Saturday, February 02, 2008

PaulDotCom and Security Now

I've been listening to a podcast called Security Now for a few weeks now. It features security guru Steve Gibson and Leo Laporte (who also hosts another podcast I listen to called TWiT (This Week in Tech)). Gibson is also the author of a hard disk recovery and maintenance tool called Spinrite, and in each SN episode, he reads an email or two from a Spinrite customer talking about how they lost tons of data when their hard disk failed and how Spinrite got it all back for them. This is not security-related in the least, but other podcasts have commercials as well, so it doesn't really bother me. The podcast itself is pretty good — it's not super technical (i.e. it's not directed toward security programmers) but it's not dumbed down either. Every other episode is Gibson answering questions from listeners regarding everything from online authentication (i.e. when using PayPal or stuff like that), to disk encryption to browser security (like cookies and such) to spyware, malware, and viruses.

Last week, I heard of another security podcast called PaulDotCom Security Weekly, so I thought I'd give that a listen as well. My first impression was not very favourable.

Before I go any further, I should say that I'm no security expert, but I am relatively knowledgeable in the area. Computer security has interested me for a number of years, and I am one of the de facto security people at work. I have written (and re-written) pretty much all of the database and communications encryption code in the SQL Anywhere server and client software, and I'm also responsible for other security-related things like permissions, authentication, and auditing. My point is that I'm not ready to start my own security podcast anytime soon, but I am able to at least keep up.

Back to PaulDotCom. The hosts introduced themselves and one of the first things they did was talk about what beer each of them was drinking at the time. Immediately after that, they made fun of Security Now and Steve Gibson by referring to Security Now as a "Spinrite commercial" (and they're not far off with that, I suppose), and played a bunch of clips from various SN episodes — each clip was one where Gibson had lost his train of thought, or said "um..." a couple of times while trying to think how to say what he wanted to say. Of course putting all the clips together made it sound like Gibson was some moron who didn't know what he was talking about. On top of that, they are now sponsoring a contest for listeners of PaulDotCom to come up with videos or whatever talking about how they "made the switch" from Security Now to PaulDotCom. This is not a great strategy for first-time listeners — if the first thing you do in your podcast is tell me how much better than the competition you are, you've just set your own bar pretty high, and now you have a lot to live up to. They seemed to spend an inordinate amount of time talking about how their podcast is so much better than SN, but it was twelve minutes into the podcast before they actually discussed something security-related. It also seemed a bit hypocritical to talk about SN being a Spinrite commercial, since they asked every guest they had if there was anything they wanted to hawk, like websites or products or anything, and even came right out and said "if you're looking to hire computer people, send us an email, we know people who need work".

The word "professional" did not come to mind at all during this podcast. As I mentioned before, one of the first things they did was talk about what beers they were drinking during the podcast. They seemed quite proud of the fact that they were doing this, and referred to it a couple of times later as well. One of them made a simple mistake and amid laughter, one of the other guys jokingly suggested he "have another beer". Making fun of Gibson and SN was childish (though I did find it quite funny), and there were even a few curse words in there as well. I have no huge problem with cursing in general (as long as my kids aren't going to be listening), but again, it doesn't exactly scream "professionalism".

The weird thing is that it seems to me that PaulDotCom and SN aren't aimed at the same audience. While SN is aimed at anyone who is interested in technology and security and familiar with computers (but isn't necessarily a programmer or IT professional), PaulDotCom seemed to assume a much higher level of knowledge. They had a pretty interesting interview with a guy that works on analyzing (i.e. reverse engineering) malware, and how some of the more advanced malware programs try to avoid being detected and also avoid being reverse-engineered by covering their tracks, changing their behaviour if they think they're being debugged, and even modifying themselves. But they got way into the technical details of how this is done, which I found interesting, but I suspect many SN listeners wouldn't. They also talked about some other web-based attacks and how they could be defeated, and got into some details on specific routers (i.e. they mentioned specific model numbers and what kind of firmware they were running and so on), but some of these discussions assumed a level of knowledge above my own, and they certainly didn't stop to explain what they were talking about. The guys at PaulDotCom are certainly knowledgeable, but they seem to assume your level of security knowledge is the same as theirs. Rather than a bunch of security experts explaining things to people less knowledgeable than themselves without talking down to you (which is what I find Gibson does pretty well), this was more like eavesdropping on a conversation between a bunch of security experts who don't care if you are listening.

If you are a programmer directly involved in writing some kind of anti-virus, anti-spam, or anti-spyware software, then this is probably a pretty good podcast for you. It's probably the best security podcast for people who are already security experts. For the rest of us, Security Now seems like a better choice, if you have to choose only one. Even with my aforementioned experience in the field of computer security, I still found myself glazing over during parts of the PaulDotCom podcast, because they'd start talking about stuff with no background for those who were unfamiliar with the terms they were using. I mentioned before that Security Now isn't dumbed down, but having said that, there are certainly times when I glaze over during that podcast as well, because Gibson is going into great detail explaining what a "cookie" is or something like that. But I'd rather skip stuff because I already know it than have to skip stuff because I don't understand what the hell they're talking about. To be fair, I will probably continue listening to PaulDotCom at least for a while, because I did find it interesting for the most part. I'm not trying to "defend" Steve Gibson and Security Now, but the next few PaulDotCom episodes better be pretty darned interesting, because the whole "we're better than Security Now" thing just turned me right off. Since that was the first thing they talked about in the podcast, well, you know the whole thing about first impressions.

Update (Feb 4): I listened to the next episode of PaulDotCom on the way to work this morning, and felt obliged to update this entry, because the next episode was really interesting, and I quite enjoyed it. There was almost no mention of beer and no cursing. They mentioned Security Now but only in reference to their contest. There were a few off-colour sexual innuendo-type jokes, but no big deal. The technical stuff was at a lower level (and by "lower" I mean more technical in nature — definitely aimed at developers and security professionals) than Security Now, which as I mentioned is more aimed at security-conscious people who are not necessarily security pros. I haven't "made the switch", in that I still enjoy listening to Security Now as well, but unless the second episode was the anomaly and most episodes are like the first one I listened to (which seemed less focused than this one and I didn't enjoy as much), I'll continue listening to both. My first impression of PaulDotCom may not have been very favourable, but my second was pretty darn good.

5 comments:

Anonymous said...

Hi Graeme,

I wanted to first thank you for your detailed analysis of both our podcast and Security Now. I think for the most part you picked up on quite a few good points about both. I do hope that you continue to listen to BOTH Security Now and PaulDotCom, as they both have value, in different ways, as you pointed out.

For the record, you are incorrect when you state that we think we are better than Security Now. We're not better, we're just different. You will hear us compliment Security Now on our podcast, and do just the opposite when they do things that are not so beneficial to the security community (i.e. spinrite, kindle reviews, etc..).

We try to do things on PaulDotCom that benefit the security community and get listeners involved. We believe that if more people listened to both Security Now and PaulDotCom that they would enjoy both in their own unique way. However, Steve and Leo go out of their way never to mention another security podcast. We will recommend whatever resource we believe has value (podcast, blog, webcast, etc...) including listening to Security Now. Also, we ask our very prestigious guests to plug whatever they have going, because if they are on our show they are doing something of value to the security community (not trying to get their kindle review to the top of the list).

I hope that you continue to listen to both PaulDotCom and Security Now and provide us with feedback along the way. I very carefully listen to all of our listeners (esp. ones who have "suggestions for improvement") and make adjustments as we go. This is how we grow and hopefully become a better show for it.

And yes, we are edgy, and we drink beer, but trust me if we did the NPR version of security weekly you would be very bored and probably would not listen at all. :)

Thanks for listening!

PaulDotCom

Anonymous said...

Wait, there are security professionals that don't drink?

Joel Esler said...

As a friend of Paul's and a listener to PaulDotCom AND Security Now (as well as a lot of other Leo Laporte's stuff, simply because I know the dude), I agree with Paul's points.

Both have their merits and downfalls. While you may catch Paul and Larry downing a beer or two, it's rare to find someone out there that doesn't enjoy a good beverage now and again.

I've never held Steve Gibson in high esteem because of some of his "research" that he has done in the security field. If he is so into security, how is it that we don't see him on bugtraq? Full-Disclosure? SANS? IDS lists? Vuln-Dev? Pentest lists?

Don't get me wrong, I think the guy has his good points (while they are few and far between) especially his ability to answer seemingly "simple" questions to security professionals.

"Hey I got this email from Paypal, says I should give them my social security number and stuff"

Whereas Paul, Larry, and I might just say "Uh, delete it!" Gibson takes the time out to defend why you should delete it.

I personally think that Paul and Larry's Podcast is much better, but then again, I am a more technical person. However, I still listen to both because they both have their highs.

Graeme said...

Now that PaulDotCom himself has responded to this posting, I'm not sure I even want to post this response for fear of looking like a kiss-ass. (Ooooh, look at me using curse words. Hang on while I get myself another fuckin' beer.)

I have softened my position on PaulDotCom since I wrote the original article (as you can see by my update of Feb 4). I've now listened to three PaulDotCom podcasts, and enjoyed them all. Yes, they drink beer during the podcast, but I've heard no evidence that this negatively affects it in any way, so who cares. It's not like by the end of the podcast they're too drunk to remember what they're talking about or shlurring their wordsh or anything. And it's not like I have anything against beer, good God no. Plus, they're American, so they presumably drink weak-ass American beer, not our good strong Canadian stuff, so how much could it affect them anyway? By the way guys, the word is process, not prahcess, eh?

Paul says that they are not really trying to compete with Security Now, and will even recommend it at times, though I haven't heard them say anything remotely positive about it yet. Admittedly though, 3 podcasts out of the 98 or so they've recorded is a pretty small sample size. The fact that they're sponsoring this "Making the switch" contest certainly makes it sound like they want people to listen to them instead of SN, not in addition to SN. Whatever. As Paul mentioned, at least they acknowledge that there are other security podcasts out there, which Steve and Leo do not.

Anyway, I will continue listening to and enjoying both. Thanks to Paul and the boys for a fine podcast and thanks also to Paul and Joel for their comments here.

Anonymous said...

I have been a listener of SN since inception, and even asked a question. The question was not answered at all well imo, but that is not all that unusual.

I discovered PDC when they were around episode 40 thanks to the Network Security Podcast and have become fanatical about listening to them due to their more technical nature. I find myself listening to each episode twice, or more. The first to find the gist of the tech segments, and then I try to practice the "lesson".

I still listen to SN, but only the ones that are of more interest to me, along with the Q&A's. Something I have learnt is how to use the skip button on my iPod, not just with the SN podcast but with all the TWiT network. Most of the advertising in them does not apply to South Africa.

I think it is important for anybody who is interested in a subject to take in all he can from as many sources as possible, and sort it out for himself. Paul and Larry disagree on some issues, which makes for more entertainment.