The 32nd episode of The Silver Bullet Security Podcast features founder and Chief Technology Officer of WhiteHat Security, Jeremiah Grossman. Gary and Jeremiah discuss clickjacking, cross-site request forgery, why 50% of web problems can’t be discovered reliably automatically, and which conferences Jeremiah most enjoyed on his 2008 world tour.

• Jeremiah Grossman
• Clickjacking
• Adobe 0-day Browser Exploit
• Cross-Site Request Forgeries: Exploitation and Prevention [PDF]
• Web Spoofing: An Internet Con Game by Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach.
• Web application scan-o-meter
• The “Wall of Fame”

Jonathan Zar joined me a week later on Blue Box Podcast #2 and we've been going ever since. We've now produced over 112 episodes, had close to 245,000 downloads of our various shows, met some amazing people, learned a lot along the way... and hopefully helped you all learn a lot out there as well.

Thank you to all of you who have joined with us on this journey... whether you've listened to our show from the very beginning (and we know of a couple of you who have) or have only recently joined in... thank you!

And now... on to the next three years... :-)

Technorati Tags: blue box, bluebox, dan york, danyork, jonathan zar, security, voip, voip security, voipsa

On the 31st episode of The Silver Bullet Security Podcast, Gary talks with Matt Bishop, professor of Computer Science at UC Davis and author of the book Computer Security: Art and Science as well as many peer-reviewed papers. Gary and Matt discuss Matt’s plan to work security analysis and secure coding into a wider computer science cirriculum, Matt’s early work with Mike Dilger on TOCTOU, whether or not progress is being made in the field of software security, and the role of training in large-scale software security initiatives. Their chat closes with a mention of Matt’s home menagerie (which does not include any one-legged chickens at this time).

• Matt Bishop
• IEEE Security & Privacy Magazine
• Computer Security: Art and Science
• Silver Bullet Security Podcast interview with Dorothy Denning
• Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (the “Ware Report” referred to in the podcast)
• Secure Computer Systems: Mathematical Foundations - The Bell Lapadula model [PDF]
• Secure Computer System: Unified Exposition and Multics Interpretation [PDF]
• Testing C Programs for Buffer Overflow Vulnerabilities - Eric Haugh, Matt Bishop [PDF]
• TOCTOU
• Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger
• “The Song of the One Legged Chicken”

On the 30th episode of The Silver Bullet Security Podcast, Gary talks with Ken van Wyk, principal and founder of KRvW Associates. Ken was the first employee of CERT and has been an active member of FIRST. Ken and Gary discuss why the discipline of computer science doesn’t learn from failure like mechanical engineering does, how we’re making steps backwards in computer security, whether focusing on web applications is a good or bad thing for software security, and Ken’s recommendation for moderately-priced red wines.

• Ken’s personal page
• KRvW Associates
• CERT
• FIRST
• Secure Coding
• Incident Response
• SC-L mailing list
• From the foreword to Secure Programming with Static Analysis - blog entry with photo of Tacoma Narrows Bridge
• TJX’s stock increase since the January 2007 security breach
• The Addison-Wesley Software Security Series
• Barbara D’Asti wines

From the Consumerist:

Last week, “This American Life” featured a 30-minute piece on people who scam the scammers—in this case, three guys who prey upon small-time Nigerian con men and try to trick them into placing themselves in mortal danger. “This American Life” tells how they almost got a guy to enter a Western Union office in Chad carrying an anti-Muslim/pro-Bush note that announces his intention to rob the place. Whether you think these stunts are funny probably depends on your level of empathy even for criminals, and whether you think the avengers ever fully succeed. But c’mon, getting someone in another country to hold up a sign that’s offensive in your language is pretty much always funny

Listen to the episode over at this American Life.

Don't they know that security by gag order never works, except temporarily?

Just a few months after CEO and founder Diane Greene was ousted, it comes as no surprise that her husband and co-founder, Mendel Rosenblum, has also resigned via a company wide message last night. Turns out he’s going back to Stanford to teach. What a lovely way to get out of the political mess VMware has become. Admit it, haven’t we all had a point where we get fed up with the latest work snafu and wondered, maybe I should go back to college and teach? I had a really good time in college… Kudos to Rosenblum for doing it and doing it in style.

And if you believe Tarry Singh, the company knew this was going to happen but waited until after registrations were closed for VMworld before making it official. Hmm.

From the New York Times, more on Greene’s firing and just what kind of atmosphere is forcing executives to leave VMware:

After Ms. Greene made a special presentation to VMware’s board, Mr. Tucci, who heads VMware’s parent company, EMC, pulled her aside, according to people familiar with the events, who asked for anonymity because they were not authorized to discuss internal company decisions.

Inviting Mendel Rosenblum, Ms. Greene’s husband and the co-founder of VMware, into the room, Mr. Tucci told Ms. Greene she was fired, effective immediately. And he said the board wanted Mr. Rosenblum, VMware’s chief scientist, to take her seat on the board. Mr. Rosenblum declined the offer.

Honestly, what kind of a judgement call was made to first fire the man’s wife in front of him and then offer him her board seat? Has Tucci never seen an episode of Survivor?