WE'RE IN!

Dennis Fisher on the future of cybersecurity journalism

Episode Summary

Dennis Fisher, editor-in-chief at Decipher, reflects on his journalism career covering cybersecurity for more than two decades in the latest episode of the WE’RE IN! cybersecurity podcast. He began in 2000, covering email before transitioning to security. Soon his focus shifted to vulnerability reporting, including blockbuster bugs in Windows and Internet Explorer. This led to Microsoft's Trustworthy Computing memo and significant changes in the software industry.

Episode Notes


Dennis also discusses the challenges of cybersecurity journalism and the importance of democratizing information.  

Listen to hear more about:

Episode Transcription

Blake: Thank you so much for joining us on the podcast, Dennis.

[00:00:02] Dennis: Yeah, thanks for having me. I'm excited. I'm looking forward to it.

[00:00:05] Blake: Now, you co-founded both Threatpost and now Decipher and have been covering InfoSec in some capacity for over two decades. What are some of the biggest changes that you've witnessed in the beat since 2000, in the Y2K bug era?

[00:00:20] Dennis: Yeah, it's uh, it's kind of crazy to think about how long it's been, but when I first started covering security, it was end of 2000, beginning of 2001, I was at what had just become eWeek magazine at the time. It was PC Week before that. And the guy who had been covering security at the time had just left.

[00:00:40] And so I kind of put my hand up and said, hey, that looks like a fun beat. I want to do that. I had been covering, uh, email before that, which is like, yeah, imagine how exciting that was.

[00:00:50] Blake: The email beat. Today it'd be the Slack beat, I guess.

[00:00:53] Dennis: Essentially. Yeah. Um, it was extremely, uh, uninteresting, but I was like, hey, I, I had done some, um, this was in the era of like VBScript viruses and things like that. Like ILOVEYOU and the Anna Kournikova virus and that, that kind of stuff. So I had done some security stories with Scott Berinato, who was the security reporter at the time. When Scott left, I was like, hey, I want to, I want to do this. So I ended up getting it. Nobody else wanted to do it. And really all it entailed was, like, email-borne viruses was pretty much everything at the time.

[00:01:26] And then pretty quickly after that, in like the 2002, 2003, 2004 time frame, became the, hey, let's focus on how bad Windows is and how bad Internet Explorer is and how many bugs there are in the software that we're all using and why is everybody in this monoculture and we're all exposed to these serious problems at the time.

[00:01:48] And this is when groups like L0pht and then @stake and some other security research teams were really starting to look for bugs actively in, you know, popular software like IE, Windows, not so much Linux at the time, but popular enterprise and consumer software was really coming under the microscope for, for these early research teams.

[00:02:10] So that became a big thing. And, you know, that led to the Trustworthy Computing memo from Bill Gates and this real sort of turnaround for Microsoft at the time. There was almost nothing going on in the early 2000s. Now it's like there's 50 things happening every day and you sort of have to pick and choose.

[00:02:28] It was more a case back then of like, damn, am I gonna have anything to write about in the next like five days? You know, for the magazine, like what am I actually gonna come up with from this conference or just on a random Thursday?

[00:02:41] Blake: It does seem like things have kind of continuously picked up steam. I've heard it quipped before that the cybersecurity industry is the only one that's been allowed to fail up, so to speak. The problem just keeps seeming to get worse and worse with each passing year. But of course, that can't always just be pinned on the big tech titans or the companies trying to solve those problems. But it is an interesting trend nonetheless.

[00:03:01] Dennis: You know, the security industry is an industry that shouldn't really exist. It exists because humans write software. So software has bugs, you know, so we had to wrap this whole other industry around it to try and make safer this product that isn't safe. A lot of people compare it to cars and seatbelts and that kind of thing, which isn't a perfect analogy, but you get the idea.

[00:03:23] You've got software and hardware that everyone has to use on a daily basis for every task in their lives. But a lot of it was built without the understanding of how humans were going to interact with it and what the potential vulnerabilities and weaknesses might be. Now we have a several billion dollar industry that is trying to fix all those problems.

[00:03:46] Blake: Yeah, yeah. And, uh, thinking back to the L0pht folks, it's what's old is new again in a way, right? We're still seeing huge Microsoft vulnerabilities crop up in the news from time and again. And I guess the difference now is the big companies are less inclined to try to sue or threaten researchers who are exposing bugs in their systems, which is, I guess, a positive development in some regards.

[00:04:05] Dennis: Yeah, that, that is definitely a positive development, although I think if you ask some of those, um, the L0pht guys, they could probably point you to some things that are still happening or other researchers could be like, yep, we told you that this is still happening and you do see it every once in a while. Not really the legal aspect of it, but more of like, you might see some social media shaming of a researcher or, in an advisory, the vendor might say, you know, or ignore the researcher that reported it to them or something like that. But like the existential legal threats aren't quite as prevalent as they were 20 years ago.

[00:04:39] Blake: It's more grousing that you didn't give me two years to fix this, researcher, dear researcher. What, why, what, what's going on?

[00:04:45] Dennis: How impolite. Yeah.

[00:04:46] Blake: How impolite, how uncouth. So, against that backdrop, what's your most memorable story? Whether it's a vulnerability, a particular event, or something that you've covered in your, in your cybersecurity journalism career here.

[00:04:58] Dennis: There's probably been a few that, that come quickly to mind. One, honestly, was that Trustworthy Computing memo that I mentioned earlier. For folks that, that haven't been in the industry that long, you can go Google that, but I, I can vividly remember coming into the eWeek office. It must have been a Thursday morning because that's when our print deadline was.

[00:05:19] Blake: Print deadlines, whew. 

[00:05:20] Dennis: Print deadline. Look that up too. And seeing an email in my inbox and it was from somebody I knew at Microsoft who had forwarded me this memo that Bill Gates had written and I think sent out to the company the day before or maybe overnight. Essentially saying, hey, listen, our customers are telling us our software is not good enough. It's not secure enough and they're running into big problems and if we don't fix it, they're going to stop using us. And that led to essentially Microsoft taking a whole bunch of different actions. They set up the Microsoft Security Response Center as an eventual result of that. And like, a proximate effect was they stopped development on Windows at the time.

[00:06:01] I forget what version it was, probably XP. And just stopped, stopped development on it and said, Hey, listen, we're going to, we're going to hard stop and we're going to go back and add security features, look for problems. And sort of redo our development practices so that we're focusing on security first and, you know, not putting features and usability above everything else. That led to huge changes, not just at Microsoft, but across the software industry, honestly, some of which took, you know, a decade to play out. That was a big one and that had really long term effects that, you know, we're still seeing some of which have kind of been rolled back by some of the, some of the vendors, I think, but, that was a big one.

[00:06:43] And honestly, um, another one was a story I wrote, like, right when we launched Decipher a few years ago was this oral history of the L0pht, which wasn't so much me writing it, but it was me, you know, talking to, not just the L0pht members, but people who were around the, the BBS and hacking scene at the time, you know, in the, the mid to late nineties and very early two thousands and sort of chronicling not just the growth, growth of the L0pht and the birth of that, but like how that spread its tentacles out into the larger cybersecurity world. The effects that all of these folks have had on the broader security and software worlds themselves. You know, if you go and look at what those folks have done over their careers, it's pretty wild. I know you had Space Rogue on here a,

[00:07:28] Blake: Space Rogue, friend of the podcast. Yeah, and it is, it is, they are such a goldmine of, uh, the L0pht members, such a goldmine of that cybersecurity history, the how we got here point, exactly. It's, and it is so important, I think, because in this industry, you do keep seeing so many of the same mistakes repeated. And, you know, and so I, I do think, revisiting that and, speaking with L0pht and getting that oral history is a very powerful piece of journalism in the cyber world. So, so definitely, I can see how that's a, that's a seminal moment in your, in your career there, getting that, teasing that out. Now, on the flip side, do you have a story that got away? One that you really thought you could nail down, but didn't quite bring over the finish line?

[00:08:09] Dennis: God, that's such a tough one. I think any journalist will tell you they have, there's a bunch of those if you've been doing it for any significant amount of time. There's, there's one that me and one of my colleagues worked on. I don't want to like, the problem is I can't really, cause we didn't pull it across the goal line.

[00:08:26] Blake: Right. You can insinuate, but right.

[00:08:28] Dennis: Yeah, I can maybe tell you about it later, but like, it's, it's a pretty good one that I, we had some pretty good information that there was a significant leak inside one of the major software vendors of like, their bug information. So it was getting out before public disclosures. So you can imagine what the effects of that could have been. You know, you could end up with, depending on how the leaks were happening, you could end up with cybercrime groups or even APT teams having access to a bug in, you know, software X, before even, you know, maybe the development teams inside the company knew about it or before it was fixed, obviously before a patch was available. So,

[00:09:12] Blake: Dear listeners, you can't hear it, but I'm grimacing right now.

[00:09:15] Dennis: Yes, yeah. We worked on it for a long time and we essentially knew we were right and had pretty much everything we needed to do, but couldn't get the last little bits to, to really get it into print. You know, it's still one of those things that, that me and this person kind of talk about every once in a while and think, man, God, we're this close, you know, we can, if we adjust, you know, we need like one more person to say, yep. That definitely still bugs me. I think about it every once in a while, but.

[00:09:45] Blake: Well, maybe, maybe stay tuned. Who knows? Maybe that'll still come out of the woodwork. I, I do know probably for the better that you did wait for that to become fully ironclad though, because as we just mentioned earlier in our conversation, some of the big software vendors can get litigious. Uh, so, uh, you know, you definitely don't want to put out a, put out a story that isn't a hundred percent there, um, on

[00:10:04] Dennis: No. And that's also like the worst feeling as a journalist is if you put something out and then you get told that it was wrong or like you got some important facts, like a little bit, you're just like, oh my God, especially back in the day when it was print and there was no good way to fix it. Like, you know, you can't just go into the CMS and be like, oh, let me fix that typo or like whatever issue, uh, you know, an update that, you know, 15 years ago, that wasn't possible.

[00:10:32] Blake: Early in my journalism career, I misquoted the CEO of Google, which went out on the AP wires. And that was, that was a fun one. But, uh, but I will say, no, no, no, it was, it

[00:10:42] Dennis: I feel it. Yeah.

[00:10:43] Blake: It was pretty brutal. The corrective that had to be issued. Now it's, it's been a, it's been a pretty tough decade. You know, obviously cybersecurity media, it's so important in the, the ecosystem is still very vibrant, and you have all these amazing sources offering the cybersecurity community news, whether it's free or with a subscription. But, you know, unfortunately, there have been a series of layoffs. There have been some buyouts and closures. Protocol recently shut its doors, and more recently, the Washington Post Cybersecurity 202 folded into their technology newsletter. Where do you see the future of cyber journalism against this pretty challenging backdrop?

[00:11:18] Dennis: Yeah. That's something I think about quite a lot, honestly, in, in me and, you know, other journalists I know in the industry talk about quite a bit because we've all sort of had to adjust or make changes in our careers because a lot of us started in that world where there were big technology magazines that were, you know, had been around for a long time and were stable and then within a couple, a couple of years, that all deteriorated very quickly.

[00:11:43] So you move to online, you know, and some of us started our own things and, and stuff like that. And I was always really happy when I saw something like the, the 202 or those other publications start. Like, great, let's get more people writing about this. More information is better for everyone. This is a really complex topic and the more that we can make it, you know, understandable for, um, general purpose audiences, the better off we all are. When one of us is safer, we all get a little safer. So that always made me really happy. Even if it was a little competition for us, I was fine with that. I do think, and this is, you know, may sound a little self-serving, but I do think that kind of the corporate sponsored brand journalism world that we sort of started to help at Threatpost and have continued at Decipher is one of the main avenues that I think is not just for cybersecurity journalism, but for probably tech journalism and some other niches as well is a really viable option because you know, when we started Decipher at Duo Security at the time, the goal was to democratize information about security.

[00:12:51] We wanted to make it understandable and usable for everyone, not just experts, you know. I'm not an engineer. I'm not an expert. I just, you know, I've been doing this for a long time, and most of the journalists that are covering this, you know, some have engineering backgrounds. Most of us are just writers, and I do think that that's one of the more viable pathways for cybersecurity journalism going forward because the, you know, media organizations, it's a tough go, like advertising isn't there, the models are just so different now, it's really difficult to see. I mean, even in general purpose media, like Sports Illustrated just shut down like last week, like that's been around for 60 years. What are we doing?

[00:13:34] Blake: Pitchfork folded into GQ. I mean, there's all sorts of changes. Yeah. No, I hear you. And honestly, you're preaching to the choir there, talking about editorially independent publications that come in under the auspices of cybersecurity vendors in some cases. And I agree, you know, that that is one avenue for getting important information out there. And I don't think that it's a model that automatically taints the, uh, the quality of the content, and I think that's been a misconception, and I think actually you've seen in recent years, amazing publications emerge like The Record by Recorded Future, like Decipher. To that rising-tide-lifts-all-boats point that you made, I think these all are so important for the ecosystem, especially when you consider that some of the traditional legacy media are struggling so much.

[00:14:16] Now, I did want to speak to that editorial independence point, you know, Decipher does characterize itself as an independent editorial site that takes a, quote, practical approach to covering information security, end quote. And you are published by this, uh, you know, MFA-focused cybersecurity company Duo, which is pretty well known in the community. How do you maintain that kind of editorial firewall, the sort of separation of church and state?

[00:14:41] Dennis: Yeah. We've been really lucky with that. So when we started Decipher, it was myself and my colleague, Fahmida Rashid, who were the two editors at the time.

[00:14:51] The sort of philosophy at the time was, we're hiring you guys because you're good at what you do. Go do that. We're going to leave you alone. We want you to give our audience, our customers, information about security so that they're aware of the problems and then if, you know, if we have something that can help them address those problems, all the better. But we just want more people to be aware of what the threats and the problems are out there. So we were acquired by Cisco not long after that, about a year after we started Decipher, I think, almost exactly a year. And, you know, that philosophy carried over to Cisco, and I'm, I couldn't say better things about the way that we've been treated and how they view us and the editorial independence. Several different, you know, sort of managers that we've had over the years, everyone understands that we're trying to get more information into the hands of more people so that people understand what the threats are, what the vulnerabilities are, how to fix them, and that this doesn't all have to be terrifying and scary and everything isn't awful all the time, and there's a lot of bad stuff happening, but there are steps you can take, and there's people out there trying to defend it and trying to help you.

[00:16:03] So, Cisco and the executives that we deal with, who are, you know, our higher ups, very clear understanding of what the philosophy is and have been really, really tremendous in, in letting us do what we do well.

[00:16:16] Blake: I'm glad to hear it. I think it's important that it sounds like these set executives have a high degree of media literacy to kind of understand that. Yes. Okay. Just because Decipher isn't out there marketing, Cisco, essentially products or something doesn't mean that there's not value there both for the, for the company, but also again, to that community point writ large, which, which is so important to just emphasize when you have something as tough to market, I put in quotes as, as journalism can be. Now, have you ever, have you ever considered starting a publication that wasn't about cybersecurity?

[00:16:46] Dennis: Oh man. Have I ever, I sure have, like, I have a bunch of different, you know, sort of varied interests outside of like, you know, outside of technology, um, you know, I, I play a ton of golf. I'd love to do something in golf media at some point I think would be a lot of fun. I'm like a complete movie nut. So I'd love to do like, we do some movie podcasts on Decipher, like about hacker movies and stuff like that. But I'd like to do like some sort of general movie podcast or something. There's a million of them out there. So that's, you know, sort of a crowded field. But writing wise, I don't know, like, as you know, man, like writing's hard. Like it's, it's really hard. It's time consuming.

[00:17:27] Blake: Not when you just outsource it to AI, Dennis,

[00:17:30] Dennis: Yeah, no shit.

[00:17:30] Blake: Kidding.

[00:17:31] Dennis: What are we doing? We should just ChatGPT the hell out of all this. But, um, I mean, I also like write books in my spare time. So, by the time I'm done writing for work and then writing something, you know, some kind of fiction piece, I'm kind of exhausted. So, like, even if I do feel like, hey, it'd be so fun to have like a golf media site or a movie media site or whatever. Like, then you think about what all that entails. Like, I don't know, man. I'll just read everybody else's stuff and be happy.

[00:18:01] Blake: That's fair. Rounding up freelancers or something for that doesn't sound like a fun spare time activity. Now, I'm glad you mentioned your fiction writing. You do have two published novels to your name, Motherless Children and the latest Be Gone. How has your experience as a reporter and editor influenced your fiction writing?

[00:18:21] Dennis: Quite a bit, actually. I mean, both stories have a little bit of a security element to them. They don't, like the, the main plot points don't turn on, you know, hacking or anything like that, but they do have, like one of the characters in both books is essentially a freelance hacker type who's, you know, involved in the stories. I definitely have used my background to kind of like inform the plots of those stories and just my experience as like a, you know, having been a reporter and editor for so long, um, understanding the way that story structure works and the way to get, bring people into a story and keep them there, hopefully, and, um, you know, communicate the ideas that I have over the course of, you know, 400 pages instead of like 1500 words is, uh, that was honestly a big challenge for me because you're so used to writing, like, you know, okay, you've got like maybe 45 seconds for somebody to read whatever it is you're writing on online, right?

[00:19:23] But when I decided I wanted to write a novel, I knew that I didn't really want to do a technology-based one. Like there's a bunch of people that do that kind of stuff really well, but I wanted to kind of like step back from what I write about every day to sort of, like, I've always loved crime novels and like murder mysteries and that kind of stuff anyway, so I was like, you know what, let me, let me try that, see if I can, see if I can do it, and uh, I really enjoyed it. So, it's something I'm, I'm happy I, I got to do and, um, got a third one. It's sort of in progress. I don't know. Um, things take time, but, you know, hopefully in the next

[00:20:00] Blake: Okay. Ready to roll out? Got some working titles already or still a little, uh, still a little too early to say?

[00:20:08] Dennis: I tend to wait until the end and see if I can come up with a few that might work and then, uh, you know, close my eyes and point to one on the list and be like, yeah, let's, let's go with that.

[00:20:17] Blake: Can we expect more juicy crime plotting related to it?

[00:20:20] Dennis: Definitely. Yeah. I think I, you know, I figured out one thing that I'm good at and so I might as well stick with that. I'm not, you know, I'm not writing any, yeah, yeah. There's no romance novels in my future I don't think.

[00:20:33] Blake: Well, you did start off your journalism career covering crime too, which is interesting because there are, you know, quite a few parallels between the cyber and crime world. I'd be curious to hear your thoughts on what similarities you see between those beats of violent crime and cybercrime. And, you know, there are, there are some places where they overlap. Like, uh, Andy Greenberg's Tracers in the Dark book comes to mind of kind of the world of like cryptocurrency, dark web marketplaces, and you do get these, you know, knock on the door, bang, bang arrests and all kinds of wild physical violence that can offshoot from that. Uh, what are your thoughts on those two disparate areas of crime?

[00:21:11] Dennis: They're both really interesting to me on a, on a, in a few different ways. I mean, one of the things I really liked about when I was a daily newspaper reporter covering crime was it was something different every day. You never knew when you walked into the office or the courthouse or whatever that morning, what the day was going to bring. So that was always cool to me. It wasn't like going to a city council meeting, like every Tuesday night and like, you know, you know what the agenda is. So it was always something different and that's certainly how the security beat works too. Like, you never know, even from hour to hour, what, what you could be writing about or talking about. So I love that. And honestly, like, like you mentioned in the last, yeah, probably 8 to 10 years, the overlap between cybercrime gangs and traditional, you know, whatever you want to call it, real world crime has certainly, it was always there from the beginning because some of the early, you know, cybercrime groups were associated with, you know, organized crime groups, especially in, you know, Russia and other places.

[00:22:16] And that's still true, but it's become much more of an overlap. You know, that Venn diagram is much tighter now, especially with the cryptocurrency world. You mentioned Andy's book, which is amazing. He's written a couple of others that sort of look into that as well. You turn over a couple of rocks and you're like, oh my god, this is so bad, like the, the connection between traditional organized crime groups and cybercrime groups isn't even, they're just sponsored by them, you know, they're directly connected now and it's, you know, it's a less risky play for organized crime groups than, you know, stealing cars or robbing banks or whatever, like cryptocurrency and cybercrime, you know, in general, is just a much, there's a lower barrier to entry and it's like the risks of actually getting caught and facing any consequences for it, especially in some of the countries we don't, you know, Western countries don't deal with from a law enforcement perspective, very, very low. So, yeah, unfortunately the connection is very strong.

[00:23:23] Blake: Yeah, there's still that sense of impunity in some parts of the world where it's just people, criminals feel empowered to carry out some of the worst. I don't even want to call them. I don't want to dignify them by calling them shenanigans, but worst crimes, I mean, ransomware in hospitals, attacking our critical infrastructure. It's really, it's grim out there. And you do weigh in on some of these, uh, heady security topics pretty regularly with your, uh, your own podcast, the Decipher Security Podcast. Definitely encourage our listeners to give that one, uh, to check that one out. You've hosted an array of C-suite-level speakers. Do any memorable guests come to mind?

[00:24:00] Dennis: Oh man, that's a good question. Some of my, the favorite people I've gotten to talk to are honestly people that have become friends of mine. Like folks that I've had on over the years, several times, like Gary McGraw, who's a software security expert, who's been doing, you know, security stuff for almost 30 years, is just one of the smartest and like most engaging podcast guests you'll ever have. He's also like a world class musician and has all these other, you know, crazy interests. Last year, oh God, I guess it's two years ago now, time, time's moving fast.

[00:24:35] I got to talk to Meg Gardiner, who's also a crime novelist. And was the co-author of, um, Heat 2 with Michael Mann, the book that they're turning into a movie. I think, I think they've already started filming it as, as we're talking. And like, I had loved her writing and I just randomly reached out to her when I saw the book come out and I knew there was some, some sort of connection. And I was like, would you consider coming on the podcast? She got right back to me. It was like, love to, let's do it. And I was like, oh my God, I've never been more nervous in my life. Like she, you know, she couldn't have been sweeter and couldn't have been nicer, but I was so like quadruple checked every, you know, audio thing.

[00:25:15] And I was just like, if this screws up, I'm going to, I'm done. I'm going to be so mad, but that was great. 

[00:25:21] That's the kind of stuff I love just like as, as an old person who's been around, you know, kind of getting to know these people over the years. I love that kind of historical perspective that informs like what we're seeing now, you know, everything, everything old is new again. So, um, those are some of the ones that just jumped to mind now. Yeah.

[00:25:39] Blake: And talking about, you know, circling back to the L0pht conversation, Cult of the Dead Cow was another one with so much sometimes unrecognized influence. And so, yeah, Joe's writing on that has been really impressive and illuminating. I mean, a certain Texas politician, uh, his, revealing his connection to the, uh, to the Cult of the Dead Cow was, was, uh, quite a surprise

[00:26:00] Dennis: That was a big deal. That was a big deal.

[00:26:03] Blake: Uh, yeah, what I, for listeners remind, remind us what was his, I always blank on his name, the,

[00:26:09] Dennis: Oh, Beto O'Rourke.

[00:26:11] Blake: O'Rourke, of course.

[00:26:11] Okay, thank you. I was like, I knew, I knew he, you know, people were following his campaign so closely, and then it suddenly emerges that he's just this like ex-hacker as well. It's kind of, kind of, uh, kind of out of left field, to say

[00:26:23] Dennis: It was wild.

[00:26:24] Blake: Uh, so you're, you're a writer and editor. I have to ask, Oxford comma, yay or nay?

[00:26:31] Dennis: Absolutely. Yay. For sure. Yeah. I

[00:26:33] Blake: Okay, I don't know if this is ever going to air.

[00:26:36] Dennis: Okay. Yeah. I mean, we can just stop right here if you're, yeah, I, this is one of those weird things. I didn't even know it was like a controversy until I don't know, like I never thought about it in college. I never, I was just like, this is how you do it. And then I think at some point in my magazine writing career, one of my editors or one of the copy editors kept like taking out that, you know, the, the final comma or whatever.

[00:27:01] And I'd see it and I was like, why does this keep happening? Like, this is, he's doing this wrong. And then I discovered there's these two, two absolutely diametrically opposed camps that are just like, you know, screaming across the fence at each other. I was like, I don't know, man. It's a little comma. It just makes it easier to read. You understand the sentence better.

[00:27:20] Blake: I'm not a big sports fan. So maybe this is where I get my rivalry in is with the Oxford comma debate and I can, I can have something to cheer for and against. But, but thanks for being honest, at least even, even if you're wrong. I

[00:27:31] Dennis: That's okay.

[00:27:32] Blake: Transparency there.

[00:27:33] Dennis: I mean, I'd agree with you, but then we'd both be wrong. So that's, I mean, that's fair.

[00:27:38] Blake: No, so finally, this is something that we ask of all our guests of the podcast, which is what's something that we wouldn't know about you just by looking at your LinkedIn profile.

[00:27:46] Dennis: Oh God. Yeah. There's probably a lot of things. I mean, one interesting thing is like when I was a kid, we lived on this little tropical island called Kwajalein, which is part of the Marshall Islands. Which are like, if you fly to Hawaii and then fly another six hours southwest of Hawaii, you'll get to the Marshall Islands. It's a tiny little speck in a chain of islands called the Kwajalein Atoll. It's essentially an army base, army installation. And we, the U.S. Army did a lot of, uh, missile testing there during the mid century. And, uh, my dad was in the army and then he was an engineer for IBM, so we lived on this tiny little island. That's literally like, I want to say it's about a mile and a half long and like half a mile wide. It's one of the most remote places in the world. And, um, but I loved it. I was like three, four or five years old when we lived there. So I was just like running around with no shoes on, you know, like having the time of my life, like not going to school, having a great time. It was amazing. I loved it.

[00:28:50] Blake: Well, let the record show. I also, uh, grew up on an island, actually a little Sanibel, a little more accessible though, it

[00:28:57] Dennis: Oh yeah. I've been there. That's a cool place.

[00:28:59] Blake: Yeah. So, uh, so now, uh, shoot, now somebody probably knows some security question, uh, one of my, uh, but so it goes, well, thank you so much for sharing some of your, your insights on the security media landscape and your experiences that really appreciate having you on the show here.

[00:29:15] Dennis: My pleasure. Thanks so much for having me.

[00:29:17] Intro: Testing, testing, sounds good.

[00:30:07] Hey Zoe, how are you doing? I'm good, nice to meet you here for the podcast.

[00:30:24] Correct, yep. That's the game plan. Um, I'm recording locally now on GarageBand, so I'll upload that. Um, typically I just kick things over to you just to briefly run through any housekeeping notes to make sure he's sounding good, um, in this case and, uh, you know, ask what you, whatever sample question of choice.

[00:30:47] I think, uh, Mackie used to use, what did you have for breakfast this morning or something just to get out, you know, the audio levels and then, um, and then, you know, uh, remind everybody, of course, to keep, keep the tab open until I can get fully uploaded, all the usual producer stuff, um, which I know I'm preaching to the knowledgeable choir here, but just to kind of, you know, go over how it's typically gone.

[00:31:10] Um, and then, yeah, it's a pretty smooth interview process. So I, I lead things, tend to keep things pretty conversational, um, and then, uh, go from there. So, uh, hopefully, hopefully smooth sailing, but yeah. Sorry to hear about, um, yeah, anyway. Uh, hi Dennis. Welcome.

[00:31:29] Good. It's, it's great to finally connect. I feel like we've been in the same sort of journalism nexus and haven't really, uh, haven't really ever, uh, crossed paths before. So I really appreciate you joining us on the, the We're In podcast here. Yeah. So, um, anyway, we've got our, uh, producer here, Zoe, who will walk through a quick couple of housekeeping notes before we jump right into the questions.

[00:31:53] Um, just a, just a heads up, I record the intro separately, so I typically just dive right in and go for it when we do start. Um, but, uh, anyway, uh, Zoe, I'll let you, uh, briefly get Dana set up here and then we'll, we'll, we'll get right to it.

[00:32:58] Yeah, we'll just do audio. Yeah, we've, we occasionally have done, you might've seen some like video promos that we do, but we kind of treat that as like an optional thing that we don't, we don't, you know, it's, it's a podcast first and foremost. So we'll just do audio here and you don't need to worry about what's in the background.

[00:33:11] Yeah. Yeah, yeah, yeah. Yeah, yeah, no, trust me. I, I, I, I've got a four month old. So if you actually like, I, I, I put on a good show right here, but like, if you look anywhere else, it's just like toys and burp cloths and just all sorts of stuff going on. So.

[00:33:36] Oh boy. Okay. Preview preview of what I have to look forward to, I guess. Um, yeah, but, uh, yeah, well, well, great. And I would also just add to that. Um, I mean, we rarely take up the full hour. I mean, these, you know, it's so, so I wouldn't worry too much about that. And also, um, uh, you know, since it isn't recorded live, if there's any redos that you want to do or like, ah, I didn't really frame that right or whatever, we can, we can absolutely do that and just edit that in the final cut.

[00:34:01] So pretty, pretty low stakes in that regard, which is, uh, which is nice compared to the live radio hits.

[00:34:16] Oh, and Kirsten's joining us from the Cinexide. Hi, Kirsten. We just went over all the, all the ground rules here, um, just to kind of take some notes and, um, and, uh, she helps write our show notes and whatnot. So we'll be tuning in. Great. Well, uh, we can, we can jump right in and, uh, get recording, Zoe. Thank you.

[00:34:37] Oh, yeah, I always need to do that.

[00:34:43] Every time, every time I forget to pause my slacks and then I hear the dings going as you're, you know, it's just.

[00:34:55] I should know better at this point, hosting this now. It's like, but I still managed to forget. So thanks for the reminder. Dennis,

[00:35:32] perfect. Thanks Zoe. And if, if anything's going off the, off the rails, then Zoe will pop back in, I'm sure and correct the, correct the record. Great. Well, thank you podcast, Dennis.

[00:35:49] Now, you co founded both ThreatPost and now Decipher and have been covering InfoSec in some capacity for over two decades. What are some of the biggest changes that you've witnessed in the beat since 2000, in the Y2K bug era?

[00:36:37] The email beat, today it'd be the Slack beat, I guess?

[00:38:39] It does seem like things have kind of continuously picked up steam. I've heard it quipped before that the cyber security industry is the only one that's been allowed to fail up, so to speak. The problem just keeps seeming to get worse and worse with each passing year, but of course that can't always just be pinned on the big tech titans or the companies trying to solve those problems, but it is an interesting trend nonetheless.

[00:39:51] Yeah, yeah. And, uh, thinking back to the L0pht folks, it's what's old is new again in a way, right? We're still seeing huge Microsoft, uh, vulnerabilities crop up in the news from time and again. And I guess the difference now is the, the big companies are less inclined to try to sue or threaten researchers who are exposing bugs in their systems, which is, I guess, a positive development in some regards.

[00:40:44] Yeah, it's more grousing that you didn't give me two years to fix this, dear researcher. What's going on here? Well, how impolite, how uncouth. So against that backdrop, what's your most memorable story? Whether it's a vulnerability, a particular event, or something that you've covered in your cyber security journalism career here.

[00:41:27] Print deadlines. Woof.

[00:42:14] Sounds about right.

[00:43:52] Space Rogue, friend of the podcast. Yeah, and it is, it is, there is such a goldmine of the L0pht members, you know, such a goldmine of that cybersecurity history, the how we got here point, exactly. It's and it is so important, I think, because in this industry, you do keep seeing so many of the same mistakes repeated.

[00:44:10] And, you know, and so I do think, you know, revisiting that, and speaking with L0pht and getting that oral history is a very powerful piece of journalism in the, in the cyber world. So, so definitely, uh, I can see how that's a, that's a seminal moment in your, in your career there. Getting that, teasing that out.

[00:44:29] Now on the flip side, do you have a story that got away? One that you really thought you could nail down but didn't quite, uh, bring over the finish line?

[00:44:55] Right. You can insinuate, but right. Laughter.

[00:45:43] Dear listeners, you can't hear it, but I'm grimacing right now.

[00:46:25] Well, maybe, maybe stay tuned. Who knows? Maybe that'll still come out of the woodwork. I, I do know probably for the better that you did, uh, wait for that to become fully ironclad though, because as we just mentioned earlier in our conversation, some of the big software vendors can get litigious. Uh, so, uh, you know, you definitely don't want to put out a, put out a story that isn't 100 percent there, um, on that front.

[00:46:46] Um,

[00:47:12] Early in my journalism career, I misquoted the CEO of Google, which went out on the AP wires. And that was, that was a fun one. But, uh, but I will say, no, no, no, it was, it was, it was, it was pretty brutal, the corrective that had to be issued. Now it's, it's been a, it's been a pretty tough decade. You know, obviously cybersecurity media, it's so important in the, the ecosystem is still very vibrant and you have all these amazing sources offering the cybersecurity community news, whether it's free or with a subscription.

[00:47:40] But, you know, unfortunately, there have been a series of layoffs. There have been some buyouts and closures. Protocol recently shut its doors. And more recently, the Washington Post Cybersecurity 202 folded into their technology newsletter. You know, where do you see the future of cyber journalism against this pretty challenging backdrop?

[00:50:22] Pitchfork folded into GQ. I mean, there's all sorts of changes. Yeah, no, I hear you. And honestly, you're preaching to the choir. They're talking about editorially independent publications that come in under the auspices of cybersecurity vendors in some cases. And I agree, you know, that that is one avenue for getting important information out there.

[00:50:40] And I don't think that, um, I don't think that it's a model that automatically, uh, somehow, uh, taints the, uh, the quality of the content, and I think that's been a misconception, and I think actually you've seen in recent years, um, uh, amazing publications emerge, like The Record by Recorded Future, like Decipher, like, you know, and, to that rising tide lifts all boat point that you made, I think these all are so important for the ecosystem, especially when you consider that some of the traditional legacy media are struggling so much.

[00:51:12] Now, I did want to speak to that editorial independence point, you know, Decipher does, I think, characterize itself as an independent editorial site that takes a, quote, practical approach to covering information security, end quote. Um, and you are published by this, uh, you know, MFA focused cybersecurity company, Duo, which is pretty well known in the community.

[00:51:32] How do you maintain that kind of editorial firewall, uh, the, the sort of separation of church and state?

[00:53:41] I'm glad to hear it. I think it's important that it sounds like these said executives have a high degree of media literacy to kind of understand that yes, okay, just because Decipher isn't out there marketing Cisco essentially products or something doesn't mean that there's not value there both for the for the company, but also again to that community point writ large, which which is so important to just emphasize when you have something, uh, as, as tough to market, I put in quotes as, as journalism can be.

[00:54:08] Now, have you ever, have you ever considered starting a publication that wasn't about cybersecurity?

[00:54:57] Not when you just outsource it to AI, Dennis, that's it. And I'm just kidding.

[00:55:05] That's right. That's right.

[00:55:29] Yeah. That's fair. Rounding up freelancers or something for that doesn't sound like a fun spare time activity. Now, I'm glad you mentioned your fiction writing. You do have two published novels to your name, Motherless Children and the latest, Be Gone. How has your experience as a reporter and editor influenced your fiction writing?

[00:58:08] Okay. Okay. Ready to ready, ready to roll out? It. Got some working titles already or still? Still a little, uh, still a little too early to say,

[00:58:32] can we expect more juicy crime plotting related to it or, okay. Okay.

[00:58:43] If it ain't broke, don't fix it.

[00:58:48] Well, you did start off your journalism career covering crime too, which, uh, is, uh, interesting, because there are, you know, quite a few parallels between the cyber and crime world. I'd be curious to hear your thoughts on, you know, what similarities you see between those beats of violent crime and cybercrime.

[00:59:04] And, you know, there are, there are some places where they overlap, like, uh, Andy Greenberg's Tracers in the Dark book comes to mind of kind of the world of like cryptocurrency dark web marketplaces. And you do get these, you know, knock on the door, bang, bang arrests and all kinds of wild physical violence that can offshoot from that.

[00:59:23] Uh, what are your thoughts on those two disparate areas of crime?

[01:01:51] Yeah.

[01:01:55] Yeah, there's still that sense of impunity in some parts of the world where it's just people, criminals, feel empowered to carry out some of the worst, I don't even want to call them, I don't want to dignify them by calling them shenanigans, but worst crimes, I mean, ransomware in hospitals, attacking our critical infrastructure, it's really, it's grim out there, and you do weigh in on some of these heady security topics pretty regularly with your, uh, your own podcast, the Decipher Security Podcast, definitely encourage our listeners to give that one, uh, to check that one out.

[01:02:26] You've hosted an array of C suite level speakers. Do any memorable guests come to mind?

[01:05:14] And talking about, you know, circling back to the L0pht conversation, Cult of the Dead Cow was another one with so much sometimes unrecognized influence. And so, yeah, Joe's writing on that has been really impressive and illuminating. I mean, a certain Texas politician, uh, his revealing his connection to the, uh, to the Cult of the Dead Cow was, was, uh, quite a surprise for.

[01:05:38] Uh, yeah, well, I, for listeners, remind, remind us, what was his, I always blank on his name, the, um, Beto O'Rourke, of course, okay, thank you. I was like, I knew, I knew he, you know, people were following his campaign so closely and then it suddenly emerges that he's just this, like, ex hacker as well, it's kind of, kind of, uh, kind of out of left field, to say the least.

[01:05:58] Uh, so, you're, you're a writer and editor, I have to ask, Oxford comma, yay or nay?

[01:06:08] Okay, I don't know if this is ever going to air. I, I, uh, this just,

[01:06:55] I'm, I'm not a big sports fan, so maybe this is where I get my rivalry in is with the Oxford comma debate and I can, I can have something to cheer for and against, but, but thanks for being honest, at least, even, even if you're wrong. I appreciate the, the, the transparency there. Um,

[01:07:12] No. So finally, this is something that we ask of all our guests in the podcast, which is what's something that we wouldn't know about you just by looking at your LinkedIn profile.

[01:09:01] Well let, let the record show. I also, uh, grew up on an island, actually a little Sanibel. A little more accessible though, it sounds like, than, uh, than than Marshall Island. Yeah. So, uh, so now, uh, shoot, now somebody probably knows some security question, uh, in one of my, um, but so it goes. Well, thank you so much for sharing some of your, your insights on the security media landscape and your experiences that really appreciate having you on the show here.

[01:09:27] Great. So now we hang tight for a sec while the recording gets uploaded, and now I can ask you, who was the software vendor?

[01:09:35] Okay, now I'm like, I'm not surprised. There are only so many on the dartboard that you can try to pick, but, but, yeah, hard to confirm. Now, I, um, I feel you there. There was one that. Well, yeah, there's, there's a spicy one that I've, that I've still got in the back kicking around in the back of my head, rent free, that has to do with cyber attack on U.S. critical infrastructure that I'm just like, couldn't quite get it confirmed.

[01:10:01] And I'm like, and I'm like, Oh, it would be so, it would be like front page, New York Times. It would be so big. And it's just like, it's just not there. You just can't run it. Um,

[01:10:17] yeah.

[01:10:21] Yeah, it's just, just, just kicking ourselves. Uh, can't all be Will Turton or whatever. Although some of them, like the Bloomberg story, I don't know if that chipped story, everybody swears by it at Bloomberg. I, I, I just, I, I don't see it. I just don't see it. I don't know.

[01:10:58] Yeah, that's not good journalism. Yeah, kind of coming, coming with the conclusion foregone is not, is not the way to go. Yeah. Yeah. Yikes. Well, anyway, yeah, really appreciate it. Um, we'll have the edit off to you, uh, probably within a couple of weeks here, Zoe, would you say? Um, yeah, and, uh, yeah, we, you know, I think a lot of the topics we discussed are pretty evergreen.

[01:11:19] So we'll get this slotted in likely maybe late February, early March kind of timeframe for actually airing it live, well, live, you know what I mean, and pushing it, publishing it. So, so, uh, we'll keep you posted, give you a chance to review it and, uh, and yeah, I'll keep following the work you do over at Decipher.

[01:11:36] Um, it's great stuff. So yeah, brand, brand backed journalism, uh, unite, right? That's it. Oh,

[01:11:56] really? I don't, I'm not familiar with that.

[01:12:15] Oh, interesting. Wow.

[01:12:22] Huh.

[01:12:34] Well, speaking of, speaking of runners, is that Prefontaine in your, in your Twitter bio by the way? I was, I was, I meant to ask about that actually because, uh,

[01:12:45] no kidding. Too much.

[01:12:53] Nice. Yeah, he is a, he is a, he is a legend for sure. So, um, yeah, I'm, I'm a bit of a runner myself. I wouldn't say I ever got to the upper echelons of, uh, of Pre levels. I'm I'll, I'll, I'm, I ran one. I'm a one and done marathoner. I'm like, I ran one. I did it. That's it. I'm like,

[01:13:15] Yeah. Uh, well anyway, we'll uh, we'll stay in touch, and uh, thanks again, and um, yeah, maybe, where are you based? I, I, I totally forgot, uh, okay. Yeah, yeah. Got it. Well, don't be a stranger if anything brings you down to DC, I'm right in Cap Hill, so, um, definitely, uh, yeah, yeah, yeah, so, uh, to catch up sometime, talk shop.

[01:13:43] Yeah, yeah, it's a good, it's a good spot. Alright, take care. Bye.