In this week’s Security Ledger Podcast, we talk with Genevieve Southwick, CEO of the B-Sides Las Vegas hacker conference, about the information security industry’s #metoo problem and what steps conference organizers are taking to stem sexual assault and harassment at information security events. Also: researcher Alec Muffett talks with us about making a Tor version of Wikipedia (and why it’s not sticking around). Finally, Martin McKeay of Akamai talks about the state of Internet security one year after Mirai. (Spoiler alert: Mirai is still a problem.)
Part 1: Information Security has a #metoo problem
First person testimony by victims of sexual assault and harassment toppled giants in sectors like politics, the media, film, high-tech and the arts in recent weeks. At the same time, the #metoo movement has spread awareness about the prevalence of sexual harassment and assault beyond the limelight.
Listeners will not be surprised to learn, then, that the male-dominated information security industry is not free from accusations and even documented cases of assault and sexual harassment against both women and men. In fact, recent weeks have brought a renewed focus on sexual predation within the information security and information privacy sectors, including articles focusing on renowned hacker and privacy advocate Morgan Marquis-Boire and John Draper, the hacker known as Captain Crunch. Both individuals are alleged to have harassed and even assaulted women (Marquis-Boire) and men (Draper). Often, the alleged assaults happened at free-wheeling security industry conferences, which are among the only socializing and networking oases in the otherwise cloistered information security industry.
In our first segment on this week’s podcast, we welcome Genevieve Southwick (@banasidhe) into the Security Ledger Studios. As the CEO and Executive Producer of two important security conferences, B-Sides Las Vegas and B-Sides Denver, Southwick has had a front row seat for the security industry’s attempts to address sexual harassment and other behavior that can make the industry – and industry conferences – hostile to women.
Southwick told me that, while there has long been a “whisper network” within the community about sexual predators, it has often been challenging to get victims of harassment to go public. Southwick herself says she knows of a number of serial offenders whose actions have still not been publicized. In this interview, we talk about the cases against Marquis-Boire and Draper and how her conferences and others are stepping up to try to counter sexual harassment in the industry and at industry events.
Part 2: In an age of government surveillance, can Tor keep information free?
In our second segment, we talk about the growing appeal of anonymity services like The Onion Router (or “Tor,” as it’s known). As governments around the world contemplate stricter monitoring and control of citizens’ online activity, more and more Internet users are being pushed towards anonymity tools like Tor. Facebook and The New York Times are just two of the prominent media sites that have created separate “onion” versions of their content just for the Tor network, allowing Tor users to access those sites without traversing the public Internet and exposing themselves.
In this week’s podcast, we speak with Alec Muffett (@alecmuffett), a researcher who works extensively to democratize Tor. Most recently, Muffett helped port Wikipedia, the crowdsourced encyclopedia, to Tor as a proof of concept. He tells us about that project and why it’s not likely to stick around. And he says that modifying applications to run over Tor is easier than you might think.
Part 3: The State of Internet Security One Year after Mirai
And finally: it has been a little over a year since the Mirai botnet caught the world’s attention, first for cobbling Internet-connected cameras together into a botnet and then for launching some of the largest denial of service attacks the world has seen. We speak this week with Martin McKeay (@mckeay), a researcher and senior editor of Akamai’s State of the Internet Security Report, which came out last week.
McKeay tells me that Mirai hasn’t gone away. Rather, it has metastasized into a range of smaller, but no less powerful botnets of things, which are available to anyone with the money to rent them.
We also discuss the apparent jump in web application-based attacks and the release of an updated version of the OWASP Top 10 – a list of the most common web application flaws that (in theory) should help development organizations tamp down common security holes. It hasn’t worked out that way. We’ll talk about why.
Check out our full conversation in our latest Security Ledger podcast at Blubrry. As always, you can also listen to it on iTunes and check us out on SoundCloud. And, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.