After being out for a few weeks due to international travel, Rich returns and talks about RSA Europe, RSA China, and the interesting side of presenting in China considering all the espionage issues these days.

Network Security Podcast, Episode 218, October 26, 2010

Time: 38:25

Show Notes:

Direct download: nsp-102610-ep218.mp3
Category:podcasts -- posted at: 1:23 AM

While Rich is off jet setting around the world, being an International Man of Mystery^WGeekiness, a tired Martin and a just-getting-over-being-sick Zach keep tonight's episode short and sweet.

Network Security Podcast, Episode 217, October 19, 2010

Show Notes:

Direct download: nsp-101910-ep217.mp3
Category:general -- posted at: 9:11 PM

When Gene Kim came to me with the idea to get Mike Dahn and Josh Corman around a table in Orlando, Florida one evening after the annual PCI Community Meeting, I was excited.  Gene wanted to end a minor, pointless feud between two of our friends who'd gotten off on the wrong foot earlier in the year.  In effect, we decided to hit the reset button on the relationship between these two gentlemen.  And Orlando proved to be the perfect time and place to do exactly that.  A good size bottle of Macallan 12 didn't hurt any either.

To give you a quick recap, this is the third of a three part series (Part 1, Part 2) being sponsored by Tripwire called "PCI Hug It Out".  In Part One, we heard Mike's views on PCI and why he's such a strong proponent of the standard.  In Part Two, we heard Josh state his position and why he is sometimes thought of as being an opponent of PCI.  And here in Part Three we explore the points of commonality between Josh and Mike, and how we can turn these into calls to action from the community as a whole.

There is, of course, the question of The Hug; did Mike and Josh put aside their previous arguments and start a new friendship, did they agree to disagree, or did the night end in fisticuffs?  And how much can we raise for the EFF and Hackers for Charity?  Once again, we ask you to visit the Tripwire blog and let us know if you've contributed.

This was a fun project to do with Tripwire and the guys.  I'm sure the four of us will get together again in the future to listen to the sounds of our own voices.  We all hope that people who are interested in PCI and security in general found something worthwhile in our discussion over the tabletop, face to face.  For our part, this was worth doing even if no one ever heard it, so if we've given anyone else some things to think about, this was a win.  Thanks for listening.

 

Direct download: PCIHugItOut-FacetoFace.mp3
Category:podcasts -- posted at: 2:52 PM

 

Despite catching some kind of ConFlu at HacKid, Zach manages to join Martin for a sniffle-filled show. Rich is off in London, speaking at RSA Europe 2010 (or, well, sleeping).

Network Security Podcast, Episode 216, October 12, 2010
Time: 32:45

Show Notes:

 

Direct download: nsp-101210-ep216.mp3
Category:podcasts -- posted at: 11:35 PM

Last week Gene Kim and I interviewed Mike Dahn about his views on PCI and why it's important to him.  This week we get to talk to Josh Corman of the 451 group and question him about the influence the Payment Card Industry Data Security Standards (PCI DSS) have on the security market as a whole.  Josh also gives us more about the basis for the tension between Mike and himself.

There's a lot of ground to cover between the views of Mike and Josh.  Josh is not part of the day to day process of the compliance field.  He doesn't see the things that assessors see every day.  But he does talk to C-level executives on a daily basis and he knows the perception that CSOs and CISOs have of compliance.  He realizes that the perceptions of these leaders have a direct impact on their spending and therefore on what technologies receive market share.

Mike, on the other hand, has been involved in PCI for a long time.  He helped form much of the training that is given to each Qualified Security Assessor (QSA).  He's trained a huge number of QSAs himself and continues to work in various special interest groups (SIGs) related to PCI.  He's invested a lot of his time into PCI and has a body of work to be proud of.  He sees the changes PCI has brought to the merchant and service provider landscape and believes the changes are definitely more positive than negative.

Gene and I hope that, despite their very different viewpoints of the same issues, Mike and Josh can overcome the differences to understand what they have in common.  The good news is, you only have one week to wait to find out. Four guys get around a table in Orlando, Florida, drink a bottle of good whisky and record a podcast; what could possibly go wrong?

Thanks again to Tripwire for making this series possible.  We're almost at our goal of $1000 in donations to the Electronic Frontier Foundation and Hackers for Charity.  If you donate to either of these charities on our behalf, Tripwire will match, up to $1000.  So please help us raise money for these two worthy donations.  Leave a comment here after you’ve donated, send an email to mhixson@tripwire.com or use the hashtag #PCIHugItOut to let us know you’ve donated and Tripwire will contribute as well.

 

Direct download: PCIHugItOut-JoshCorman.mp3
Category:podcasts -- posted at: 1:48 PM

Martin has been a busy little interviewer, so tonight you don't have to listen to the regular crew nearly as much. In the next couple of weeks Rich is heading for parts unknown, or at least parts of Europe and Asia that have RSA Conferences.  But he'll be back eventually.  And Zach was on the road this week.

Show Notes: 

 

Direct download: nsp-100510-ep215.mp3
Category:general -- posted at: 2:11 AM

I hate it when my friends argue.  Disagreement is fine, but when it gets to the point of high emotions and deteriorating listening skills, I get sad.  So when two of my friends, Josh Corman and Mike Dahn, started disagreeing and fighting after Shmoocon earlier this year, I was more than a little upset.  Both men are people I respect greatly due not only to their passion for security in general and PCI specifically, but also for their ability to see aspects of the industry that no one else sees.  And I usually respect their ability to not only form their own logical, reasoned arguments but to listen to and pull out the best of what other people are telling them.  So when these two started feuding, I was understandably upset.  Josh and Mike, while coming from very different viewpoints, both agree that the end goal is to make our industry more secure, no matter how we get there.

I wasn't the only one who noticed the friction between these two.  Gene Kim, creator of Tripwire and the then CTO of Tripwire, had also noticed and included several comments about getting Mike and Josh to sit down and reconcile their differences in his presentation at BSides Las Vegas.  This was followed by Nick Owen (aka wikidsystems) offering $100 to donate to charity if Josh and Mike would 'hug it out', with a number of other people offering up donations if Mike and Josh would just hug and make out .. er.. make up.  And thus the idea for PCI Hug It Out was born!

The idea languished for a little while, until Gene approached me with an idea:  Tripwire had offered to support a project to help understand the stances Mike and Josh take on PCI, why they are so different and where they both agree on what can be done to improve the security of the industry as a whole.  By understanding their differences and commonalities, we hoped that both of these outspoken proponents of security would be able to harness their energy to move us all forward rather than concentrating on each other.  Gene and I interviewed first Mike, then Josh and thanks to Tripwire's sponsorship, we were all able to meet in Orlando at the PCI Community Meeting and have a real face to face discussion about what can be done to improve our situation.

On top of everything else Tripwire has done, they've agreed to match the first $1000 worth of donations to the Electronic Frontier Foundation and Hackers for Charity!  These are both very worthy charities and everyone who's been involved with the project is glad we're able to support them in this way.  We hope you'll add to the donations that Tripwire and others are supplying and allow these organizations to continue their efforts.  Leave a comment here after you've donated, send an email to mhixson@tripwire.com or use the hashtag #PCIHugItOut to let us know you've donated and Tripwire will contribute as well.

The first installment is our interview with Mike Dahn.  Mike explains how he got into the PCI arena, a lot about his philosophy concerning PCI and why he continues to support efforts to make PCI better.  The podcast is available from the Network Security Podcast site, or you can download it directly at http://traffic.libsyn.com/mckeay/PCIHugItOut-MikeDahn.mp3.  Next week we'll be joined by Josh Corman to explain his viewpoint on PCI and how it's driving the security industry, followed by the recording of our meeting in Orlando, FL the week after.  And yes, there will be photos of the final confrontation between these two industry exemplars. 


Direct download: PCIHugItOut-MikeDahn.mp3
Category:general -- posted at: 3:00 PM


