Security Voices

Author: Security Voices


Description

There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time, we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.
66 Episodes
After 5 seasons, it’s curtain call for Security Voices. In this final episode, Jack and I reflect on half a decade of podcasting together through times that were extraordinary both for the world and for each of us personally. We discuss some of our favorite moments, most memorable guests, and the lessons learned from roughly 60 episodes of exploring the unique personalities and stories of cybersecurity. At around 40 minutes, our last pod is more short and sweet than a long, tearful farewell. The Security Voices website will continue to be up for the foreseeable future so that it can be happily devoured by generative AI and any humans sticking around who want to know what things were like in the beforetimes. Jack and I hope that we left the industry a little better than when we started this project back in the winter of 2019. Thanks for listening.
The ascendancy of India in Silicon Valley is undeniable. From top executives such as Satya Nadella (Microsoft) and Nikesh Arora (Palo Alto Networks) to leading investors, we’ve become well accustomed to working with, and often for, people who have immigrated from India. Given that the wave of immigration from India started decades ago, our Indian coworkers, investors and leaders are such an established part of the tech industry that we often give little thought to the cultural differences that underlie our daily interactions. Nonetheless, the move to remote work strips away much of the high-fidelity, in-person interaction that makes understanding each other easier, even if we were raised on different continents, speaking different languages, etc. In simple terms, while the stakes for understanding each other have never been higher, our actual means of communicating have gotten worse.

This episode of Security Voices combines the perspectives of two experienced security leaders, Ashish Popli of Spotnana and Jason Loomis of Freshworks, along with Jack and Dave. Ashish has been working in the U.S. since he completed his Master’s at Stony Brook in ‘02, whereas Jason took the role of CISO for the Chennai-based Freshworks a little over a year ago. Their combined perspectives provide a 360 degree view of both what it takes for an Indian security leader to adapt and how a Los Angeles-based security leader has navigated the unique challenges of having a team based in India. Jack explains how B-Sides conferences in India also bear the clear imprint of the country’s culture.

Over our roughly 60 minute discussion, Ashish and Jason share their stories of what works, what doesn’t, and perhaps most importantly, we explore the “why” behind those moments when something seems to be lost in translation. We hope you have a few “aha” moments like we did during the conversation and that this episode serves as a practical reminder that while much unites us in the tech industry, we can go even further when we understand and respect our differences as well.
The classic mindset of cyber security unmistakably originates from its early leaders: financial services, the defense industrial complex, and big companies that had too much to lose from ignoring what was called at the time “information security risk”. They tried to calculate largely unknowable risks to explain digital concepts to analog executives. They leaned on medieval metaphors such as castles and moats to make formerly arcane technology like firewalls understandable to people who had just gotten their first AOL email address. And Sun Tzu quotes were used to make it absolutely clear that we were in a war against a shadowy, determined enemy that demanded our attention (and a generously sized budget).

The cybersecurity landscape today bears little resemblance to those early days, but far too much of how we reason about our industry is still clearly traceable back to them. Kelly Shortridge’s Security Chaos Engineering is a sneakily titled book that has less to do with testing technical boundaries and much more to do with modernizing our headspace to accommodate the new, incredibly complex environment we find ourselves in today. Sun Tzu quotes are replaced by Ursula K. Le Guin and Buckminster Fuller. Jurassic Park analogies take center stage. Ice cream metaphors and decision trees supported by open source projects make the formerly esoteric approachable. Practical, even.

Our 1 hour conversation with Kelly covers many of the core ideas in the book she recently published along with Aaron Rinehart, centering on adopting a mindset of evaluation and experimentation. A common thread running through the dialogue is that of empowerment: we live in a privileged time where much of what we do now can be stress tested to build resiliency. And this is a far more sane approach given modern complexity than attempting to comprehensively model risk and prevent attacks. Cat and mouse? No, we and our adversaries are peers on equal footing who are capable of both offense and defense. The future, and the present for those who lean into it, is much more Spy vs. Spy than Tom and Jerry. We hope this dialogue takes you at least one step closer to it.
This past weekend, the New York Times posted an article explaining that the United States is scrambling to clean government systems after a deep, pervasive infiltration of the country’s infrastructure by the Chinese. Much like the Russian attacks on Ukrainian infrastructure, the intent appears to be to disrupt any U.S. action that would be a response to Chinese military action in Taiwan. The role of nation state actors in driving the threat landscape has brought us to a place where the lines between physical and cybersecurity are no longer blurry, but simply erased.

Galina Antova, founder and Chief Business Officer of Claroty, shares her expertise in operational technology (OT) security with us in an hour long interview in the latest episode of Security Voices. We begin by walking through the recent industrial security threat landscape with an emphasis on INCONTROLLER/Pipedream and discuss the impact of the Russian/Ukrainian war, tracing its origins back to a landmark attack in 2015.

Galina and Dave explain the uncomfortable truths about the current state of OT security, starting with the fact that, other than in nuclear energy facilities, air gaps are as common as unicorns and other mythological beasts. Galina explains why OT security teams necessarily have to operate with older equipment and more caution than conventional IT security teams. Further, while we have not seen massive infrastructure disruptions to date, the real reason behind this offers us little comfort.

In the second half of our interview, Galina describes her journey as a founder of Claroty and what it took to build a $100M ARR company over 8 years. For a category decades in the making with notoriously long sales cycles and risk averse buyers, she takes us through the playbook she and her co-founders used to establish a beachhead and expand into a global OT security juggernaut. We pinpoint why the pandemic was a breakthrough moment for OT security, catapulting solutions providers to new heights, and why this had little to do with new threats and everything to do with enabling digital transformation.

We bring the episode to a close with a dialogue on gender equity in cybersecurity and specifically how men can do their part by adjusting a couple of key assumptions when interacting with women in business.
"Any country that intervenes in Taiwan will face serious consequences, including cyber attacks."This statement in January by the Chinese Ministry of Foreign Affairs made clear that the United States must be ready to defend itself in what many assume to be an inevitable conflict over Taiwan’s independence. It begs the question, how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world?At the heart of the answer is the United States infrastructure: an interconnected web of both government and for profit companies that provide core services to the citizens. This public / private partnership is most evident where it matters most: energy and communications. Mary Haynes, Group Vice President of Charter Communications and industry cybersecurity veteran, has worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks. Our 72 minute conversation with Mary starts with how our communications industry is responding to the threat and the Biden administration’s somewhat unique approach. We explore two critical areas to mounting a credible defense: 1) Ensuring the security of consumer managed connectivity hardware and 2) Addressing traffic hijacking and route misadvertisements by shoring up BGP with RPKI. Throughout the conversation, we get a clear view into the combination of big picture thinking, technical acumen and diplomacy that have taken Mary to one of the top roles in defending the U.S. communications backbone.While the first part of the conversation discusses her and the communications industry’s readiness to defend against nation state adversaries, the remainder of our interview serves as a brief career retrospective for Mary as she plans to start her transition into retirement later this year. 
On the topic of dealing with seismic technology shifts, she reflects on our response to the public cloud and how that should inform the cybersecurity industry’s response to the current advancements in artificial intelligence. As we wrap up, Mary explains where we’ve made progress with regards to diversity and her advice for women considering a career in cybersecurity. Mary’s optimism and clarity of vision leave a strong impression throughout the dialogue; we wish her the very best as she moves from leader and practitioner to advisor and board member later this year.
The breakaway success of ChatGPT is hiding an important fact and an even bigger problem. The next wave of generative AI will not be built by trawling the Internet but by mining hoards of proprietary data that have been piling up for years inside organizations. While Elon Musk and Reddit may breathe a sigh of relief, this ushers in a new set of concerns that go well beyond prompt injections and AI hallucinations. Who is responsible for making sure our private data doesn’t get used as training data? And what happens if it does? Do they even know what’s in the data to begin with?

We tagged in data engineering expert Josh Wills and security veteran Mike Sabbota of Amazon Prime Video to go past the headlines and into what it takes to safely harness the vast oceans of data they’ve been responsible for in the past and present. Foundational questions like “who is responsible for data hygiene?” and “what is data governance?” may not be nearly as sexy as tricking AI into saying it wants to destroy humanity, but they arguably will have a much greater impact on our safety in the long run. Mike, Josh and Dave go deep into the practical realities of working with data at scale and why the topic is more critical than ever.

For anyone wondering exactly how we arrived at this moment where generative AI dominates the headlines and we can’t quite recall why we ever cared about blockchains and NFTs, we kick off the episode with Josh explaining the recent history of data science and how it led to this moment. We quickly (and painlessly) cover the breakthrough attention-based transformer model explained in 2017 and key events that have happened since that point.
Continuing from our dialogue with Tomás Maldonado, who has the unique job of securing the NFL, we have a conversation with Allen Ohanian, whose day job is to protect the Los Angeles Department of Child and Family Services (DCFS). LA DCFS is the largest agency of its type in the United States; its central focus is its 10,000 social workers who help defend some of the most vulnerable people in Southern California. Allen’s role as CISO of the DCFS is to make sure that both the social workers, and all of the highly sensitive family data, stay safe and sound while they navigate some of the most complicated scenarios you can imagine. The army of people working in cybersecurity chartered with this mission? 5 people strong. Welcome to the government.

When you’re outnumbered 10,000 to 5, the name of the game is leverage. Allen explains how his team harnesses cloud services in order to amplify their impact, such as migrating from their own facilities to services such as AWS Call Center. Beyond the cloud, his primary approach is treating humans as the first and last line of defense, aiming to ensure they keep themselves and their data out of trouble. Allen’s belief in this approach is deep enough to motivate him to pursue a PhD in psychology. He’s also no stranger to traditional security controls, having clamped down on USB drives and restricted the iPhones that power social worker data collection in the field. Lastly, partnerships with law enforcement and the major cloud providers also allow their small cybersecurity team to extend their reach.

In this short interview, Allen describes the unique threat model of the DCFS and how ultimately it ends up with concerns that bear a strong resemblance to critical infrastructure, where availability is the top priority. Urgent, critical calls from children and families in crisis simply have to get through. Social workers must be kept safe. No exceptions.

We hope that this interview with Allen provides a much needed window into the practical challenges of running cybersecurity for a large-scale government agency. Mission-driven CISOs like Allen work long hours against seemingly impossible odds for pay that’s far less than their commercial counterparts. We owe them a debt of gratitude and, where we can, a helping hand.
After 2 decades of trying to make SIEMs work, security data lakes are a hot topic as they present an increasingly attractive alternative. The only hotter topic is ChatGPT and the game changing potential of AI. So in episode 52 of Security Voices, we mash the two together as Dave, Pathik Patel (Informatica), and Omer Singer (Snowflake) explore the many angles of security data lakes with an AI assist from ChatGPT.

From a functional definition to dishing on whether security data lakes signal the death of the SIEM, ChatGPT weighs in impressively early in the episode. Its later performance is much more suspect, seemingly gassing out under the pressure of harder (more poorly formed?) questions and likely a knee-buckling workload from millions of others testing the service simultaneously. The humans go on to discuss the real-time expectations for SIEMs vs. the “single source of truth” nature of security data lakes, which leads to an exploration of product “suites” vs. specialized services and the promise of the data lake to potentially unify them all.

The week prior to the recording saw the announcement of both the Open Cybersecurity Schema Framework (OCSF) standard and AWS’ new Security Data Lake offering built on top of S3. We discuss the implications of AWS entering the space and what it means for already entrenched companies like Snowflake and Splunk. Pathik explains the significance of OCSF for security leaders and his projection of how important it will be for alleviating vendor lock-in and ultimately boosting our ability to provide strong security analytics.

The practical realities of building and running a security data lake are clearly described from Pathik’s experience at Informatica, focusing on harmonizing and reporting on vulnerability data. He makes plain the amount of work involved, and the clear benefits of piggybacking off the company’s existing data lake.

The episode wraps with ChatGPT refusing to say anything further while Omer and Pathik take turns doing some end of year crystal ball gazing.
The winds of change are always blowing in cybersecurity, but there are moments when they reach gale force: when the landscape is reshaped dramatically by an event that hits us like a hurricane, changing how we feel about our jobs, our industry, and perhaps even shaking our resolve to continue on in the same career path. When Joe Sullivan, former head of security for Uber, was found guilty of concealing a breach in early October, the effect was immediate. No matter how you felt about Joe or the court case itself, the implications for security leaders, and especially those at public companies, were clear: you could now face criminal charges for mishandling a breach. Fines, jail and likely never being employed again in cybersecurity.

This episode of Security Voices is a roundtable format with Jack, Dave and 3 security leaders: Justin Dolly, Myke Lyons and Bob Fish. All have a broad range of experiences and together represent a combined 70+ years in cybersecurity. Our focus throughout the ~80 minute conversation is not dissecting the Joe Sullivan case, but discussing the implications for security leaders. Will CISOs insist on having their own outside counsel in the future? How much insurance is now the right amount and type for a security leader? Does this alter our approach to social media, knowing that everything we say could have very serious implications?

A clear picture of the unsettling impact of recent events emerges from the dialogue: the conviction of Joe Sullivan makes us feel less safe as security professionals. For an industry that is often accused of tribalism and secrecy, this event profoundly raises the stakes of how we communicate, threatening to drive important conversations even further into ephemeral messaging and private Slack rooms. In these quiet locations we can ask honest questions such as whether the modern CISO is simply being set up to fail given perennially undersized budgets, too small teams and the now outsized consequences of data breaches.
In cybersecurity, we have teams focused on managing vulnerabilities. We have SOCs who spend their days obsessing over threats. App sec teams. Data privacy teams. In the typical, modern cybersecurity team, we have exactly zero people focused on helping humans defend themselves and the organization, in spite of a massive increase in scams and fraud that are squarely aimed at tricking people into making bad decisions. Are we really more at risk from a new foreign adversary or CVSS 9 vulnerability than we are from an executive or someone in Finance being deceived by a scammer? Enter Behavioral Engineering. A new-ish discipline introduced by forward leaning cybersecurity teams that recognizes the pivotal role that humans and key behaviors play as part of our overall security posture. What do we mean by key behaviors? How we share sensitive information. What we do when we authenticate. How we react when we see something suspicious. And so on.

In this episode of Security Voices, Jack and Dave interview the Behavioral Engineering (BE) team of Robinhood, Masha Arbisman and Margaret Cunningham, as well as the CISO, industry veteran Caleb Sima. In this roughly 60 minute session we establish a clear definition for BE, explain how it works in the real world and how it contrasts with commonplace practices such as “name and shame” benchmarking of vulnerability remediation progress. We’ll also clarify why security awareness training often sucks and how BE addresses historical security program deficiencies.

Before wrapping up with practical advice on how and why to get started with your own BE program, we learn why you should never say that humans are the weakest link. And why you probably should actually click on things. Lots of things. And just tell someone about it afterwards if it went funky.
Imagine you’re walking past the sports book in Las Vegas. People are betting on baseball, horses, and the usual fare. Something catches your eye, you look more closely and you can’t believe your eyes. People are betting on whether or not you’re going to fail at doing your job this week!

While this may sound far-fetched, this exact scenario played out for Tomás Maldonado, the then freshly minted CISO of the National Football League, when the 2020 NFL Draft shifted to a virtual format unexpectedly due to the pandemic. Across Las Vegas, people were betting on the probability of a cybersecurity event disrupting the draft, the exact type of incident Tomás was hired to prevent. Our hour-long conversation with Tomás goes deep into the unique nature of “defending the shield” at the NFL, from concerns about drones at the games themselves to the elaborate planning that goes on before keystone events like the Super Bowl. He gives us a window into the extent of information sharing across sports leagues that all face a combination of physical and cyber threats unseen in most areas of the security industry.

Tomás explains how his pedigree at Goldman Sachs and 17 years in cybersecurity in financial services and beyond prepared him for his position at the NFL, where he’s responsible for protecting all 32 teams, who are equally customers and partners to his team. Beyond his current work, Tomás and Dave discuss not only what makes a great career but how to leave a legacy that outlives your time in the field so that your fingerprints remain long after you’ve hung up your cleats.
First, a confession: this is the last episode we would have envisioned when we started Security Voices. Compliance was as mundane as it is mandatory; where’s the fun in that? Where’s the untold, fascinating story of the person who summited the tallest mountain? Rose from ashes to improbable success? In the short years that have passed since we started in early 2019, the world has changed dramatically. And so has compliance. From driving cyberinsurance premiums to becoming the security baseline for even startups to achieve in their early days, compliance is now an undeniable juggernaut. While SOC2 defines the scope of many companies’ security gameplans, GDPR and its kin drive how we respond to breaches, whereas industry specific mandates influence what data we have, how we defend it and even where we store it.

In this episode, Jack and Dave welcome both Abby Kearns and Shrav Mehta to demystify exactly what’s happening in the world of compliance from 2 unique perspectives. Abby speaks from her work on software assurance as CTO at Puppet (and beyond), whereas Shrav’s angle is that of a compliance startup CEO. Plainly stated: code on one side, standards and certifications on the other. Both increasingly important and horribly complex.

This 4 person dialogue traces the roots of compliance back to the early days of security and the inception of PCI DSS, one of the first widely impactful compliance initiatives to hit the industry. We chart the course of compliance to today and unpack where it has had meaningful impact… and where it is mere box-checking theater we could do without. In a similar fashion, we examine the path to software compliance today and the inevitability of automation given the dramatic changes in release speed and frequency. Abby provides a sober take on where we are today, including a dialogue on what it means for response to threats such as Log4shell.

If you’re a longtime listener, this episode connects back to so many of our past interviews, from Carey Nachenberg (supply chain security) to Andy Ellis (compliance perspective) and Nand Mulchandani, who recently became CTO of the CIA. We hope you appreciate the references if you already heard these episodes, and if you haven’t, consider giving them a listen as they’re some of our favorites and pass the test of time with flying colors.
For the second episode in a row, we’ve caught a seasoned entrepreneur at that perfect moment when they’ve started a new company but still have time for a conversation before their new adventure kicks into high gear. Oliver Friedrichs, founder of several security companies including Immunet and Phantom, joins us to talk product strategy as he embarks on a new journey to disrupt the security industry once again with his new venture Pangea.

The most critical, first question for any young company is “what are we making?” And equally important is the follow-on question of what category the offering fits into, or how people should think about it. Is it a better version of something that exists? A new type of something that’s meaningfully different? Or is it an entirely new category of product they’ve never seen before?

Oliver and Dave discuss examples of each type of strategy from their own experience and the industry in general. The “better mousetrap” approach is covered with examples from antivirus and more recently cloud security posture management. We discuss when it is a good time to “next gen” a category to revitalize it and return it to growth. Examples here include Palo Alto Networks firewall and Vulnerability Management (from its early days as vulnerability assessment). Oliver and Dave call out the fatal mistake so many market incumbents make that results in them missing out on a refresh cycle.

Creating new categories dominates our conversation and we explore Oliver’s case study of Phantom in depth. We start by explaining the core principles of a new category and lay bare some indicators that a product group hasn’t yet made the leap to a full blown category. Oliver then shares the spark of an idea that led him to found Phantom as the first SOAR, followed by how he built the boundaries for their product and ultimately the companies that followed their lead as the first mover. While most of our time is spent discussing what worked and didn’t from a product perspective, Oliver also shares his go-to-market playbook, including what he will avoid this time around and what he intends to do again with Pangea.

We wrap up with a quick look at the future of SOAR and Oliver shares an early peek at what he’s building now at his new company. This episode is perfect for early cybersecurity companies looking for product advice, product professionals wrestling with category questions, or anyone who wants to listen in on a dialogue between 2 industry veterans geeking out on product.

Bio

Friedrichs serves as Founder and CEO of Pangea. Prior to Pangea, Friedrichs served as Vice President, Security Products at Splunk, driving the vision and direction of Splunk’s security portfolio. With a record of building four successful enterprise security companies over the past two decades, Friedrichs founded and served as CEO of Phantom (creators of the SOAR category, acquired by Splunk), was founder and CEO of Immunet (early innovators in the cloud EDR category, acquired by Sourcefire/Cisco), and co-founded SecurityFocus (creators of Bugtraq and DeepSight, the world's first Internet early warning system, acquired by Symantec) and Secure Networks (one of the industry's first vulnerability management solutions, acquired by McAfee). Friedrichs also architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and a recipient of 33 patents.
2+ years to interview Alfred Huger wasn’t too long to wait. After spending 8 years at Cisco following the acquisition of SourceFire, Al recently departed the networking giant to do his 4th startup in as many decades. Unbound from the usual PR police, Al candidly speaks on a wide range of topics, from why he has stayed at companies long past acquisition to how to distinguish between a miserable and a winning acquirer. Having raised venture capital funding from the 90s until now, Al’s experience charts a timeline of what’s happened to cybersecurity funding over the last 4 decades. From hardscrabble early days to today’s megarounds and eyepopping valuations, Alfred explains how he’s raising funding for his new company and why even a successful entrepreneur is not likely to bootstrap their business on their own funds alone.

Al shares his playbook for spotting the right product ideas along with some blunt words of caution for those excited about the latest industry analyst report. While cybersecurity veterans critiquing reviews and analysts is by no means novel, we go beyond an explanation of the negative implications to a new development from an unexpected place that is improving transparency and the industry in general. And that marketing plan? Al explains how it starts with your product and not your website.

If you’ve ever thought about starting a cybersecurity company and wanted to sit down with a “been there, done that” serial entrepreneur for a clear-headed, no nonsense dialogue, this episode is for you.
Let’s say it’s 2012. And you’re graduating Stanford with a comp sci degree. You could go to Google, Facebook or any of a number of well-paying emerging juggernauts. If you’re Frank Wang, you move across the coast and do your PhD in cybersecurity at MIT.

Now you’re doing your PhD. And you make pals with a local VC. So naturally, you start a cybersecurity incubator as an academic (Cybersecurity Factory) which churns out companies such as Huntress Labs.

Your PhD is in the bag now and you’re ready to start making money. Time to apply all of that theory from academia in a company, right? Wrong. If you’re Frank Wang, you become a VC at Dell Capital.

It’s the middle of the Covid pandemic and VC is going bonkers. Massive amounts of capital being allocated in a frenzy unlike anything we’ve seen in decades. If ever. Rather than joining in the party, Frank sees it as a clear signal that it’s time to move on and becomes a security engineering leader at modern data stack company DBT. Now that you’ve got a comfortable job at a high flying tech company, it’s time to take your foot off the gas pedal, right? Do your part and ride it out through a lucrative exit. Frank saw this as the time to step up his side hustle instead and start the popular blog and newsletter, Frankly Speaking.

The conversation is a little over an hour of Dave exploring the career arc of Frank to date and what he’s learned while blazing his own, unconventional trail through cybersecurity. The unique road he has traveled lends him perspective for those who want to better understand VCs, running a side business, or simply what happens when you ignore conventional wisdom and have the courage to make your own path.
Hidden bunkers, stacks of canned food and piles of artillery. Disaster preparedness has become an Internet meme and these are some of the “prepper” community’s showcase images. But most of us who have lived through the recent pandemic, the Capitol insurrection on January 6th and more no longer take the threat of a major disaster lightly. For those of us not willing or able to dig out a backyard bunker, is there a rational middle ground where we can feel well-prepared for whatever comes next?

Software security legend Michal Zalewski (lcamtuf) answers this question and many others in his third book, Practical Doomsday: A User's Guide to the End of the World. Using familiar threat modeling principles, Michal explores everything from evacuation gear and bulletproof vests to the genuine probabilities of civil war and a zombie apocalypse. In what can only be described as an unbelievable coincidence, Jack and Dave’s hour long interview with Michal was recorded the same day Silicon Valley Bank collapsed and was taken into government receivership.

In spite of the understandably dire subject matter, Michal’s equal sense of optimism and pragmatism steers us towards the middle path of rational risks and what a “normal” person should consider doing to be ready. It’s not nearly as hard as you might think and the peace of mind gained was well worth taking a hard look at the worst case scenario.

This interview is nearly cleanly separated into two parts as we focus on the opportunity and threat of artificial intelligence around the 32 minute mark, starting with Michal’s approach to writing. The real threat of generative AI to drive truly deceptive attacks takes center stage as we explore how the ability to easily generate compelling documents, images, video, etc. may make it nearly impossible to distinguish between reality and a scam.

No conversation on AI and threats seems to be able to avoid mention of the singularity threat; however, Michal keeps true to form and narrows in on the much more likely “paperclip problem” of mundane AI optimizing humans out of existence. This was one of our favorite episodes in ages; we hope you enjoy it and learn as much from it as we did. We also hope you got your money out of SVB, just like Dave did the week after this was recorded. Stay safe.
There are few people, if any, who have given more of themselves to the cybersecurity community than Lesley Carhart. Our conversation with Lesley came immediately after the 3rd annual PancakesCon, a free conference she conceived with a unique “20 on, 20 off” format that celebrates who we are outside of work as much as what we accomplish as security professionals. In the fashion of a person who is both an incident response expert and a community organizer, the conference was pulled together in a frantic 11 days after Omicron wreaked havoc on winter conference schedules and Lesley saw a gap that needed to be filled.

Having joined the Air Force Reserves just before 9/11 with the intent to become an airplane mechanic, Lesley has spent her career balancing military service with “the usual” pressures of working in cybersecurity. She explains how she juggled her civilian and military life for 20 years up until her recent retirement as an Air Force Master Sergeant. Lesley recaps her two decades of service while laying out the good, the bad and the misconceptions for any who would follow in her footsteps.

Alongside her cybersecurity day job and military service, Lesley also actively practices and teaches martial arts to children. We explore what motivates her passion for serving those around her, focusing on her early difficulties breaking into the cybersecurity industry in spite of having had her first programming job at the age of 15. Lesley, Jack and Dave conclude with a hopeful dialogue on what more we have to do to create a truly diverse and supportive cybersecurity community, and how it might be the key to finally resolving the current staffing and burnout crisis.

Bio

Lesley Carhart is a Principal Industrial Incident Responder at the industrial cybersecurity company Dragos, Inc. She has spent more than a decade of her 20+ year IT career specializing in information security, with a heavy focus on response to nation-state adversary attacks. She is recognized as a subject matter expert in the field of cybersecurity incident response and digital forensics.

Prior to joining Dragos, she was the incident response team lead at Motorola Solutions. Her focus at Dragos is developing forensics and incident response tools and processes for uncharted areas of industrial systems. She is also a certified instructor and curriculum developer for the Dragos “Assessing, Hunting, and Monitoring Industrial Control System Networks” course.

She has received recognition such as DEF CON Hacker of the Year, a “Top Woman in Cybersecurity” from CyberScoop and “Power Player” from SC Magazine, and is a 2021 SANS Difference Makers award nominee.

In her free time, Lesley co-organizes résumé and interview clinics at several cybersecurity conferences, blogs and tweets prolifically about infosec, has served for 20 years in the USAF Reserves, and is a youth martial arts instructor.
Your fledgling startup has just been sued by one of the most powerful companies in the world. How do you defend yourself? And keep your company afloat?

This was the challenge faced by Amanda Gorton, CEO of Corellium, a company whose virtualization platform enables efficient mobile security research and quality testing across a massive variety of devices. Sued by Apple for both copyright infringement and violation of the Digital Millennium Copyright Act (DMCA), Amanda was thrust into an exhausting balancing act of defending and running her young business at the same time. In this episode of Security Voices, she shares the details of how she survived and successfully defended her company.

Dave and Amanda go beyond the lawsuit and into the tricky territory of companies like Corellium that provide a service whose sales process must be governed by a clear sense of ethics to keep it from falling into the wrong hands. She shares the real-world challenges of developing and applying such a policy in a company, and while it may be uncomfortable to trust a small company with such a weighty responsibility, they just might be the very best option we have.

We explore the complicated nature of the DMCA in a world that has changed dramatically since its anti-Napster-driven inception back in the late 90s. From the NSA’s release of Ghidra to Web3, we muse on the future of the DMCA, whose relevance seems to be slipping into the history books.

Bio

Amanda Gorton is co-founder and CEO of Corellium, which provides an Arm-native cloud platform that virtualizes mobile and IoT devices across iOS, Android, and Linux. Corellium enables never-before-possible security research, development, and quality testing of apps, firmware, and hardware on Arm. Previously, Gorton co-founded and was the CEO of security startup Virtual, which was acquired by Citrix in 2014. She earned a degree in classics from Yale University.
What if there was someone who could take all of the best security research over recent months and distill it down into the greatest hits? Sort of like a Spotify “Release Radar”, but for the best talks at conferences. There is. It’s not in Blinkist. It’s (back) at ThinkstScapes after a multi-year hiatus. And it’s now gloriously free.

This episode of Security Voices covers the return of ThinkstScapes with Jacob Torrey, who led the reboot of the now-quarterly report. In the interview with Jack and Dave, Jacob explains how he and the team at Thinkst devour and summarize the very best security research from thousands of presentations and hundreds of conferences across the globe.

Jacob starts with one of his favorites, which focuses on an innovative research project not from a startup or researcher, but from a multi-decade antivirus company that went all in on an industrial control system honeypot project. From there we cover ground that ranges from speculative execution vulnerabilities to a spate of embedded vulnerabilities, including a Hollywood-style attack using laser pointers to compromise voice-activated devices such as Amazon’s Alexa. In continuity with our last episode with Frank Pound, we also discuss a TCP timing attack that threatens to allow eavesdropping over satellite base station connections.

Look for our next episodes to resume their normal, monthly cadence, as we’ve found a means of streamlining our audio production and we now have a recording waiting in the wings. Enjoy the show!
Hundreds of inexpensive satellites are now regularly launched into space through SpaceX’s Smallsat Rideshare program. Some are sophisticated and commercial, others are DIY and experimental. They share space with over 3,000 other artificial satellites now orbiting the Earth. What could possibly go wrong?

Frank Pound joins Jack and Dave for a conversation to answer the question of just how hackproof satellites really are and why it matters, starting with the Hack-a-Sat competition. Hack-a-Sat is an intensive capture-the-flag style competition, currently in its second year, where teams square off against one another to break into and defend satellite tech. Along the way, we learn that doing so requires encounters with strange software, strange hardware and not a small amount of hard math.

The best-known, most visible satellite hack dates back to the 1980s and involves a broadcast takeover around Thanksgiving by a man wearing a Max Headroom mask, which ended in a spanking, but no real harm done. Jack and Dave explore the attack surface of satellites with Frank to find out where the next attack is likely to be when it happens. Along the way, we discover the Hubble Telescope’s terrible secret: ancient JavaScript in its belly that’s likely kept on life support by some unfortunate government contractor.

Throughout the hour-long conversation with Frank, one gets the impression that we’re still in the early days of satellite hacking. However, the breakneck pace at which satellites are being launched and their considerable potential vulnerability to cyber attacks point in the direction of a lot more than simply Max Headroom interruptions and GPS whoopsies in the future.