Security Voices


There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.

All Episodes

Hundreds of inexpensive satellites are now regularly launched into space through SpaceX’s Smallsat Rideshare program. Some are sophisticated and commercial, others are DIY and experimental. They share space with now over 3,000 other artificial satellites orbiting the Earth. What could possibly go wrong?

Frank Pound joins Jack and Dave for a conversation to answer the question of just how hackproof satellites really are and why it matters, starting with the Hack-a-Sat competition. Hack-a-Sat is an intensive capture the flag style competition currently in its second year where teams square off against one another to break into and defend satellite tech. And along the way, we learn that doing so requires encounters with strange software, hardware and not a small amount of hard math.

The most known, visible satellite hack dates back to the 1980s and involves a broadcast takeover around Thanksgiving from a Max Headroom mask-wearing man which ended in a spanking, but no real harm done. Jack and Dave explore the attack surface of satellites with Frank to find out when the next attack happens, where it’s likely to be. And along the way, we discover the Hubble Telescope’s terrible secret: ancient JavaScript in its belly that’s likely kept on life support by some unfortunate government contractor. Throughout the hour-long conversation with Frank, one gets the impression that we’re still in the early days of satellite hacking. However, the breakneck pace of satellites being launched and their considerable potential vulnerability to cyber attacks point in the direction of a lot more than simply Max Headroom interruptions and GPS whoopsies in the future.

Sep 13

1 hr 11 min

A clear pattern is emerging of security leaders also being anointed with responsibility for privacy. Some of the origins of this movement no doubt can be found in regulations like GDPR that blend requirements for both security and privacy in mandates for data breach response. While this may seem like a logical pairing for lawmakers, it can be anything but a happy marriage inside an organization as they not only compete for resources but also have divergent needs in areas such as data retention.

Whitney Merrill, founder of the Defcon Crypto and Privacy Village and current Privacy Counsel at Asana, joins Jack and Dave to untangle the complicated relationship between privacy and security. From shared ground in areas such as longstanding shortages in staffing to profound differences elsewhere, security and privacy are just similar enough to allow those who combine them thoughtlessly to make a mess of them both. Case in point, Whitney explains that privacy is often not a risk exercise at all, but instead a legal matter. We conclude with Whitney’s clear, practical advice for CISOs who find themselves responsible for privacy for the first time to keep their head above water and a healthy distance from regulators.

Our dialogue with Whitney also serves as a catch up session for anyone who wants to go past current headlines, from the latest on Clubhouse, Facebook and Grindr to mobile deanonymization and the unsavory business of data brokers. She explains just how hard it is to actually get an organization to properly respond to a data inquiry, but why she does it and how the visibility she provided on the struggle may have prompted the California Attorney General to recently take action against a very visible, repeat offender.

Aug 16

1 hr 9 min

We’ve conditioned ourselves to look at our technology in a similar way we look at a box of tools: as instruments that passively do what we make them do. When we think of the future of artificial intelligence, it’s tempting to leap to fully autonomous solutions-- when exactly will that Tesla finally drive by itself? In our interview with Jamie Winterton, we explore a future where AI is neither a passive tool nor a self-contained machine but rather an active partner.

Human/machine teaming, an approach where AI works alongside a person as an integrated pair, has been advocated by the U.S. Department of Defense for several years now and is the focus of Jamie’s recent work at Arizona State University where she is Director of Strategy for ASU’s Global Security Initiative and chairs the DARPA Working Group. From testing A.I. assisted search and rescue scenarios in Minecraft to real war time settings, Jamie takes us through the opportunity and the issues that arise when we make technology our sidekick instead of solely our instruments.

The central challenges of human/machine teaming? They’re awfully familiar. The same thorny matters of trust and communication that plague human interactions are still front and center. If we can’t understand how A.I. arrived at a recommendation, will we trust its advice? If it makes a mistake, are we willing to forgive it? And how about all those non-verbal cues that are so central to human communication and vary person to person? Jamie recounts stories of sophisticated “nerd stuff” being disregarded by people in favor of simplistic solutions they could more easily understand (e.g., Google Earth).

The future of human/machine teaming may be less about us slowly learning to trust and giving over more control to our robot partners and more about A.I. learning the soft skills that so frequently make our other interpersonal relationships work harmoniously. But what if the bad guys send their fully autonomous weapons against us in the future? Will we be too slow to survive with an integrated approach? Jamie explains the prevailing thinking on the topic of speed and autonomy vs. an arguably slower but more optimal teaming approach and what it might mean for the battlefields of the future.

Note: Our conversation on human/machine teaming follows an introductory chat about data breaches, responsible disclosure and how future breaches that involve biometric data theft may require surgeries as part of the remediation. If you want to jump straight to the human/machine teaming conversation, it picks up around the 18 minute mark.

Jun 7

1 hr 1 min

Communications professionals are often quiet coaches. They work their magic behind the scenes. They hold their opinions tightly and express them infrequently. In short, their influence is everywhere but their fingerprints are often invisible.

Melanie Ensign is having none of that. And we’re all the better for it. In this 64 minute interview, you’ll have the pleasure of meeting one of the most influential and outspoken communications executives in the world of cybersecurity and privacy. We begin with her role as press department lead for DEFCON, a role she’s held for 8 years and explains is the exact inverse of what you think it is.

In our next topic, Melanie breaks out the verbal chainsaw and applies it with vigor to the voice-based social network Clubhouse. From privacy mistakes to seeming indifference to community feedback on the topic, she explains in detail why she recommends her clients (and anyone else) avoid Clubhouse until they clean up their act.

The remainder of the conversation is a mini-master class on how to succeed in communications for everyone from startups to new CISOs. Melanie dissects press releases and what to do instead of hitting Business Wire every Tuesday if you’re a young company. Young or old company, she shares why using fear, uncertainty and doubt (FUD) to persuade people ultimately fails and how we can move past it as an industry.

Much of Melanie’s work at her company Discernible is working with CISOs and their teams on their internal communications. Influenced by her time working at Uber and Facebook, Melanie offers a game plan for moving from reactive to proactive communications. Her advice is not for the weak-willed: she refuses to clean up anyone’s mess and doesn’t think you should either.

This quickly has become one of our favorite episodes and there’s truly something for everyone in the dialogue-- except for those who dislike a little profanity to season their conversations. Note the explicit tag and enjoy the ride.

Apr 12

1 hr 8 min

We’ve met and passed the 1 year anniversary of the COVID-19 pandemic and cases of burnout are off the charts. We’re tired of Zoom. We’re tired of masks. Far too many kids are stuck at home instead of at school. The list could go on but the result is obvious: we’re burned out. The effect can be all the more profound for beleaguered security professionals who often struggle with burn-out even at the best of times. Jack and Dave return in this mini-episode for a quick conversation about how to identify and respond when you’re feeling like you’re burnt. While often it’s Dave and a guest doing most of the talking, in this episode Jack is driving. He shares from his deep experience on the topic, starting with an explanation of Maslach’s burn-out inventory which provides a structured, clear guide for determining just how crispy you are. The inventory is tailored for different professions, and while there is not one specific to cybersecurity, Jack and Dave explore specific aspects of our industry that up the stakes for burn out.

Importantly, Jack explains why getting help from a pro versus leaning on friends and family can be essential. We wrap up with some time-honored approaches to restoring yourself so that you’re ready to jump back in the action once again.

Note: For this short episode we tested a new production service and you’ll also note we updated the website and our branding as well. And transcripts! We now have 100% more (raw) transcripts than before. We’ll be unleashing all this magic soon on a new full-length podcast we recorded this past week with the one and only Melanie Ensign.

Mar 31

31 min 35 sec

This episode of Security Voices is different. Let’s say you sat down at the end of a long day and had a casual drink with a few industry friends before dinner. The conversation quickly turns to serious topics which are all discussed with thoughtful insight, biting humor and some well-placed profanity. Welcome to the latest episode of Security Voices where Jack & Dave wander off the beaten path with Abhishek Agrawal and Ryan Noon, co-founders of email protection company Material Security. This one isn’t for the easily offended or as the soundtrack to a drive with the kiddos.

“How not to suck as a vendor” is our introductory question, prompting an earnest conversation that starts with “don’t be an active cancer”, covers The Market for Silver Bullets and ultimately explains why the pandemic has made already questionable cyber security marketing even worse.

After exploring some of our top influences, from The Autobiography of Malcolm X and The Origin of Consciousness to Joe Frank’s avant garde radio show, The Other Side, we talk email security. In a year that changed so many things, Abhishek and Ryan explain how truly little changed for phishing attacks. While the trend is not compelling, the reason why is. They walk us through what truly makes phishing attacks successful: distracted people reacting to well-timed messages. This hard truth confounds the market for anti-phishing training as ultimately our susceptibility has much more to do with our emotional state at the time than it does our factual knowledge or even our learned behavior.

If you’ve wondered what the difference between phishing and business email compromise (BEC) is, this episode is for you. Abhishek provides a clear explanation of both topics before we forecast an ominous new threat on the horizon: Really Scary Phishing™. Our wrap-up eschews the usual speed round and instead asks “What can cybersecurity learn from other industries?” Jack lays out how the service industry has much to teach us about taking care of our own while Dave explains what he learned about empathy and innovation from the advertising industry. We depart on a hopeful note, as Ryan relays a story reminding how small acts of kindness can have a large impact on others.

We’ll be taking a short break before the next episode as Jack and Dave attend to some important “life stuff”. See you in the Spring!

E

Feb 7

1 hr 4 min

In our 1st episode of ‘21, we cap off our cloud security series with a recap of the major milestones, key trends and surprises across 2020 through the eyes of cloud expert and podcaster, Justin Brodley. If you think you might have missed a few things that happened in the public cloud last year while waiting for news on COVID-19 vaccines, hitting refresh on election results or wondering when the four horsemen were finally going to show up, this episode is your chance to catch up and look ahead through the lens of both a practitioner and a pundit.

Recorded during AWS Re:invent, we examine the cloud service provider conferences across the year to find a clear absence of security topics making their way to center stage. While there were some notable developments, such as services providing easier cloud traffic analysis, much of the attention was elsewhere. Multi-cloud, in particular, leapt to the forefront for even Amazon who had been reluctantly dragging their feet.

Our comparison of the different cloud service providers (CSP) conferences gives way to Justin’s take on key differences in their security strategies. From Google’s cloud native approach to Microsoft’s gambit to compete with stand-alone security offerings seemingly inspired by their experience on-premises, we break down the CSP’s strengths and weaknesses in cybersecurity.

We chart the big moments of 2020 in the cloud, starting with outages that began with pandemic-strained capacity at Azure to the longest AWS outage witnessed in years around Thanksgiving. While security news didn’t penetrate the headlines in many instances, Justin mentions some noticeable developments and what we hoped to see, but didn’t. Justin shares his top advice for anyone moving to the cloud to shore up their defenses. Given the vast amount of phishing, social engineering and misconfiguration issues in the cloud, it turns out that this has a lot more to do with improving our humans than it does our technology. Nonetheless, the threat landscape meaningfully advanced with more complex, serious attacks in 2020 which moved well beyond “S3 bucket negligence” that's perhaps best exemplified by the sophisticated Capital One breach.

In the waning moments of our 6 episode cloud series, we look to the trends that will define 2021 and end with a hopeful signal that us security types just might be starting to get the hang of this cloud thing.

About Justin

Justin Brodley is an IT Executive with 20+ years in SaaS, Cloud, and IT operations. Most recently as VP of Cloud Operations at ICE Mortgage Technology (formerly Ellie Mae). He has helped companies transform their SaaS business, adopt cloud-native practices, and drive the cultural change of DevOps and DevSecOps. He is also one of the hosts of https://www.thecloudpod.net, a weekly cloud news show covering AWS, GCP, Azure, DevOps, and more.

Jan 17

1 hr 6 min

Investors make their money seeing things others don’t. Making big bets based on both digging into painstaking detail and their ability to forecast what will happen many years into the future. In this 5th and (almost!) final episode of our series on public cloud security, we get deep into the mind of Bucky Moore from Kleiner Perkins to learn how the flow of funding is both responding to and shaping our industry’s transformation from protecting our own data centers to renting them from others.

Bucky begins by laying down our mile marker in the global cloud journey, answering the eternal question of “Are we there yet?” with a clear answer of “Not even close.” We follow these remarks with a walk through the different corners of the cyber security industry to see how they’re keeping pace. While many fail to impress, one of the legacy behemoths stands out from the pack as having impressively galvanized their business to meet the cloud challenge.

Setting companies aside, Bucky, Jack & Dave identify what technologies are the likely casualties of the long-term cloud transition, followed by a look at the obvious new areas to invest. Bucky describes a few more obscure tech opportunities he and Kleiner Perkins are watching that may produce a surprise hit in the future.

We explore the eye-popping amount of money raised by managed security services companies in 2020 such as Arctic Wolf, deepwatch & Pondurance and how they differ from the not-so-glamorous past of the MSSP market. Our discussion explains the hidden forces driving the new managed services opportunity and how we think it will play out over the years ahead.

If you’re looking to understand the insanely high valuations of companies like Snowflake and CrowdStrike-- or wondering what a SPAC is-- Bucky weighs in on these topics as we also dive into the surprise investing frenzy of 2020. Spoiler alert: it has a lot to do with both money and investors having no better places to go.

Dec 2020

1 hr 10 min

As longstanding cybersecurity companies lumber their way into the public cloud and "born in the cloud" startups fight for attention, cloud observability titan Datadog entered the security market in 2020 with two new products. This is far from the first time a company has used an adjacent market to make the cybersecurity leap. Oftentimes it fails, but Splunk immediately comes to mind as a crossover success. Jack and Dave interview Datadog’s Marc Tremsal in this episode to provide a view into what cybersecurity looks like from the lens of a company steeped in the world of cloud infrastructure.

Datadog did not break down the doors of the industry, but rather was invited to enter by their customers whose needs were not being met by cybersecurity companies. Marc explains the mistakes that incumbents have made that have left a considerable opening for others-- they have very little to do with technology and a lot to do with marketing and sales. From selling to CISOs rather than the people doing the work to overheated marketing claims, cybersecurity companies have alienated would-be cloud customers who openly wonder why they can’t buy protection the same way they purchase the rest of their infrastructure.

Marc talks through the challenges of staffing a cloud security product team-- how much do you value deep domain expertise? Do you shrug it off and simply hire the best developers? We explain how the hottest talent on the market will be cybersecurity veterans who take the time to retool for the public cloud as they will hit the “goldilocks” spot for a growing throng of potential employers.

We wrap up a surprisingly optimistic conversation with a glance ahead to 2021 where Marc reckons consolidation of providers will be a key trend alongside a hard look at just how immutable some of our infrastructure truly is.

Nov 2020

1 hr 10 min

Our conversation with Rich Mogull was intended to provide an analyst view point on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy. If you find yourself wondering if you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic. He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security-- especially in assessing yourself for burnout.

If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you. We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn’t time to throw in the towel and find a better gig.

If multi-cloud seems impossible to defend with the skills and resources you have, you’re probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn’t mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.

We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how long standing problems such as re-architecting are now solvable and operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.

Oct 2020

1 hr 6 min

In our 1st episode of this series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.

While Yelp was born in ‘04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013. Their early transition makes the company one of the longest tenured organizations who have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).

Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions with DevSecOps and the amount of care and feeding it takes to make it successful. We also cover Yelp’s tooling which centers on generous amounts of open source and their own projects including their current work on the Enhanced Berkeley Packet Filter (eBPF).

We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they’re related, trust us) alongside forecasting the future for security tech as the cloud native tsunami rolls on. Spoiler: there’s no reprieve for old school network security.

Sep 2020

1 hr 4 min

Initially led by software as a service (SaaS), the transition to the public cloud is one of the most important changes we’ve witnessed in information technology to date. From the early days of SaaS to the current stage where adoption of infrastructure, platform and function as a service (IaaS, PaaS, FaaS) are catching on like wildfire, there’s an increasing awareness that at the end state of this shift few aspects of how we do our jobs will be unchanged. This Security Voices episode is the first of five where we dig into the details of how the public cloud is transforming cybersecurity.

Teri Radichel joins us to explain key concepts in public cloud technology, the differences from on-premises, migration options and more. If you’ve ever wondered what is meant by “lift and shift” or “cloud native”, this is for you. Teri’s background as a trainer, author and researcher shines through as she describes broad concepts in easily understood terms but also doesn’t spare the details for those who are already cloud savvy.

Beyond the core concepts, Teri compares and contrasts the security models across Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). As she walks us through the differences between the three platforms, you get a sense of the complexity faced by those straddling an on-premise environment as well as the public cloud – not to mention several clouds at once. From networking to identity and access management models, no cloud service provider is quite like the other. Moreover, the fierce competition between Google, Microsoft and Amazon is driving such rapid changes in their platforms that any grip you have on exactly how things are is a slippery one at best.

In spite of the challenges, Teri explains her belief that one can achieve better security in the cloud than on-premises. Doing so requires thinking differently, however, such as Teri’s advice to handle data as we would handle money. We hope this episode lays the groundwork for you for understanding the current state of public cloud security as in the next show we dive into the trenches with a cloud security practitioner at Yelp.

Sep 2020

1 hr 6 min

If you’ve been laid off, furloughed or are just plain tired of everything, this episode is for you. Kathleen Smith, the longstanding cyber career expert at B-Sides (and beyond) joins us for a dialogue on what’s happening in the security job landscape. Lost your job? Kathleen explains a tried and true process for recovery, reflection and finding your next gig. Not to mention a few surprising options for those who aren’t afraid of a little adventure, such as the military reserves or a job in one of the often overlooked national laboratories.

In a rare moment of good news this year, Kathleen explains how COVID-19 has driven an increase in cyber security jobs both in the government and commercial sectors in response to a recent increase in threat activity. If you’re willing to put in the extra effort (and put down your cannabis), she also describes what it takes to score a government clearance and gain access to an entirely new pool of opportunities.

Once a coveted perk, remote work has blown the job market wide open for all. Roles once restricted to those within a certain location are now broadly accessible. However, working far away from your colleagues in your house has serious implications for your social relationships, energy and health that many are only beginning to understand. Kathleen breaks down how to recreate boundaries between one’s personal and professional life, a skill she learned the hard way during her time in non-profits such as the American Red Cross and World Wildlife Fund.

Before wrapping up, Kathleen talks directly to leaders and how she has adapted her style in 2020 to meet the extraordinary challenge while avoiding burnout. We hope our hour plus conversation with Kathleen is a welcome break from whatever you’re facing right now, providing you with help in your current job or a fresh perspective on what to do next.

Jul 2020

1 hr 20 min

Discussing cryptography is usually a surefire way to end a dinner conversation. It combines two things that intimidate (and bore) many people: hard tech and complex math. In spite of this, cryptography is on center stage today as it is the very foundation of defending our privacy and perhaps unlocking how we can safely share health information in the midst of the pandemic. There are few people who both understand and can explain cryptography in plain English better than Dr. Zulfikar Ramzan, CTO of RSA.

Our hour long conversation with Zully tackles how concepts such as zero knowledge proofs and multiparty computation might be applied during the current COVID-19 pandemic. Historically, sharing healthcare information has been an “all or nothing” affair with difficult privacy trade-offs being made in the name of ensuring we receive the right care at the right time. Zully takes us through how long standing encryption concepts, now made practical by advances in computing, may allow us to selectively share vital health information such as vaccination records or test results without sacrificing our personal privacy.

Zully also explains how cryptographers are preparing for a world where quantum computers can make short work of our current encryption practices. He draws perspective from the mid-90s when the Advanced Encryption Standard (AES) was being developed and explains the road ahead for promising lattice-based methods that could form the basis of a new, post-quantum AES replacement.

Beyond cryptography, we discuss Zully’s role as CTO at one of the most iconic brands in security. He takes us through “a day in the life” and explains his responsibilities beyond being the company’s spokesperson. Perhaps more importantly, Zully explains how he balances all of this with his family where making crispy cauliflower takes priority over factoring prime numbers.

Jul 2020

1 hr 11 min

The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70 minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec. While most of our episodes gradually ease into a more focussed conversation, our discussion with Andy jumps straight into the subject of applied human cognition-- a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.

From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a ZeroTrust model. Some aspects of COVID-19, such as customers struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis’s likely permanent impact on live events (e.g., industry conferences) and what they may evolve to in the future.

We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.

We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that he illustrates with his own colorful experience.

E

May 2020

1 hr 23 min

The misinformation spread during the COVID-19 pandemic has made what happened with the 2016 U.S. elections look like the “good old days.” Epidemiologists are on center stage trying to explain complex topics to billions of people concerned for their lives-- and sometimes politicians are aiming to do the same. The multiplier effect is how hopelessly entangled challenging technical issues like end to end encryption and contact tracing via bluetooth on mobile phones are now also being publicly debated.

The most natural reaction? Confusion. Kenn White is here to help.

During our 60 minute conversation with Kenn, Jack and Dave go past the headlines trumpeting Zoom’s security issues in an attempt to lay bare the real issues with their recent missteps. Their initially misleading claims around end to end (E2E) encryption are our primary focus, but before diving deep into Zoom, Kenn explains exactly how hard it is to make it work by describing his 2 year journey to deliver E2E encryption at MongoDB. We pull apart the remaining concerns and Zoom’s impressive response to provide our take on just how worried you should be, from Johnson Elementary School to the defense industrial base.

Kenn has a unique perspective on the idea to use contact tracing via Bluetooth to identify who infected people have been in proximity to in order to slow the spread of a disease. Having spent 10+ years supporting clinical trials, he explains why using our mobile phones to make contact tracing during the COVID-19 pandemic is unlikely to be successful in the near future. We hope this conversation with Kenn brings you clarity and calm at a time when both are in short supply.

Note: We spend the first ~15 minutes talking about coping strategies during the pandemic. If you’d like to jump straight to the content focused on E2E encryption it begins right around the 15 minute mark.

About Kenn

Kenneth White is a security engineer whose work focuses on networks and global systems. He is co-founder and Director of the Open Crypto Audit Project and led formal security reviews on TrueCrypt and OpenSSL. He currently leads applied encryption engineering in MongoDB's global product group. He has directed R&D and security Ops in organizations ranging from startups to nonprofits to defense agencies to the Fortune 50. His work on applied signal analysis has been published in the Proceedings of the National Academy of Sciences. His work on network security and forensics has been cited by the Wall Street Journal, Reuters, Wired, and the BBC. He tweets about security, privacy, cryptography, and biscuits: @kennwhite.

May 2020

1 hr 3 min

In the midst of the COVID-19 pandemic, it’s easy for thoughts to stray to the apocalypse. Nowhere is this tendency more common than when we talk about robots. Decades of books, movies and television have explored the topic of “when robots attack” and the calamity that follows. Today, domestic robots struggle to make it up the stairs and Siri can’t reliably order take-out… or even take notes. It all feels very far-fetched. And it is. However, if we move past the science fiction and look more closely at developments between humans and robots, we can begin to see some startling developments. This is the domain of Straithe, a pioneering researcher who studies how interactions between humans and robots can be abused and manipulated. We know very well how email, phone calls and websites can be used as part of elaborate social engineering schemes, but what happens when the attacker’s tool looks like a person and can physically interact with us? While domestic robots like the Jetsons’ Rosie are not wheeling around our houses today, we are being implicitly trained to interact with digital assistants such as Amazon’s Alexa, Apple’s Siri and many others. While the privacy implications of having such assistants always listening are much discussed, we’re only beginning to understand how matters change when they take physical form such as Knightscope’s K5 or Softbank’s Pepper the Robot. Straithe explains how these robots not only create serious privacy concerns through passive collection and instant transmission of everything from license plates to MAC addresses, but also how people are likely to react to them if they are used for ill intent. She explains early research that indicates robots are effective at getting people to do things on their behalf. 
When you combine these factors with a spotty record of robot security vulnerabilities, the potential for genuine harm through robots goes from far-fetched to near future. Our ~60 minute conversation with Straithe is hopefully a break from whatever you’re dealing with during the current crisis. We hope you find this glimpse into a fascinating corner of cyber security research a diversion from whatever you’re dealing with presently and useful framing for what lies ahead.

Apr 2020

1 hr 3 min

In this episode we step far beyond the hype cycle and dive into the details of scaling a data science team in the security industry with Dr. Sven Krasser. Sven joined CrowdStrike in the early days and the initial part of the conversation with Dave is an incredibly timely conversation covering how to structure and work with remote teams effectively. The interview was recorded a week before the 2020 RSA Conference in San Francisco when the early impact of COVID19 in the U.S. was just starting to be felt. There are 2 dominant themes to our conversation. First, Sven covers the hard realities of machine learning (ML) and warns against both over dependence and hyperbole. There are many areas where a more simplistic approach is going to get the job done faster and cheaper without the need to maintain a costly ML model. Sven shares his approach to choosing the right tool for the job and a handy tip for determining where ML marketing has gone astray. The second theme is the attack surface of ML itself. Seemingly long gone are the days when companies boasted that ML was the coup de grace for the defenders in the endless game of cybersecurity 'cat and mouse'. Today, we know that there are tactics aplenty for both weakening and defeating ML-based defenses that are available to everyone and easier than ever. Our longstanding cat and mouse game isn't over, it's simply more complex than before. Our nearly 70 minute conversation with Sven serves as both a "102" exploration of applied ML in cybersecurity and a chat between friends. We cover the less obvious advantages of being based in Los Angeles, the criticality of data quality to effective ML and exactly which marketing myths rankle data scientists the most.

Mar 2020

1 hr 11 min

The second half of our Day Jobs series is the very first Security Voices episode we recorded: Dave interviewing Jack on the origins, shenanigans and future of BSides. Jack charts the history of the conference from its inception at a rental house in Las Vegas with a couple hundred people to today where Security BSides is a global movement that has eclipsed 500 events (and growing). One of the most unique aspects of Security BSides is that anyone can create their own event. It is a nonprofit organization that has as its heart a single, potent principle: be good to and for your community. The flexibility of BSides to be molded to the needs of the local community wherever it goes, from Memphis to Riyadh, is a core ingredient of its success. Jack explains how they carefully walk the line of letting each organizer shape their own BSides conference while stepping in only as necessary to lend a helping hand or occasionally correct course when things have come off the rails. The “just enough” guidance approach extends all the way to allowing new events to change names completely and blossom into different conferences. Security BSides in Phoenix became CactusCon, an event in the Bay Area became Bay Threat and MiSec traces its roots back to a BSides in Michigan. All of these offshoots are not only encouraged but celebrated by Jack and the BSides crew who see this as yet another way of fitting the event to the personality of the local community. Security BSides often serves as the starting point of open dialogue on critical industry topics such as gender diversity and mental health that the larger conferences only address years later. Jack takes us through the first “Feathers will Fly” session in Las Vegas which served as a meaningful catalyst for future conversations on gender inequality and (the lack of) diversity in cyber security. We wrap up with Jack musing on the future of BSides and what it could become long past the year 2020.

Mar 2020

1 hr 3 min

Our February Security Voices episodes are a 2 part series where Jack and I focus on our “day jobs”, starting with the current episode on Open Raven. Part 2 will be the very first podcast we recorded, but never released, where Dave interviews Jack on the origins and escapades of B-Sides. This is as close as we intend to come to promoting anything explicitly on Security Voices and if you’re completely allergic to even the scent of such things, join us back in March where we’ll pick back up with an interview of the Chief Scientist at a high-profile security company. In the meantime, we thought you might appreciate a little background on what Jack and Dave do outside of Security Voices as it understandably colors our perspective, from the questions we ask to the stories we tell. Open Raven was officially founded in April of 2019 by Dave and Mark Curphey, whom some will recall was the focus of episode 5 of Security Voices. Rather than solely focus on the founders, something we feel happens entirely too much, we felt you might like to hear from the people building the product itself. Consequently, Dave emcees the episode as we interview the Open Raven team members on topics from the graph back-end to how the company is branded and thinks about UX. The content is at times a little technical but should still be approachable by most and it should give you a sense of the design decisions one makes in an early stage company. Throughout the episode you will hear the authentic voice of the team as they share the principles driving what Open Raven is building along with the pain and successes along the journey.

Feb 2020

1 hr 3 min

Could you create a fake cyber security company and rack up industry awards overnight? How about fabricating a founder and scoring them impressive job offers? Haroon Meer did both of these recently for a presentation titled “The Products We Deserve” as an exploration and commentary on the state of the industry. Jack, Dave & Haroon take on snake oil in security during an hour long conversation to determine exactly how someone could create a great company amidst the pressures that threaten to pull one in the wrong direction. The catalyst for Haroon’s presentation and our discussion is his personal experience at Thinkst where he has focused on building a “bottoms-up”, product first company that has grown steadily since its inception without venture capital. His thoughts, from how to deal with industry analysts to “ball pit marketing” at conferences, come from Thinkst’s direct experience aiming to not only grow the company, but grow it in a way that is true to their own values. How Haroon and Thinkst navigate challenges such as having a strong presence for the company at the RSA Conference (sans shenanigans) is an exercise in creative problem solving versus rejecting the experience entirely or simply following the crowd. While it would be easy for an episode such as this to be bleak or even angry, Haroon’s thoughtful approach and optimism give us a portrait of how we might emerge from our awkward adolescence as an industry into a better future.

Jan 2020

1 hr 9 min

Our 1st episode of 2020 is a story in three parts, beginning with hard fought wisdom of a veteran security practitioner, then diving deep into machine learning (ML) before wrapping up with how both security and AI apply to connected vehicles. The first part of our 74 minute conversation with Josh Lemos is the backstory of how he started his career in cybersecurity as a consultant... and left services to join ServiceNow as a practitioner. His time at ServiceNow lays out a solid formula for fixing application security inside a growth company who can little afford to slow down-- or suffer the pain of the inevitable breach if the situation doesn’t improve. Jack & Dave’s conversation with Josh on ML lays down many of the basics and is intended to be a rough primer for future episodes where we will further explore the topic. We discuss how ML projects often take much more preparation than originally planned and topics that range from class imbalances, the differences between supervised/unsupervised ML, a starter’s toolkit and what to expect along with some rookie mistakes to avoid. As part of Cylance/Blackberry, Josh has recently been involved with connected vehicle projects where standard security techniques for detecting executable malware on laptops and servers can start to look like child’s play in comparison to the effort required to properly diagnose events across the diverse hardware and software found in a modern car. Before wrapping with our speed round, we look ahead at areas where ML may be able to make leaps forward in both vehicles and across cyber security.

Jan 2020

1 hr 14 min

While visions of sugar plums might be dancing in children’s heads as we close out 2019, the 2020 elections are occupying the head space of many adults in the U.S. In 2016, the importance of election security was made crystal clear. What’s happened since then? Are we ready for 2020? How do experts believe our defenses will hold up when tested by foreign and even domestic attacks? We spent an hour exploring election security (and more) with Camille Stewart, a cyber security attorney with experience working inside tech companies as well as considerable time spent on Capitol Hill in both the Department of Homeland Security and as a consultant. Camille breaks down the major aspects of election security and we discuss why it’s seemingly so fractured across municipalities-- and why that may not be such a bad thing after all. Jack, Dave and Camille debate how election defenses might be improved, from the role of open source and private services to “defending forward” by taking out troll farms. While Camille declined to grade our readiness for the attacks in 2020 (which have already begun), Camille does make predictions about what will happen during the ‘20 elections, including the likelihood of domestic influence campaigns. Our ~75 minute conversation with Camille showcases the breadth of her experience in both the Silicon Valley and Washington D.C. She explains lessons learned from her time protecting brands at Cyveillance, breaking down the optimal way to get a social media company’s attention when you’d like to have something changed or removed. Camille also explains how State security might be modeled after progressive smaller countries who excel in cyber, leaning on her time working in foreign relations during the Obama Administration. We wrap up with her recent investigation and resulting paper on how foreign nations, especially China, have been leveraging U.S. bankruptcy proceedings to acquire large amounts of American intellectual property on the cheap.

Dec 2019

1 hr 17 min

It all changed one day while Nand was sitting in traffic on the 101 freeway. Why am I doing this? Nand had experienced no less than 4 successful exits of cyber security companies where he was founder or CEO. He was one of the most accomplished cyber security entrepreneurs in the Silicon Valley. At that moment, Nand decided to leave corporate life and set course to start a new phase of his career in the government. His first step was to uproot his family and move them into graduate housing at Stanford where he would finally do that MBA degree he had considered long ago. Throughout Nand’s hour long interview with Jack and Dave, Nand explains how his family embraces the abrupt change from predictable Valley life and comforts to community living inside a small apartment on campus. While Nand is determining how to best complete projects with 19 year-olds, his wife Sarbani and children flourish, starting a non-profit as a result of their experience. Nand’s next step towards Washington D.C. is a one year stint across the country to the Harvard University John F. Kennedy School of Government where he aimed to learn “the art of politics”. His time spent amongst princes and fledgling politicians taught Nand important lessons in complexity, the power of a good Queen ballad during karaoke and the occasional necessity of a Scorpion Bowl to wash it all down. After considering a run for Congress, Nand completes his plan to restart his career in government when by a series of unusual events (and a bit of start-up hustle) he becomes the CTO of the Department of Defense’s efforts in Artificial Intelligence. From his new vantage point, he shares what tech companies look like from the Washington D.C. perspective and answers heady questions such as “Who’s more trustworthy? A politician or a venture capitalist?” and we find out whether it’s easier to be in a government or a Valley boardroom.

Dec 2019

57 min 58 sec

The 2nd half of our conversation with Niloo focuses on her recent work in Washington DC where she holds several positions and recently (October 22nd, 2019) testified to Congress on the United States’ cyber security readiness. We begin with the topic of retaliation: What’s the proper response to a cyber attack if you want to discourage future aggression? Is cyber retaliation necessary to defend a country? With the 2020 elections on the horizon, Niloo explains her perspective on influence campaigns such as the highly publicized activities by Russia in the ’16 presidential elections. While often seen as election interference, she explains the broader goal of Russia’s strategy as an attack on the fabric of trust throughout a country— and how your phone and social networks can be complicit in this scheme. We end on a hopeful note: there are plenty of reasons to believe things will be better in the future in cyber security, starting with government restructuring from long outdated WW2 norms to a more modern organization design. And we learn why Niloo may not be your best choice as a new BFF on GoodReads.

Nov 2019

39 min 18 sec

There are stories, and then there are “epics”: tales of a journey so full of unexpected twists and excitement that you’re left wondering how all that could happen to a single person. Niloo Razi Howe’s life is such an epic. Whereas most epics feature men with swords, this one focuses on a woman with heels and a hockey stick. While Niloo’s story as an Iranian exile is well-documented, our primary focus is on her career which began as an author and quickly moved to becoming a McKinsey consultant and then attorney… until she founded one of the few modestly successful online pet supply businesses in the 90s. Moved by 9-11, Niloo found the cyber security market and made it her sole focus as an investor at Paladin Capital Group. We discuss her early learnings from investing in security which focus on her time working with a portfolio company selling the millimeter wave scanning systems that are now commonplace at airports everywhere. Niloo took subsequent roles transforming a startup and then tried her hand at transforming industry titan RSA as their Chief Strategy Officer. Niloo then left it all to focus on her terminally ill mother. This experience affected her profoundly and we wrap up this first part of our conversation with Niloo by exploring how she now structures her career on 3 pillars of different activities versus 1 job.

Nov 2019

56 min 57 sec

The Silicon Valley legend is the college dropout who made billions… but what if instead they stayed in the dorm room? This is the intriguing story of Marcin Kleczynski and MalwareBytes, told in a candid ~1-hour interview where he explains how his company was built in vivid detail. Marcin takes us through his formative moments as a Polish immigrant in Illinois helping his family’s cleaning business to his choice to remain in school at his mother’s insistence while MalwareBytes was making millions. Dave and Marcin discuss key product questions such as how much is too much product functionality to give away, how to work with the channel, whether or not you can effectively serve both consumer and enterprise markets and the future of endpoint protection. He also explains why it still makes sense to build a great office when the world feels like it’s shifting quickly to a remote workforce. We also find out why you should never send deep dish pizza to people in California...

Oct 2019

1 hr 2 min

Joel Fulton’s journey began in Alaska as a free range kid with dreams of becoming a fireman to ultimately find him in one of the most prestigious CISO roles in cyber security at Splunk. Our conversation twists through his time as a computer auditor, MMA fighter, an author, a salesman, a PhD student and a few other positions in between. Our dialogue with Joel showcases the breadth of his interests as well as his gift for taking seemingly unrelated concepts and connecting them to illustrate a point, from choke holds to The Philosopher’s Toolkit all the way to systematic dismemberment. Joel’s interview offers plenty of practical examples for aspiring and longtime CISOs, breaking down how he thinks about discovery, orchestration and security training. Even at 80 minutes, this episode feels far too short.

Sep 2019

1 hr 19 min

Since this Spring, Security Voices have been “following the money trail” to explore all angles of how security companies are funded and run. In our final 2 episodes of the series, we’re shining a light on lesser known companies and individuals who have avoided traditional funding and taken a more unique approach to starting their businesses. This episode showcases Tozny, an encryption company with its longstanding roots in government contracts. Isaac, the founder and CEO, explains how he’s built a stable, steady growth business in Portland by harnessing one large customer after another… using entirely publicly available information and an open submission process. His conservative “staying alive” approach stands in stark contrast to the glitzy, go-for-broke mainstream security market.

Sep 2019

52 min 23 sec

Seemingly every day a security company announces that it has raised a new, big round of funding. As we close out our investor series, Jack and I wanted to highlight the bootstrappers— those brave people who kickstart their businesses using solely their own resources. Our interview with Zack Schuler of Ninjio illustrates the experience of a company with a big mission to reinvent security awareness that began with no funding but a loan from his bank account. While Zack had the benefit of a previous exit (he bootstrapped his 1st company at the age of 21), his mentality and practices are that of someone who hustles for every deal, obsesses over each hire and makes painstaking decisions about how he uses his time and money. Zack explains his special formula of hustle, Hollywood and a little bit of luck to build a winning company with no investors looking over his shoulder.

Aug 2019

44 min 10 sec

Dark clouds seem to hang over the security industry, especially after Black Hat and DEF CON. Playing constant defense can be disheartening, especially after hearing about every new type of possible attack in Las Vegas. We felt everyone could use a little post-conference pick-me-up so we pulled together this short (~15 min) episode which focuses on all the positive things that are happening in the industry from past interviews. We’ve often reflected on how interesting and encouraging it is that every guest we’ve interviewed has always had something they thought was much improved from the past— and how every one of these industry luminaries called out something different than the others.

Aug 2019

15 min 32 sec

Robocalls have plagued our phones in recent years, prompting many of us to no longer answer calls if we don’t immediately recognize the number. Ballpark estimates put the number of calls in 2018 at 48 Billion-- a 50% increase from the previous year. Ever wondered who was behind the flood of phone spam? How much they make? Where they’re from? How they got your number? We dig deep into the robocall epidemic with telecom expert TProphet, answering all of these questions and more before breaking down what telcos and legislators are doing to try and improve the situation. After comparing the North American robocall problem to the one in China, we take a look ahead at what the future holds for phone spam.

Jul 2019

1 hr 1 min

Few topics capture our imagination like the Internet of Things (IoT); our concerns swing from how much Alexa is really listening to us all the way to doomsday scenarios orchestrated by a violent robot takeover. Our conversation with Shaun Cooley lays the foundation for a rational understanding of IoT risks, starting with its role in stopping rhino poaching in an African game preserve. After explaining the full IoT landscape, we explore how it is fundamentally different from “normal” IT security and how the coming IT/OT convergence could result in an epic clash of cultures-- not to mention a few breaches. No IoT conversation is complete without covering 5G and satellite internet, nor do we spare you the musings on how it could all go quite wrong...

Jul 2019

1 hr 18 min

What happens when you take a longtime security pro and turn her into a venture capitalist? We find out in the 4th installment of our investor series when we interview Dr. Chenxi Wang, fresh off her 1 year anniversary starting Rain Capital. The beginning of our interview showcases the grasp of our market that makes Chenxi such a sought-after partner-- we go deep into the transformation of app sec, poking at fuzzing vs. static analysis, package vs. code level analysis and how the network-centric roots of security may be impeding our progress. We do a brief retrospective on Kubecon before diving into her reflections on being a full-time investor, starting with what separates an angel from a true venture capitalist. Chenxi explains what sucks about being a VC (spoiler alert: it’s fund-raising) and how she’s using Rain to chip away at the longstanding diversity problem in the security industry. Before hitting our usual hype-o-meter and speed round questions, we discuss exactly how she ended up on the board of directors for a logistics company based out of North Dakota.

Jun 2019

1 hr 2 min

Mike Reavey has quietly left his fingerprints on some of the biggest moments in security. He began as a Captain in the Air Force, locking down networks from attack by adversaries back when APT was still shorthand for “apartment”. Mike recounts his time spent battling the most destructive malware the industry has ever seen (Blaster, Slammer, Code Red, etc.) while leading Microsoft Security Response and how he later kept Azure out of the headlines while heading up cloud security in Redmond. He recently made a hard turn into gaming security at Electronic Arts where he’s been learning the many nuances of protecting a fast-moving entertainment company where creativity and speed are king. Mike, who regularly competes in body-building competitions, explains why you can’t outrun a pizza and how anyone can get a little more fit while balancing a hectic schedule packed with family, work and fitness. Mike’s stories are as pragmatic as they are colorful-- this interview is a recipe for anyone who wants to know exactly what it takes to succeed in a big, high pressure cyber job.

Jun 2019

1 hr

Part 3 of our investor series offers a unique perspective on the security market as Jack and I interview Kara Nortman, partner at Los Angeles-based Upfront Ventures who balances investments in enterprise and consumer companies without an explicit focus on cyber.  Kara traces her roots back to a long ago meeting with the @Stake team when she was with Battery Ventures and we chart how security moved from an arcane art to a topic relevant to every startup no matter the industry. Our conversation covers a number of big questions: Will Silicon Valley continue as the heart of tech in the future? Is it better to have a killer insight or to know how to build a product? How exactly do VCs work in 5 minutes or less? Kara also reveals her “full family” approach to helping her portfolio companies, explaining why the key to unlocking product marketing success might actually be a curious 8 year old.

May 2019

53 min 5 sec

In a world not-so-long-ago, CISOs fought for people to understand what they did and why it mattered. Fast forward to today, and the modern CISO faces a dizzying variety of challenges everywhere from the boardroom, where they explain 3rd party risk management, to product design sessions where they might be debating anything from data anonymization to SOC2 compliance. Our guest in this episode, Justin Dolly, stands apart as a no-nonsense CISO who has covered a truly broad spectrum of problems such as negotiating consumer privacy trade-offs for fitness wearables while at Jawbone or diving headlong into the ransomware problem at MalwareBytes. During this episode, Justin weighs in on the future of identity, the death of passwords and whether moving to a ZeroTrust model is more aspirational than practical. This episode has something for everyone with the notable exception of people who love VPNs. Justin’s fiercely pragmatic approach and gift for storytelling make this one of our favorite episodes so far.

May 2019

1 hr 3 min

A goal of our podcast is to highlight people who don’t highlight themselves— but are every bit as deserving of the spotlight as those on the big stage. Noah fits this profile perfectly- he’s the smart guy you sat next to at an industry dinner whose perspective on network forensics and GDPR was as interesting as his weeklong isolated "vacation" on the tundra of Baffin Island. An understated yet up and coming security investor currently at Point72, Noah’s take on the security market is insightful and raw: he explains why there are too many security companies and why it matters. He details why the mid-market is underserved by security vendors. We cover how investors mistakenly overcapitalize security vendors and when is the right time to bootstrap vs. taking any funding at all.

May 2019

1 hr 4 min

Our latest episode features a 1 hour interview with iconic Silicon Valley CISO Justin Somaini. He explains common mistakes made by investors and vendors, what it feels like to be a global CSO of a 90,000 person company, who the CISO should report to and how the CISO can win in the boardroom (often by staying out of it!) Sales people, this one is for you: Justin explains how you can avoid stepping on CISOs' toes and what you can do to stand out from the crowd. For aspiring or young security leaders, Justin shares generously from his playbook including what should be your focus in the critical first weeks of a new job.

Apr 2019

59 min 33 sec

We kick off our investor series with Ping Li of Accel who was recently named the #2 investor in the Silicon Valley and is one of the most prominent investors in the security industry. We cover the biggest mistakes security companies make, how to successfully pitch your company to a veteran investor like Ping and we play an inaugural game of buzzword bingo to see if there's truly a market for that AI-powered blockchain idea you've been kicking around.

Mar 2019

1 hr 5 min

Recently "retired" software security legend Gary McGraw joins us for an unfiltered conversation with Jack at his farmhouse in rural Virginia. Gary walks us through the history of software security with his characteristic sharp humor and insights, sparing no "poser or pretender" along the path to today (including the term "app sec" itself). Beyond his impressive career in security, any conversation with Gary uncovers his diverse interests from his life as a musician to his travels, from reading fiction to writing books. Jack's interview of Gary is no exception-- it paints a portrait as colorful as the man himself. This is the 4th and final episode in our app sec (er.... software) security series.

Mar 2019

1 hr 1 min

Mark is equal parts developer and security expert, visionary executive and hands on coder. In his interview we discuss OWASP's origins & present state, the complicated relationship between security teams and developers, open source and much more. Mark shares what worked (and didn't) while building SourceClear and what he sees happening to security when software finally eats the world. It is the 3rd episode in our appsec series.

Mar 2019

1 hr 5 min

A sample of what's in store in the Security Voices Podcast.

Mar 2019

2 min 49 sec

An Interview with Wendy Nather, Director of Advisory CISOs at Duo Security

Feb 2019

1 hr 3 min

DevOpSec Conversation with Zane Lackey, CSO Signal Sciences

Feb 2019

50 min 27 sec

A conversation with John Dickson, Principal at Denim Group.

Feb 2019

37 min 25 sec

Interview with Carey Nachenberg

Feb 2019

1 hr 7 min