Posts for Tag: podcastreview

Hacking Humans - Podcast Review

It's been said over and over again, when it comes to cybersecurity, "humans are the weakest link."

(Actually, that's not exactly accurate, but we'll save that conversation for a potential bonus blog entry!)

It's easy for me to burn through podcast episodes. I gobble down CYBER, Darknet Diaries, Malicious Life, and Hackable? as quickly as new episodes are released. Adam Grant, Gretchen Rubin, Derek Thompson, and some other folks keep the non-cybersecurity part of my brain occupied, but I felt like I needed to find another cybersecurity podcast to get addicted to and add to the stable. There are plenty of cybersecurity business-related podcasts out there, and I know that side of cybersecurity is important, but, well, I subscribe to them and then never listen after trying an episode... and... I just want something that has more storytelling involved (see the previous blog entry "It Was a Dark and Stormy Night"). I like danger and excitement and fear. I also felt like my current lineup didn't include enough social engineering, which is how I got interested in cybersecurity to begin with.

Hacking Humans to the rescue! 

Hacking Humans is a weekly podcast (new episodes drop every Thursday) by The CyberWire, an independent cybersecurity news site that is sponsored by seemingly every security vendor known to humankind. That said, CyberWire does seem to be maintaining their editorial independence. At least they are very open about the sponsorship. The primary sponsor for the Hacking Humans podcast is the security awareness training company KnowBe4 - you will soon memorize all their ads and the jingles.

The hosts for Hacking Humans are Dave Bittner and Joe Carrigan. Dave works for CyberWire and Joe is involved with the Johns Hopkins Information Security Institute as a senior security engineer. For anyone unfamiliar with Johns Hopkins University, here is their library:

I've been there. It's in Baltimore. It looks exactly like that. One feels smart just standing in it.

Dave and Joe both have pleasant voices, which we know is key for me. The hosts don't tell stories, exactly - the format is more like a morning talk show - the kind where two or three guys tackle sports, for instance - but instead of sports it's cybersecurity. Their banter is very engaging. When I had satellite radio activated in my car I would listen to the talk shows on the POTUS channel, such as Julie Mason and Michael Smerconish, and Hacking Humans has that feel. 

The episodes typically begin with a listener email/letter, which the hosts discuss, followed by some headline news, which always contain some basic explanations of security concepts that arise in the news item. They don't talk down to anyone but they aren't talking over folks' heads, either. They explain how social engineering attacks are working without using Cialdini words like "scarcity". The hosts take turns telling the stories. My favorite segment is what they call "Catch of the Day" where listeners send in phishing examples and the hosts discuss how to tell the example is a phish. There seem to be a lot of scammers who like to portray themselves as military service women (quite badly). The hosts continue the episode with a guest interview and then discuss between themselves after the interview is over.

I definitely feel like I've learned something (or reinforced something) after listening. The cyber insurance episode stands out as one that I felt I needed to recommend to friends who are in cybersecurity. Business Email Compromise (BEC) isn't typically covered by cyber insurance because it's treated as fraud rather than as a breach. Cyber insurance covers hacking - although I (and the hosts) think a case could be made that BEC is hacking humans. Theft of intellectual property is also not typically covered by cyber insurance because it's an intangible. A cyber insurance policy is a contract full of exclusions, really, so have lawyers ready to go through every line.

The podcast is available through nearly every podcast avenue there is, including their website. They provide a transcript, so you can listen without having to worry about taking notes. 

The latest episode, #50, "People aren't perfectly rational", features research from Elissa Redmiles, who does some really interesting work connecting social sciences and behavioral economics with security and privacy (check out her article about why users don't install updates). At one point she noted, "we often as security professionals don't make particularly economically backed tradeoffs when we're thinking about asking people to do security. So we're sort of asking people to do a never-ending list of things without archiving old ones or measuring exactly how much this new behavior is going to help someone. So eventually users become overwhelmed, and then they just try to pick between behaviors on their own, which they may not be very well-equipped to do." She backed that up with research in line with the latest NIST SP 800-63-3 recommendations (the 800-63B volume on authenticators) to only require password changes in the event of a breach. Elissa has found that enforcing password changes on a schedule leads to users re-using passwords across sites, which is worse than having the same password for a year. She also discussed some findings about motivations for using two-factor authentication and the folly of telling users to not click on links. I was eating this up because I love behavioral economics!

Hacking Humans has been renewed for a second season so I will be able to continue to feed my brain with social engineering podcast episodes!

"It was a dark and stormy night" - A Review of Two Podcasts

"It was a dark and stormy night; the rain fell in torrents — except at occasional intervals, when it was checked by a violent gust of wind which swept up the streets (for it is in London that our scene lies), rattling along the housetops, and fiercely agitating the scanty flame of the lamps that struggled against the darkness." - Edward Bulwer-Lytton, Paul Clifford (1830)

I love a good story. Now, I've never read Paul Clifford, but that opening line does make me wonder what sort of gothic tale awaits me were I to set aside the time. It has a favorable rating on Goodreads - apparently it's a tale about a highwayman! 

I'm presuming my audience is mostly male, because statistics, so it follows that when you see "highwayman" you will, like my husband, picture this:

(this was discovered when I suggested "highwayman" as a Halloween costume)

Most women know that "highwayman" is more like this:

Like the man in the Loreena McKennitt song: 

"He'd a French cocked hat at his forehead
A bunch of lace at his chin
A coat of claret velvet
And breeches of brown doe-skin
They fitted with nary a wrinkle
His boots were up to the thigh
And he rode with a jeweled twinkle
His pistol butts a-twinkle
His rapier hilt a-twinkle
Under the jeweled sky"

Ah, yes, a highwayman...

(spoiler: it doesn't end well for the highwayman)

I not only love a good story, I love a good procedural crime story. I don't watch TV as a rule, but if you sit me down in front of any of the Law & Order shows I will have to watch them to the end. It doesn't matter to me if I know how a story ends; it's the story itself I find engaging - the journey, as it were. (I actually read spoilers before I go to movies so I can relax and enjoy the story.) Storytelling is not only an excellent form of entertainment; an enjoyable story can also help us remember things. Stories aid learning because hearing them lights up areas of the brain that PowerPoint just can't reach. So, it's no wonder that the podcasts I enjoy the most tend to feature storytelling. (If you remember my earlier entries to this blog, I'm a huge fan of podcasts, not only for when I'm driving but also for folding laundry and getting ready.)

I came to this realization about the storytelling podcasts upon reading an op-ed in the Washington Post written by a fellow who doesn't care for podcasts: "I think they’re tedious and samey and sedative". The author's point was more about music and sound quality, but as I was reading his examples I mentally went through the sorts of podcasts I listen to. A few of them are the conversational type (Happier by Gretchen Rubin, Happier in Hollywood by Gretchen's sister and her writing partner, etc.) and I find those well-produced and interesting enough. A few of the cybersecurity podcasts, such as the Motherboard CYBER one I reviewed earlier, feature interviews. If the content is interesting and the voices don't annoy me I will keep listening. But, the ones I binge listen like rats in drug studies are the storytelling ones - the ones that have suspense and action and a satisfying conclusion. The top two are Darknet Diaries hosted by Jack Rhysider (probably not his real name, but it could be) and Malicious Life hosted by Ran Levi. Both podcasts are widely available on a variety of streaming or listening platforms, or one can visit their sites, which also contain supporting resources. Malicious Life has transcripts on their website, too, so if you need to go back and check on something you won't have to re-listen. Rhysider and Levi both have real-world cybersecurity experience in addition to being skilled storytellers.

Now, I wasn't unsympathetic to the points about sound quality from the anti-podcast op-ed author I mentioned above, although my sticking points with podcasts tend to be the presenters' voices and not production quality. I'm happy to report that Rhysider and Levi are both quite charming to listen to. Rhysider has the drama club voice, but without trying too hard, and Levi has a pleasing accent (he's Israeli). So, in addition to having engaging content, told in a manner that lights up my brain, my ears are happy, too.

The content of both podcasts is centered around cybercrime stories - Darknet Diaries has the tagline, "True stories from the dark side of the Internet". In some stories I knew before listening how they end, or at least whodunnit, but as I indicated above, knowing how something ends has never dimmed my excitement for the story itself. I can't say that I generally have sympathy for cybercriminals the way I might romanticize an 18th century highwayman (I will admit I'd like to high-five the folks who wrote Stuxnet...) but I can abstractly admire the cleverness and the cat-and-mouse nature of cybercrime while lamenting any damage done to individuals (I am unequivocally horrified by the Equifax hackers, I'll note - although the Equifax "leadership" at the time of the hack is equally villainous in my opinion). There was one episode, though, of Malicious Life - on DeCSS - where I was all in with the highwayman, but that comes from my philosophical stance on "intellectual property" and my strong dislike of the term "piracy" being applied to anything that doesn't involve the high seas and bad folks with weapons. I also felt a kinship with Manfred, the video game hacker from Darknet Diaries. If there weren't others out there like me, who like to hear stories about crime, I doubt it would be such a lucrative market for TV and movies. It's frankly just more fun to hear about when things went wrong rather than a how-to on setting up security controls properly - not that how to set up security controls properly isn't important, but when you hear a famous penetration tester - @TinkerSec - talking about how he [tries to] break into a company, the security controls take on a new meaning; they have context.

Outside of possibly getting CPE credits for listening to podcasts, why should someone in cybersecurity spend their time listening to these two, particularly out of all the other cybersecurity podcasts out there? These podcasts not only tell older stories - such as the Morris Worm episodes - that are important to know for background and context, but also new ones. Darknet Diaries interviewed Hacker Giraffe pretty much right after that happened. You're not going to get breaking news from these two, but you will get thoughtful, well-researched analysis of cybercrime events relayed in a riveting presentation. If the formula for storytelling involves something along the lines of "put your character in a tree, set the tree on fire, get your character safely down" they are following this formula. There are ways to tell these cybercrime stories without the suspense of what will happen to the character in the tree on fire but they generally involve PowerPoint. Because of the storytelling aspect you will remember more of the stories - and not only the stories, but the cybersecurity technologies and issues that have starring or co-starring roles in the stories. You will feel the anxiety of the government intelligence agents who realize their expensive espionage malware implant might be discovered and lead to a diplomatic incident (not to mention have everything you learned about social engineering validated). If these podcasts were books you'd be turning the pages, waiting to see what happens next. No one eagerly clicks the next PowerPoint slide. If content is engaging it's more likely to be consumed. You can queue up all the cybersecurity podcasts out there and have the best intentions of listening to them, but unless you actually listen and pay attention, they aren't much good sitting in the queue. I'm not saying Darknet Diaries and Malicious Life are the dessert of the cybersecurity podcast world because they contain an overwhelmingly useful amount of brain nutrition. 
They aren't comfort food, either (that would be Happier). They are perhaps the meal that is both tasty and nutritious: filet mignon coated with an almond and shallot mix with a side of steamed broccoli. You look forward to consuming it and feel virtuous and satisfied afterward.

CYBER: A cybersecurity podcast by Motherboard/VICE - Review

CYBER, a cybersecurity podcast sponsored by the Canada-based media organization VICE, through its Motherboard technology-focused division, launched in November of 2018. There have been 16 full podcast episodes. They average 30 minutes in length, some shorter and some longer. They aren't long enough for my full hour-long commute but work well for my getting ready routine or for when I'm doing household tasks like folding laundry or loading/unloading the dishwasher. It is hosted by Ben Makuch (sounds like Mack-coo), a security journalist with Motherboard/VICE, with guest Motherboard reporters Joseph Cox and Lorenzo Franceschi-Bicchierai. It is ad-supported, but anyone who listens to podcasts is used to ads. (If you're not a fan of Samsung maybe plug your ears during the ads.)

I discovered the podcast in January of 2019 when I was doing an Internet search for “cybersecurity podcasts”, because a friend wanted some suggestions for his 400-mile round trip to visit his daughter and was interested in learning more about cybersecurity. I found CYBER and since I appreciate the edginess of the VICE and Motherboard brand – I want to be informed, but I want to be entertained while I’m being informed - it was one of the first I sampled.

Fun trivia fact: the introduction sequence features Lex's line from Jurassic Park, "it's a Unix system; I know this", which many poke fun at as an example of outrageous tech-in-entertainment-fiction, but it is based in reality. The File System Navigator (FSN) shown in the movie was an actual 3D file browser that Silicon Graphics shipped for its IRIX Unix workstations.

The first episode, "SIM Hijacking and the Phone Number Scam", frightened me the most of them all, even more than the Bounty Hunter location tracking exposé episode. I remember what I was doing when I heard it, even: steaming dresses (for wearing, not eating). I knew on a vague level that it was possible for nefarious folks to get a mobile number transferred away to them, but when I heard Lorenzo Franceschi-Bicchierai saying "here's the bad news: there's very little you can do, unfortunately", I panicked. I have a mobile number through my carrier, of course, but I try to use my Google Voice numbers when I can, both for communication and for the times when two-factor authentication (2FA) relies on text messages (SMS) instead of an authenticator app. However, there are some situations where I am forced to provide my carrier mobile number. I don't trust my mobile carrier to do the right thing and ask for the account passcode that anyone calling to make changes should have to give. There is nothing we, as consumers, can do to protect ourselves from our mobile carriers and their employees, who are a known insider threat. The Bounty Hunter episode went more into that, because mobile carriers were selling location data to the highest bidder. Lorenzo wrote a detailed article on SIM hijacking in the summer of 2018: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

"The Dark Overlord and the 9/11 Insurance Files Hack" revealed that some ransomware groups have professionalized and use contracts. (It's only a matter of time, then, until they are so busy having meetings and filling out reports that they won't have time to do actual hacking.) "Spy Versus Spy" was like a James Bond movie, which proved that true life is stranger than fiction.

My favorite episode, hands down, was the “The Penetration Tester” episode, featuring a Walmart Red Teamer, Jek. It made me want to be young and unattached and starting off in security so that I could fly around the country being a physical penetration tester. What made the episode even cooler was that a few weeks before I had noticed a tweet about how a physical pentester almost got caught. I wondered as I was listening to the podcast episode whether this was the same person, and, yes, it was.

This next part will doubtless surprise my mother and anyone else who knows what my language is like when I’m driving (“well-educated sailor” covers it), but one thing I have to point out about this podcast is that it’s at least PG-13 in terms of language and often veers into what I would call R. Myself, I don’t care, because I’m listening in an environment where no one is going to notice or comment, but when I went to recommend it to an audience where I was unsure whether ears would be sensitive I started paying closer attention to the language. One should be very careful listening to this podcast at work, in the car with kids, or around sensitive grownups. 

Interestingly, only one of the episodes, the PewDiePie Hacks, is marked as Explicit. The creators are Canadian, and thus have different language conventions, but I also think there's an attempt to be more with it by using strong language. I'm reminded of when my husband's Belgian cousins tried to impress me with their English and had a higher F-word count than a Samuel L. Jackson movie. When the podcast is playing clips from interviews or other sources, they could bleep out the F-words, for instance (which, to be fair, are the PG-13 usage where it's an expletive and not an activity). Or, maybe I'm finally showing my age ;-)

Still, despite having to be careful about with whom I share the podcast, I do recommend adding CYBER to one's podcast list. They know how to tell an engaging story about current and relevant cybersecurity issues, and you will want to keep listening until the end. I look forward to each new episode and have learned a lot about cybersecurity from listening.