Silver Bullet Security Show

Show 086

Wed, 5 Jun 2013 16:15:00 -0800

Gary chats with Wenyuan Xu, Associate Professor in the Department of Computer Science and Engineering at the University of South Carolina. They discuss the differences between American and Chinese technical culture, Wenyuan's work on automatic meter reading systems, whether electrical engineering is more advanced in terms of design than computer science, and why there are so few women in engineering and computer science. They close out the episode with a discussion of tailgating.

Show 085

Wed, 5 Jun 2013 16:14:00 -0800

Gary talks mobile security with two guests: Jim Routh, former global head of application security at JP Morgan Chase (and newly-appointed CSO), and Scott Matusmoto, Principal Consultant and head of the mobile security practice at Cigital. All three discuss the challenges of mobile security and how these challenges are exactly the same as and utterly different than software security concerns from across the years. They discuss use of new technologies including accelerometers in enhancing security (or compromising privacy), and the effect that massive phone rooting has on security. Is mobile security the same old same old or a brand new day?

Show 084

Fri, 12 Apr 2013 16:14:00 -0800

Gary chats with W. Hord Tipton, Executive Director of (ISC)2. They discuss how one gets into science and engineering when growing up in rural Tennessee, what insight being nuclear and chemical engineer gives Hord about modern control systems, whether or not certification can help advance software security, and the benefits of teaching software security to kids.

Show 083

Fri, 8 Mar 2013 16:14:00 -0800

On the 83rd episode of the Silver Bullet Security Podcast, Gary talks with Mark Graff, CISO at NASDAQ OMX. They discuss what exactly a CISO does all day, how corporate security posture at NASDAQ compares to the security posture at Lawrence Livermore National Laboratory, Enrico Fermi and the piano tuners (the "Fermi problem") and how it relates to estimation, and the most surprising cultural difference between the left and right coasts. They close out their conversation with talk about Mark’s favorite poem from the mid-19th century (and yet it still has a software security connection!).

Show 082

Mon, 21 Jan 2013 09:57:21 -0800

Gary talks with Kevin Fu, Associate Professor in the EECS Department at the University of Michigan. They discuss finding advisors and picking a grad school, the security implications of embedded medical devices, malware in hospital systems, the consumer trend toward analyzing one's own health data, and the difficulty of teaching design analysis to other humans. They close out the episode discussing lobster bisque.

Show 081

Fri, 4 Jan 2013 13:14:05 -0800

On the 81st episode of the Silver Bullet Security Podcast, Gary talks with Steve Bellovin, Professor of Computer Science at Columbia University, currently on leave and acting as CTO of the Federal Trade Commission. Gary and Steve discuss how often academic research finds its way into the real world versus research that’s done in a commercial lab, how code has gotten better overall but how the threat model has changed, whether mobile security is just a repackaging of the same security problem we've been dealing with for years, the state of computer security in the government, the very first days of Usenet and the famed Evil Bit.

Show 080

Mon, 3 Dec 2012 15:10:10 -0800

Thomas Rid, Reader in War Studies at King's College London and a non-resident fellow at the Center for Transatlantic Relations in the School for Advanced International Studies, Johns Hopkins University, in Washington, is Gary's guest. DC. In this episode, Gary and Thomas discuss how Thomas' life as a "wandering academic" influences his work at the War Studies Department, the inevitably (or otherwise) of cyber-war, attribution, and military dictionaries and the problem of jargon. They close out their chat talking about the Barbican cultural center.

Show 079

Thu, 1 Nov 2012 09:20:47 -0700

Gary talks with Per-Olof Persson (a.k.a. Peo), head of Global Software Security Operations at Sony Mobile and Board member of Sony Corporation. They discuss the importance of working different positions within the same company, Sony Mobile's software security initiative, the political concerns of software security, and the cultural challenges of working with international teams. They close out the show with a discussion of American Presidential politics.

Show 078

Wed, 10 Oct 2012 10:05:27 -0700

Gary McGraw talks with Jacob West, Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard and newly minted CTO. They discuss HP's acquisition of Fortify, the technical trade-offs that have to be made to allow a tool to become widely adopted, BSIMM4, and mobile security. They close out their discussion covering the impossibility of growing good tomatoes in San Francisco.

Show 077

Thu, 20 Sep 2012 09:28:37 -0700

Gary talks with Gary Warzala, CISO of Visa International. They discuss what a CISO's day-to-day job looks like, how companies can attract and retain good security employees, whether consumers need to understand the difference between software security and security software, and how one can measure security and discuss the results with upper management.

Show 076

Wed, 1 Aug 2012 10:51:11 -0700

Gary chats with David Evans, Associate Professor of Computer Science at the University of Virginia. They discuss the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to computer science and computer security is a good idea, why data privacy gets short shrift in the US, why people think (for no apparent reason) that their mobile devices are secure, groceries, David's research on secure computation, and the Udacity project. They close out their discussion with a story about David's trip to the World Cup in Korea and a choice between GEB and scheme.

Show 075

Wed, 1 Aug 2012 10:48:54 -0700

On the landmark 75th episode of Silver Bullet, Gary talks with Howard Schmidt, former Cybersecurity Coordinator for the Obama administration. They discuss the differences between doing security work in the public and private sectors, the difficulties of establishing cybersecurity in the government (especially when it comes to software security), the government's involvement in cyberespionage, and how the actions of Anonymous and Wikileaks square with the notion of free speech. They close the episode out with talk about Harleys.

Show 074

Wed, 13 Jun 2012 08:38:07 -0700

Gary talks for a second time with Bruce Schneier. They revisit Bruce's prediction in Episode 9 that insight into economics and security would help vendors sell their products more efficiently. In addition, they discuss Bruce's new book Liars and Outliers: Enabling the Trust that Society Needs to Thrive, how far behind the government is in terms of security, cloud computing, and Uncle Milton's ant farm.

Show 073

Wed, 13 Jun 2012 08:33:48 -0700

On the 73rd episode of The Silver Bullet Security Podcast, Gary talks with Robert Vamosi, senior analyst with Mocana, freelance security reporter, and author of When Gadgets Betray Us. They discuss whether we're doomed to idiocy as a species thanks to gadget dependency, and why designers ignore security and privacy issues in gadget design. Finally, they discuss Robert's use of the word "betray."

Show 072

Fri, 20 Apr 2012 14:12:14 -0700

Gary talks with Randy Sabett, a lawyer with the ZwillGen cyberlaw firm in Washington, DC. They discuss Microsoft's Zeus Botnet raid, alleged AT&T/NSA wiretapping, whether cyberlaw is full of loopholes, and if security always trades off against privacy and anonymity. They close out their chat discussing the books Randy is currently reading.

Show 071

Mon, 5 Mar 2012 12:17:09 -0800

Gary talks with Bill Arbaugh, Associate Professor of Computer Science at University of Maryland. They discuss how malware has evolved and changed over the last decade and how it's affected software security practices, BIOS-based attacks, academia vs. startup, and why the NSA doesn't play defense when it comes to cybersecurity.

Show 070

Fri, 3 Feb 2012 09:38:17 -0800

Gary chats with Ross Anderson, Professor of Security Engineering at the Computer Laboratory at Cambridge University and author of the book Security Engineering. Ross was a guest on episode 13 of The Silver Bullet Security Podcast and is our first return guest. They discuss the latest developments in Trusted Computing, the iterated "Prisoner's Dilemma" as an economic model and its relevance to computer security, information compartmentalization and Wikileaks, time and security, cyberwar versus cybercrime, and Stuxnet.

Show 069

Fri, 3 Feb 2012 09:35:54 -0800

Gary talks with Steve Myers, Assistant Professor of Informatics and Computing in the School of Informatics at Indiana University and a member of the Center for Applied Cybersecurity. They discuss the gap between "real world" computer security and "academic" computer security, the problem of cryptography, whether it's OK to use "the NASCAR effect" to draw students into security, and spear phishing.

Show 068

Fri, 2 Dec 2011 07:56:53 -0800

Gary is joined in the studio by John Steven, internal CTO at Cigital. They discuss how software architecture is being pulled by financial services instead of being pushed by technology firms, why architecture risk analysis is so important (and so hard to automate), the bias that developers and security practitioners show towards security features rather than software security Touchpoints, and enterprise use of static analysis tools. They close out the show discussing mixology.

Show 067

Fri, 2 Dec 2011 07:54:46 -0800

Gary talks with Bill Pugh, professor at the University of Maryland College Park. They discuss the Marmoset and FindBugs projects, how to teach kids to code and whether coding is an innate ability or is something that can be taught. They also geek out regarding Bill's favorite programming languages for coding and teaching about coding. They also discuss the relationship between coding and fire eating.

Show 066

Fri, 28 Oct 2011 08:12:17 -0700

Gary chats with Shari Lawrence Pfleeger, Director of Research for the Institute for Information Infrastructure Protection at Dartmouth College. They discuss the difference between safety-critical software and security-critical software, why measuring software is hard (security notwithstanding), how to speed up tech transfer, and why there are so few women in computer science.

Show 065

Wed, 14 Sep 2011 10:38:01 -0700

Gary is joined by Giovanni Vigna, professor of Computer Science at UC Santa Barbara. They discuss DEFCON’s classic Capture the Flag contest as well as UCSB's international version. They ponder how the notion of "build security in" might be integrated into a CTF-type contest. Giovanni talks about his favorite course to teach, the challenge of communicating security issues with non-technical people, and the role of blackbox testing in security. They close out the show discussing how to teach a toddler to pick locks.

Show 064

Wed, 17 Aug 2011 14:58:16 -0700

Gary McGraw chats with Markus Schumacher, co-founder and CEO of Virtual Forge. They discuss the difference between working for a large corporation and a startup, why Virtual Forge built a code scanning tool for SAP's ABAP code, whether security people understand the notion of security patterns, and Markus' favorite beverage in Heidelberg.

Show 063

Fri, 15 Jul 2011 14:49:01 -0700

On the 63rd episode of The Silver Bullet Security Podcast, Gary talks with Craig Miller, principal at the MAPA Group. Gary and Craig discuss entrepreneurship, the pluses and minuses of working for start-ups and very large corporations, smart grid security, and working with NRECA. They close out the show discussing movies and books.

Show 062

Fri, 3 Jun 2011 09:11:48 -0700

Gary chats with Halvar Flake (a.k.a. Thomas Dullien), founder of reverse engineering consultancy, Zynamics, which was recently purchased by Google. They discuss the acquisition, Zynamics' product BinDiff, whether the "bad guys" are using code understanding tools (including decompilers) better than developers, static versus dynamic analysis, international politics meets computer security, and the growing complexity of malware. They close out with a discussion of music.

Show 061

Fri, 3 Jun 2011 09:07:19 -0700

On this episode, Gary talks with Carl Landwehr, Director of Trustworthy Computing at the National Science Foundation and a Senior Research Scientist at the Institute for Systems Research within the University of Maryland. They discuss the most important changes in information security that have developed over the course of Carl's career, the academic perspective of the state of commercial computer security, how to balance security and privacy, and the reason behind the leaking of government documents to Wikileaks. They close out the episode discussing books.

Show 060

Mon, 4 Apr 2011 10:29:18 -0700

On the 5th anniversary, 60th episode of The Silver Bullet Security Podcast, Gary talks with Neil Daswani, CTO and co-founder of Dasient. Gary and Neil discuss Neil's previous work at Google and how the "start-up like"” atmosphere at Google compares with an actual start-up. They also discuss bad ads (aka malvertising), Clickbot.A, the software security related emphasis on testing at Google, and sushi in San Jose.

Show 059

Mon, 4 Apr 2011 10:24:57 -0700

Gary chats with Ralph Langner, founder and CEO of Langner Communications. Langer Communications is a German company specializing in control systems security. Ralph was the first to determine that Stuxnet is a directed cybersecurity attack against the kinds of Siemens control systems used to control nuclear centrifuges in Iran. They discuss what's involved in introducing the concept of cybersecurity to control systems engineers, how anti-virus vendors originally responded to the Stuxnet, as well as plenty of detailed technical info about the worm with an emphasis on its payload.

Show 058

Fri, 25 Feb 2011 09:08:42 -0800

On the 58th episode of The Silver Bullet Security Podcast, Gary talks with John Savage, professor of Computer Science at Brown University and Jefferson Science Fellow for the State Department. They discuss whether Wikileaks is a terrorist organization, if the use of a cyber weapon like Stuxnet can be a morally justified act, and the implications of computational nanotechnology on cybersecurity.

Show 057

Fri, 25 Feb 2011 09:05:55 -0800

On the 57th Silver Bullet Security Podcast, Gary talks with Elinor Mills, senior writer at CNET's news.com. At CNET, Elinor covers Internet technology and security. They discuss how writing about technology for news organizations has changed over the past 20 years, how technology adoption in Portugal differs from the States, WikiLeaks and the First Amendment, avoiding FUD when covering a breaking news story about security, and Burning Man. They close the episode with a brief discussion of Elinor's favorite books.

Show 056

Mon, 13 Dec 2010 10:24:36 -0800

Gary sits down with Sammy Migues, Principal and Director of Knowledge Management at Cigital. They discuss how Sammy's southern upbringing affects his approach to security, his experience speaking to the National Rural Electric Cooperative Association, the advantages of defensive programming versus "the bug parade" and the BSIMM. They close the show out discussing bourbon. As a bonus, Sammy may be the first person to ever use the phrase "flips my bogometer" on a podcast.

Show 055

Mon, 13 Dec 2010 10:21:27 -0800

Gary chats with Deborah Frincke, Chief Scientist, Cybersecurity at Pacific Northwest National Laboratory. They discuss the differences between being a professor and a researcher, whether a professional certification is better than an academic degree, and how a woman's reasons for getting into the computer security field might differ from a man's. They close out the episode by talking flowers.

Show 054

Tue, 28 Sep 2010 09:34:13 -0700

On the 54th Silver Bullet Security Podcast, Gary interviews Dr. Marc Donner, engineering director for Google Health and Google Finance. They discuss science-fiction books from the past decade, why Americans like to talk about cyberwarfare, and security issues and privacy concerns as related to Google Health initiatives. They finish up their discussion by talking about the Syrup Wars.

Show 053

Wed, 25 Aug 2010 08:26:53 -0700

Gary interviews Richard Bejtlich, Director of Incident Response for General Electric and Principal Technologist for GE's Global Infrastructure Services division. They discuss whether it's better to look for known problems or anomalies when performing network security monitoring, how to explain security incidents to "business guys," the notion of "building visibility in," and the difference between working as an independent consultant in a very small shop and working in a large corporation.

Show 052

Wed, 25 Aug 2010 08:24:16 -0700

On the 52nd episode of The Silver Bullet Security Podcast, Gary chats with Paul Kocher, President and Chief Scientist of Cryptography Research. Gary and Paul discuss the first system that Paul ever broke, whether engineers and architects need to think like the "bad guys," the decision to put content protection on Blu-Ray discs rather than the player, and whether P=NP.

Show 051

Thu, 8 Jul 2010 14:24:29 -0700

On the 51st episode of The Silver Bullet Security Podcast, Gary talks with former co-worker Dr. Anup Ghosh. Ghose has authored three books on e-commerce security and over 40 peer-reviewed articles and is founder and chief scientist of Invincea. They discuss the difference between working in a startup and in goverment research, why antivirus doesn't work against the ZeuS botnet and what businesses should do to protect themselves, and the relevance of the desktop in the future of computing.

Show 050

Tue, 1 Jun 2010 15:30:59 -0700

On the landmark 50th episode of Silver Bullet, Gary talks with Richard A. Clarke. Richard Clarke is an internationally-recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. They discuss what needs to change in order for the United States to focus more attention on defense against cyber war (as opposed to offense). They also discuss the importance of software security in preventing cyber crime and cyber war, network scanning as a part of Dick's "Defensive Triad," and balancing cybersecurity against individual liberty. This special edition of Silver Bullet was also captured on video and can be seen at http://www.computer.org/portal/web/computingnow/silverbullet.

Show 049

Fri, 30 Apr 2010 14:27:05 -0700

On the 49th episode of The Silver Bullet Security Podcast, Gary talks with Ivan Arce, co-founder and CTO of Core Security Technologies. They discuss whether teaching builders to think like attackers is worthwhile, how living in Argentina both helps and hinders a career in computer security, the current state of embedded systems attacks, and Ivan’s ongoing disagreement with Microsoft about Virtual PC vulnerabilities. They close things out with a discussion of science fiction books and whether scotch trumps bourbon.

Show 048

Wed, 14 Apr 2010 15:21:50 -0700

Gary interviews Andrew Jaquith, senior analyst at Forrester. They discuss how security has become overrun by compliance in the biggest change to corporate security in 15 years, the battle between social networking technology use in the workplace (think Twitter, Facebook, AIM) and security, security metrics (or lack of such), and Andy's latest musical find.

Show 047

Mon, 8 Mar 2010 08:12:29 -0800

Gary and Greg Morrisett discuss the relationship between security and programming languages, why the choice of a good programming language (and/or VM) is more important than code review, sensor networks and security, and information control.

Show 046

Wed, 3 Feb 2010 09:46:14 -0800

Gary talks with David Rice, Executive Director of the Monterey Group and author of Geekonomics: The Real Cost of Insecure Software.

Show 045

Wed, 20 Jan 2010 11:10:46 -0800

On the 45th episode of The Silver Bullet Security Podcast, Gary chats with Lorrie Cranor, Associate Professor of Computer Science and Engineering and Public Policy at Carnegie Melon University. They discuss how everyday people think about privacy and what we can do to get them to care about it, the relationship between trust and privacy, and why the US is lagging behind the EU on privacy-related issues. They close out the discussion by talking about women in computing.

Show 044

Wed, 20 Jan 2010 11:05:45 -0800

Gary chats with Steve Kent, Chief Scientist - Information Security, for BBN Technologies, a division of Raytheon. They discuss the history of network security, secure transport and base Internet protocols, the role of politics in the adoption of security on the Internet, applied cryptography, and whether security and individual liberty co-exist. They finish by discussing extremely high end wine.

Show 043

Mon, 9 Nov 2009 15:45:46 -0800

On the 43rd episode of The Silver Bullet Security Podcast, Gary chats with Christofer Hoff, Director of Cloud and Virtualization Solutions at Cisco. Hoff is well known for his colorful blog posts and presentations on cloud security and other complex security issues. Suffice it to say, the cloud was a big topic for this issue.

Show 042

Wed, 30 Sep 2009 16:04:43 -0700

On the 42nd episode of The Silver Bullet Security Podcast, Gary chats with Gillian Hayes, Assistant Professor in Informatics at the Bren School of Information and Computer Sciences at UC Irvine. They discuss how much people really need to know about security going on behind the scenes, how usability affects the health records security, whether surveillance changes how 20-somethings act in public (including on the Net), and how having more women technologists positively impacts the humanization of technology.

Show 041

Mon, 24 Aug 2009 15:15:20 -0700

On the 41st episode of The Silver Bullet Security Podcast, Gary talks with Fred Schneider, Samuel B. Eckert Professor of Computer Science at Cornell University and author of Trust in Cyberspace. Gary and Fred discuss the relationship between security and reliability, diversity as a security mechanism, and the continuum of attack categories from configuration problems, to bugs, to flaws, to trust issues.

Show 040

Fri, 17 Jul 2009 10:28:54 -0700

For the 40th episode of The Silver Bullet Security Podcast, Gary interviews Bob Blakley, VP and research director of The Burton Group's Identity and Privacy Strategies. Gary and Bob discuss the importance of liberal arts degrees, the (over) complications of CORBA security, whether computer security requires a complete shift in approach, cybersecurity and governments, and the movie Perils in Nude Modeling (really).

Show 039

Fri, 19 Jun 2009 14:21:11 -0700

On the 39th episode of The Silver Bullet Security Podcast, Gary chats with Matt Blaze, Associate Professor of Computer and Information Science at the University of Pennsylvania. Gary and Matt start the show off discussing the Obama administration's "cyber coordinator" plan and the large number of cyber plans that are never cyber realized. They also discuss key escrow, warrantless wiretapping, the responsibility we have to stay engaged with issues surrounding individual liberty and privacy, and the similarities between physical locks and computer security.

Show 038

Fri, 19 Jun 2009 14:17:27 -0700

For the 38th episode of The Silver Bullet Security Podcast, Gary talks privacy with Kay Connelly, Associate Professor of Computer Science at Indiana University and Senior Associate Director of IU’s Center for Applied Cybersecurity Research. Gary and Kay discuss why in situ usability study is important, the E.T.H.O.S. living lab (including the "presence clock" and the portal monitor), and Kay's advice to women interested in pursuing a career in computer science.

Show 037

Wed, 22 Apr 2009 14:04:26 -0700

On the 37th episode of The Silver Bullet Security Podcast, Gary interviews Virgil Gligor, Professor at Carnegie Mellon University in the Department of Electrical and Computer Engineering and co-director of CyLab. Gary and Virgil discuss how information security has changed over the last 35 years, why software security will be with us forever, and how Virgil’s childhood in Romania has shaped his views on security.

Show 036

Wed, 8 Apr 2009 17:53:43 -0700

Things are switched up for this special third anniversary episode of Silver Bullet. This time around, Gary is the victim, being interviewed by James McGovern, Enterprise Architect for The Hartford Financial Services Group, Inc. and OWASP maven. Gary and James discuss the recently released Building Security In Maturity Model, how companies with Software Security Groups retain their best and brightest, Microsoft’s trustworthy computing initiative/SDL program, and what less expensive tools small organizations with only a few developers can use.

Show 035

Tue, 24 Feb 2009 09:00:04 -0800

On the 35th episode of The Silver Bullet Security Podcast, Gary talks with Daniel Suarez, independent consultant and author of Daemon, a new techno-thriller about a gamer that reaches from beyond the grave to declare war on all of humanity. They talk about Daniel's new book and the movie options attached to it, the use of MMORPGs and flash mobs for nefarious means in the form of a distributed emergent attack, the current state of AI, and the follow-up to Daemon, Freedom.

Show 034

Fri, 16 Jan 2009 09:42:23 -0800

On the 34th episode of The Silver Bullet Security Podcast, Gary interviews Bill Brenner, senior editor at CSO Online and CSO Magazine. Gary and Bill discuss how delivering the security message changes based on the audience (executives versus geeks and CSOs versus CIOs), the much-exaggerated death of print media, and balancing headline-grabbing sensationalism with solid security business coverage.

Show 033

Mon, 12 Jan 2009 14:44:12 -0800

On the 33rd episode of The Silver Bullet Security Podcast, Gary talks with Laurie Williams, Associate Professor of Computer Science at North Carolina State University. Gary and Laurie discuss Laurie’s nine years at IBM, Agile’s adoption in the commercial space, XP and software security, and what changes Laurie would make to the standard computer science curriculum to better prepare students.

Show 032

Tue, 18 Nov 2008 11:51:29 -0800

The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, and why 50 percent of Web problems can’t be discovered reliably automatically.

Show 031

Tue, 28 Oct 2008 09:48:31 -0700

On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science. Gary and Matt discuss Matt's plan to work security analysis and secure coding into a wider computer science cirriculum, Matt's early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of tr21aining in large-scale software security initiatives.

Show 030

Tue, 28 Oct 2008 09:47:10 -0700

On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn't learn from failure like mechanical engineering does, how we're making steps backwards in computer security, and whether focusing on Web applications is a good or bad thing for software security.

Show 029

Fri, 10 Oct 2008 10:43:02 -0700

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current "BS factor" in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

Show 028

Fri, 1 Aug 2008 08:35:05 -0700

On the 28th episode of The Silver Bullet Security Podcast, Gary interviews Bill Cheswick, a lead member of technical staff at AT&T Research and all around security guru. Bill has been working in computer security for over 35 years. He coined the term "proxy" in 1990 with reference to firewalls, and co-authored the book Firewalls and Internet Security which was used to train an entire generation of sys admins. Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into the cloud, and whether re-naming Christmas lights to solstice lights would bypass NJ holiday decoration ordinances.

Show 027

Fri, 11 Jul 2008 13:00:28 -0700

On the 27th episode of The Silver Bullet Security Podcast, Gary interviews software security expert Gunnar Peterson, a Managing Principal at Arctec Group. Gary and Gunnar begin with the age-old question, "What is security?" They go on to discuss how Web 2.0 and SOA security is progressing, the big idea behind "federated identity," and whether all market verticals can follow the software security lead of the financial services industry.

Show 001

Thu, 11 May 2006 13:00:00 -0700

Gary McGraw speaks with Avi Rubin, professor of computer science at Johns Hopkins University and director of the US National Science Foundation-funded ACCURATE Center, which focuses on secure electronic voting. His latest book, Brave New Ballot (Random House, 2006), will be published later this year.

Show 002

Thu, 15 Jun 2006 13:00:00 -0700

In this episode of the Silver Bullet Security Podcast, Gary McGraw chats with Dan Geer, chief scientist at Verdasys. They discuss the need to understand both technology and business in order to be a good security practitioner, Dan's take on monoculture, his "Cyber Insecurity" paper, and work on Project Athena.

Show 003

Sat, 15 Jul 2006 13:00:00 -0700

This time out, Gary McGraw chats with Marcus Ranum, who is widely credited with inventing the proxy firewall. They discuss Richard Feynman, power tools for home repair and improvement, why Marcus thinks we're not making progress in the computer security field, and how common sense would help computer security.

Show 004

Tue, 15 Aug 2006 13:00:00 -0700

In the fourth episode, Gary talks to Dana Epp, CEO and founder of Scorpion Software. Dana also runs a popular software security blog. On this show, Dana and Gary talk about past programming disasters, the security implications of systems with ever-increasing complexity, suggestions for new developers interested in learning about software security, and regulation's role in information security.

Show 005

Mon, 28 Aug 2006 13:00:00 -0700

The fifth edition features Ed Felten, professor of computer science and public affairs at Princeton University. Gary and Ed take a look at Ed's predictions for 2006 and how he's faring so far. They also discuss the difficulty of addressing technology issues with lawmakers and the importance of public policy and the law to computer scientists.

Show 006

Wed, 25 Oct 2006 13:00:00 -0700

In the sixth episode, Gary chats with Michael Howard, senior security program manager of Microsoft's Security Technology Unit. Michael discusses what it's been like watching the company come to grips with software security. Gary and Michael also discuss the security features of Windows Vista and Michael's recommendations for the two most important best practices when developing secure software.

Show 007

Wed, 25 Oct 2006 13:00:00 -0700

Gary interviews Cisco Chief Security Officer John Stewart. Gary and John discuss what CSOs do all day, how John got started in computer security, and the infamous Morris worm from 1988 (which John was deeply involved with while a student at Syracuse). John and Gary also revisit Cisco-gate, and talk about how John's identity was stolen.

Show 008

Fri, 17 Nov 2006 13:00:00 -0700

In the eighth episode, Gary chats with Brian Chess, co-founder and chief scientist of Fortify Software. Gary and Brian discuss what commercial developers and academics have to learn from each other, what it's like to work for a Kleiner-Perkins startup, and how mystifying it is that some developers are fine with XSS vulnerabilities in their web applications.

Show 009

Thu, 14 Dec 2006 13:00:00 -0700

In the ninth episode of The Silver Bullet Podcast, Gary interviews Bruce Schneier, founder and CTO of Counterpane. Gary and Bruce discuss the connection between physical security and its technological component, the idea of risk management, the intersection of economics and security, and the ideas of "wholesale surveillance" and "security theater."

Show 010

Mon, 22 Jan 2007 13:00:00 -0700

The tenth episode of The Silver Bullet Security Podcast features a panel discussion with the Fortify Software Technical Advisory Board. The group discusses what commercial software tools can learn from academic research, software security in China, real-world lessons learned while using static analysis tools, and software security pedagogy.

Show 011

Thu, 15 Feb 2007 16:59:00 -0700

Gary talks with Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Portgraduate School. Gary and Dorothy discuss her involvement in the Clipper Chip controversy (which earned Dorothy the moniker "clipper chick"), the concept of geo-encryption, and a famous 1990 paper she wrote describing a series of interviews with malicious hackers.

Show 012

Wed, 14 Mar 2007 12:11:00 -0700

In the latest edition of The Silver Bullet Security Podcast, Gary chats with Becky Bace about her 12 years at the US National Security Agency, where she worked on intrusion detection and cryptography. Gary and Becky also discuss the evolution of security curricula in academia, the rampant commercialization of computer security, and Becky's involvement in tracking down the notorious Kevin Mitnick.

Show 013

Fri, 13 Apr 2007 12:11:00 -0700

Gary chats with Ross Anderson, professor of security engineering at the Computer Laboratory at Cambridge University and author of Security Engineering. Gary and Ross discuss the simple reasons why most systems fail, the economic imbalance between engineers/developers and a system's users (with respect to who should address security), and why publicly describing attacks is essential to security engineering.

Show 014

Tue, 22 May 2007 12:17:00 -0700

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering, and why DRM is the "wrong solution to the wrong problem."

Show 015

Tue, 19 Jun 2007 17:37:00 -0700

On the 15th episode of The Silver Bullet Security Podcast, Gary interviews Annie Antón, associate professor of software engineering at North Carolina State University and director of theprivacyplace.org. Annie and Gary focus on privacy, airline privacy policies, the impact that a Google/Doubleclick deal would have on consumer privacy, and EULAs.

Show 016

Thu, 12 Jul 2007 16:37:00 -0700

The 16th episode of The Silver Bullet Security Podcast features Greg Hoglund, who runs the popular rootkit.com, is CEO of HB Gary, and coauthor of Rootkits: Subverting the Windows Kernel and Exploiting Software. Gary and Greg discuss the natural tendency of certain types of code to allow exploits, how disclosure is a good thing when it comes to revealing exploits, and the use of rootkits by the "good guys."

Show 017

Fri, 24 Aug 2007 14:02:00 -0700

Gary chats with Eric Cole, CEO of Secure Anchor. Eric has written seven books on computer security, including books on steganography and network security. Gary and Eric discuss how to demostrate security ROI in different types of organizations, the academic approach to security versus practitioner certification models, and what kinds of training makes for good network security practitioners. They also discuss the difficulty of certifying software developers.

Show 018

Wed, 26 Sep 2007 14:43:00 -0700

The 18th episode of The Silver Bullet Security Podcast has Gary talking with Eugene Spafford, better known as Spaf. Spaf is the executive director of the Center for Education and Research in Information Assurance and Security (CERIAS). They also discuss the role of software testing in computer security, whether commercial certifications obviate the need for academic training, ethical hacking, and why auditing and compliance is an area of emerging specialization.

Show 019

Thu, 18 Oct 2007 14:43:00 -0700

On the 19th episode of The Silver Bullet Security Podcast, Gary interviews Mikko Hyppönen, Chief Research Officer at F-Secure. Gary and Mikko discuss whether mobile viruses are all hype or a legitimate threat, if the iPhone as a closed system is good or bad for security, and Mikko's prediction for the appearance of the first mobile botnet.

Show 020

Mon, 19 Nov 2007 10:02:00 -0700

On the landmark 20th episode of The Silver Bullet Security Podcast, Gary interviews Markus Jakobsson, associate professor of informatics and associate director of the Center for Applied Cybersecurity Research at Indiana University. Gary and Markus discuss the difference between academic and corporate research, the idea of "perfect privacy," and how cartoons can be used to teach security.

Show 021

Thu, 24 Jan 2008 10:02:00 -0700

Gary hosts a panel discussion with Cigital's principals. Participants include Sammy Migues (Director of Training and Knowledge Management), John Steven (Principal Consultant), and Pravir Chandra (Principal Consultant). The group discusses several topics, including the best ways for large companies to get started with software security and�how much of the security testing burden should fall on QA.

Show 022

Thu, 24 Jan 2008 10:02:00 -0700

On the 22nd episode, Gary interviews Ed Amoroso, Chief Information Security Officer of AT&T. They discuss how Peter Neumann influenced Ed, the difference between bugs and flaws, whether bugs are getting too much attention, and the propensity for confusion around how security actually works.

Show 023

Wed, 20 Feb 2008 10:02:00 -0700

Gary talks with Chris Wysopal, founder and CTO of Veracode and author of The Art of Software Security Testing. Chris was one of the seven original members of the L0pht hacker collective (operating under the hacker handle Weld Pond) and later went on to work for @stake. Gary and Chris discuss the role of security researchers now versus in the mid-to-late 90s. They also talk about the current state of the software security market and its continued growth.

Show 024

Fri, 14 Mar 2008 10:02:00 -0700

Oracle Chief Security Officer Mary Ann Davidson is the guest on the 24th episode of The Silver Bullet Security Podcast. Gary and Mary Ann discuss how an MBA helps in the CSO role, Oracle's "Unbreakable" campaign, why everyone needs training in secure coding, and how military history informs computer security.

Show 025

Wed, 30 Apr 2008 10:02:00 -0700

Jon Swartz, USA Today's award-winning technology reporter and Pulitzer Prize nominee, is Gary's guest. They discuss Jon's new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity. Gary and Jon also cover how cybercrime is driven by capitalist principals and why the general public's attitude is so lax about software security.

Show 026

Thu, 15 May 2008 10:02:00 -0700

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft's Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam's current work, and the main ideas behind Adam's new book, The New School of Information Security. They also chat about Adam's aversion to the term "best practices," the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was the following the letter, rather than the spirit, of PCI.