Episodes

  • And the winner is .... 'lowest compliance effort'
    Feb 5 2026

    In this episode, Felix continues his conversation with David Rogers (Copper Horse) about the latest State of Vulnerability Disclosure report and why “what counts as IoT” is messy. They explore how consumer devices end up everywhere (including factories), how category labels can become compliance loopholes, and why good vulnerability disclosure needs more than a generic support page. David also shares concerns about the EU Cyber Resilience Act drifting toward tick-box compliance, and what that could mean for product security teams and, ultimately, all of us. Plus: the report’s dataset is open for anyone to check.

    17 m
  • Ever heard of an insecurity canary?
    Jan 26 2026

    In the first of this two-part episode, Felix is joined by David Rogers (Copper Horse) to unpack a surprisingly powerful way to measure IoT security: vulnerability disclosure policies. David shares what eight years of research reveals about how easy (or impossible) it can be for security researchers to report flaws. We discuss why the lack of a clear route to report vulnerabilities to a vendor is an “insecurity canary” and how security researchers and businesses struggle to get along without enabling easy communications on these topics. We dig into the results from the Copper Horse annual report, the impact of new regulation, and why retailers might be the hidden force improving the market. Plus: the long tail of ultra-cheap devices, and why security shouldn’t be a luxury.

    22 m
  • OT Threats, Penetration Testing, and Resilience
    Jan 21 2026

    In this episode of the You Gotta Hack That podcast, the conversation continues with Emily, a principal industrial cyber security consultant, as they delve into the real-world threats facing operational technology (OT) environments. The discussion highlights the inadequacies of traditional IT penetration testing when applied to OT networks, emphasizing the need for tailored approaches that consider the unique vulnerabilities and operational realities of these systems. Emily and Felix explore the concept of dwell time, illustrating how sophisticated attackers can remain undetected within networks for extended periods, gathering intelligence before launching attacks. They stress the importance of understanding actual risks and the necessity of continuous monitoring and testing to ensure robust cyber security measures are in place.

    25 m
  • Demystifying ISA 62443
    Jan 12 2026

    In this episode of You Gotta Hack That, Felix sits down with Emily, a principal industrial cyber security consultant and former national utility cyber lead, to demystify ISA/IEC 62443. Why do so many teams treat it like a silver bullet and why does that backfire fast? Emily breaks down what 62443 actually is (spoiler: it’s a family of standards), why “be compliant” isn’t a requirement, and why maintenance matters as much as deployment. If you’re trying to secure OT environments, this one will help you focus on what to do first.

    And don't forget to check out our training courses to get hands-on and nerdy.

    24 m
  • The implications of phone theft
    May 8 2025

    In this episode, Felix and Alex discuss the alarming rise of phone thefts in London, sharing personal anecdotes and insights into the implications of losing a device. They explore security measures, user behaviors, and the broader impact of identity theft in today's digital age. The conversation emphasizes the importance of enhancing phone security and being proactive in protecting personal information.

    18 m
  • Autonomous ships, cyber security and the workboat code
    Apr 17 2025

    In this conversation, Felix and Oli discuss the development of a hydrogen-powered uncrewed surface vessel (USV) and the associated cybersecurity challenges. They explore the importance of integrating cybersecurity measures from the outset, navigating regulatory frameworks like Workboat Code 3, and the ongoing challenges of ensuring compliance and safety in a rapidly evolving technological landscape. The discussion highlights the need for thorough documentation, the role of regulations in shaping industry practices, and the future of cybersecurity in maritime technology.

    19 m
  • Attacking Santa's Christmas deliveries
    Dec 18 2024

    Felix and Alex discuss the attack surface and disruption opportunities for a cyber attack against Santa's Christmas delivery schedule.

    20 m
  • Railways and trains
    Feb 20 2024

    Most people think of trains and railways as being great big lumps of metal that (hopefully) whizz along long shiny tracks, but it turns out they are incredibly complex and have a broad attack surface!

    Email Felix using helpme@yg.ht

    Find You Gotta Hack That on X @gotta_hack

    21 m