I hate it when my friends argue.  Disagreement is fine, but when it gets to the point of high emotions and deteriorating listening skills, I get sad.  So when two of my friends, Josh Corman and Mike Dahn, started disagreeing and fighting after Shmoocon earlier this year, I was more than a little upset.  Both men are people I respect greatly, not only for their passion for security in general and PCI specifically, but also for their ability to see aspects of the industry that no one else sees.  And I usually respect their ability not only to form their own logical, reasoned arguments but to listen to and pull out the best of what other people are telling them.  So when these two started feuding, I was understandably upset.  Josh and Mike, while coming from very different viewpoints, both agree that the end goal is to make our industry more secure, no matter how we get there.

I wasn’t the only one who noticed the friction between these two.  Gene Kim, the creator and then CTO of Tripwire, had also noticed and included several comments about getting Mike and Josh to sit down and reconcile their differences in his presentation at BSides Las Vegas.  This was followed by Nick Owen (aka wikidsystems) offering $100 to donate to charity if Josh and Mike would ‘hug it out’, with a number of other people offering up donations if Mike and Josh would just hug and make out .. er.. make up.  And thus the idea for PCI Hug It Out was born!

The idea languished for a little while, until Gene approached me with an idea:  Tripwire had offered to support a project to help understand the stances Mike and Josh take on PCI, why they are so different, and where they both agree on what can be done to improve the security of the industry as a whole.  By understanding their differences and commonalities, we hoped that both of these outspoken proponents of security would be able to harness their energy to move us all forward rather than concentrating on each other.  Gene and I interviewed first Mike, then Josh, and thanks to Tripwire’s sponsorship, we were all able to meet in Orlando at the PCI Community Meeting and have a real face-to-face discussion about what can be done to improve our situation.

On top of everything else Tripwire has done, they’ve agreed to match the first $1000 worth of donations to the Electronic Frontier Foundation and Hackers for Charity!  These are both very worthy charities, and everyone who’s been involved with the project is glad we’re able to support them in this way.  We hope you’ll add to the donations that Tripwire and others are supplying and allow these organizations to continue their efforts.  Leave a comment here after you’ve donated, send an email to mhixson@tripwire.com, or use the hashtag #PCIHugItOut to let us know you’ve donated, and Tripwire will contribute as well.

The first installment is our interview with Mike Dahn.  Mike explains how he got into the PCI arena, a lot about his philosophy concerning PCI, and why he continues to support efforts to make PCI better.  The podcast is available from the Network Security Podcast site, or you can download it directly at http://traffic.libsyn.com/mckeay/PCIHugItOut-MikeDahn.mp3.  Next week we’ll be joined by Josh Corman to explain his viewpoint on PCI and how it’s driving the security industry, followed by the recording of our meeting in Orlando, FL the week after.  And yes, there will be photos of the final confrontation between these two industry exemplars.

Posted by martin, filed under Podcast. Date: October 4, 2010, 8:33 am | 9 Comments »

9 Responses

  1. IT Security, Compliance and Best Practices » Blog archive » Introducing the PCI Hug It Out Podcast Series Says:

    [...] the first podcast in the series with Mike Dahn here or over on the Network Security Podcast [...]

  2. jml Says:

    Can’t wait to hear the other side. As someone up to his neck in supporting IT-underfunded level-4s for whom payment acceptance is *so* not a core function (though it is important), I heard precious little from Mr. Dahn that was relevant to my merchants. I could offer him a very educational unpaid sabbatical, if he’d like to learn more about the realities of PCI compliance.

    Extra credit to him for exhorting people to communicate and collaborate about compensating controls and compliance patterns, and then being pretty much unable to explain *where*, except in secret-sounding QSA cabals.

    If there’s one thing that would make my merchants’ lives better in the short term, it’s having an addition to PA-DSS that would *clearly* expose whether a given app was going to operate under Validation Type 4 or 5. Extra credit if any application that fielded an installed cost of less than $50k would be required to function as Val-4 or lower. But at least the val-type label would save me some time with app vendors who lie about merchant PCI requirements with apps storing CHD after authorization.

    Like I said; can’t wait for the next installment. If this is a grudge match, I’m bound to like something I hear next time.
  3. IT Security, Compliance and Best Practices » Blog archive » #PCIhugitout Charity Update Says:

    [...] looking for donations and there is still more of this story to tell. Be sure to check out the Network Security Podcast and stay tuned here for more details on how this all plays out. If you want to donate, you can email [...]

  4. Network Security Blog » PCI Hug It Out – Interview with Josh Corman Says:

    [...] week Gene Kim and I interviewed Mike Dahn about his views on PCI and why it’s important to him.  This week we get to talk to Josh [...]

  5. Network Security Blog » PCI Hug It Out: Face to face in Orlando Says:

    [...] give you a quick recap, this is the third of a three part series (Part 1, Part 2) being sponsored by Tripwire called “PCI Hug It Out”.  In Part One, [...]

  6. Mythbusting PCI Compliance - Security Wire Weekly Says:

    [...] it out” Network Security Podcast:  This is the third of a three part series (Part 1, Part 2) being sponsored by Tripwire called “PCI Hug It Out”.  In Part Three Gene Kim, Mike [...]

  7. IT Security, Compliance and Best Practices » Blog archive » PCI Hug it Out: Face to Face (Finally) Says:

    [...] part one of our PCI Hug it Out podcast series, you heard Mike Dahn speak about his views on PCI and why [...]

  8. IT Security, Compliance and Best Practices » Blog archive » Part 2 of the PCI Hug It Out Podcast Series Featuring Josh Corman Says:

    [...] post we talked about the start of this podcast series and what we are hoping to achieve.  In the first podcast you heard from Mike Dahn and in part two you hear from Josh Corman.  Josh is the Research Director [...]

  9. IT Security, Compliance and Best Practices » Blog archive » PCI Hug it Out Charity Update 2 Says:

    [...] case you missed it, the first podcast with Mike Dahn and the second one with Josh Corman have already been posted. You can go to Network Security [...]
