cje + The RSnake Show!

I've known Robert (Rsnake) Hansen for a decade or more "via the interwebs" and it was a pleasure to sit down with him to record an episode of The Rsnake Show at Blackhat this year. If you're not familiar with The Rsnake Show, it's a long-form conversation where Robert (who is, incidentally, one of my favorite intellectual expeditioners) pretty much drives the bus and explores all of the things he has ever wanted to ask the interviewee.

Recording this was a tonne of fun and we cover a LOT of ground - there's a general theme of system-level thinking, vulnerability and transparency, and the personal pursuit of potential through things like entrepreneurship. It's very much a backstory and #thoughtops conversation where I share a lot of my fundamental beliefs and discoveries around security, criminal creativity and economics, and how I believe the human/machine interface works.

Today's episode takes us to Las Vegas, Nevada, where I had the pleasure of meeting up with Casey Ellis during the Blackhat security conference. A pioneer in information security, Casey opens up about how he ventured into the realm of bug bounties and went on to create BugCrowd, the first crowdsourced vulnerability assessment company. From detailing the inception of BugCrowd to explaining how it altered the economics of finding bugs, Casey provides an insightful look into the ever-evolving landscape of information security. Our conversation goes beyond just bug bounties.

We delve into the nitty-gritty of the industry's reaction to BugCrowd, explore the changing market dynamics in Infosec, and discuss the role of AI and its fragility in security. Casey also shares his personal experiences with entrepreneurship, mentoring, and his perspective on vulnerability in both the digital and physical world. Join us for this enlightening conversation with Casey Ellis, where tech meets entrepreneurship in a world brimming with secrets and discoveries.

0:00 Intro

2:52 Casey's backstory

13:33 Presidential vehicle and car hacking

15:59 How BugCrowd came to be

19:41 How the math and diversity works for the crowd

23:48 Responsible disclosure debate

29:00 Typical bug bounty program laid out

35:57 Bug bounties from the crowd's perspective

40:17 Metrics on bounties

41:38 How payments work for the crowd

47:00 How did the industry react to BugCrowd

58:22 How the market has changed in Infosec

1:07:54 Improving policy for security researchers

1:17:28 AI's role and autonomous Infosec

1:28:45 AI defense and fragility

1:31:42 The cottage industry of finding security flaws

1:35:37 Vulnerability in the physical world

1:46:00 Fledgling security entrepreneurs

1:48:57 What Casey isn't good at

1:51:56 What's next for Casey

1:56:03 Outro