#107 Niall Merrigan, Hacking, Bug Bounties and Responsible Disclosure

Summary
Niall Merrigan, security researcher, tells me about bug hunting and the best hacks he has seen.

Details
Who he is, what he does. Bug hunting, crowd sourcing the hunters, bug bounties, should you invite attacks on production, HackerOne and Bugcrowd. IoT is the most attacked software; smart cars, aircraft. Security.txt. Responsible disclosure, what to do if you find a bug, Niall's experience when reporting a particular bug. Even when bugs are known and acknowledged they are not necessarily fixed; industrial code systems, hacks designed to kill. Is every hack a "sophisticated hack"? The @mat hack. Are you a target for hacks? The most impressive hack Niall has seen. Physical access to a device, Hak5 Rubber Ducky. Supply chain injection*. Hacking a cat.

* We recorded this episode before the Super Micro story broke.

Links
Niall's homepage
Niall's Twitter

Download mp3 of podcast

#88 Aaron Bedra, Threat Modelling

Summary
Aaron Bedra talks to me about threat modelling, why you should do it and what to cover.

Details
Who he is, what he does. What threat modelling is and how he approaches it. Types of security: loss of money, loss of life. Should you secure something if it is not valuable? Are we in a post-security world? How often your site is attacked. How to decide what to protect. Regulations and breaches. How to protect your system: watch for outgoing data. How to build secure software from the start (it starts with a hug from Aaron!). Hashed passwords are not as secure as you think. Encryption and input validation. How to check third-party libraries. Better software practices lead to better security. How much security is enough: "if you are investing more than you could lose, you're doing it wrong".

Links
Aaron's homepage

Download mp3 of podcast