Down the Security Rabbithole Podcast (DtSR)

Rafal (Wh1t3Rabbit) Los
Jan 6, 2026 • 1h 2min

DtSR Episode 687 - Dan Geers Wisdom from 2014

TL;DR: This week's episode is a special one. I (Rafal) revisit episode 100 with the one and only Dan Geer. Some shows are "in the moment", some are timeless. This show is timeless. Dan's wisdom and insights are as applicable today as they were 12 years ago. Crazy, right? Fun story - I ran into Dan at Black Hat conference a few years ago and asked him what he would say is 'different' since we recorded that episode... his response? "My beard is longer". Solid GOLD.
Listen in. Take notes.
Have something to say? Let's hear it.
Support the show>>> Please consider clicking the link above to support the show!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
YouTube home: https://youtube.com/playlist?list=PLyo0dkKRvfVtWXjRxNISrhme1MgBj3C2U&si=scHDiTuLXSEQ9qHq
LinkedIn Page: https://www.linkedin.com/company/down-the-security-rabbithole-podcast/
X/Twitter: https://twitter.com/dtsr_podcast
Dec 30, 2025 • 50min

DtSR Episode 686 - An Unexpected Windows XP Conversation

TL;DR: On today's pod, Rob Allen of ThreatLocker makes his triumphant return to derail us straight into a conversation about legacy systems and why he's still supporting Windows XP. Right, you read that right. A great conversation ensued, and I'm glad we were able to record this one. Enjoy.
From us to you, thank you for following along this year, and we wish you a happy new year, and all the best in 2026!
YouTube video: https://youtube.com/live/dFO1NTo1MGc
Dec 23, 2025 • 38min

DtSR Episode 685 - Weaponized AI is Real Now What Pt 1

Gadi Evron, a seasoned security practitioner and CEO of Gnostic, dives into the urgent implications of AI on security in this engaging discussion. He highlights how AI is shifting the attacker model, making it easier for threats to emerge. Gadi delves into real concerns versus hype around AI-generated malware and outlines automated vulnerability advancements. He warns of a growing singularity in attacker automation, creating compressed timelines that challenge defenders. Tune in for insights on future defenses, including automated patching strategies.
Dec 16, 2025 • 50min

DtSR Episode 684 - AI Agents Gone Rogue

TL;DR: This week's show features Aaron Costello, and is all about an analog from real-world attacks on humans, applied to AI "agents". I know what you're thinking - computers are supposed to be more difficult to trick, right? Right... no. Attacks such as this where computers try to be "helpful" (just like humans) are probably more common than we'd like to think. Give this a listen, it's a hoot.
YouTube video: https://youtube.com/live/fM88jSkamDQ
Dec 9, 2025 • 38min

DtSR Episode 683 - Sometimes You Have to Step Away

TL;DR: On this episode, it's just Jim and Rafal talking about how sometimes you just need to take a big step back from your day job and touch some grass. Our chosen profession is demanding, to say the least. So let's take a minute to acknowledge what we're really thinking. Unfiltered, raw, and straight from our heads to your ears, enjoy.
YouTube video: https://youtube.com/live/ULTq1pzckFg
Dec 2, 2025 • 49min

DtSR Episode 682 - A Third Opinion on Vulnerability Ranking

TL;DR: This week's pod features a conversation with the Jay Jacobs, who had previously been on the show talking about this very topic (vulnerability ranking/scoring) many, many years ago. If you missed Episode 297 check it out, it's crazy how far (or not) we've come since that conversation.
YouTube video: https://youtube.com/live/cpL9ZYbwkes
Nov 25, 2025 • 49min

DtSR Episode 681 - AppSec Whack-a-Mole

TL;DR: Join Rafal & Jim as we welcome Dustin Lehr to talk about the state of AppSec and how we got here. We discuss vulnerabilities, accountability, culture, and a host of other things. It's a caffeine-fueled episode, so buckle in!
YouTube video: https://youtube.com/live/yoBIQ_sIawI
Nov 18, 2025 • 56min

DtSR Episode 680 - Debating Patching and Vulnerability Scoring

In this discussion, Brian 'Jericho' Martin, a seasoned expert in vulnerability intelligence and founder of attrition.org, dives into the complexities of vulnerability scoring and patching. He passionately debates the shortcomings of CVSS and critiques the CVE process, highlighting why many vulnerabilities remain unnumbered. Brian proposes a new prioritization model for addressing threats and stresses the need for better vendor responsiveness. With a nod to the messy realities of existing systems, he contemplates whether meaningful industry improvements are possible.
Nov 11, 2025 • 55min

DtSR Episode 679 - Wasting Time Patching

In this discussion, Robert "RSnake" Hansen, a renowned security researcher, critiques traditional vulnerability management. He argues that most patching efforts over the last two decades have been futile, as the majority of reported vulnerabilities never get exploited. Hansen reveals that vendor incentives hinder real change and examines the economic motivations behind attacks. He suggests focusing on monetary risk metrics and reevaluating what truly secures systems, emphasizing that the industry's current approach has inflated costs for defenders without impacting attackers.
Nov 4, 2025 • 45min

DtSR Episode 678 - CyberSecurity Has Lost the Plot

TL;DR: This week's pod features your favorite hosts reflecting on how security has lost its way. When everything is a catastrophe, nothing is. When every breach is world-ending, none of them matter. Have we completely lost the plot? Prepare to have a good think.
YouTube Video: <coming soon>