The Standard Deviant Security Podcast | Bi-weekly show discussing cyber attacks, data breaches, malware, privacy issues, Internet culture and infosec

Are you ready for a completely different kind of information security podcast? The Standard Deviant Security Podcast is a bi-weekly show that takes an in-depth look at the people behind the cyber security stories you hear in the news. Each episode cuts through the noise and hype to deliver compelling and entertaining interviews with people that are challenging the status quo. Hosted by Tony Martin-Vegue --
All Episodes
Jan 25, 2016

Aaron Swartz died about three years ago on January 11, 2013. He was 26 years old and lived a short but remarkable life — he was a programmer, hacktivist, writer and entrepreneur. He helped develop RSS and Creative Commons and was also a co-founder of Reddit, among many other accomplishments. His lasting legacy is really his activism around copyright law and his belief that information should be free. He died by suicide while under federal indictment for data theft, for downloading a large amount of academic journals from JSTOR.

Episode #17 features Justin Peters who recently wrote a book on Aaron titled "The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet." We talk about Aaron, his ideas and the person behind the news headlines. Please visit for full show notes.

Dec 18, 2015

Episode #16 is all about shenanigans on mobile devices and how end users and app developers can protect themselves. We are joined by Mary Min, VP of Global Business Development at SEWORKS to discuss mobile malware, common mobile security threats and app piracy. We also delve into the darker side of what can happen with mobile apps: apps can be decompiled by an individual who can then insert code that does everything from harvesting login credentials to changing the outcome of a battle in an online game. We also hit the topic of copycat apps and get Mary’s take on the current court case of Lilith Games versus uCool, in which Lilith Games is alleging that uCool’s game, Hero’s Charge, is a clone of Soul Clash. Please visit for full show notes.

Dec 7, 2015

It's been about a year since the cyber attack against Sony Pictures Entertainment made the news worldwide. We are all familiar with the hack and the media attention that followed. What is not so well-known is how Sony management responded to the crisis and how employees coped with the business disruption and public leaking of very sensitive personal data. Amanda Hess at Slate spoke to current and ex-employees at Sony to shed light on these very subjects and recently published a piece titled, "Inside the Sony Hack: What it was like to be a rank-and-file Sony employee as the unprecedented cyberattack tore the company apart." It's a very revealing article that many of us in the Information Security profession can draw lessons from. Amanda is joining episode #15 to talk about what it was like to be an employee at Sony at the time, the management response, her thoughts on who perpetrated the hack and many other compelling topics. Please visit for full show notes.

Nov 30, 2015

Most people know what a software bug is: an error or flaw that causes software to behave in unexpected ways. A bug bounty is exactly what it sounds like — it’s a program offered by software companies and websites that incentivises researchers to report software bugs to them. Compensation can range from recognition to money - in some cases, a lot of money. Bug bounty programs have experienced tremendous growth in the last few years. We’re joined for episode #14 by a leading expert on bug bounty programs, Katie Moussouris. She’s here to chat about bug bounty programs: what they are, how they work, how to set one up in a company and some notable successful bounties in the past. Please visit for full show notes.

Oct 28, 2015

Kevin Borgolte joins us for episode #13 to talk about a paper he recently co-wrote, titled "Drops for Stuff: An Analysis of Reshipping Mule Scams." He explains a very elaborate and profitable scam in which people are tricked into receiving and reshipping goods purchased with stolen credit card numbers. Kevin is a PhD candidate at UC Santa Barbara and has done extensive research in the field of information security and underground economics. Please visit for full show notes.
Oct 19, 2015

We’re going to go old school and talk about BBSs for episode #12. A BBS, short for Bulletin Board System, was the primary way a computer user communicated and traded software with others before the Internet became ubiquitous. Typically, a BBS was run off a computer with a dial-up modem line. Users would call the BBS (one at a time) and leave messages, upload or download information files (called text files) and trade software.

BBSs had a culture of their own. Some BBS system operators (or SysOps) were serious and trying to run a business. The flip side includes the hacking underground, software pirates and some interested in very strange subject matter. We are joined by Jason Scott to guide us through the history and cultural significance of BBSs. Jason is an archivist, technology historian and filmmaker. He runs a website -, which is an archive of the information sharing that occurred during this time period. Jason also created and directed a film called “BBS: The Documentary."
Check out Jason’s documentary here:
and don’t miss

Please follow Jason on Twitter @textfiles
Follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at
Sep 24, 2015

Episode #11! Made it past 10, and the podcast is really gaining momentum. Thank you to everyone for listening.

Dr. Scott Craver joins the podcast this episode. He runs a contest out of Binghamton University in New York called the Underhanded C Contest.

The contest and the rules are simple - participants are given a challenge and their objective is to produce malicious code that, upon inspection, is either not detected or looks like an innocent mistake. The different challenges are very creative — for example, there have been challenges around digital fingerprinting, intentionally losing an airline passenger's luggage and writing surveillance code for social networking sites.

This contest is of particular interest to those of us who work in security because it demonstrates how a sufficiently motivated person can write malicious code that is very hard to detect.

Scott Craver is a professor of Electrical and Computer Engineering at Binghamton University. He received his BS and MS at Northern Illinois University, and a PhD at Princeton University studying problems in steganography and watermarking. His work in these areas earned him an Air Force Young Investigator award, and later a Presidential Early Career Award for Scientists and Engineers. His research focuses on multimedia security, and includes watermarking, steganography, and biometrics.

Please visit the Underhanded C contest page at:

Follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Aug 30, 2015

Episode #10 of the Standard Deviant Security Podcast takes a look at SecretCon, the topic of privacy in information security and gender issues in the technology field. SecretCon is a one-day conference in New York City focusing on privacy topics and enterprise security. The conference will be held on Friday, October 9th -- information and tickets are available at The line-up looks great this year with some really engaging and provocative speakers, including Andrew Case, Melanie Ensign, Dan Ford, Riley Drake and many others. If you are in the NYC area, this is not an event you will want to miss.

This episode's guest is Elissa Shevinsky. Elissa is here to give us a preview of SecretCon and also to discuss privacy, information security and many other topics.

Elissa Shevinsky is CEO of JeKuDo Privacy Company and co-organizer of SecretCon. At JeKuDo, she is leading a team building secure tools for enterprise collaboration. The company is backed by the security investors at Mach37 in Virginia. Shevinsky is also the editor of "Lean Out," an anthology about gender equality in startup and gaming culture.

Tickets and the full speaker line-up for SecretCon can be found here:

Visit to learn more about Elissa's company.

Be sure to check out "Lean Out: The Struggle for Gender Equality in Technology and Start-up Culture," available now at OR Books and on Amazon.

Follow Elissa on Twitter @elissabeth

Follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Aug 23, 2015

Episode #9 of the Standard Deviant Security Podcast is all about secure messaging on the Internet. Privacy and confidentiality are very important topics, and the constant data breaches and privacy violations we see in the news, in which users' personal information is exposed, really emphasize how serious they are. We're going to be talking about secure messaging and some of the underlying cryptographic technologies that facilitate secure communications. It’s usually a very complex concept and it's not easy for most people to follow, so I've invited Justin Engler to the podcast. I had the pleasure of seeing his talk at DEF CON 23, which took the complicated topic of secure communications and cryptography and made it very understandable for people who aren't experts in the field.

Justin explains the basics, such as the difference between an unsecured message and a secure message, the common threat actors regular users have to be concerned about and key exchange. We also have a chance to discuss a very cool project he worked on a few years ago – a robot that guesses and enters 4-digit PINs!

Justin Engler is a Principal Security Consultant with NCC Group. Justin has been involved in application security assessments of many open and closed source messaging applications and other related technologies. He has spoken previously at DEF CON, BlackHat, Toorcon, and other regional events. Justin has 5 years of security consulting experience and has been involved in security, software development, and IT professionally for over 10 years.

You can follow Justin on Twitter @justinengler.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Aug 11, 2015

We're going to do something a little different this episode and take a slight departure from the usual topics of cyber security, vulnerabilities and hacks and take a look at career and personal development.

In the last episode, #7, with Jack Daniel and in episode #1 with Bill Brenner we briefly covered the subjects of work stress, burn-out and depression. This is a subject that is near and dear to me because I have, at various points in my career, suffered from all three. Those of us in Information Technology and Information Security know these conditions all too well: we work in high-pressure, high-stress jobs in which the stakes are very, very high. Most companies now depend on IT systems for their very survival, and those of us that maintain and secure those systems feel the daily stress.

Joining me for Episode #8 of the Standard Deviant Security Podcast is a good friend of mine, Jeena Cho. Jeena isn't in security - she's an attorney, so she knows a thing or two about managing the stress of a demanding career. We discuss work stress, coping with depression, silencing the inner critic, imposter syndrome and dealing with trolls. We also discuss something that Jeena, Marc Benioff, Howard Stern, Ray Dalio, Russell Simmons and I all have in common - we meditate. It's how we unlock high performance, greater focus and keep depression in check.

Jeena Cho is co-founder of JC Law Group PC, a bankruptcy law firm in San Francisco, CA. She is also the author of the upcoming American Bar Association book, "The Anxious Lawyer: An 8-Week Guide to a Happier, Saner Law Practice Using Meditation." She offers training programs on using mindfulness and meditation to reduce stress while increasing focus and productivity. She's the co-host of the Resilient Lawyer podcast.

You can reach her or on Twitter at @jeena_cho.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Jul 28, 2015

Security BSides Las Vegas is right around the corner, August 4th and 5th. Security BSides is unlike any other security conference out there – it’s community driven, completely open (anyone can spin up a BSides in their city) and it has spread like wildfire. Now, in 2015, BSides events are held all over the US, in Europe, Asia, Africa and South America.

BSides Las Vegas was the very first in July 2009 and it’s still the largest. Anyone who has been to a BSides, whether it’s a very large one or one of the smaller events, knows the speaker quality and grassroots origins make it a very special and important part of our community.

Episode #7 of the Standard Deviant Security Podcast is dedicated to the history of BSides, BSides Las Vegas and community building in information security. Joining us is Jack Daniel, a co-founder of Security BSides. We will discuss exactly what BSides is, how and why BSides was started and how to get involved. We also discuss the implication that the security community can be “cliquey” and how to overcome that perception, if you feel that way.

Jack Daniel works for Tenable Network Security, has over 20 years' experience in network and system administration and security, and has worked in a variety of practitioner and management positions.

A technology community activist, he supports several information security and technology organizations. Jack is a co-founder of Security BSides, serves on the boards of three Security BSides non-profit corporations, and helps organize Security B-Sides events.

Jack is a frequent speaker at technology and security events. An early member of the information security community on Twitter, @jack_daniel is an active and vocal Twitter user. Jack is a CISSP, holds CCSK, and is a Microsoft MVP for Enterprise Security.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Jul 13, 2015

Episode #6 of the Standard Deviant Security Podcast is an exploration into the world of organized cyber crime, the online operations of terrorist groups and government policies combatting cyber espionage. Our guest is Megan Penn, who researches cyber security policy, violent extremist organizations and many other related topics.

We cover many subjects, ranging from data theft at e-waste sites, to why ISIS is so successful at using social media tools, to China’s cyber espionage efforts. Additionally, Megan offers invaluable advice for people that want to get into the cyber security field, but don’t have a programming or computer science background.

Megan Penn is a recent graduate from the George Washington University, where she received her M.A. in Security Policy Studies from the Elliott School of International Affairs. During her degree, Megan concentrated on transnational security issues, specifically non-state actors and human security, and cyber security policy, a self-designed concentration to include courses in information technology policy and engineering management. Her final co-authored capstone offered policy recommendations for the U.S. government in countering violent extremism online. Although new to cyber security, Megan has been published in Canada and the U.S. on cyber security policy, mobile technology, and cyber crime.

You can follow Megan on Twitter @megantiffany12.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Jul 4, 2015

Episode #5 of the Standard Deviant Security Podcast focuses on the topic of trust with Ken Westin of Tripwire Inc. Ken has done a lot of work and research on this topic and has very insightful commentary on the subject. The Internet, when it was first conceived and designed, was built around a model of implicit trust - people and devices just trusted each other. Fast forward 40-some years and now we deal with all sorts of activity that can harm data, reputation, and people - activities that the original creators of the Internet probably couldn’t even conceive of. We've added on technology that increases trust and mitigates the risk of data breaches, DDoS attacks, organized crime rings and other threats, but significant risk still exists and seems to be increasing. Where is the security industry succeeding and where is it failing?

Ken is a Senior Security Analyst at Tripwire Inc., with 15 years of experience building and breaking things through the use/misuse of technology. His technology exploits and endeavors have been featured in Forbes, Good Morning America, Dateline, the New York Times and The Economist; he has won awards from MIT, CTIA, the Oregon Technology Awards, SXSW and Entrepreneur, and was named in the Portland Business Journal's 2013 "40 Under 40". He has worked with law enforcement and journalists, utilizing various technologies to unveil organized crime rings, recover stolen cars and even solve a carjacking, amongst other crimes.

You can follow Ken on Twitter: @kwestin

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Jun 19, 2015

The Verizon Data Breach Investigations Report (DBIR) is one of the most, if not the most, widely read and well-respected annual security reports in the industry. The report analyzes nearly 80,000 cyber attacks based on contributions from 70 organizations. The resultant data is staggering - and publicly available through the VERIS framework for everyone to benefit from. The DBIR team then analyzes the data for the better part of a year and comes up with a pretty amazing report. The report gives analysis on cyber attacks broken down by victim industry, method of attack, the target and many other vectors.

This year the DBIR tackled the cost of a data breach. For the last decade or so the standard accepted by the industry was the Ponemon Institute's model. The latest DBIR offers a new model, one that is built on a completely different data collection method than Ponemon's.

This new model ended up causing quite a bit of commotion, controversy and media attention because the conclusion is starkly different than the previously established model. The guest for episode #4 of the Standard Deviant Security Podcast is Jay Jacobs, a Security Data Scientist at Verizon and a co-author of their annual Data Breach Investigation Report. We discuss the controversy, the new model for ascertaining the cost of a data breach and much more.

In addition to being a co-author of the Verizon Data Breach Investigations Report, Jay is a co-author of "Data Driven Security", a book covering data analysis and visualizations for information security; he also hosts a podcast on data driven security and blogs at  Jay is also a co-founder of the Society of Information Risk Analysts and currently serves on the organization's board of directors.

Follow Jay on Twitter @jayjacobs.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

Jun 6, 2015

People that work in the security field are talented, courageous, strong individuals that often toil tirelessly to make the world a better place. However, people outside of the security community don’t always see all of the positive qualities and instead define us by some of our worst elements – cranky, inept people whose behavior borders on criminal activity. We all know this isn’t the case at all, but how did we get here and how can we fix it?

Episode #3 of The Standard Deviant Security podcast features a discussion about communication, public relations and reputation management in Information Security with Melanie Ensign. Melanie is a security communications advisor with experience counseling Fortune 500 companies across a range of disciplines including media relations, employee awareness, incident response, hacker relations, disclosure incentives, social engagement, and public policy. She also serves as public relations Goon for DEF CON and r00tz Asylum. Melanie holds a Master of Science degree in corporate public relations from Boston University.

Melanie discusses some of the perception and reputational issues the security community currently has and offers great advice on how we all can deal with the media attention that has been put on security, seemingly overnight. We also discuss how to deal with media and journalists, how to best communicate security concepts to business people, how to make Information Security more inclusive and many other topics.

Everyone in the security field, from academics to penetration testers will get a lot of value from the interview and learn how we can all put our best foot forward.

Please visit Melanie on Twitter at @imeluny and check out r00tz Asylum (, a great non-profit that Melanie is involved in that teaches kids how to love being white-hat hackers.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

May 31, 2015

There are some that would lead us to believe that we are on the verge of a "cyber 9/11" or a "cyber Pearl Harbor," but the evidence and facts do not match up with the rhetoric. Episode #2 features an interview with Dr. Brandon Valeriano. He is a Senior Lecturer at the University of Glasgow and the author of several books, the two most recent being "Russia's Coercive Diplomacy: Energy, Cyber, and Maritime Policy as New Sources of Power" and "Cyber War versus Cyber Reality: Cyber Conflict in the International System," both co-written with Dr. Ryan Maness.

Dr. Valeriano makes the argument that we are not on the verge of cyber war and demonstrates that nations that do have significant cyber capabilities show remarkable restraint and will continue to do so. We also discuss cyber espionage, the actual capabilities that some nations have and examine notable examples, such as Operation Olympic Games.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at

May 29, 2015

Here we go! The very first episode of The Standard Deviant Security Podcast.

The first episode features an interview with Bill Brenner. Bill is well known in the security community for his prolific writing and podcasting on Internet security. He currently works at Akamai Technologies as a Senior Technical Writer, and Bill also blogs about the wider security industry at and Dark Reading. Unrelated to cyber security, he also writes about mental health issues at The OCD Diaries.

Please follow the Standard Deviant Security Podcast on Twitter @standeviant and visit the website at