I’ve been listening to a podcast called Security Now for a few weeks now. It features security guru Steve Gibson and Leo Laporte (who also hosts another podcast I listen to called TWiT (This Week in Tech)). Gibson is also the author of a hard disk recovery and maintenance tool called Spinrite, and in each SN episode, he reads an email or two from a Spinrite customer talking about how they lost tons of data when their hard disk failed and how Spinrite got it all back for them. This is not security-related in the least, but other podcasts have commercials as well, so it doesn’t really bother me. The podcast itself is pretty good — it’s not super technical (i.e. it’s not directed toward security programmers) but it’s not dumbed down either. Every other episode is Gibson answering questions from listeners regarding everything from online authentication (i.e. when using paypal or stuff like that), to disk encryption to browser security (like cookies and such) to spyware, malware, and viruses.

Last week, I heard of another security podcast called PaulDotCom Security Weekly, so I thought I’d give that a listen as well. My first impression was not very favourable.

Before I go any further, I should say that I’m no security expert, but I am relatively knowledgeable in the area. Computer security has interested me for a number of years, and I am one of the de facto security people at work. I have written (and re-written) pretty much all of the database and communications encryption code in the SQL Anywhere server and client software, and I’m also responsible for other security-related things like permissions, authentication, and auditing. My point is that I’m not ready to start my own security podcast anytime soon, but I am able to at least keep up.

Back to PaulDotCom. The hosts introduced themselves and one of the first things they did was talk about what beer each of them was drinking at the time. Immediately after that, they made fun of Security Now and Steve Gibson by referring to Security Now as a “Spinrite commercial” (and they’re not far off with that, I suppose), and played a bunch of clips from various SN episodes — each clip was one where Gibson had lost his train of thought, or said “um…” a couple of times while trying to think how to say what he wanted to say. Of course putting all the clips together made it sound like Gibson was some moron who didn’t know what he was talking about. On top of that, they are now sponsoring a contest for listeners of PaulDotCom to come up with videos or whatever talking about how they “made the switch” from Security Now to PaulDotCom. This is not a great strategy for first-time listeners — if the first thing you do in your podcast is tell me how much better than the competition you are, you’ve just set your own bar pretty high, and now you have a lot to live up to. They seemed to spend an inordinate amount of time talking about how their podcast is so much better than SN, but it was twelve minutes into the podcast before they actually discussed something security-related. It also seemed a bit hypocritical to talk about SN being a Spinrite commercial, since they asked every guest they had if there was anything they wanted to hawk, like websites or products or anything, and even came right out and said “if you’re looking to hire computer people, send us an email, we know people who need work”.

The word “professional” did not come to mind at all during this podcast. As I mentioned before, one of the first things they did was talk about what beers they were drinking during the podcast. They seemed quite proud of the fact that they were doing this, and referred to it a couple of times later as well. One of them made a simple mistake and amid laughter, one of the other guys jokingly suggested he “have another beer”. Making fun of Gibson and SN was childish (though I did find it quite funny), and there were even a few curse words in there as well. I have no huge problem with cursing in general (as long as my kids aren’t going to be listening), but again, it doesn’t exactly scream “professionalism”.

The weird thing is that it seems to me that PaulDotCom and SN aren’t aimed at the same audience. While SN is aimed at anyone who is interested in technology and security and familiar with computers (but isn’t necessarily a programmer or IT professional), PaulDotCom seemed to assume a much higher level of knowledge. They had a pretty interesting interview with a guy that works on analyzing (i.e. reverse engineering) malware, and how some of the more advanced malware programs try to avoid being detected and also avoid being reverse-engineered by covering their tracks, changing their behaviour if they think they’re being debugged, and even modifying themselves. But they got way into the technical details of how this is done, which I found interesting, but I suspect many SN listeners wouldn’t. They also talked about some other web-based attacks and how they could be defeated, and got into some details on specific routers (i.e. they mentioned specific model numbers and what kind of firmware they were running and so on), but some of these discussions assumed a level of knowledge above my own, and they certainly didn’t stop to explain what they were talking about. The guys at PaulDotCom are certainly knowledgeable, but they seem to assume your level of security knowledge is the same as theirs. Rather than a bunch of security experts explaining things to people less knowledgeable than themselves without talking down to you (which is what I find Gibson does pretty well), this was more like eavesdropping on a conversation between a bunch of security experts who don’t care if you are listening.

If you are a programmer directly involved in writing some kind of anti-virus, anti-spam, or anti-spyware software, then this is probably a pretty good podcast for you. It’s probably the best security podcast for people who are already security experts. For the rest of us, Security Now seems like a better choice, if you have to choose only one. Even with my aforementioned experience in the field of computer security, I still found myself glazing over during parts of the PaulDotCom podcast, because they’d start talking about stuff with no background for those who were unfamiliar with the terms they were using. I mentioned before that Security Now isn’t dumbed down, but having said that, there are certainly times when I glaze over during that podcast as well, because Gibson is going into great detail explaining what a “cookie” is or something like that. But I’d rather skip stuff because I already know it than have to skip stuff because I don’t understand what the hell they’re talking about. To be fair, I will probably continue listening to PaulDotCom at least for a while, because I did find it interesting for the most part. I’m not trying to “defend” Steve Gibson and Security Now, but the next few PaulDotCom episodes better be pretty darned interesting, because the whole “we’re better than Security Now” thing just turned me right off. Since that was the first thing they talked about in the podcast, well, you know the whole thing about first impressions.

Update (Feb 4): I listened to the next episode of PaulDotCom on the way to work this morning, and felt obliged to update this entry, because the next episode was really interesting, and I quite enjoyed it. There was almost no mention of beer and no cursing. They mentioned Security Now but only in reference to their contest. There were a few off-colour sexual innuendo-type jokes, but no big deal. The technical stuff was at a lower level (and by “lower” I mean more technical in nature — definitely aimed at developers and security professionals) than Security Now, which as I mentioned is more aimed at security-conscious people who are not necessarily security pros. I haven’t “made the switch”, in that I still enjoy listening to Security Now as well, but unless the second episode was the anomaly and most episodes are like the first one I listened to (which seemed less focused than this one and I didn’t enjoy as much), I’ll continue listening to both. My first impression of PaulDotCom may not have been very favourable, but my second was pretty darn good.