Newsletter
04.07.2021 | 4'' read
The return of in-person security events
Monday blues.
Did you hear? Solarwinds CEO Sudhakar Ramakrishna is down to keynote (it’s actually a fireside chat) at the RSA Conference next month. Although this will be a pure PR exercise with carefully curated and sanitized statements, I think it’s important to put these CEOs on stage and record their answers for the historical record.
Even as I say that, I remind you that RSA Conference is a pay-for-play thing where these keynotes are sold off (they’re incredibly expensive!) to a handful of security vendors who can afford the price tag. These talks are easy to ignore — and you should ignore them — but if Ramakrishna can help spread proper security religion to this audience of CNBC-watching executives, the industry just might benefit from it.
I wish him well and I hope he has a message that resonates.
Speaking of conferences, it’s starting to feel like Black Hat in July will be an inflection point for the return of in-person cybersecurity events. Black Hat organizers are pushing ahead with a hybrid in-person/virtual event in Las Vegas and I’m a bit surprised to see so much excitement in my network for the annual hacker summer camp this year.
It feels like, especially here in the U.S., we’re on the back-end of the pandemic. On Twitter and Slack, I can’t avoid seeing post-vaccination celebration selfies that are quickly followed by the immediate booking for that first post-pandemic trip somewhere.
For a lot of us in cybersecurity, that trip will be to Las Vegas for Black Hat and a Q3 that will start to bustle with meet-ups, workshops and smaller-scale in-person events.
However, remember that vaccine envy is a very real thing. For my friends in parts of the world where a vaccine is still several months away, I feel you. Hang in there and we’ll see each other soon.
P.S.: All things remaining the same, I plan to be in Vegas for Black Hat.
On to this week’s newsletter…
The most clicked link from last week’s issue was Patrick Howell O’Neill’s scoop on Google disrupting a so-called “friendly” nation-state cyberespionage campaign.
Three new podcasts for your earholes.
It’s been a busy week at the Security Conversations podcast studio, with three new shows up since last week’s newsletter:
- Microsoft’s David Weston hopped into the studio to talk about the surge in firmware attacks and why this invisible layer just might be the most important to defend.
- Journalist Patrick Howell O’Neill joined the show to talk about Google, Apple and the nation-state zero-day frenzy.
- MongoDB CISO Lena Smart is a truly inspiring security leader. I urge you to listen and share her unconventional path to cybersecurity after leaving high school at 16 to join the entry-level workforce. Today, Lena is the CISO of an $18 billion tech company. Inspiring stuff.
The upcoming guest list is just as impressive.
- Fahmida Rashid, Executive Editor, VentureBeat
- Heather Gantt-Evans, CISO, SailPoint
- Matt Tait (‘PwnAllTheThings’), COO, Corellium
- Nate Warfield, CTO, Prevailion
Listen on Apple, Google, Spotify and Amazon or wherever you catch your podcasts.
Must-read security research.
- Following up on Jake Miller’s incredible work on h2c smuggling, hackers at Assetnote use the technique to launch in-the-wild attacks against the big cloud providers — Cloudflare, Azure, GCP and others — and the results are rather frightening.
- Security analysis of AMD predictive store forwarding – This whitepaper describes the PSF feature, how it works, and associated potential security concerns (speculative execution).
- From Chris Rohlf on Facebook’s security team: IsoAlloc – uninitialized read detection.
- Collin Green’s six buckets of product security is a clear, concise read on the ‘shift-left’ energy.
Tangentially.
- With the Fisher-Price My Home Office set, your preschooler is the boss of their own workstation at home, the local coffee shop, or the moon.
Have a great week and reach out with things I should be doing better.
_ryan
P.S.: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.