Down the Security Rabbithole Podcast
Rafal Los (Wh1t3Rabbit)

Follow the Wh1t3 Rabbit ... attention technology and business leaders! The "Down the Security Rabbithole" podcast is not your ordinary security podcast, primarily because we take a business perspective on the colorful and fast-paced world of information security. Bringing useful commentary on relevant events in the information security community, filtered through a no-nonsense business first approach, this is a podcast that helps you get the sane perspective on hacks, risks, threats and technology that you need to help make decisions in your daily life and in your organization.

Prologue This week our pal and previous guest Patrick Miller joins us to talk about the power grid, current state of the thing, and what he's working on in the power generation and distribution sector. It's a strange place where 8" floppy disks and DOS 2.2 still live. Yeah, go search those, you think there's a 0-day for DOS 2.2? Guest Patrick C. Miller LinkedIn: Twitter:  

Prologue This week our friend Ira Winkler joins Rafal & James to talk about the human element in cyber security. Ira, like us, absolutely loathes the phrase "stupid user" - so you'll want to hear what he's working on, and his comments on the space.

Prologue With all the craziness going on in the world, from terrorism, to catastrophically botched withdraws from a 20 year war, to the incredible proliferation of ransomware, and "cyber privateering" making a comeback in the news - it's as good a time as any to discuss open source intelligence, collection, and analysis. Aki is a guy who would know a little bit of something about the topic, because anytime someone has to choose the way they describe their past "work" - you know their background is pretty colorful. Guest Aki Peritz LinkedIn: 

Prologue Let me start off by saying that this episode isn't about politics. It's about facts, claims made, and election security facts and myths. I want to thank Rob Graham for getting on the show and sharing his experience on short notice, and providing insights from Mike Lindell's "Symposium". It's truly eye-opening, and hopefully a conversation that strikes at the core of what we need to hear right now. Guest Robert Graham Twitter -

Prologue Thanks to Okta, for providing what is surely an entertaining (at least to record) and informative episode with some really cool guests. Bharat and John join James and Raf to talk about CIAM (a term Raf had to look up) and all things authentication history, past, and present. By the way, if you haven't registered, you should register for this very cool Okta Developer Day "Auth for All".   Guests John Pritchard LinkedIn:  Bharat Bhat LinkedIn: 

Prologue Big thanks this week to OpenText for providing access to Fabian Franco (go check out his bio below). He joins James & Rafal to talk about protecting endpoints, and some of the interesting things that go along with state-of-the-art detection and response capabilities. Also, if you'd be so kind as to support those who keep this show going, go check out the OpenText link below and give it a click, won't you? Why are there so many acronyms for endpoint defense? What do EPP, EDR, MDR, XDR mean and are they at all any different? Let's dive into this, on today's episode.  Guest Fabian Franco Bio: Fabian Franco, Senior Manager of Digital Forensics and Incident Response (DFIR), Threat Hunting and SOC. Fabian specializes in digital forensics, incident response, memory forensics, malware analysis, reverse engineering of malware and threat hunting. LinkedIn: OpenText: 

Prologue This week we have the pleasure of having Kevin Pope, one of Raf's close and long-time friends, and someone who's had one heck of a journey into and through our industry. Kevin is a veteran, a security-curious, and  cyber security professional - and he's also got some metered opinions too. We discuss hiring, staffing, and some of the issues we've collectively - and he specifically - have seen. Give this one a listen if you want to understand why we have the staffing problem in cyber-security that we do. Seriously.   Guest Kevin Pope LinkedIn:  Twitter: 

Prologue Huge thanks to Prevailion's Karim Hijazi for taking the time with us to dissect this Gartner headline and article on "adversaries killing people using OT". As we expected, a sensationalist headline, followed by some mildly fluffy stuff, with a kernel of truth. Good discussion nonetheless, though, and I even learned a thing. Links The Gartner article referenced: Guest Karim Hijazi LinkedIn: Previous episode: 

Prologue Frankly, we have no idea how we got through 450 episodes without interviewing Rich. No clue. Rich is a man of many talents including a trained responder for situations like we've been facing. He's also a cloud security specialist, and happens to do a half-dozen other things in his "spare time" too. In this episode we chat about what the pandemic has taught cyber security professionals, and what we'll come out the other side looking like. Warnings: Loki spoiler alert - oops, Rafal did this one Explicit language warning - Rich dropped some colorful language, deal with it Guest Rich Mogull LinkedIn:  Twitter:

Prologue It's been a long time, maybe forever, since James and I sat down and just chatted on the podcast. With all these amazing guests we have on the show it's easy to get caught up in the fun and forget to just have a two-person conversation every once in a while. With that in mind, we did it this week. We sat down, just the two of us, and chatted about the last few hundred episodes, the things that have stayed with us, and some things we wished would "get better" but alas...   Jump in, this is a special episode.

Prologue Sean Scranton joins Shawn Tuma and myself to talk about cyber insurance, specifically, as it is a massive topic of discussion lately. Building on top of the "does cyber insurance even pay out?" question and exploring if cyber insurance will actually change the industry (as Jeremiah hints in episode 447) we traverse a lot of related topics and answer some good questions. This is one of the most informative episodes on this specific topic I've found out there - without all the usual propaganda. Huge thank you to Sean and Shawn for agreeing to take time away from client work to speak with DtSR, and leave this information accessible to my listeners. Guests Sean Scranton LinkedIn:  Shawn Tuma LinkedIn: Twitter:

Prologue Vulnerability Management has been a bit of a soapbox for me lately, and this episode brings in two experts on the topic directly from the enterprise to talk about how we prioritization, spreadsheets, and today's big vulnerability problem produces serious issues for enterprise professionals. The problem is as old as our profession, but in spite of the tools, testimonials, and hand-waving it's still a massive problem. Guests Britney Hommertzheim LinkedIn:  Twitter:  Ace Moore Ace is incognito :)

Prologue On this episode of the podcast I have the pleasure of hosting one of my long-time friends and industry titan - Dawn-Marie "Rie" Hutchinson. She's fresh off of a stint as a CISO, and talking about burnout in our industry and beyond. It's always a pleasure chatting with a friend, but this is an important topic so extra thanks for sharing her knowledge and insights with us; working in a globally diverse and multi-timezone workforce isn't easy, and the lessons are useful! Guest Dawn-Marie "Rie" Hutchinson LinkedIn:  Twitter: 

Prologue My pal Rock has ventured off on his own, so I wanted to catch up with him and get a quick update on the state of business, but also get a sense for what he's seeing in the industry as he's advising companies and helping them through compliance and regulatory challenges. Fascinating conversation, always fun stuff.   Guest Rock Lambros LinkedIn:  Twitter: Twitter:  Website: 

Prolgue Ladies and Gentlemen - we've hit ** 450 ** episodes. Let me just take a moment and reflect on the number of awesome guests, long hours recording and editing, and all of you phenomenal fans and listeners spreading the show content. Episode 450 feels like the right one to drop an episode with one of my real-life best friends, British sensation, and perennial entrepreneur Vikas Bhatia. We drop the gloves and go after the shitshow that is third party risk management in modern day enterprise. There are answers, but not if you don't address it head-on. Guest Vikas Bhatia LinkedIn:  Twitter:  Company URL:

Prologue In this episode, our legal eagle Shawn Tuma is back to discuss the Colonial Pipeline incident and whether it could be a watershed moment for US Cyber interests. As Toby Keith's "Courtesy of the Red, White, and Blue" plays in the background, we discuss what's happened, what could happen, and what it all means. Guest Shawn Tuma LinkedIn: Twitter:

Prologue You've GOT to hear this! This week on the podcast, I invited Martin Zizi of Aerendir, to talk about how we can use technology to not only distinguish between humans and non-humans (bots?) but also how to identify humans with staggering levels of precision - using commonly available and inexpensive components. He's got humor, an eclectic background, and great knowledge of the topic. Join us! Guest Martin Zizi Bio: Dr. Martin Zizi, MD-Ph.D, deep expertise in Molecular Biophysics and Neurosciences. He is one of the Founders & CEO of Aerendir Mobile Inc. He is the inventor of the NeuroPrint®, a cloudless AI-supported neural-tapping technology that can be used for authentication, identification, encryption, secure TLS, and bot segregation. Following his early years in the United States as a Scientist at the Walter Reed Army Institute of Research where he worked on very advanced projects, he had a 20-years dual-track career, leading both academic and strategic projects as a top scientist in 3 fields and was also a Chief Scientific Officer for Belgian DoD. Martin was a sought-after advisor for the Belgian, the EU governments, international organizations (UN) and the industry. Aerendir Mobile Inc. is his second start-up. He was #2 at another start-up in the Medical technology vertical. LinkedIn: Twitter: Aerendir Mobile, Inc. LinkedIn: Twitter: 

Prologue I don't know about you, but I have Jeremiah in a list on Twitter that allows me to read/think about some of the things he posts without the noise of the rest of Twitter. Should a company that develops software be held responsible when a bug they missed is exploited? Why do we "Agree" on all those click-through agreements which basically disavow any responsibility, anyway? What about security tools - if they scan and miss a flaw that's later exploited, shouldn't they be liable? These and other salient topics are discussed in fairly great detail without all the usual hype you hear around this topic. Please join us, this is a wonderful episode to listen to more than once. Guest Jeremiah Grossman LinkedIn: Twitter:

Prologue When in Austin, TX ... meet up with some friends right? This week I have the pleasure of sitting down in-person with Joel whom has been doing the "AppSec thing" for longer than many of you who are reading this have been in our profession. Joel knows a thing or two - so we discuss a thing or two. Philosophy, history, and some ugly truths come out in a conversation that can only happen in-person. Guest Joel Scambray LinkedIn:

Prologue I honestly am having a difficult time understanding how this show has gone so long, so many episodes, without sitting down with Dave Marcus 1:1. It hurts my brain. So I rectified this situation and here you are. Dave is one of the best humans in the industry, has a few truckloads of knowledge, and you could stand to learn something from him. Give this episode a shot. Warning: Dave drops a pair of F-bombs, and the show goes a little longer than most at >40 minutes. But it's well worth your time. I promise. Guest Dave Marcus Twitter: LinkedIn: