Healthy Paranoia: Show 1 – Oppenheimer vs. Leonardo

Drum roll, please! Introducing Healthy Paranoia, the new security podcast hosted by Michele Chubirka aka “Mrs. Y.” and her esteemed colleague, Ethan Banks. I know what you’re thinking, “Do we really need another security podcast?” Give a listen to episode one, where we ask questions like:

Is it better to be Oppenheimer or Leonardo?

What’s the difference between a hacker and a cracker?

Does Greg Ferro record in his underwear?

This and many other critical questions will be answered by this podcast!*

In Healthy Paranoia, we plan to take off the tin foil hats and discuss practical issues in security, no crypto required. We’ll be focusing on the “build” aspect of security and less on the “break it.”

*No unicorns will be harmed in the recording of this podcast, although they will frequently be on the receiving end of bad jokes.

Subscribing to the Show

You can subscribe to the Healthy Paranoia RSS at http://feeds.feedburner.com/HealthyParanoia. The show will appear in iTunes as a separate show in a couple of days once it completes the approval process.

Of course, if you are subscribed to the “fire hose” at Packet Pushers Full Feed RSS or iTunes then you don’t need to do anything.

About Mrs. Y

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

  • Fernando Montenegro

    Loved the first show! I think the approach of defend versus break is very healthy.

    A few comments:
    - similar to Greg’s approach, some of us (ok, me) have designed security based on a Protection/Detection/Reaction mindset pretty much our whole careers. To that I would add a Management layer, not the pointy-hair type, but the supporting stuff such as DNS, NTP, identity management for the security controls and so on…
    - the shots at Windows XP were expected but not really productive. Asking managers to just ‘do better’ sounds empty as well. Are you proposing we all switch to Macs, Linux desktops? :-)
    - regarding end users, yes they can and are in some cases educated and helpful, but the prudent security architect should, at times, simply assume that the endpoints are compromised. This leads to network segregation, BYOD, … discussions.
    - finally, I loved Mrs.Y’s approach of working with developers ‘under the gun’ to let them know that security people too are ‘under the gun’ for protecting the corporate data.

    Great show, looking forward to next ones!

  • Fernando Montenegro

    One more point I forgot to mention: the title may be simplifying things a little too much.
    Oppenheimer’s efforts on the Manhattan project resulted in the atom bombs (which can be argued – war is messy – to have saved hundreds of thousands of lives by decisively ending WW2) but his later years were dedicated to, among other things, arms controls.
    Leonardo, brilliant inventor and polymath, also dabbled in creating war machines, including devices to aid in city sieges, early prototypes for tanks, advanced designs for muskets, …

    In my security discussions I prefer to distance myself from the ‘war’ theme precisely because it introduces these false dichotomies that don’t help the conversation. Much better to frame things in terms of protection, assurance, reliability, …

    • Mrs. Y. (http://twitter.com/MrsYisWhy)

      A fair point, but like the infamous Tesla Vs. Edison Oatmeal comic, I was using hyperbole to make a point ;-) . And Leonardo made some really beautiful things, while Oppenheimer never really managed to live the devastation from the atomic bomb down.
      “Despite the vision and farseeing wisdom of our wartime heads of state, the physicists have felt the peculiarly intimate responsibility for suggesting, for supporting, and in the end, in large measure, for achieving the realization of atomic weapons. Nor can we forget that these weapons as they were in fact used dramatized so mercilessly the inhumanity and evil of modern war. In some sort of crude sense which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.”
      J. Robert Oppenheimer

  • ktokash

    Glad I’m not the only one who was thoroughly driven off by the boredom of security research/holes. There seems to be two major camps, the buffer overflow programmer types, and the ones who actually run security departments. I certainly see the need for pen testing applications, but full-disclosure started to read like a stock ticker tape after a while.

  • Ben Mendis

    Aren’t many of those “non-sexy” day-to-day issues solved problems? Yes, recovery and continuation are important issues, but as an industry we know how to do that and we have solid best practices worked out for dealing with it. That’s _why_ it’s not sexy, all it involves is selling it to your supervisor and then doing the menial footwork to implement it.

    On the other hand, vulnerability research and APT are more exciting because it’s an unknown threat. It’s unexplored territory. It requires human creativity and insight to solve, not just reading an O’Reilly book or whitepaper on how to set up a backup server. That’s what makes this stuff sexy, it’s the stuff that flexes our brain muscles.

    That’s my perspective. I’m not saying that recovery and operational concerns are not also important, but it’s understandable that people aren’t excited about them. If you want to get them excited about them, you have to present them as an unsolved problem that still has a lot of room for innovation and creativity. They need to be puzzle challenging, not just challenging to push it through a bureaucracy and get it set up.

    Also, with regards to AV only catching 12%… well this is Computer Science 101. Alan Turing showed us in 1936 (a full decade before ENIAC) that an AV scanner can’t catch everything because of the halting problem. So why are we wasting so much time and energy trying to build something which we’re all taught early on is mathematically impossible to achieve? Relying on any kind of static analysis techniques is doomed to fail.