Show 118: Jack Daniel Discusses Security BSides, Communities, and the Big Picture of Security

January 29, 2016

Gary talks to Jack Daniel, a leading technology community activist, about the evolution of the community-driven BSides Con, changes in the security field over the last decade, and his thoughts on where good security people come from. Jack is currently a Strategist for Tenable Network Security, and has over twenty years of experience in network and system administration and security. He also has twenty years of mechanical experience in the automotive domain. Jack co-hosts the Security Weekly podcast and produces the Uncommon Sense Security blog. Listen as Gary and Jack kick things off with the topic of the importance of diverse security communities.


Transcript


Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host Gary McGraw, CTO of Cigital and author of Software Security. This podcast series is co-sponsored by Cigital and IEEE Security and Privacy Magazine where a portion of this interview will appear in print. This is the 118th in a series of interviews with security gurus and I’m super pleased to have with me today Jack Daniel. Hi Jack.

Jack Daniel: Hello. It’s great to be with you.

McGraw: Thanks. Jack Daniel is a Security Strategist at Tenable Network Security. Jack is a leading security technology activist and a regular at ShmooCon, DEF CON, RSA, and other big security conferences. He co-hosts Security Weekly and produces the Uncommon Sense Security blog. Jack also co-founded Security BSides, which I’m sure you’ve all heard about by now. Jack started life as a car guy and has decades of experience fixing actual machines with mechanical parts. Jack now lives on Cape Cod with his family. Sadly, his son is also a worker in the field of computer security. I’m so sorry about that last part.

Daniel: Yeah. It is rough. We both work from home and he’s back in the house because we’re eventually going to sell the house to him and move south—for the past few winters we’ve had enough.

McGraw: And he’s probably severely overpaid just like you and everything.

Daniel: Yeah, but it is kind of funny because his office and mine are on the same floor of the house—the mutterings on the phone, you can tell when we’re on conference calls. We hit mute and you hear the string of things we all say.

McGraw: That’s hilarious. I love it. So, Ron Gula who runs Tenable has done a really interesting thing collecting up a set of gurus, including you, to work for Tenable. It’s an interesting collection of guys. Is that strategy working?

Daniel: I hope so. I like Tenable. I like working with Ron and with Jack and Renaud and the others. It does give us an interesting perspective. I mean—I work with Marcus Ranum. I work with Chris Thomas, better known to most as Space Rogue, Renaud Deraison, Paul Asadoorian, Carlos Perez, and a lot of other great folks. Some of them have more tightly product-defined jobs. Marcus and I do more conversations with the world of security, talking about where things are headed. We go out and talk to customers, we talk to people who aren’t customers, we talk to people in the industry and try to get out ahead. Our world isn’t the traditional product management view, it’s further down the road—the bigger picture.

McGraw: Yeah. That’s cool.

Daniel: And it helps Tenable know where we’re going and where the industry’s going. It gives us some credibility as far as understanding people. Marcus and I, and some others, have the luxury of being integrated into the company well, but we’re not tied to the sales team so we can go into very candid conversations with people who aren’t necessarily customers. The sales people aren’t always happy, but they respect it when you’re talking to somebody and you say ‘oh, that’s who you use’—

McGraw: And it gives you, you might say, a more objective view when you have people like you two. You know, I’ve been friends with Marcus for gosh—I think 20 years now. To the extent that he sometimes comes over to the solstice parties and stuff like that. And, he always tells the truth whether it works or not. [both laugh]

Daniel: It is a challenge sometimes for people. I’ve been on a couple of calls with Marcus, Space Rogue, and myself where one of the VPs asked our opinion and didn’t really understand—

McGraw: And found out what that means? [both laugh]

Daniel: Exactly.

McGraw: So it seems like it’s really working for Tenable and it’s an interesting idea. I think the last time I saw it in the security space was back in the old days when SANS used to run conferences only, and they were all just a collection of gurus. There weren’t any SANS people. They weren’t really doing training. They were just trying to take USENIX out as far as I could tell. Of course they transitioned away from that, but they had a hell of a collection of good people that would come and speak and stuff way back then.

Daniel: I think part of being able to do that requires that you have a profitable and growing company. So Tenable has the luxury. It’s one of those critical mass things. It was certainly a gamble years ago when Ron brought Marcus in in the early days and then started bringing more folks in. So, it’s not that we don’t contribute to marketing materials or support the sales team at times, or do other directly related things, but you’ve got to be able to put that investment out—

McGraw: Yeah. It’s a very interesting idea. I’m glad to hear that it’s working. I should talk to Ron about it really—we serve on a Board together. But, we were always talking about other stuff. So that’s really cool, and it makes for a fun job, huh?

Daniel: Yeah, it does—as you know. You’re in a similar situation, right? You start doing these things and the next thing you know, titles like CTO aren’t really just window dressing, you actually have to do the job.

McGraw: I always call myself the “hood ornament of the corporation,” which, you know, works for me. I wanted to ask you about communities because I know that that’s important to you. If you look at your background that word comes out a lot. So, what kind of role do you believe communities play in security, especially commercial computer security?

Daniel: There are a couple of things that I think are important to know when we talk about community. You have to say it plural. One of the things that becomes clear if you straddle a lot of them is that there are hundreds, if not a couple thousand, of us that you’ll see at DEF CON and at BSides Vegas or Black Hat and those sort of events. And you’ll also see it at RSA, and there are a lot though that you don’t and they’re very different personalities. But on the professional side, one of the things that I think that community does, or that I know it does, and it varies regionally and within certain disciplines, is that it solves some of the communication issues. We have certs and we have a bunch of information sharing tools and organizations, but there’s nothing like somebody that you meet at a local whatever it is. Whether it’s a regional conference or whether it’s a local ISAC, or ISSA, or ISC2, or whatever meet-up; somebody you actually have pizza and beer, or pizza and soft drinks, with a few times a year that makes it that much easier to have a candid conversation. Community is very powerful for that. It is powerful for information sharing when we’re all very cautious. Almost everything we do in our professional lives is under implied or actual NDAs. We respect our intellectual property, and our customers, and clients, and each other and so you can’t often share as widely as you’d like. The other thing that is critical and has shown itself, especially in the BSides community, is the career path aspect of it.

McGraw: Right. So you get a little bit of mentorship and you can find out—

Daniel: Right. You know who to ask. It’s like ‘I’m stuck.’ And, I won’t name names, but I was in a group chat with one of the premier pen testers who got stuck. He’s somebody that everybody knows and he was battling something. He was slugging through it. He was getting there. And somebody popped up and said ‘hey, try this.’ Days’ worth of work distilled into an hour and he pushed through. Making those connections and then you feel like sharing, and that’s when the communities become stronger.

McGraw: I think you’re totally right. So you can get advice about your career. You can get advice about the field. There are people that you can kind of let your hair down with, so to speak.

Daniel: Absolutely. And those communities, sometimes they have a couple of people that really drive them and then those people move on or something and they dry up. There’s others where you get a critical mass of people who are willing to share information. The communities that we see where people are actually engaged, more than a couple of drivers pushing it forward—those tend to thrive. And you can argue whether or not the skills shortage is real, or if we just have such horrible technology and that we need a lot of people to fix it, or whatever. In the short term, it’s like saying you shouldn’t patch software, you should write secure software. That’s wonderful, but for now, we need to put some patches in.

McGraw: Yeah. Nobody believes you shouldn’t patch it. I don’t think.

Daniel: You would be better off having secure code in the first place. That’s one of those academic discussions. But it’s like ‘I’ve still got to patch.’

McGraw: Have you seen real code that real people write? It’s always a mess. [both laugh]

Daniel: Exactly. There are a lot of ways to work in community and share. There’s a shortage of people with the right skills. One of the things a community often does, and I’ve seen it, especially in BSides, because I’m so highly involved in it; but I’ll tell you what happens in a lot of other communities, is you post a job description. You have to come up with something that looks like your typical HR posting, and you do the best you can—

McGraw: And someone needs to find out what that really means and see if they really want to do it. Yeah. Networking is great.

Daniel: Then you get down to the ‘this person doesn’t exist’ but close enough. Well, when you think of it, it’s like ‘this guy, I know somebody that’s a SQL guru who hasn’t really done it in this environment, but he’s got some of the skills and we hung out at a cocktail lounge or tiki bar in Louisville last year’ and you make those connections. Hey there we go. And that’s how we get past that first layer of HR and recruiting in a lot of ways. We find the right people or the right positions. And the converse is true. Somebody will say ‘hey, I got a call from somebody wanting me to join this company’ and what’s going on with them—

McGraw: So, let’s talk about this notion of career development. You have a really interesting past. I just listened to your podcast with Dennis Fisher on ThreatPost which was awesome. Can you summarize your story about how you moved from being a 20-year veteran mechanic, knowing about all sorts of obscure (car) platforms, into security—in like seven sentences?

Daniel: First of all, a lot of people ask me for career advice. The first bit of advice is don’t use my career path, which is doing the wrong thing for decades and then—

McGraw: Dude, I got a Ph.D. in Computer Science. Then I was like, ‘I have to be a professor? No!’

Daniel: Yeah, I was a mechanic as a teenager and I had a knack for performance diagnostics. So, before computers became terribly common I was the one that would chase down the horrible electrical—

McGraw: The obscure errors.

Daniel: And as cars became computerized, and in the process of doing those things, I transitioned into working in the parts and service departments where the folks behind the parts counter at your average car dealership are usually the people who run the computer systems. They, at least traditionally, had more interaction with systems for parts ordering and other things.

McGraw: And it’s a “back office job.” You get a desk and everything.

Daniel: So, I moved into parts and service management. Because of my diagnostics skills, I worked on cars part-time, even when I was managing technology for dealer groups across the Boston area. I would occasionally get called and it was like ‘we have this automatic transmission we can’t fix.’ I’m like ‘OK. I’ll see you at 11:00 tonight and fix it.’ So, the diagnostics is part of it. Basically, I went from fixing cars to working on the infrastructure and dealer organizations which meant using computers. There were more and more computers in use until almost all I was dealing with was computers and then bad things happened to those and I had to fix them. Then bad things happened again and I had to fix them and keep them from happening again, which summarizes how a lot of us get into security. Like ‘oh, that was dumb of me. And that opened the door for a bad person to—’

McGraw: Well I think it’s really interesting that you understand highly complex systems and that was the first thing that you did. And frankly, my first car, back in 1976, was a Subaru (they made one model). Even I could figure out how it was supposed to work. You just open it up, and I could tell then. But those years ended about 1979 when cars began being computers and the modern car design thing happened. Now it’s impossible to repair a car without a computer. And we even have DMCA problems with tractors, for God’s sake. So, do you think that security design and security engineering are in some sense experiencing the same thing that the car guys experienced 20 years ago?

Daniel: I like to make bad analogies. So, the comparisons eventually fall apart, but if you think about what we’ve been doing in going from mainframes, to client server, to virtualization, to cloud, and now the distributed cloud systems (containerization)—where we’re getting away from, even as an admin, you’re getting away from carrying some expensive box, an expensive yellow machine that says ‘Fluke’ on it, to diagnose problems. Those days are largely gone. But if you can’t think about when the points opened, condenser discharges, voltage, and that sends a spike up to the distributor cap and triggers the coil; but anyway, if you can’t think back to the fundamentals—

McGraw: It’s harder to know what’s going on, right?

Daniel: You look at it like you said. So, you look under the hood of your old Subaru, or my old ’76 Gremlin, or something like that and ‘I can figure this out.’

McGraw: You can say ‘oh, I see how a combustion engine works’—but not anymore.

Daniel: And when there was that box that ran NetWare, or NT, or whatever in the corner and the clients talked to that and there were a couple of switches, and that router thing, and a firewall thing.

McGraw: That was pretty simple.

Daniel: You could see how it worked. Now it’s like ‘wait, when I’m working on a presentation, am I on my laptop or am I in the cloud or am I somewhere in between? Am I caching? Where’s the data? How does this work?’ I think there is a parallel there.

McGraw: Yeah, it’s really interesting. And I also think that vast experience, even in a different domain with complex systems, is a hugely powerful thing that in some sense might be being “professionalized” right on out of our industry. In fact, Dan Geer and I have both written about the neo-Renaissance going on in security. Years ago, we talked about what happens when creative people from lots of different backgrounds come together and it’s really an interesting time in a new field. But this professionalization, which has been happening for about 10 years now, drags things in a different direction. And in some sense, you may not be able to bring in some crazy knowledge about something that nobody else knows. What do you think about that?

Daniel: I completely agree. I’ve had these thoughts and conversations too. In a time when everybody came from something else, you get this diversity. But on the flip side, we have so much maturity of the industry. We have people who, in high school, decide this is what they want to do. They go to college. They’re in college and they flip and decide they want to be in our field and get a degree in it and come out and go to work, and that can bring a level of stability, and professionalism, and maturity. But, we don’t have that diverse view of the world. I think we still do, but we’re in danger of losing that.

McGraw: In some sense, you need people at all levels of the discipline too. If you think about medicine, it’s not like everybody’s a brain surgeon. In fact, most people are EMTs, followed by nurses, followed by doctors, followed by surgeons. They have different backgrounds in some sense, so maybe we’ll find some stasis or some point that makes sense when we get to that stage where we have different levels of professionalization requiring different backgrounds.

Daniel: Let’s hope so. But I see both the advantages, or the potential advantages, and certainly the potential and real disadvantages.

McGraw: Yeah, me too.

Daniel: Not being able to function—how well you handle things going horribly wrong.

McGraw: Yeah. And also, unexpected crazy things. And you know, the idea of drawing analogies which I love to do. I actually studied analogy in grad school, believe it or not. That helps you think through new problem situations in ways that would never occur to you if you didn’t have anything to map the analogy to.

We’ll be right back after this message.

This is Gary McGraw, your host for the Silver Bullet Security Podcast. If you like what you’re hearing here, you should check out my monthly security column published by SearchSecurity and Information Security Magazine. You can find the most recent column at www.SearchSecurity.com/McGraw. All of my writings are collected on my web page at https://www.garymcgraw.com/technology/writings/. Thanks for listening.

McGraw: Let’s talk about BSides. What is BSides? Why did you start it?

Daniel: The short version of this is that in June of 2009, the annual rejection letters from Black Hat and DEF CON started flying out. This was the first year that there was a real mass of security people and the hacker community had really started to come together on Twitter as a communication platform. So there was a lot of venting on Twitter. You know, a bunch of us had conversations. A few of us got on the phone, or skype, or whatever and chatted. Some of these talks looked like a good talk but they were probably on whatever the “big deal” was. Black Hat and DEF CON can only do so many of these talks. It’s like ‘that was the same talk as you’ve been doing for three years. I see why they turned it down.’ When there were other talks, they were like ‘oh, that’s just a little bit niche.’ That’s not something that Black Hat is likely to take on. In fairness, Black Hat has added a lot more tracks. They get a lot—

McGraw: It’s become more like RSA, every year. Big ass trade show.

Daniel: Chris Nickerson and the DC 303, the Denver-DC crew, used to rent a house every year instead of getting a bunch of hotel rooms. We thought ‘how about if we have some folks come out and do talks at the house?’ It was no big plan to change the world or anything. It was like ‘ah, let’s get together.’ It was basically a—not a mansion or anything—but it was a decent-sized house with a big room they used as a wedding chapel. We did two days’ worth of talks and—

McGraw: And it turned out to be fun.

Daniel: Some of the talks were things that didn’t fit—Val Smith did an absolutely nuts ‘Val Smith’ sort of psycho hacker political rant that was beautiful but was not going to go on stage.

McGraw: Right. Right. Right.

Daniel: Aaron Jacobs and several others did a panel discussion on issues in information security. It would be five years before RSA would put it on stage. This is a huge one and it had—we had a bunch of people that everybody knows on there from Jen Minella—a whole bunch of people with a bunch of different perspectives on that. And that was another topic that wasn’t going to happen there.

McGraw: So, it’s an idea of bringing in those wider ideas on purpose and putting them in—

Daniel: Right. And the name BSides was from the days of vinyl and the A-side was what got played on AM and the B-side was where you let the bass player prove he was really a musician, or whatever it was.

McGraw: As a musician, that makes me really happy.

Daniel: That was the thing. It was the B-side. The first one ran opposite Black Hat in July of 2009. And you realize that that model of out boarding and being parasitic, maybe that’s harsh, but that was the way some saw it. The second event was not even parallel to anything else. Then there was one that ran alongside RSA. We had never really planned on this becoming a thing. It was just ‘we’ll try this once and see what happens.’

McGraw: Well listen, man. I remember when ShmooCon was just an idea that Bruce had with Heidi. And I mean, look at it now. And the same thing with Black Hat. These things kind of evolve in that direction accidentally. So, the real question is, will BSides end up being like Black Hat? Then you’re going to have to have a CSides or FM radio thing.

Daniel: Some folks might be frustrated with me for saying this. The BSides Las Vegas certainly has this challenge right now. We’re probably going to be about 2,500 people this year which is capacity for the venue. Last year, BSides Las Vegas had, between the safety and security team, the regular volunteers, and core organization team—22 or 23 team leaders—plus their seconds, we were somewhere around 220 people working on the event. This is larger than total attendance of the first year.

McGraw: What’s really funny is it’s kind of like—you start out as the counterculture and then you become a movement like the hippies were. Then, all of a sudden, you get into power. It’s sort of hard to criticize because you are the establishment. You can see that unfold in the political arena as well.

Daniel: With the BSides model though it’s extremely de-centralized. There are a handful of us on the global board which is an American 501c3, and we do sort of brand protection—brand management if you will. But our primary function is coordinating, supporting the organizers who run their own events.

McGraw: So it’s a collective, kind of.

Daniel: As of last weekend there have been 233 events around the globe.

McGraw: That is amazing. Well, congratulations on that. That’s cool.

Daniel: The last one was in Lagos, Nigeria. Another new city and new country. Dozens of countries—

McGraw: That’s amazing. Let’s talk about tribes. So security has a whole set of tribes. We sort of talked about them a little bit in the community. I started out at the top. I started out in the science/academic tribe with people like Avi Rubin and Ed Felten, for example. Computer scientists. But I’m also part of the commercial security tribe which is a worrisome tribe indeed. Then there’s the hacker boy researcher tribe which is who you hang out with. Sometimes the tribes interact. Sometimes there are people that interact between tribes. We all like each other and respect each other, but they’re tribes. Were there tribes like that in car mechanics?

Daniel: We didn’t get together that often. We really only saw each other, for example, mechanics in automotive management was at trainings or events put on by the manufacturers which were there to push their—

McGraw: Exactly. They were just marketing junkets.

Daniel: There was some in the mechanical trainings stuff, there was a little bit of getting together. You would go to a class and you would learn something. Depending on the instructor, you might actually make connections with—

McGraw: Right. Right. Right. That makes sense, but it seems like there might have been like Renault mechanic crap, like there are only six guys who know that.

Daniel: Yeah. There weren’t many. I didn’t know any other Renault mechanics when I was doing Renaults in the late 70s, early 80s. I didn’t know any others except for the factory people that I interacted with who were AMC folks. They were rare.

McGraw: Let’s talk about the tribes that do exist in security. What’s your feeling about the tribes and their mixing, or their trifurcation or whatever? How do you think it should go, does go? How do you feel about the whole thing?

Daniel: One of the things that comes up a lot—so right now, we’re in the run up to RSA—and so those who self-describe as hacker first have their annual RSA zero event. It’s a failure. It’s miserable. There are things about RSA that frustrate us.

McGraw: [laughs] Of course. That’s the most worrisome tribe. For sure.

Daniel: But, I have a really hard time saying something that has 400 and some odd talks, and they’re not all cutting edge, but there are a lot of good talks. Are they Black Hat? Are they CanSecWest? Are they ShmooCon kinds of talks?

McGraw: No, but they’re talks. The thing is that everybody’s coming to town. Like, everybody who does business in security is in town.

Daniel: Just last year there were just over 33,000 people there. I’m not sure how you call 500+ exhibitors, 30,000+ participants a failure.

McGraw: Right.

Daniel: Is it too commercial? You know, it’s highly commercial. If you ask the majority of those of us who are part of that hacker tribe make our living in there, so it’s kind of—some folks really get wound up and start biting the hand that feeds them. It’s kind of like the pen test tribe is one of the more adamant, and you know they like to make fun of PCI, but if the PCI requirements were removed, how many pen testers would be unemployed?

McGraw: Ah, irony.

Daniel: Any one of these tribes has that same myopia. This just happens to be one that’s like front and center on a couple of things.

McGraw: Here’s a question. Does BSides have a tribe, or is it just people who didn’t have a tribe?

Daniel: BSides has multiple tribes. In regional areas, BSides has helped build some tribes in places that didn’t have much community; that hadn’t had that OWASP chapter that became a catalyst, or whatever it was.

McGraw: The BSIMM community did the very same thing. We have these people talking to each other in an amazing way. When you find your long lost brother, it’s like ‘oh!’

Daniel: Right. And BSides tends to be much more inclusive. Now, every now and then something happens and somebody gets excluded for something or another. You can’t put thousands of people together without having some—

McGraw: Exactly. All it takes is more than three.

Daniel: Yeah. That’s one of the key things that I do in the community. A lot of times I just want to grab people and—

McGraw: What, you mean gender controversy? [both laugh]

Daniel: Yeah, I want to grab their heads and smash them together until—what I have to do is conciliatory.

McGraw: Oh, I thought you were saying the opposite.

Daniel: No. No. I want to sometimes. You know, club them like baby harp seals. Give them a hug and say ‘you know, we don’t all have to agree on this.’

McGraw: Get it together.

Daniel: On the tribe idea, BSides Vegas I think is interesting because of the way it’s grown. One of the ways we try to keep the feeling of BSides in something that is that size is that there are actually sub-tribes. You could think of it as a nation and there are tribes within it. The data science track is semi-autonomous.

McGraw: Well you see that in big corporations. If you ever worked with Microsoft, or at Microsoft, there’s the federal government (Windows) then there’s the state government which is like Office, then there’s like the Expedia people that are like South America. They’re all little branches that sometimes don’t even talk.

Daniel: The tribe that we really put a lot of effort into supporting is the, what we call the proving ground, and that’s the folks that work to get new speakers, people who haven’t spoken on the national stage. They’re partnered with mentors to give their first talk in a supportive environment to give them constructive criticism and feedback and help them. And draw more people in that are able to share what they know in a coherent way.

McGraw: That makes all tribes stronger. That’s very cool work. I’ve got one more question for you which is more down my neck of the woods. As a software security guy, and a security engineer, I worry about what a massive overemphasis in our field on hacking and breaking things is doing, especially at cons, but even at some trade shows like Black Hat. Shouldn’t Black Hat have a builders track by now? Like, what the heck?

Daniel: I have some sympathy for Black Hat because I know folks who are on the review board. They have an image and it’s like the commercialism of RSA. You start heading down a path and gravity takes over.

McGraw: I don’t know, Shostack tried to turn that and it didn’t happen.

Daniel: People go to Black Hat to break stuff, I guess. In some conferences, smaller ones do—ShmooCon has really made an effort to push more emphasis on the past several years on to that repair track. But it’s fun. Breaking stuff is fun.

McGraw: This isn’t just repair, Jack. I’m talking about security engineering from the beginning.

Daniel: That is one of the things that, me being a college drop-out and having stumbled into this, one of the things that I wish I had is that academic background to understand how we got where we are from sitting in a classroom with a professor. We have some fundamental challenges, and I think that at a very tactical level people that are fighting the fight are continuously just fighting battles with no clue about the larger war. It’s a ton of wasted effort. You know, anyone that’s working on securing—well, you know 10 years ago anybody that was working on securing Symbian, all of their effort’s gone. People that spent a lot of effort securing NT, granted they had a long way to go, even when we gave up on NT.

McGraw: What we can say is thank goodness most of their effort is gone.

Daniel: Right. So, those things are gone. The people that built QNX, or one or two things still running it. When we put a ton of effort into highly volatile solutions, they’re gone in years.

McGraw: That’s very well thought out. I think that’s right. Highly volatile is the exact right way to describe that. So, without that it’s hard to get up over and get out of the moment and do some meta-level analysis.

Daniel: One of the things I’ve been doing is my Shoulders of Infosec project, looking at some of these historical figures because it’s ignorance on my part so I try to share what I know.

McGraw: Do you know Matt Bishop?

Daniel: I do not.

McGraw: Oh my goodness. I’ve got a guy for you to know and everybody else listening. Matt Bishop is a professor at UC Davis. He did a history project which still has collected thousands of excellent resources in academic computer security and other places too which is well worth understanding. Goes back into the 70s and really early classified stuff. And Matt is really open to talking to everybody. He would love to chat with you about that.

Daniel: That’s awesome. University of Minnesota has a lot of histories too. One of the things I found looking at these folks is that if we look at early computer systems, they were horribly insecure. We go back to mainframe sort of things, early government and military systems.

McGraw: Well they were secure in the sense that you just close the door and nobody could get in there.

Daniel: They were securable in that if you followed the wire, you found everybody that was connected to it. Then they started making progress. But, somewhere there’s a series of things that happened in my feeble mind that I think kind of set us up for—I won’t say set us up for failure because it’s changed the world largely for the better. We got global interconnectivity.

McGraw: You know what we got before that? Software.

Daniel: Consumerization and global interconnectivity which led to commoditization, and now it’s cheaper to run a processor with a full OS on it to—internet of things or whatever you want to pick on.

McGraw: Running your dishwasher.

Daniel: Why are you running a full OS on that? It needs to do these two—

McGraw: Dude. So, one way to describe this is it used to be that the people were cheap and the computers were expensive, relatively speaking. Now the computers are cheap and the people are expensive.

Daniel: That’s an interesting perspective. That’s true. Yeah.

McGraw: So, we’ve got to wrap it up, but wow. Fascinating. It’s been great to get to know you a little bit. I’ve been into craft cocktails for a decade. I know you are too. I have a really fancy bar at home. You, by the way, are invited. Not everybody listening, but you, Jack, are invited. What’s your favorite kind of boozy beverage and/or cocktail? Bonus points for a recipe you invented yourself.

Daniel: Recipes I invent myself tend to be what’s available at the bar and see if I can make it taste good.

McGraw: Yeah.

Daniel: My drink preferences go in two fairly different directions. I am a big fan of bourbons and ryes, and so classic things. When I go to a bar that I want to see if they can deliver, I want a Sazerac or something like that. The other one is that I am an aficionado of good tiki drinks.

McGraw: Guess where I was yesterday, or I guess it was Sunday night. Three Dots and a Dash in Chicago. Fantastic.

Daniel: That’s another one. That’s one of Paul McGee’s—he’s now not part of that. He’s moved on and he’s got another one on the other side of town in Chicago called Lost Lake and those two are phenomenal. His new one, Lost Lake was just voted, or just named, best cocktail bar in America and it’s sort of a divey tiki bar.

McGraw: I know. I would have gone there except Three Dots and a Dash was a block away.

Daniel: Yeah, Three Dots and a Dash is right there where you always are. And it’s fantastic. And the crew that’s there—I’ve had great conversations with people. So those kind of—not the slushy crappy things—they have a lot of ingredients, they’re hard. But, I have a progression. If I’m out and don’t want to see how a bartender responds, I’ll start with, ‘see if you can do an old fashioned or Manhattan’ and then they pull the bottle of Gallo vermouth out and I say ‘I’ll just take that rye neat.’

McGraw: Never mind. Stop now.

Daniel: And the Sazerac takes another step, then they kind of give you a look. If the look is ‘oh, this could be fun’ then you can say ‘hey, or go in whatever direction that you want.’ Then sometimes you find the folks that are really into the history and you start getting earlier brandy cocktails which are fun to play with.

McGraw: Cool. Well thank you. This has been a fascinating conversation. I really appreciate your time.

Daniel: Well thank you very much for having me on.

McGraw: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Cigital and IEEE Security and Privacy Magazine and syndicated by SearchSecurity. The September/October 2015 issue of IEEE S&P Magazine is devoted to the economics of cybersecurity. The issue features our interview with European cryptographer Bart Preneel.