    August 31st, 2023  |  40 mins 2 secs
    amp, darpa, dartmouth, parsers, pdf, safedocs

    Episode sponsors:

    Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things.

  •

    DARPA's Perri Adams on CTF hacking, new $20M AI Cyber Challenge

    August 20th, 2023  |  26 mins 47 secs
    ai cyber challenge, aixcc, darpa, def con ctf, rpisec

    Episode sponsors:

    DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code.

  •

    Ryan Hurst on tech innovation and unsolved problems in security

    August 16th, 2023  |  42 mins 24 secs
    ai, bgp, encryption, google, key management, microsoft, startups

    Episode sponsors:

    Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups.

  •

    Jason Chan on Microsoft's security problems, layoffs and startups

    August 7th, 2023  |  27 mins 7 secs
    ciso, entrepreneurship, generative ai, layoffs, microsoft, open source software, transparency, vc funding

    Episode sponsors:

    Bessemer Venture Partner's Jason Chan returns to the show for a frank discussion on the state of cyber, including thoughts on Microsoft's prominent security failures, the meaning of layoffs hitting security teams, the excitement around AI, and the long road ahead. The former Netflix security chief also talks about merging of the IT and security functions and the importance of cybersecurity proving its value to the business.

  •

    GitHub security chief Mike Hanley on secure coding, AI and SBOMs

    August 2nd, 2023  |  40 mins 29 secs
    github, open source, sbom, shift-left, supply chain

    Episode sponsors:

    GitHub security chief Mike Hanley joins the show to discuss merging the CSO and SVP/Engineering roles, securing data and code in an organization under constant attack, the thrilling promise of AI to the future of secure code, the dangers of equating SBOMs to supply chain security, and new SEC reporting rules for CISOs.

  •

    Jason Shockey, Chief Information Security Officer, Cenlar FSB

    July 26th, 2023  |  33 mins 47 secs

    Episode sponsors:

    Cenlar FSB security chief Jason Shockey joins the show to discuss the task of securing a financial institution, pivoting from a career in the military to the private sector, the current state of the job market, managing risk from APTs, and the mission of his My Cyberpath project.