Never Mind the Ears, Here’s Security Nation

Post Syndicated from Tod Beardsley original https://blog.rapid7.com/2022/12/21/never-mind-the-ears-heres-security-nation/

It’s another year down and another season down for Security Nation. With the close of our fifth season, I wanted to take a minute here to reflect on who we spoke with and what we talked about. The show titles focus (as you would expect) on the individual interview subjects, but there’s a bunch of good stuff in there on fresh-at-the-time news stories, published papers, and other goings-on in the cybers.

The Theme: Open Source Security

We set out with an aim to focus on open source security in 2022, and we kind of succeeded!

In Season 5, we talked to:

  • Fyodor, aka Gordon Lyon, about the 25th (!!) anniversary of nmap. I admit, I got a little misty on this one. We’ve been pals with Gordon for a while, and he has had a weirdly outsized influence on my career—stretching back to the 1990s. If you weren’t aware, peak infosec was 1996-1997, so if you want some historical perspective on this crazy industry, you could do worse than starting with nmap.
  • Curt Barnard, about Defaultinator. On the other end of the historical spectrum, we talked to Curt about Defaultinator, which a) should be pronounced in a Doctor Doofenshmirtz style, and b) is an open source solution for tracking default credentials across all sorts of things, released at Black Hat Arsenal in 2022. It’s also secretly a pure-Javascript implementation of the Common Platform Enumeration dictionary, and it’s extensible to cover your own custom CPEs. Check it out!
  • Steve Micallef, about Open Source Intelligence (OSI). While there’s an open source community around SpiderFoot, we talked mostly about the kinds of things you can find out in the world and how it can help on all sorts of cyber investigations. Since we recorded this, SpiderFoot got itself acquired by Intel471, so congrats on that!
  • Phillip Maddux, about HoneyDB, which is a fun and educational way to get yourself in the business of setting up and maintaining an extensible honeypot network. It’s pretty neat, and you can get started with his Honeypots 101 blog.
  • Jim O’Gorman and g0tmi1k (aka Ben Wilson) on Kali Linux, which is pretty much the standard all-the-bells-and-whistles-and-drivers Linux distribution for offensive security. Kali Linux is a massive undertaking, and is a great way to get exposure to a whole lot of security tooling all at once. It’s coming up on its 10th anniversary, if you don’t count Backtrack Linux (but you should, and that’s from 2006).
  • Kate Stewart, about the Linux Foundation. Honestly, you can’t get much more open sourcey than the LF, and Kate is here to talk specifically about how open source is literally all over the place in all kinds of embedded systems we depend on for, well, everything.
  • Matthew Kienow on Recog, which is central to Rapid7’s open source strategy. Recog gives practitioners standard and quality-checked methods to fingerprint devices all over the internet, is integrated in pretty much every Rapid7 product, and is super fun and easy to contribute to. Even a tourist like me is able to contribute! Plus, it’s multilingual, with implementations in Ruby, Java, and Go, which is quite a feat for an open source project.
  • Mike Hanley, about GitHub’s unique role as a platform for zillions of open source projects, and how they help make the open source world a better place with projects like Dependabot. We also talked to Mike about the nuance and peril that comes with running a hugely popular platform and how they deal with hosting live exploit code (which, in turn, does help researchers, but also can help bad guys). It was the first interview of the season, and really, one of the best. Check it.

Also: Not Open Source

While that’s a pretty thorough bullet list of open source punditry, it’s only eight episodes out of 22. In Season 4, we talked to quite a few government and government-adjacent people, and this year, we managed to rope in more of them, such as Chris Levendis from MITRE (along with Lisa Olsen from Microsoft), Pete Cooper and Irene Pontisso from the UK Cabinet Office, and Bob Lord of CISA (and formerly of the DNC).

We also talked to a bunch of in-the-field practitioners, like John Rouffas, CISO at Intelliflo, Amit Serper, Director of Security Research at Akamai, David Rogers of Copper Horse, Whitney Merrill of the Crypto & Privacy Village, Jacques Chester of Shopify, Taki Uchiyama of Panasonic, and James Kettle of PortSwigger.

TODO: Academics

Finally, we talked to Omer Akgul and Richard Roberts, both of the University of Maryland, about their paper, “Investigating Influencer VPN Ads on YouTube.” This was a super fun paper I stumbled across while researching for a Rapid Rundown segment a few weeks earlier, and I have to say, we don’t talk to academics nearly enough.

We have our own conferences and paper submission norms and all that here in cybersecurity, but we would do well to pay more attention to formal academic research when it comes to the pressing issues of the day. Hopefully in Season 6 of Security Nation, we can spend a little more time in the cloistered halls of academia, and bring some of that discipline and rigor back to the hack-as-you-can world of infosec.

Thanks For Listening!

If you’re among the dozens listening to Security Nation, thank you so much for listening! If this is all news to you, just head on over to securitynationpodcast.com and binge on your next road trip. It’s the holidays, after all, and podcasts are a pretty great way to pass the travel time. And, have a great New Year! 2023! It can’t possibly be worse than the last few!