As you’re probably aware, life changes and the Security Justice crew has changed as well. Between jobs, family and other things called “life” we can’t dedicate the time to crank out podcasts like we used to. Tom still has his blog and the Social Media Security Podcast, Dave will most likely start a new podcast. Chris and Matt will still be around the InfoSec community and hiding behind suits and ties. Podcasts will still be available for download on this site as well as on iTunes for historical purposes. Don’t forget about our YouTube page which has classics like “Surviving the Zombie Apocalypse” and other fun conference hijinks.

Since we couldn’t end the podcast with a blog post, Dave has put together somewhat of a “best of” podcast which will be our last episode.  This is episode 37 linked in this post.

Special thanks to all our previous guests over the years, supporters and to the fans that have helped us out (sorry if we missed anyone):

Tyler Hudak (@secshoggoth, co-host before Chris Clymer), Dave Kennedy (@ReL1K – one of our most frequent guests), Phone Losers of America, PaulDotCom, Exotic Liability, Securabit, Southern Fried Security Podcast, Eurotrash Podcast, Network Security Podcast, Int0x80 of DualCore, the Hak5 crew, SecureState, InGuardians, SpiderLabs, HurricaneLabs, Cincinnati/Cleveland 2600, Cleveland Locksport, David McCartney (our bouncer), Steve Ocepek, The Confused Greenies, Rob Fuller, Josh Abraham (@jabra), Rafal Los (@Wh1t3Rabbit), Nick Owen (@wikidsystems), Chris John Riley (@ChrisJohnRiley), Robin Wood (@digininja), Frank Breedijk (@autonessus), Jayson Street (@jaysonstreet), James Arlen (@myrcurial), Kevin Johnson (@secureideas), Chris Gerling, Mick Douglas, Jay Beale, ghostnomad, quine, Greg Feezel, Ohio Linux Fest, Information Security Summit, THOTCON, DEFCON, ShmooCon, Bruce and Heidi Potter, Tiffany Radd, Chris Nickerson, Ryan Jones, dotzero, Notacon, Froggy, Tyger, Brandon Knight (@kaospunk), Alex Hammerstone, Great Lakes Christmas Ale, The wives of Tom/Matt/Dave for putting up with us, Mavis Winkles Irish Pub (where it all began- also the first bar we got kicked out of), Damons, IronGeek, Rogueclown, Jason Scott, Wesley McGrew, 0ph3lia, Jimmy Chan, Bill Gardner, Alex Hutton, Jack Daniel, Richard Bejtlich (@taosecurity), Brian Brushwood (Scam School), John Doe the Locksmith, Woot.com and Turtles.

Thanks again for the good times!

The Security Justice Crew
Tom, Dave, Matt and Chris

• The crew is alive and actually plan on recording on our regular schedule….! We have a nice new location thanks to SecureState!
• Notacon 8 update.  You must watch Matt’s Pentesting Talk! It will change pentesting forever!!!!
• Updates on crap we are doing…Neely’s book announcement, Tom’s talk at Black Hat USA and DEFCON 19.
• Chris and the ISO turtle
• Everyone should go to DerbyCon!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• Matt and Dave interview all sorts of interesting speakers and attendees from the hacker con in Chicago known as THOTCON!

PODCAST UPDATE: Please note…the bar we usually record the monthly podcast in has CLOSED and is out of business!  That’s correct…CLOSED.  No, we didn’t get kicked out like last time.  We are currently searching for a new home so there may be a delay in new podcasts.  Thanks for listening..we will be back on our regular schedule soon!!!

http://www.ustream.tv/channel/security-justice

• Two awesome conferences coming up!  THOTCON in Chicago and Notacon in Cleveland!  Security Justice will be at both!  We will be streaming live over UStream at THOTCON and most likely on Notacon Radio with some VERY special guests (hint: 0ph3lia and hopefully Jimmy Chan)
• BSides Cleveland UStream is posted!
• Check out Dave Kennedy’s Offensive Security Class…prepare your mind for MELTDOWN!
• Brandon talks about the Penetration Testing Execution Standard (PTES) and what it means to the security industry.
• Join the PTES LinkedIn group and get involved!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

Where: TDL Bar inside Hilton
When: Friday January 28, 2011 9:00PM-11:00PM

There will be giveaways, prizes and of course drinks!

You’ll need a ticket and you need to get one from one of the hosts/co-hosts of the following podcasts:

PaulDotCom, Exotic Liability, SecuraBit, Eurotrash, Southern Fried Security, Security Justice

There are a limited number of tickets available so you need to get one from one of us soon!  See you at Shmoocon and safe travels!

• It’s the super security conference episode!
• Bruce and Heidi Potter from ShmooCon January 28-31
• Tom Eston from BSides Cleveland February 18th
• Dave Lauer talks about Notacon April 14-17th
• THOTCON April 15th (Security Justice will be podcasting LIVE from THOTCON)
• Andy from the Ohio Information Security Conference February 9th
• Bill Gardner from AIDE February 17-18th
• Dave Kennedy from DerbyCon September 30-October 2nd

Please send show feedback to feedback [aT] securityjustice.com or comment below.

Alex Hutton has been involved in InfoSec in some capacity since 1994 when he was asked to educate customers as to why they needed these expensive “firewall things”.  Sometimes his role has been marketing, sometimes management, sometimes consultant, sometimes analyst.  Alex likes blogging about risk and security management (both in their more traditional, non-industry connotations).  He works in Risk Intelligence for a Fortune-something company.

He is a co-author of the Verizon Data Breach Investigation, writes regularly for the Verizon Security Blog and the New School of Information Security blog. Alex also contributes to the Cloud Security Alliance, ISM3 security management standard, the CIS metrics project and the Open Group Security Forum.

• What is the difference between GRC and security?
• Risk metrics
• VERIS (Verizon Enterprise Risk & Incident Sharing)
• Data Breach Incident Report (DBIR)
• OSSTMM 3
• Matt Neely will be speaking at AIDE
• Turtles and much more!

Thanks again to Alex for joining us on the podcast!  Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We interview Kevin Johnson who is a SANS instructor (SEC542), master of social media pwnage and the man who runs multiple open source projects including Samurai-WTF, Yokoso! and Laudanum.  We also ask the hard questions including what really is the Samurai password?
• Kevin talks about many of the open source projects he maintains, Zombies, his new venture SecureIdeas, Shmoocon, OWASP AppSecDC 2010, No Script and much more!
• Be sure to check out Matt Neely on WEWS-TV!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• Dave, Raf and the crew have some great discussions about goal oriented penetration testing, KPI and more!
• Check out Dave’s new website and of course follow the Wh1t3Rabbit and read his great blog.
• We also interview Steve Ocepek from SpiderLabs about his BlackHat talk.
• Stay tuned for some good advice from our resident locksmith (John Doe) as well!

• Alex discusses his talk at the Northeast Ohio Information Security Forum: Building Blocks for Building Docs.  We delve into one of the most forgotten topics in InfoSec…documentation <gasp>.
• Derby Con is coming!  Be there! September 30-October 2, 2011
• The Information Security Summit is October 14-15th in Cleveland Ohio.  Tom, Matt and Chris will all be speaking!
• Check-in to random locations just like Alex by using Tom’s guide.
• Tom Eston and Kevin Johnson will be presenting the third Social Zombies talk (lite version) at OWASP AppSec DC: Social Zombies Gone Wild: Totally Exposed and Uncensored
• Alex explains how information security relates to “The Bridges of Madison County”. Seriously.
• Check out Gary’s blog about SSL Wars!
• Schuyler Towne and the Open Locksport project
• Stay tuned for some very special live dualCORE!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We interview the InfoSec curmudgeon: Jack Daniel.  Jack talks about a certain security certification organization, BSides, Vegas updates, PCI, getting free drinks because you look like ZZ Top and much more! Also, there are some interesting updates from Defcon provided by dotzero.  Be sure to check out Jack’s blog!
• Don’t forget about Ohio Linux Fest September 10-12th and the Hurricane Labs Hack Challenge September 22nd.

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We interview Brian Brushwood the host of “Scam School” on Revision3.  From the Revision3 website: Brian is the author of The Professional’s Guide to Fire Eating; Pack the House; and Cheats,Cons, Swindles, and Tricks. He has appeared on dozens of television and radio broadcasts, including “The Tonight Show,” and programs on ABC, NBC, FOX, the BBC, E! and more.  He eats FIRE, knows a thing or two about magic and gives us some great advice on social engineering and techniques on how to pick up girls in a bar.

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• Interview with Joshua “Jabra” Abraham.  Jabra contributes to the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ.  You probably have seen his talks at BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG.  He also codes in Perl! Yeah baby!
• Check out Jabra’s blog.  Great resource for scripts and pentest tools.
• Jabra gave a really good talk at the SANS Pentest Summit “Goal Oriented Pentesting”.  Information on the upcoming release of Fierce 2.
• “Unmasking You” talk with Rsnake and Jabra from Defcon 17
• Be sure to check out everything Dave Kennedy is up to at BlackHat and Defcon this year.  Dave gives an update on the Social Engineering contest at Defcon as well.  Let’s pray for no heart attacks this year Dave!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We have our very first out of town guest!  Rafal Los from HP joins us for some *very* lively conversation.  You should really read his blogs.
• Rafal gives an update on THOTCON.  Yes, we want to podcast LIVE from THOTCON next year! It’s in Chicago.  We like Chicago.
• Rafal also did 30 disasters in 30 days (this is the first one). Awesome read!
• Check out Rafal’s talk from Source Boston: Into the Rabbit Hole: Execution Flow-Based Web Application Testing. We have some great discussion about this on why we are failing at web app testing.  Can QA do security?  Should developers be licensed like other industries?
• We end with a discussion on security certifications, degrees, red team vs. blue team and the word “Cyber”….oh my.
• Stay tuned after the podcast for some exclusive LIVE dualCORE and an interesting collection of bumpers.  Enjoy!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• We interview Steve Ocepek from SpiderLabs about his recent talk at BlackHat EU and NEOISF “Oracle, Interrupted: Stealing Sessions and Credentials“.  Steve talks about his job as head of security research for SpiderLabs, penetration testing Oracle, Layer 2 attacks and much more!
• Chris and Tom provide our Notacon 7 updates.  Notacon was awesome as usual!  We hope to release the audio from our session from Notacon Radio…it was EPIC! If anything you should listen to it just for our interview of 0ph3lia. RAGE!
• Check out our pictures from “Surviving the Zombie Apocalypse”.  We posted some video (you must see the Zombie Q&A from the video), and outtakes from the presentation.  Full video can be downloaded via Torrent (with the other Notacon 7 videos).

Please send show feedback to feedback [aT] securityjustice.com or comment below.

Don’t forget…Tom, Matt and Chris will be presenting “Surviving the Zombie Apocalypse” at Notacon 5pm this Saturday with the Confused Greenies.  Be there for live zombie carnage!! Oh, be sure to watch our exclusive preview.

• Froggy and Tyger talk about Notacon 7.  Security Justice will be there…hopefully on Notacon radio.  Come see our talk “Surviving the Zombie Apocalypse” with our friends The Confused Greenies.  See our exclusive preview here! Also, come see Ghostnomad’s talk and all three talks with Myrcurial.
• You should really come to Notacon…April 15-18th in Cleveland Ohio! Other talks worth checking out (besides all of them) include…Int Eighty, dave_rel1k, Tiffany Rad, Rogueclown, Kaospunk, Irongeek and Mick Douglas from Pauldotcom Security Weekly.
• Interview with Ghostnomad who is a real, live, breathing IT Auditor (don’t worry…he’s actually pretty cool ).  We go one-on-one to find out what IT auditors do and how they are really not out to destroy us…or eat our children.  Myrcurial also joins the conversation…with NO Skype fail! Srsly..way to go Dave!

Please send show feedback to feedback [aT] securityjustice.com or comment below.

• A few Shmoocon updates! There was snow! Dave’s pictures posted soon…
• Interview with “John Doe” the Locksmith.  John Doe talks about some of the biggest physical security fails he has seen as well as some great stories of alarm bypass.  He also talks about what are good consumer grade locks, what are his favorite lock picks, the rise of fake locksmiths and more.

Please send show feedback to feedback [aT] securityjustice.com or comment below.

Security Justice Shields for Rent!
We also want you to know that if you feel the need for “protection” from the potential barrage of incoming Shmooballs (especially you speakers), Security Justice is here to help! Rent yourself an official Security Justice protection shield for only $20 per hour.  Your donation of $20 goes to support the EFF (Electronic Frontier Foundation) or Hackers for Charity, your choice.  If your interested, look for Dave Lauer (he is also one of the Shmoocon staff and also will have a *large* Shmooball Launcher with him) at the con and he will hook you up with your protection needs.  Please note that Security Justice co-hosts cannot be purchased to be used as shields (except for Dave Kennedy…he always has a price).

Podcaster Meetup – Saturday @7:30pm
Security Justice will be participating in the Podcaster Meetup which takes place 7:30 – 8:30pm on Saturday in the hallway of the main con area (same as last year).  Be sure to stay for Firetalks after the meetup! More information about the Podcaster Meetup is here and more info about Firetalks is here.

Talks and more!
Check out the Shmooball Launcher contest sponsored by Woot.com, Dave Kennedy speaking about and releasing the new version of SET at the Firetalks on Friday night and don’t miss Social Zombies II: Your Friends Need More Brains with Tom Eston, Robin Wood and Kevin Johnson.  Their talk is Saturday at 11am in the “Break It!” track.

See you all at Shmoo!

• Chris announces this months open source project worth supporting! Chris recommends donating to pfSense, which is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router.  Each month Chris is going to highlight an awesome open source project worth giving some cash to.
• Hurricane Labs in Cleveland, Ohio is having another awesome Hack Challenge taking place on February 3, 2010.  Special guest Jordan Wiens (DEFCON CTF champion) will be in attendance (he will not be participating in the challenge so don’t worry about getting pwnd).  Hurricane Labs talks about what’s different from last year and how a CTF (Capture The Flag) works.
• Shawn Miller from Woot.com talks about bags of crap and how Woot.com is sponsoring the Shmooball Cannon Contest this year at Shmoocon!  He also talks about the history of Woot.com and how they do Woot off’s and more.
• Dave Kennedy gives us an overview of his Social Engineer Toolkit (SET) as well as a sneak peak of some new things being released for SET during his firetalk at Shmoocon. Also, listen to Dave *butcher* @myrcurial.  Remember Dave…my-cur-i-al.
• Tom is bringing the social zombie apocalypse to Shmoocon with Kevin Johnson and Robin Wood Saturday, February 6th at 11am.
• Be sure to check out the Podcaster Meetup and the Firetalks at Shmoocon.  Security Justice will be there.  More details will be posted soon!
• Remember kids: If you’re going to Shmoocon…do not eat at Trattoria across the street from the Wardman Park!! See this video for more information.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks to Dave and Shawn for being guests on the show!

Bruce talks to us about Shmoocon 2010, the ticketing process, talks, events and everything else related to Shmoocon 2010.  Just a reminder that the last round of Shmoocon tickets go on sale January 1st at noon EST!  This is your last chance to get a ticket to Shmoocon.  If you don’t get one, Bruce says you can blame our very own Chris Clymer.  Thanks again to Bruce for being our guest on the show and for everyone participating in the live chat via IRC and on the live stream (very special thanks to aricon from PaulDotCom for letting use their Icecast server for the stream).

Jason is probably the most interesting person you will ever meet.  His long list of accomplishments include speaking at pretty much every hacker conference known to man, hosting the fantastic Blockparty for the last three years at Notacon, archiver of the Internet, proprietor of textfiles.com, computer historian, producer of BBS: The Documentary, creator of sockington (the most famous cat on Twitter with well over 1 million followers) and also known as the guy who goatse’d all of MySpace.  We talk to Jason about pretty much everything listed above.  This is truly a EPIC episode going into the two hour mark but well worth the listen!

Thanks again to Jason for being our guest on the show and for everyone participating in the live chat via IRC and on the live stream (it was our largest audience yet)!  Please send show feedback to feedback [aT] securityjustice.com or comment below.

Knowledge + Malice = Chaos: When Awareness Doesn’t Work – John O’Leary
Corporate Honeypots: Hackers Can’t Believe What They See - L. Brent Huston
Enterprise Open Source Intelligence Gathering – Tom Eston
Network Security Monitoring and Incident Response – Richard Bejtlich
Anti-Virus is Dead – Dave Kennedy
Radio Reconnaissance and Pen Testing: All Your RF Are Belong to Us – Matt Neely
Vulnerability Management in a Post Apocalytic World – Bill Mathews

Richard began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote “The Tao of Network Security Monitoring” and “Extrusion Detection,” and co- authored “Real Digital Forensics.” He also writes for his blog (taosecurity.blogspot.com) and TechTarget.com, and teaches for Black Hat.

Thanks again to Richard for being our guest on the show!

“Movember” participants have 30 days to grow a moustache from a clean shave, while earning support from friends and family in the form of donations. All money raised supports men’s health issues including prostate cancer research and anti-depression initiatives.

For some, participation in the event will involve significant sacrifice in the name of altruism. PaulDotCom Security Weekly co-host Larry Pesce has agreed to shave his entire face on November 1st.

Well known as a technology podcaster, Pesce is also renowned as the custodian of one of the finest facial forests ever seen in Rhode Island. It’s rumoured Pesce’s chin hasn’t seen sunlight since he hit puberty.

“My wife has told me I’m not getting any play until the goatee grows back,” Pesce says. “So I want this to be worth it.”

For Pesce’s colleague, fellow host Paul Asadoorian, the challenge will be actually growing a moustache in only one month. “I’m considering dosing up on synthetic horse testosterone,” says Asadoorian. “I know a veterinarian with a gambling problem, so I should be able to get my hands on something.”

Asadoorian, Pesce, Exotic Liability’s Chris Nickerson, Dave Lauer from Security Justice, SecuraBit’s Chris Gerling and Australia’s Patrick Gray– the host of the Risky Business podcast — are all on board.  More security podcasters have also been added recently.  You can see the full list here.

Gray hopes the charity drive will solicit donations from both listeners and security technology vendors. “We’re all really hoping the vendors will come to the party,” Gray says. “If we can get good participation from our listeners and the security industry itself, then we’re confident we’ll be able to raise a decent amount of money for a good cause.”

Supporters based in the USA are urged to make their donations to the Security Podcasters Alliance team (or individuals) on us.movember.com [1], while Australian supporters can donate to the Risky Business team or its members at au.movember.com [2].

[1] http://us.movember.com/mospace/members/search/q/security+podcasters
[2] http://au.movember.com/mospace/members/search/q/risky+business

Oh…and as a bonus we have the very first “cross-over of the streams” with PaulDotCom Security Weekly!  Listen to it towards the end of the podcast.  Thanks to Paul and Larry for skyping us in!

Special Announcements:
We will be podcasting live at the Ohio Information Security Summit October 29-30.  We should be streaming some of the talks and select interviews with some of the speakers.  Be sure to follow our Twitter feed for updates on when we will be live!  Tom, Matt, Dave Kennedy, Alex Hutton, Richard Bejtlich and Wikid Systems (Nick Owen) will all be speaking.

Tom Eston and Kevin Johnson will be speaking at OWASP AppSec DC November 10-13th.  Tom and Kevin will be presenting “Social Zombies: Your Friends Want to Eat Your Brains”

Website Plug(s) of the Month:

Shmoocon CFP is open! Canadian Web Techno Conference CFP is open, ConFoo!

The Social-Engineer.org Podcast.  Be sure to check out the first episode on interrogation and interview tactics.  Really good stuff.  We are hoping that these guys put out more episodes soon!

• The Louisville Metro InfoSec Capture the Flag recap by Dave Kennedy
• Ohio LinuxFest Recap.  Link to the geek wedding here.
• T-Shirt contest design winners!  Rodolfo and ghostnomad…your designs will be incorporated into the t-shirt design!  Congratz!
• Rapid7 Acquires Metasploit.  Dave Kennedy has the strangest analogy about this we have ever heard!
• Poken update
• Wi-Fi signals used to see through walls
• Internet as a Basic Right
• Interview with Wesley McGrew. We talk to Wesley about some of his notable achievements including Yousif Yalda, Script Kiddies in the Mist, Vulnerabilities in SCADA Human-Machine Interface Software, Jesse “GhostExodus” McGraw/ETA and the f0rb1dd3n book review.  Wesley has a great blog over at mcgrewsecurity.com that we highly recommend you add to your daily reading list!  You can also follow Wesley on Twitter.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks to Wesley for being a guest on the show!

Nick Owen is CEO of WiKID Systems a open source two-factor authentication solution.  Nick talks to us about the WiKID solution, how it works and why it’s better then most expensive two-factor authentication solutions.  Be sure to check out the rockin’ Python based command line software token for use with WiKID (created by our friends over at Hurricane Labs)!

Nick is also speaking at the Ohio Information Security Summit October 29-30th on “Securing Network Access with Open Source Solutions”.

Thanks again to Nick for being on the show!

Chris John Riley is a penetration tester and well known security blogger currently located in Austria.  Robin Wood is from the UK and is the creator of many well known open source security projects including Jasager, the Interceptor and KreiosC2. Find out more about Chris on his awesome blog.  You can find out more about Robin and his projects on his website.  Chris and Robin talk to us about Cider, HAR, blogging, BruCON, security/pentest certifications, metasploit modules, Jasager updates, talks at security conferences and more!

Thanks again to Chris and Robin for being on the show!

Frank Breedijk is the creator of AutoNessus which automates regular Nessus scans and provides delta reporting.  Frank also talks about good beer, the European hacking scene, HAR, international hacking/privacy laws and more!  If you want to find out more about Frank you can find him on Twitter and the CupFighter.net blog.

Thanks again to Frank for being on the show!

Special Announcements:
We will be podcasting at the Ohio Linux Fest with dualCORE! September 25-27th.  Dave and Chris will be streaming live on Saturday 9/26 and dualCORE will be performing live Saturday night.  Stay tuned to our website and Twitter feed for more information this weekend.

Cleveland Locksport is forming!  If your local to the Cleveland area, hit up Chris for information on the next meeting.

If you near the Cleveland, Ohio area check out the Information Security Summit October 29-30

MiniSoOnCon! MiniSoOnCon is a Southern Ontario Hackerspaces / Makers Mini-Conference October 2nd and 3rd, 2009 in Hamilton, Ontario.

Website Plug(s) of the Month:

Social Engineering Framework
Learn all about social engineering!  Put together by an awesome crew including Dave Kennedy who is the creator of the Social Engineer Toolkit (SET).  Check it out!  Really good stuff! http://social-engineer.org/

Malwarebytes is a site dedicated to fighting malware. Malwarebytes has developed a variety of tools that can identify and remove malicious software from your computer.

Here are the topics covered and show notes:

• Interview with Tony Macisco who is a physical security expert.  He has a impressive resume working for the Department of Homeland Security. US Customs and a large financial institution.  If your looking for someone that knows physical security, Tony is your man.  Connect with him on LinkedIn!
• Matt talks about cracking passwords with CUDA video cards and why cracking passwords with video cards is incredibly faster then traditional methods.  CUDA FTW!
• Want to crack passwords with a CUDA supported card?  Check out Pyrit which allows you to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff.  Pyrit also hooks into CoWPAtty.  If you want to brute force MD4/MD5 or NTLM check out CUDA Multiforcer (noted as the worlds fastest password cracker).  If you want a setup for CUDA that works out of the box, check out Backtrack 4…CUDA support is built in!
• Sharing files on a social network might be the end of the world
• POKENS. What are they? Are they secure? Will they catch on?  We have some Pokens for prizes thanks to PokenZoo.com!  See Dave or Chris at Ohio Linux Fest this weekend to find out how to win one!  Congrats to Paul from PaulDotCom Security Weekly for winning a Poken during our live show!
• Want to know how Pokens work and related security?  Check out this really awesome, detailed article created by Didier Stevens.
• Did you know we have a t-shirt design contest?  Neither did we!  Send your ideas to feedback[aT]securityjustice.com and you could win a Poken and MORE! (we just don’t know what “more” is yet)
• What is a Makerbot?  We have a good discussion about basic hardware hacking and hackerspaces…we also wonder why we still don’t have one in Cleveland..<sigh>
  
• Go to MiniSoOnCon! It’s only a 3.5 hour drive from Cleveland.
• Ignore the “hawt chick” on the Security Justice Twitter account (and the base64 encoded messages).  We are not part of a Twitter botnet! Srsly.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

This special edition was recorded during our 1st annual International BBQ podcast.  This is our second attempt interviewing James Arlen (@myrcurial) who is a Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent.  James was recently a speaker at Notacon 6, DEFCON 17 and HAR.  You can watch his recent talks on Vimeo.  In this interview James talks about hacker pyramid at DEFCON this year, his experience at HAR, his recent speaking engagements, Hackerspaces, hardware hacking and much more.

Oh, don’t forget to check out MiniSoOnCon! MiniSoOnCon is a Southern Ontario Hackerspaces / Makers Mini-Conference October 2nd and 3rd, 2009 in Hamilton, Ontario.

Special thanks to James for his patience in our convoluted editing process (@securid)….

3pm – Setup, welcome and begin drinking/grilling
4pm – Frank Breedijk (@autonessus)
5pm – Chris John Riley (@ChrisJohnRiley) and Robin Wood (@digininja)
6pm – James Arlen (@myrcurial)
7pm – Nick Owen (@wikidsystems)
8pm – Clean-up and the usual banter…

So if your out grilling your own toxic BBQ listen in on some of the great interviews and the usual hi-jinks and surprises!

Special Announcements:
We will be podcasting at the Ohio Linux Fest with dualCORE! September 25-27th
If you near the Cleveland, Ohio area check out the Information Security Summit October 29-30

Website Plug(s) of the Month:

Irongeek.com
The source for security videos on tools and more! (just don’t look at the robots.txt file, k?)
SocialMediaSecurity.com
New website dedicated to the security and insecurity of social media.  Join the volunteer mailing list to help out!

Here are the topics covered and show notes:

• DEFCON 17 Updates! Pics are posted! Also more stuff on our Facebook fan page.
• BSides in Vegas was awesome
• Cliq locks owned
• New SSL Vulns
• Hacker Pyramid, check out the pics!
• Sky talks
• Podcaster Meetup at DEFCON, we were there..with lots of debauchery
• ATMs haxed
• Great guide with real pictures of multiple ATM skimmers..some really hard to detect
• Zombies ate your brains! Tom and Kevin’s video is up.  If you missed us at DEFCON, we are doing it again at OWASP AppSec DC in November.
• Goatse Lasers
• Oracle Pwned
• Good stuff about “anti-sec”
• Twitter botnet? We told you so…
• On the big breach(s) (Heartland/Hannaford/etc.)
• TSA “Training”
• Social Engineering Framework soon to be released by Dave Kennedy..stay tuned!
• Sockington…the most popular cat on Twitter! Now you can follow Jason Scott’s cat!
• We want t-shirts!! Send your ideas to feedback [at] securityjustice.com.

Open Discussion Topic: The term “hacker”.  What does it mean and why does the media focus on the negative aspects?

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Opening intro by RBCP from Phone Losers of America…please don’t hate us PaulDotCom crew!  We really do love you guys! Music provided by dualCORE!  Thanks to everyone listening to the live stream and for participating in the chat via IRC.

Podcaster Meetup details @DEFCON 17: Tom, Chris and Matt from Security Justice will be at the Podcasters Meetup once again live from DEFCON!  It’s going to take place Saturday night @8pm in Skyboxes 207 and 208.  Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream!  The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro.  We will post more details as we get them but check out the Podcasters Meetup website for the latest details.

Website Plug of the Month:

dualCORE Music – Get the latest album from dualCORE “Next Level” for only $10! Check out the awesome video preview here.

Here are the topics covered and show notes:

• Lots of epic FAIL with getting the stream up this time…
• HurricaneLabs Hack Challenge Recap.  Special thanks to the guys at HurricaneLabs for hooking us up with space to record…and the special configs to allow us to Skype!
• Tom speaking at DEFCON 17 with Kevin Johnson “Social Zombies: Your Friends Want to Eat Your Brains” 4pm Sunday
• You must go to Hacker Pyramid!  Win 10,000 cents!
• Other talks to see at DEFCON: RogueClown, “Hackerspaces: The Legal Bases”…James Arlen and Tiffany Radd, “Your Mind: Legal Status, Rights and Securing Yourself”
• Intuit support FAIL Twitter story…Twitter can rock for customer support.
• dualCORE interview with int0x80 and his hacker girlfriend…oh, and we like turtles!
• Check out the new Cincinnati hackerspace, Hive13.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Special Announcement: Tom and Chris from Security Justice will be at the Podcasters Meetup once again live from DEFCON 17!  Even if you won’t be at DEFCON you can listen and watch the podcast live via ustream!  The Podcasters Meetup is sponsored by SquareSpace (use coupon code “defcon” for 10% off the lifetime of your account) and Astaro.  We will post more details as we get them but check out the Podcasters Meetup website for the latest details.

Website Plug of the Month:

The new and improved Carnal0wnage blog! Chris Gates and Valsmith (Attack Research) have combined forces. Check out this awesome security and penetration testing blog!

Here are the topics covered and show notes:

• The SJ Crew get’s $2.50 + a virtual beer in sponsorship! w00t!
• dualCORE is releasing a new album!  More details coming soon…
• Interview with James Arlen (@myrcurial) went awesome!  Will be released as a special edition once Dave fixes the audio.
• Tom is speaking at DEFCON 17 with Kevin Johnson- Social Zombies: Your Friends Want To Eat Your Brains
• Matt’s super secret zombie night, DEFCON party invites and “Sushi Deployed!”
• Northeast Ohio Information Security Forum update
• SIEM Implementation: Real World Pitfalls to Watch Out For by Michael Buckwell
• WiKID Commercial Open Source Two-Factor Authentication by Matt Yonchak, Hurricane Labs
• (your monthly web2.0 security update….ha) Short URL service Cli.gs hacked and 2.2 million URLs affected
• Yes, there are dangers to short URL services! *gasp*
• Before getting into our open discussion..we recommend you listen to the IBM Fight Song.  Yeah, srsly!

Security Justice Open Discussion: Hacking the dinosaurs!  Breaking AS400, PBX/VM systems and more! (20:42)

• General IBM hacking tips (If you want to go after mainframes or iSeries/AS400 you will need a TN3270 client)
  IBM Redbooks – Required resource when looking at any IBM product
• Hacking iSeries/AS400 (Commonly referred to as midrange systems.  AS/400 are NOT mainframes!)
  Good book on this called “Hacking iSeries” by Shalom Carmel and his whitepapers.
  Stankdawgs Hope5 AS/400 Talk – AS/400: Lifting the veil of obscurity.
  Be sure to check for default accounts and passwords Commonly have SMTP XPND and VRFY enabled which makes account enumeration easier.  Most have a modem attached for remote diagnostics. Sometimes can be insecure. Same thing goes for accessories such as drive arrays.
• Hacking Mainframes (often a critical system so tread lightly)
  Keep in mind a “Test” mainframe might just be an LPAR (Logical Partition) off the production system. So disruptions to the “test” system could impact production.
• General penetration testing tips
  Users manually sync passwords – If you get a users password from another system try it on the target system.
  Clear text protocols abound. MITM attacks can be your friend. Just don’t take the companies mainframe offline, they probably need that.
• PBX/VM
  Check for default usernames/passwords on voicemail and phone systems and never under estimate wardialing!
  PBX’s often run UNIX-based OS’s
  PBX’s tend to be treated as “appliances” which is a fancy way of saying “we’re not going to patch it”
• TANDEM Security
• Crusty UNIX
  Older AIX versions use crypt() for password hashing, and only support 8 character unsalted passwords.  It will let users set longer passwords, it just only uses the first 8 chars!
  Telnet, rhosts, rlogin, rsh are all commonplace on older big iron UNIX
  Clustered UNIX boxes work by allowing password-less root login between each cluster member.  This can happen over SSH, but often happens over telnet, rsh, rlogin, etc.  Some vendors even still reccomend this!  Own one box, own them all.  Even better, spoof one of the hosts (easy for rtools) and you have root.
• HVAC Systems
  Some connected via modem, others on the network.  Default credentials almost guaranteed bacause they are usually set up by non-security aware HVAC mechanics.  Newer web based management consoles give you full control of the HVAC system.  Use caution when pentesting HVAC systems as messing with these can cause human safety issues!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Website Plug of the Month: Liquidmatrix Security Digest is a fantastic security blog/news site.  Created by Dave Lewis (@gattaca) with guest posts by James Arlen (@myrcurial, creator of the term “cyberdouchery“) , Security Intern (@Securityintern), Matt Johansen (@mattj) and Zach Lanier (@quine).

Here are the topics covered during the podcast and show notes:

• Notacon 6 recap!
• Become our fan on Facebook…it’s a real Facebook page, not designed to pwn you.  We promise!
• Northeast Ohio Information Security Forum update
• New School Man-in-the-Middle
• Finding and detecting Malicious PDF’s. Tyler’s Snort signature. Didier Steven’s fantastic PDF analysis tools.
• Your deleted Tweets are not deleted
• Interview FAIL – You never know who is watching or listening!
• Chris’ adventure with his Dell Mini9
• Census GPS-tagging your home’s front door
• Security Justice Open Discussion(s): Security certifications/training, Microsoft pirated software..not helping the patching problem?  Interesting Apple Mac discussion…Apple security research, patches, iPhone presenter FAIL and more!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

“You don’t have to be David Hasselhoff in Knight Rider to have your car talk to you. OpenOtto is a platform for developing vehicle aware products for the consumer and industrial markets. While it will not ask you how you’re doing this evening, most people don’t realize how much information your car’s computer can tell you. OpenOtto consists of a hardware interface to your car’s OBD II connector as well as an extensible software platform for communicating with all networked electronic devices in the car. Designed for flexibility and scalability, it is easily expandable to future vehicle capabilities.”

Tiffany Rad is president of ELCnetworks, LLC., a technology and business development consulting firm and is also a part-time professor in the computer science department at the University of Southern Maine teaching computer law and ethics.

You can find out more about the OpenOtto project via Tiffany’s blog and the official OpenOtto web site.  Thanks again to Tiffany for being a guest on our show.  Please send show feedback to feedback[aT]securityjustice.com or comment below.

Website Plug of the Month: Check out a new security podcast called Exotic Liability.  Hosts are Chris Nickerson, Ryan Jones and DJ Jackalope.  You may remember Chris and Ryan from the Tiger Team TV show.  We actually did a special edition podcast with Chris last year.  Good stuff…be sure to check it out!

Here are the topics covered during the podcast and show notes:

• June 22-26 ISC2 will be in Cleveland, Ohio offering a CISSP Bootcamp at Corporate College East.  Registration info is here.
• Speaker Recap – NEO Infosec Forum
• Buffer Overflows – It’s not as hard as you think by David Kennedy, SecureState
• Want to take an awesome class on writing exploits?  Check out the Cracking the Perimeter course offered by Offensive Security.
• Karmetasploit and Jasager – by Matt Neely, SecureState
• Verizon 2009 Data Breach Report Released
• Twitter StalkDaily Worm Postmortem
• Targeted Blackhat SEO Attack against Ford Motor Co.
• Security Justice Open Discussion: Pentesting…Over Hyped? (New idea we are trying…15-20 minutes of open discussion on one hot topic in the security community.  Bitching, complaining, rants and more…anything goes!) Have a suggestion for the Security Justice Open Discussion?  Comment here or send it to us via email!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Security Justice will be at Notacon this year in full effect!  Almost the entire podcast crew is speaking or volunteering (Matt, Tom, Dave and Chris) at Notacon this year.  Here is a schedule of where you can find us as well as some other talks we recommend you attend given by some of the friends of the show:

Friday, April 17th
Noon (West Ballroom)
Injection Rejection, or How I Learned To Stop Worrying and Love Bobby Tables – Mark W. Schumann (catfood)

2pm (East Ballroom)
Time To Replicate The Real Threat: Client Side Penetration Testing- Chis Gates (CG) & g0ne

3pm (East Ballroom)
Fast-Track: Advanced penetration techniques made easy – Dave Kennedy (ReL1K)

7:30pm (East Ballroom)
Notacon Mythbusters: Is Personal Data Stored on Hotel Keys? Using Magstripe Analysis Tools to Discover the Answer – Matt Neely (Zamboni)

Saturday, April 18th
Noon (East Ballroom)
The State of Apple Security – Chris Clymer

1pm (East Ballroom)
From a Black Hat to a Black Suit – The Econopocalypse Now Edition – James Arlen (Myrcurial)

5pm (East Ballroom)
The Rise of the Autobots: Into the Underground of Social Network Bots – Tom Eston (agen0x0)

6pm (West Ballroom)
Building, Securing, and Living With Game Servers – Bruce Potter

Security Justice Live on Notacon Radio
We should be recording special interviews and also will be live on Notacon Radio this year!  Follow us on twitter or check out our site for updates on when we will be live.

Lock Picking Village
Bring your picks and your lock picking skillz to Notacon this year at the Lock Picking Village presented by the Fraternal Order of Locksport (FOOLS).  Gringo Warrior will also be taking place!

DualCORE Live Saturday @9pm
Our friends and podcast sponsors DualCORE will also be performing live at Notacon starting at 9pm on Saturday night.  They always rock the house!  Don’t miss it!

These are just a few of the highlights of Notacon…but there is so much more!  For more details on the full line up of speakers and events check out the Notacon web site.  If you are not registered you can get a ticket at the door.  Listen live on Hak5Radio tomorrow night at 9pm EST (4/15) for special details about some of the talks and where you can find Security Justice at Notacon.  Hope to see you there!

Listen to the podcast live on Hak5radio.com and chat with us on IRC at irc.freenode.net #securityjustice or follow us on Twitter during the podcast.  IRC n00b? Follow this guide to get started.  We should be live around 9PM EST.

Join us for security talk, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

Website Plug of the Month: DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.

Local in the Cleveland area and looking for Web Application Security training? Check out the great course by Dave Kennedy of SecureState offered at Corporate College East!

Here are the topics covered during the podcast and show notes:

• Speaker Recap – NEO InfoSec Forum
  Coding For Security by Mark W. Schumann, Top 10 Security Breaches of 2008 by Tom
• HD Moore Releases WarVOX Telephonic Security Research Tool
• Rogue Wireless Gets Sneakier
• How to get free wireless in airports and hotels IP-over-DNS or IP-over-ICMP
• The Interceptor released by @digininja
  The Interceptor is a wireless wired network tap. Basically, a network tap is a way to listen in to network traffic as it flows past.
• Diebold malware
• Breaches of the month!
• djbdns pays out
• Security Metrics
• Infragard update
• Chris talks about the Mac Hackers Handbook
• Notacon interview with Froggy!  Don’t forget about Notacon 6!  Chris, Tom and Matt are all speaking!  Security Justice will also be doing a bunch of live stuff with Notacon radio this year.
• Torrent Search – Bit Che searches 60 popular torrent sites
• NSA offering ‘billions’ for Skype eavesdrop solution
• BlueScanner – Bluetooth Scanner for Blackberry Storm
• Mormons demand ICANN plugs net smut hole? what? srsly?
• iWobble for iPhone (possibly NSFW).  Yeah, lots of possibilities…
• iPhone vs. Blackberry Storm. iPhone wins.
• Destroying mobile phones with liquid..even a 1990 Motorola StarTac!
• Dave Kennedy can drink beer…fast.  Really fast!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Website Plug(s) of the Month: A local Cleveland startup called iGuiders is looking for beta testers that work in Information Security!  The Information Security Guider is live and ready to be tested.  Check out the the iGuiders website and watch a quick tutorial on what this Guider is all about.  Your feedback is requested!

Local in the Cleveland area and looking for Web Application Security training?  Check out the great course by Dave Kennedy of SecureState offered at Corporate College East!

Here are the topics covered during the podcast and show notes:

• Notacon 6!  Chris, Tom and Matt are all speaking!  Security Justice will also be doing a bunch of live stuff with Notacon radio this year.
• Shmoocon update! Matt and Tom talk about some of the great talks.  Chris knows how to “brute force” high security locks.  Tom talks about roaches.  Yum!  Don’t eat at Trattoria across the street from the Wardman Park Marriott.  Seriously.
• We posted pictures and videos from Shmoocon.  Hey…where is the hackerspace in Cleveland?  The one that HacDC has is really impressive.
• Reminder: Don’t use hotel kiosks or ATM’s in the hotel during a hacker conference.
• Some updates from the NEO InfoSec Forum February meeting.
• phpbb hacked via third party application.  Don’t forget about third-party apps installed on a web server!
• The Middler is released!
• JanusPA Hardware Privacy Adapter now available.  Check out the JanusVM…route your traffic through Tor/Privoxy in a VM…sweet!
• Chris gives the fastest news update…ever.
• Backtrack 4 released.  Check out this guide to install it on a USB drive with persistent changes.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Listen to the podcast live on Hak5radio.com (note the new link) and chat with us on IRC at irc.freenode.net #securityjustice or follow us on Twitter during the podcast.  IRC n00b? Follow this guide to get started.  We should be live around 9PM EST.

Join us for security talk, the Shmoocon recap, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

Dave and Tom interview two of the Notacon founders, Froggy and Tyger.  Froggy and Tyger talk about what Notacon is, some of the cool talks this year and why you need to go!  Froggy also gives some details on the new venue and what you can expect this year.

Want more information about Notacon and how to register?  Check out the Notacon web site for all the details.  Security Justice will be there!

• Website Plug of the Month: Sick of teaching your friends and family about PC security issues?  Send them to The Academy Home!  They have great videos showing installations and configurations of security products and a lot of other great content.  We recommend the cool video on how to install and use KeePass, a fantastic open source password manager.
• Tom, Dave and Matt will be at ShmooCon!  Dave is speaking…so let the Shmoo Ball Cannon carnage begin!  Full details on Security Justice at ShmooCon are here.  Join us at the Podcaster Meetup!  We might be renting out Dave’s Shmoo Ball Cannon to support the EFF at ShmooCon.  Stay tuned for the announcement!
• Payment Processor Breach May Be Largest Ever
• Security at Obama inauguration is tight and high-tech
  
• Throw your hard drive away, Google’s Gdrive arriving in 2009.  All your data is going to the “cloud”…
• Twitter haz been hacked…Tom and Dave talk about it on SecuraByte 5
• Looking for good security podcasts focused on security awareness and business? Checkout The Streetwise Security Zone and The Security Catalyst
• Matt tells us what DECT is and the about the DECT presentation at CCC
• Matt’s magstripe analysis blog series.  Part 1 and Part 2.
• Chris tells us about penetration testing without your toolbox
• New massive Oracle patch release.  Oracle hacking via Carnal0wnage.
• MD5 and rouge CA’s.  200 Playstation 3′s were used not 200 Wii’s!
• Mystery girl hijacks the podcast and says we are a “think tank”.  Dotzero interviews her and Tom argues the merits of the Playstation 3.  She asks some good security questions!  Sorry SecuraBit crew…shes ours.
• Angela our waitress is a geek.  More from her next episode!
• Check out the new videos on our YouTube channel.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

First, the big news….

Our very own co-host Dave Lauer is speaking at ShmooCon with Larry Pesce from PaulDotCom on Building the 2008 and 2009 ShmooBall Launchers at 4:30pm on Friday, February 6th!  There are more details about this talk in the soon to be released Episode 9.  This is one presentation you don’t want to miss!

Security Justice will also be participating in the 3rd annual Podcasters Meetup.  If you are at the con stop by and check out the events that will be taking place on Friday and Saturday night.  If you are not at the con, tune in for the live stream on Friday night at 6pm.  Looks like there will be prizes and as always a great lineup of podcasts to include:

Hak5
PaulDotCom
CyberSpeak
Securabit
SploitCast
Unpersons
Phone Losers of America
SMBMinute

There will be a live podcast starting at 6pm with FireTalks and a party afterwards.  What are FireTalks?  From the Podcasters Meetup web stite:

“Have a talk that didn’t get accepted? Want the chance to share a project that you are working on? Think of FireTalks as a verbal blog post.

The human experience is built on the ability to tell and learn from stories. At SchmooCon 2009, “FireTalks” is a supportive environment in which to either share insights or learn from others. Whether polishing a presentation (story) for conferences, meetings or training, FireTalks are the way to share, learn and improve.

The inaugural FireTalks take place Friday night — following the Podcasters Meetup. Talks are limited to 10-15 minutes with four (4) scheduled talks and four (4) open slots. Open slots will be filled on a first come, first serve basis.

Saturday night will be more relaxed. Come join us and present, listen and learn.”

Be sure to check out the Podcasters Meetup web site for more details and the latest updates.  As always, thanks to Rob Fuller (aka Mubix) for putting together this great event.

Tom, Dave and Matt will be hanging around the entire weekend handing out Security Justice stickers, recording short video interviews and trying to stay out of trouble….we have a feeling that the Shmoo Ball launcher will be getting a lot of use!

Follow us on Twitter and send us a tweet if you are around at the con and want to hang out.  We hope to see some of you there!

Listen to the podcast live on Hak5radio.com (note the new link) and chat with us on IRC at irc.freenode.net #securityjustice or follow us on Twitter during the podcast.  IRC n00b? Follow this guide to get started.  We should be live around 9PM EST.

Join us for security talk, food, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

You can download the podcast by subscribing to the Securabit iTunes feed or directly off of the Securabit web site.

Thanks again to the Securabit crew for inviting us to the podcast! It was a blast!

(Twitter FAIL picture courtesy of A Journal of Fine Hatery)

Trivia Contest Details
For this episode we did a special holiday “dual” live podcast with SecuraBit to win a copy of the new Nmap Network Scanning book and a $25 gift card to Chili’s/Macaroni Grill/Maggiano’s Restaurants.  There were two trivia questions you needed to answer.  One was given on SecuraBit Episode 17 and the other on Security Justice Episode 8 (and during the live podcasts on December 17th).  Listen for the first trivia question on SecuraBit Episode 17 and the second trivia question on Security Justice Episode 8.  Send your answers to feedback[aT]securabit.com.  The first listener to correctly answer both questions will win both the book and the gift card.

Here are the topics covered and show notes:

• Penetration Testing Dead in 2009? Many don’t think so (including us).  There are lots of different opinions.
• Dave’s Shmooball Cannon test fire!  See what happened to Bruce Potter at Notacon this year!
• Core Impact Essential and new XSS/Blind SQL Injection modules
• Secure State SQL Injection Tool released at Defcon
• The story of the fired accountant…resetting the domain admin account in a Windows Server 2003 domain.  Use the ophcrack livecd to get the local admin account on the domain controller first.
• Did you check out the new VMware vCenter Converter? It’s really cool! Correction..Tom actually converted several Windows boxes to VM’s..converting Linux is not supported *yet*.
• Chris provides details of his experience with the TSA and “security theater”.  He observed with pictures.
• Chris and his SANS DC class.  Anyone want to be a SANS instructor?  Chris tells you how and what SANS requires.
• Dave talks about his new Asus EEE PC.  Here is a great guide done by @kriggins to install Backtrack 3 to USB/SD with persistant changes.  How to install XP to an SD card.
• Dave got his Fon router…shout out to Hak5 for the idea!  Dave is looking for something other then a pineapple…perhaps a lamp?
• New IE 0day.  Out of band patch released!  Awesome article on how the vulnerability works and is exploited.  Thanks to @geekgrrl for the link!
• Greg on the impact of malware
• Check out this blog post if you want to know what all the hype is about Christmas Ale here in Cleveland!

Stay tuned after the podcast for some special holiday tunes and outtakes.  Leave feedback by commenting below or via Twitter.  Happy Holiday’s from Security Justice!

How’s the contest going to work?
There will be two trivia questions you will need to answer.  One will be given on SecuraBit and the other on Security Justice during the live podcasts on Wednesday night.  The first listener to correctly answer both questions will win both the book and the gift card.  Details on where to submit the correct answers will be given on the SecuraBit podcast beginning at 8PM EST.

Details for listening to the SecuraBit podcast at 8PM EST
Click here to listen live
Join the chat on IRC: irc.freenode.net #securabit

Details for listening to the Security Justice podcast at 9PM EST
Click here to listen live
Join the chat on IRC: irc.freenode.net #securityjustice

Local to the Cleveland, OH area?
We will be recording Security Justice Episode 8 live at Mavis Winkle’s Irish Pub (Independence location) on Wednesday, December 17th beginning around 9pm EST right after the Northeast Ohio Information Security Forum meeting.  Come join us for security talk and Christmas Ale!

Happy Holidays from SecuraBit and Security Justice!

• Speaker recap from the Northeast Ohio InfoSec Forum
• PCI Fact or Fiction or Why Compliance is Not American by Bill Mathews, Lead Geek, Hurricane Labs
• Malware Analysis Competition by Tyler Hudak & Greg Feezel…Results released!
• New WPA cracking technique and WEP is even easier to crack!
• Exploit-MS08-067 Bundled in Commercial Malware Kit
• Metasploit 3.2 Released
• Cool stuff to install on your iPhone
• Software program duplicates physical keys…without the key
• Social Network Anti-Patterns
• Lotus Notes sux…If you use or have used Notes, check this out!
• New Facebook phish
• Facebook Launches Registration for Application Verification Program
• LinkedIn adds applications…becomes more like Facebook/MySpace. Let’s not forget OpenSocial was hacked in 45 minutes!
• Default r00t access on your Android G1 phone, thanks Google!
• Extortion used in Express Scripts database breach
• Shut down of EST Domains and McColo
• White House Networks accessed by Chinese Hackers?
• A radioactive cheese grater at landfill points out toxic dangers from Chinese products
• Shut down blogs.pi.edu
• Kevin Mitnick detained, released after Colombia trip
• Some discussion about the old “Hackers” movie.  Matt is really “Zero Cool“, (you didn’t know?) and Angelina Jolie (Acid Burn) was really not that hot in the movie (Tom’s opinion…).  What’s the true story behind Emmanuel Goldstein a.k.a. Cereal Killer?
• If you really want to know what “Lemon Party” means (NOT recommended)…then search for it on your own if you feel like you must.  Lemon Party is NSFW! We will not be responsible for your eyes burning!  You have been warned!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Listen to the podcast live on Hak5radio.com (note the new link) and chat with us on IRC at irc.freenode.net #securityjustice or follow us on Twitter during the podcast.  IRC n00b? Follow this guide to get started.  We should be live around 9PM EST.

Join us for security talk, food, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

ShmooCon is February 6th – 8th 2009 at the Wardman Park Marriott in Washington DC.  Registration begins November 1st at noon eastern standard time!  Check out the ShmooCon website for more details.  Bruce talks about some of the background of ShmooCon, the Shmoo Group and of course Shmoo Ball’s and associated launching devices (aka: cannons)!  Bruce also talks about some of the new things at this years ShmooCon and the need for new speakers.

Thanks again to Bruce for being our guest on the show!

Chris is currently the owner of Lares Consulting which is a vendor-independent security consulting firm that helps companies secure electronic, physical, intellectual and financial assets through a unique blend of assessment, testing, and coaching.  He is also a frequent speaker at various security conferences, most recently at OWASP NY.

Chris describes what it was like filming the TV show, how the show got started and also talks about interesting things when working with a reality TV show crew!  He also talks about how he got into the security industry and some of the interesting things Lares Consulting is doing.

Thanks again to Chris for being our guest on the show!

• Ohio Linux Fest Recap. Pictures posted here.
• Greg Feezel from the Ohio Information Security Summit
• Malware Challenge update
• Speaker Recap – NEO InfoSec Forum
• Information Gathering with Maltego – Tom Eston
• Protecting website users from each other – Brian Shura
• Facebook dataset released.  How anonymous is it?
• Elcomsoft Claims WPA/WPA2 Cracking “Breakthrough”…not really
• What’s on your Simcard? Check out Larry Pesce’s Simcard Forensics Presentation
• Scammers introduce ATM skimmers with built-in SMS notification
• OWASP NY update.  Videos now online!
• Chris Nickerson special edition recorded…ready to launch.  Check out Chris in the latest issue of Information Security Magazine (page 56).
• Oops, teacher mistakenly messages cop for pot buy
• Conspiracy Goes Mainstream: CNBC’s Big Brother, Big Business
• RoboDump 1.0
• Encrypt your Ubuntu 8.04 installation…It’s easy when creating a fresh install and with a separate “snapshot” volume
• McCain burps like Quagmire? hmmm….
• Yes, Matt is getting married! Congrats to Matt!

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

Listen to the podcast live on Hak5radio.com and chat with us on IRC at irc.freenode.net #securityjustice or follow us on Twitter during the podcast.  IRC n00b? Follow this guide to get started.  We should be live around 9PM EST.

Join us for security talk, food, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

You will be able to listen to the stream on Hak5radio.com and chat in our IRC channel (freenode.net #securityjustice) during the stream.

If for some reason we can’t stream live it should make for a cool special edition either way.  We plan on interviewing folks from the Linux community as well as hanging out with the Notacon folks.

Stop by the Notacon table and say hi if you are at the conference!

“In all, their music is more than a collection inside jokes for nerds. It is the culmination of their passion for hip-hop and hacking. We need more music like this.”

“Dual Core … so good you don’t have to be nerdcore to like it.”

“Honestly, there’s nothing that mainstream music has that can top this in music, lyrics, production or overall quality.”

Check out the latest happenings with DualCORE and if you are going to the following con’s…they will be playing live!

October, 11 2008 09:00 PM – Ohio Linux Fest
Columbus Convention Center, Columbus, Ohio 43215 – Free
Playing the OLF after-party again. Woo woo!

October, 11 2008 11:00 PM – Day-Con
33 East Fifth Street, Dayton, Ohio 45402 – TBD

October, 24 2008 08:00 PM – Phreaknic 12
211 N First St, Nashville, Tennessee 37213

You can buy DualCORE’s albums online: Zero-One, Lost Reality, and Super Powers.

Additional links mentioned in the show…Penny Arcade and Lactose Intolerance.  Link to DualCORE videos!

Thanks again to DualCORE for being our guest and for providing the great tunes for our podcast!

Please send feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

• We have stickers! W00t!  They will be distributed at OWASP NY and Ohio LinuxFest.
• Tom and Dave will be podcasting live at the Ohio LinuxFest on October 11th.
• NEO InfoSec Forum Speaker Recap…
• Showing Up Uninvited: 4 years of being the bearer of bad news by Ryan Macfarlane
• SANS Virtualization Summit Briefing by Tom Evans
• What’s Tom up to?
• Dan Kaminsky chimes in…you can now get all the Dan you want, anytime!
• Sarah Palin’s Yahoo Email Account Hacked.  Full details here.
• Google enters the Browser Wars with Chrome.  Vulnerabilities already found.
• United Airlines Stock Crash (Sherri Davidoff/philosecurity)
• Malware Challenge officially released!  The contest begins October 1st!  Winners announced at the Ohio Information Security Summit.
• Tyler talks about stupid botmasters
• Dumb but funny picture – Opens you up for an attack
• Big Brother wants every single e-mail, text
• Real punishment: Russian Viagra spammer murdered
• Killer app: Game consoles contain hazardous chemicals
• Tom’s Tech Segment- Dradis: Information sharing for security testers
• Dradis installation notes on Ubuntu.

Please send show feedback to feedback [aT] securityjustice.com or comment below.  The next live podcast will hopefully be broadcast over Hak5 radio!  We will post/tweet about the next live audio stream.  We can also sometimes be found in our IRC chatroom at irc.freenode.net #securityjustice.  Thanks for listening!

We will also be streaming the podcast live on Hak5radio.com starting at 9PM EST!  Listen to the podcast on Hak5radio.com and join us for live chat on irc.freenode.net #securityjustice during the podcast.

Join us for security talk, food, beer and audience participation! Thanks for listening and supporting the Cleveland security community!

Via Room362.com:

“A packer, also known as a run time packer, is a program which compresses another executable to a smaller size on disk.  When executed, the packed executable is uncompressed in memory and executes.  The time to uncompress the executable in memory is usually not noticeable, making it very advantageous to use one.”

Check out Tyler’s article over at Room362.com.

• NEO InfoSec Forum Speaker recap…
• Mitigating Phishing through Email Authentication: SPF, SIDF, DK, DKIM, SSP and ADSP
• Matt solidifies our “explicit” rating and Tom talks about his childhood fantasies of Carrie Fisher in her Slave Leia outfit.
• Hacking Without Tools Part 1: Linux/UNIX
• Tom’s Black Hat/Defcon recap (talk recap, sexyhacking.com girls exposed, Hofbrahaus beat down, Gringo Warrior, parties with Chris and Jay from Securabit and others, our one fan becomes Tom’s bodyguard and more…)
• Defcon storytime with dotzero: Swag whores, Bunnies for priest and priests’ balls…it’s not explicit…honest!
• High level security pro’s being targeted
• Lock vulnerabilities released at Defcon, Hope and Blackhat
• Matt talks about creating a medecoder
• New information gathering attack against Axis cameras
• Tyler talks about recent CNN/MSNBC malspam
• Dave talks about “diversion safes” and the TSA searching through your dirty clothes (yuck)
• You want to see the lettuce safe! (scroll down to the middle of the page)

Stay tuned after the podcast for some classic SJ bloopers.  Please send show feedback to feedback [aT] securityjustice.com or comment below.  The next live podcast will be broadcast over Hak5 radio!  Stay tuned for an announcement of our IRC channel as well.  Thanks for listening!

Participants included Sploitcast, Securabit, PaulDotCom, Network Security Podcast and of course…Security Justice.  Thanks to Rob Fuller (Mubix) for organizing the event.

You can view the video stream here.

Also, check out the Security Justice Flickr Photostream for pictures of the event.

In this podcast Jay talks about the DNS vulnerability and (in Jay’s opinion) why Dan Kaminsky went about releasing the vulnerability the way he did.  Jay also talks about his two upcoming talks at Defcon 16:

Owning the Users with The Middler – Saturday, August 9th @ Noon
They’re Hacking Our Clients! Introducing Free Client-side Intrusion Prevention – Sunday, August 10th @ Noon

If you are going to Defcon this year be sure to check out Jay’s talks!  Our sponsor DualCore will also be playing live at theSummit EFF/THF Fund Raiser on Thursday, August 7th @ 9pm at the top of the Riviera!

Thanks again to Jay for being a guest on our podcast!

Please send feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

• PaulDotCom
• CyberSpeak
• Network Security Podcast
• Security Justice
• Securabit
• SploitCast
• Security Catalyst (possible)

Looks to be like a great time and good opportunity to hang out with your favorite podcast hosts!  Thanks to Rob Fuller (mubix) for organizing this event.  Hope to see some of you there!

The Fast-Track tool combines multiple attacks and gives menu driven automation to pentesting.  Fast-Track automates several different types of attacks including Metasploit’s “AutoPwn” and MSSQL brute forcing as well as updates for BackTrack 3.

Dave Kennedy will also be speaking on a panel at Defcon 16 titled Black vs. White: The complete life cycle of a real world breach.

Please send feedback to feedback [aT] securityjustice.com or comment below.  Thanks for listening!

• Speaker Recap – NEO InfoSec Forum
• NEO InfoSec Myth Busters: Is Personal Data Stored on Hotel Keys? Using Magstripe Analysis Tools to Discover the Answer by Matt Neely, SecureState
• Unetbootin, FreeSBIE, miniBSD
• CF cards and photo booth hacking
• Massive DNS vulnerability
• eWaste and China
• New low budget independent hacker film: Insecurity
• “Hackers are people too” premier at DefCon 16!
• WarGames 25th Anniversary
• “Sexy Hacking” (Thanks to PaulDotCom for finding this site! WARNING: NSFW!)
• Sexyhacking.com censorship FAIL! (Blog post by McGrew Security)
• Moan My IP…also NSFW!
• Bill Gate’s enjoys the same issues as the rest of us
• Audience magstripe results
• WSUS issue mentioned by Dave

Please send show feedback to feedback [aT] securityjustice.com or comment below.  Stay tuned for announcements on special edition podcasts that will be recorded before our next monthly podcast.  Thanks for listening!

More information below:

http://ascii.textfiles.com/archives/000278.html

http://ascii.textfiles.com/archives/000645.html

This commentary was made the same night as Episode #2 of the Security Justice podcast.

• Welcome and what is Security Justice drinking?
• Web site launch
• Mavis Winkle’s Network Night
  
• Dual Core latest album (correction from the podcast…album is called “Super Powers“)
• Speaker recap from the Northeast Ohio Information Security Forum meeting
• Announcement about special edition podcast with Dave Kennedy of SecureState (Fast-Track developer for Backtrack 3) coming soon!
• Online Social Networks: 5 threats and 5 ways to use them safely
• Evolved Badware, Joe Kovacic from ITSoftware
• Security Hot Topics
• Verizon Data-Breach Study
• Updated ransomware (correction…that’s a 1,024-bit key!), malware that takes control of your router via default passwords
• Beer break!
• Stumbling upon security issues and vulnerability disclosure
• Dave comments on the 2003 blackout
• Stupid human tricks seen by Dave and Tom
• Audience participation!

Please send show feeback to feedback@securityjustice.com (might not work yet) or comment below.  Stay tuned for announcements on special edition podcasts that will be recorded before our next monthly podcast.  Thanks for listening!

• Introducing the Security Justice team
• Dave talks about social engineering
• Tom talks about recent website hijacks (Comcast, Metasploit.com)
• Phone Losers of America – Voice Authentication
• Matt talks about his voice authentication research
• Interesting local ATM theft and other ATM goodies
• What’s up with these Chinese hackers? Hackers on an island?!?
• Chinese hackers pwn Dave’s watch…
• Picture frames used for hacking
• Projects and research Security Justice is working on
• Shout outs to PaulDotCom, Hak5, Securabit, and thanks!

Music for Security Justice is provided by Dual Core! Check out Dual Core for some of the coolest nerdcore music around!

You can listen to the podcast right from this web site by clicking the “play” button below…or download our podcast into any podcatcher (iTunes, Podnova, Odeo, etc…) via our FeedBurner feed.

Next podcast will be recorded live at Mavis Winkle’s Irish Pub in Independence, Ohio right after the Northeast Ohio Information Security Forum on June 18th. Come on out for some great brew and join our live audience!