Liquidmatrix Security Digest Podcast – Episode 63

Episode 0x63

May The Forth Be With You!

Dave’s here. Wil’s here. Matt’s here. Ben’s here. I’m here. There’s a guest (or two) HOLY CRAP IT’S A REGULARLY SCHEDULED LIQUIDMATRIX PODCAST. Also, Dave claims he’s fixed the website – we’ll see how that goes.

Upcoming this week…

1. Lots of News
2. Breaches
3. SCADA / Cyber, cyber… etc.
4. finishing it off with DERPs/Mailbag (or Deep Dive)
5. And there are weekly Briefs – no arguing or discussion allowed

And if you’ve got commentary, please sent it to mailbag@liquidmatrix.org for us to check out.

DISCLAIMER: It’s not that explicit, but you may want to use headphones if you’re at work.

ADDITIONAL DISCLAIMER: In case it is unclear, this is the story of 5 opinionated infosec pros who have sufficient opinions of their own they don’t need to speak for anyone except themselves. Ok? Good.

In this episode:

• News and Commentary
1. Lessons Learned from the Java Deserialization Bug (
   Apache Nose Job that Ben mentioned – everything old is new again)
2. Let’s talk a bit about privacy on Tor
3. Baby Monitors live in New York!
4. 2016 Social Security Blogger Award Voting is Open Now
5. Security Firm Norse Corp. Imploding
   Threat Butt
• Breaches
1. Let’s just assume that there have been some.
• SCADA / Cyber, cyber… etc
1. The Muricans are invading Canada’s all bran fibre (h/t @ultramegaman)
2. Israel got hacked by the NSA and James Bond
3. Go get your prescriptions from these guys
• Curmudgeon’s Corner
1. The latest from Internet Curmudgeons — tonight Spacerogue – YES THAT SPACEROGUE!
• DERP
1. Developers Accidentially Ship Dropbox and Gmail Logins – Motorola
2. HSBC succesfully defends against DDoS but is offline
3. Security researcher finds ‘backdoor’ to MediaTek processors
4. Tavis wrecks Comodo
• Mailbag

1. Gentlemen,

   First let me say how happy I am that the Liquidmatrix podcast is pushing out new episodes in 2016. I look forward to listening more.

   That said I find I must take exception to the “Mailbag” commentary in Episode 61.

   <rant>

   What definition of “enterprise” are you using?

   I will heartily endorse that Matt is an “awesome” hacker and that the toolkit he is building at the startup he’s at is likely totally awesome. But in what world is a startup also an enterprise?

   Startups use homebrew and open source systems because they are cash-short and it makes more business sense (meaning a combination of financial, risk, compliance, and resource sense) to build versus buy.

   But any true enterprise CISO that used a SIEM built by one of their team members is (using the language of the kids today) “smoking crack”.

   Why? Allow me to expand the thought.. Assume Matt works for me at an $8B company and I adopted the SIEM platform he developed versus using MSSP or SIEM…

   1. As the company grows the amount of time Matt will need to spend building connectors and enhancing the system will continue to grow. Matt will need to take time away from actual security (which is what I hired him for in the first place) and act more like a developer than a security staff member. Is that the best use of his limited time? I doubt it.
   2. Some compliance regimes (yeah, I know, I can hear the complaints now but at the enterprise level this stuff matters) require systems you rely on for security to “have support”. I’m not a development shop! I do security for a company that makes widgets! Crap – now I have a finding in my external audit and my PCI assessor is twitching.
   3. What happens when Matt gets bored (and he will – all good hackers do after a period of time) and leaves the company? Who’s going to support this thing? Now I have to go find an equally awesome hacker (not an easy prospect these days) and hope they can support this now critical piece of security infrastructure. There is a very real possibility that the system will degrade into a useless piece of crap before I can find someone to take over… That’s potentially devastating as I have *nothing* to fall back on.

   Are you seriously asking me to sign up for this amount of risk? REALLY?

   </rant>

   Homebrew and open source security tools have their place and properly used are likely viable solutions in the startup/SMB space. Use in a true enterprise, IMO, is likely going to add so much risk that the cash expense of $VENDORPRODUCT is very much worth it.

   Keep up the good podcast work, y’all. I look forward to more episodes.

   Martin Fisher

• Briefly — NO ARGUING OR DISCUSSION ALLOWED
1. Michael Geist on the TPP
2. Internet Link Tester / Validator w/ Raspberry Pi (or any Linux)
3. Maximum Absorbency Garment
4. Bill Clinton has used email once or twice. Nope just twice.
5. Safe Harbour 2 is here
6. Google’s Vulnerability Reward Program paid out more than $2 million in 2015
• Liquidmatrix Staff Projects — gratuitous self-promotion
1. Messages from our Sponsors
2. We really need to have more projects
• Upcoming Appearances:  — more gratuitous self-promotion
1. Dave: – RSA, ATLSECCON, NAB, Interop, Bill’s thong shop
2. James: – Currently nothing till Vegas.
3. Ben: – At home
4. Matt: – RSA? Maybe? Come buy me beer during SXSW
5. Wil: – Waiting to take OSCP…
6. Other LSD Writers: – Apparently bloggering…
7. Closing Thoughts
1. Seacrest Says: Out.

Download the MP3

Listen:

Subscribe to us using plain old

Also, we’re now available through

Creative Commons license: BY-NC-SA