Episode Transcript
0:00
This week, David
0:02
Hunt from Prelude is with us to discuss scientific
0:04
approaches to security testing. Then
0:06
Jerry Bell, the man behind infosec's newest
0:09
community water cooler, infosec.exchange,
0:11
joins us to talk about the state
0:13
of infosec culture and recent
0:15
Mastodon migrations. Finally,
0:17
in the enterprise security news, security
0:20
funding is back baby. Security
0:22
unicorn layoffs continue though. We
0:24
talk zombiecorns, IronNet
0:26
struggles. Netflix acquires comedian.
0:29
We talk breaches: LastPass, Rackspace,
0:31
Okta via GitHub, Slack via GitHub.
0:34
GitHub announces 2FA improvements. I
0:36
wonder why. AI
0:39
generates insecure code, cyber
0:42
insurance challenges, and Fyre
0:44
Festival fraudster funding more
0:46
frauds. All that and more on this episode
0:48
of Enterprise Security Weekly. This
0:53
is Security Weekly. For security
0:55
professionals, by security professionals.
1:01
Broadcasting live from G-Unit Studios
1:04
in Rhode Island. It's the show where
1:06
we talk security vendors and are unafraid
1:08
to name names. It's Enterprise Security
1:10
Weekly.
1:12
The cybersecurity landscape is full of
1:14
single solution providers. Making it
1:16
easy for unexpected cyber threats to
1:18
sneak through the cracks. That's why Fortra is
1:21
creating a stronger, simpler strategy
1:23
for protection one that increases your security
1:25
maturity while decreasing the operational
1:28
burden that comes with it. This is all possible
1:30
thanks to a best-in-class portfolio
1:32
and a deep bench of expert problem
1:34
solvers. Fortra's integrated, scalable
1:37
solutions help customers face their toughest
1:39
challenges with confidence. Learn
1:41
more at securityweekly.com/fortra.
1:43
Welcome
1:48
to Enterprise Security Weekly and Happy
1:50
National Bird Day. This is episode
1:52
three hundred and one recorded on Thursday,
1:54
January fifth twenty twenty
1:56
three. I'm your host, Adrian Sanabria,
1:59
and joining me is the master of
2:00
marketing, the mayor of mayhem, Tyler Shields.
2:02
How are you, Tyler? You know, Adrian,
2:05
I was this close half tempted to
2:07
showing you the bird. And then was like, no, that might
2:09
be over there. That would have been great. Really
2:11
gonna
2:12
do it. I was close. I would appreciate
2:14
it. I I mean, sixty
2:15
percent of our audience wouldn't have known just,
2:17
you know, so yeah. So they would just
2:19
heard you laughing at at randomness.
2:22
I got you. But, no, I am Yeah. What's what
2:24
what's your favorite bird? My favorite bird is is
2:27
Tweety Bird from Snoopy. My
2:29
favorite bird is the Grackle. If
2:31
you've ever watched the Grackle cackle. They're they're
2:34
hilarious. They're
2:36
they're nature stand up comics. Yeah.
2:39
Look look at videos of Grackle. They're just
2:41
absolutely not really fumbling in the background
2:43
for sure.
2:44
Alright. Tyler, I need to call shenanigans.
2:46
Did you really just call Woodstock Tweety Bird?
2:49
Damn it. Oh, you
2:50
were so frightened. You knew who I meant, but ESW, you're
2:53
right.
2:53
I knew you meant it. Woodstock is great.
2:55
Woodstock is
2:56
well managed. Controversy right
2:58
at the beginning of the show. Indeed. Twenty twenty
3:00
three starts strong. Let
3:02
me finish the introductions here before we get into
3:04
too much more. We also have
3:06
the Czar of Zero
3:07
Trust, the captain of content, Katie Teitler.
3:10
How are you, Katie? I'm
3:12
well. I also do
3:14
like Woodstock, and
3:16
Woodstock is not Tweety Bird, but fun
3:18
fact. Depictions of birds
3:20
freak me out. Real? Okay.
3:22
But depictions of birds? No.
3:25
I'm just gonna, you know,
3:27
get what you mean by depictions. Oh, oh, you
3:29
mean like cartoon birds? pictures
3:33
of birds, statues of birds. I was
3:35
once at a wedding with an ice sculpture of a
3:37
bird. That was the creepiest thing. I think I'd
3:40
ever seen in my entire life. Were
3:42
they upset when you knocked it over? When
3:45
I kicked it and smashed into pieces? Yeah. No.
3:50
It was like it's doing a split high
3:52
iceberg. It was -- Oh. --
3:54
so creepy. I
3:56
don't don't know why you would find that creepy. That's
3:58
that's fascinating to me.
4:00
But
4:01
I guess, however It was creepy. It
4:03
was not as cute as Woodstock. So
4:05
-- Alright. -- so the other thing I wanna add to our bird discussion,
4:08
because I know a goose is gonna be like, we gotta get
4:10
to the real meat of this. But the other thing I wanna add
4:12
to the bird discussion is birds are not
4:14
real. Does anyone recognize that
4:16
meme? I do. Yeah.
4:18
Birds aren't real. It's it's a thing. There
4:20
there are actually robots robots installed
4:23
by the US
4:23
government. So just remember I
4:25
believe in our wheel. What
4:27
about all those dead birds that cats dragged
4:29
to my back door?
4:31
Fake. They're all fake. That's fake news. That's
4:33
fake news. Okay. Yeah.
4:36
I've I've had I've had cats. I've
4:38
had clean up quite a few quite a
4:40
few
4:41
that were were not quick enough to escape
4:43
the the orange tabby. I
4:46
guess the
4:46
cats don't like me because I don't
4:48
have a cat. There's a bunch of cats in the
4:50
neighborhood and they just keep I
4:51
I don't know. Maybe maybe it's a
4:53
sacrifice or or a gift that they
4:55
think they are providing to the back of my house.
4:58
You're
4:58
just giving off weird dog vibes. Yeah.
5:01
Definitely the dog. Do cats like
5:03
to they they think of them
5:05
as gifts, so they're trying to win you
5:07
over? It
5:08
hasn't happened yet, cat. Sorry if you're
5:10
listening. Did you think even for a moment,
5:12
Adrian, that this would have been, like, a massive
5:14
opening to the show? No.
5:17
Not at all. I thought this was gonna be a
5:19
quick one. Like, so I I do
5:21
wanna give a shout out for
5:23
National Bird Day to an app called
5:25
Merlin. Because there's there's a
5:27
bird I actually thought were bats because
5:29
I only heard it, like, right at dusk,
5:32
you know, in the in the early evening.
5:34
And I just could not figure out what
5:36
these birds were. And I found this app
5:39
that I think is made by a nonprofit
5:41
or a university called Merlin. And
5:44
you can just hit record in
5:46
this app. And, like, in
5:48
seconds, if you record a
5:50
bird sound. Like, it's identified it
5:52
right away. It's taken that recording. It's
5:54
matched it to a database. And
5:56
and you can help and you you can help update
5:59
their database with new bird
6:01
sounds and I think they can ID by
6:03
photos as well and
6:05
found out it was a killdeer.
6:06
This is the name of the bird.
6:09
So -- Shazam for bird noises.
6:12
Shazam for birds. Yep.
6:15
I will say that orioles, I'm sorry,
6:17
not orioles. Cardinals do not like it when they when
6:19
you replay their birdsong through
6:21
like a Bluetooth speaker, they get very confused. Oh,
6:23
yeah. Oh, yeah. Yeah.
6:25
No. I I I've thought about that. I've I've wondered
6:28
about mess and missing
6:30
birds. Yeah. I put a Bluetooth speaker
6:32
up near the roof, and they kept flying in
6:34
and, like, dive bombing it. They did not understand
6:36
what the interloper was in the neighborhood.
6:38
I bet. Oh my god. That's funny.
6:40
Alright. And as you've heard speaking.
6:42
We also have the Baron of Bloodhound, the pirate
6:44
king of PowerShell, Sean Metcalf,
6:46
is with us as well. Hello
6:48
all. And my favorite bird is the
6:50
cassowary because it's probably one of the closest
6:53
birds to a modern day
6:55
dinosaur. Looks like it's
6:57
designed to headbutt the headbutt the
6:59
crap out of you if you know it. Yeah. And it's got
7:01
sharp claws like a velociraptor, which
7:03
is my favorite dinosaur. that
7:06
that's that's a pretty bad ass
7:08
bird pick, I have to say. Alright.
7:11
We got a quick announcement here. You can
7:13
join our Discord channel and talk
7:15
about your favorite birds or dinosaurs.
7:18
And you can chat with host ESW questions
7:20
during the show and do all
7:22
kinds of fun stuff on there. You can go to
7:24
securityweekly.com/discord
7:26
to receive an invite to our
7:28
discord server. Alright. And
7:30
today, we are talking about not
7:32
not birds anymore. We're gonna leave that behind.
7:34
We're talking about scientific approaches to security
7:37
testing. We're excited to have David
7:39
Hunt, co founder and CTO with
7:41
Prelude with us today. David
7:43
has a career spanning many industries, including
7:46
enterprise aerospace, and operational
7:48
technology. Prior to Prelude, he
7:50
led the team that built MITRE Caldera,
7:52
which if you have dived into
7:55
adversary simulation or security
7:57
testing at all, you're probably familiar with that
7:59
project. Welcome to the show
8:01
David. Thank you
8:03
very much. Happy to be here. I am
8:05
kinda in the background trying to figure out how to spell
8:07
Grackle. So if anybody has that exact
8:10
spelling, just shoot it over.
8:11
It's like crackle, like like the video
8:13
service crackle but with the
8:15
g. Yeah. It's just perfect.
8:21
Yep. So that's yeah.
8:23
I ESW, feel free to share
8:25
your favorite bird if you want to do that before
8:27
we we we move into
8:28
this. The introduction. So
8:31
my favorite bird is a I mean, it's not gonna
8:33
be the most exciting. I don't think out of it
8:35
today, but a cardinal which already came up,
8:37
but it's actually helpful to know that there
8:39
are tips and tricks I can use with the cardinals in
8:41
my backyard to, let's say, get to
8:43
know them better. So I really appreciate
8:45
that color. What
8:47
is it you like about cardinals? Is it like an
8:49
aesthetic thing or something that they
8:51
do? Totally color. I
8:53
love the red color. The blue jays
8:55
are also with the list. Yeah. I love love
8:57
red. Nice.
8:59
Nice. Yeah. Color
9:00
wise, I love eastern bluebirds, but
9:03
we will move on from birds.
9:06
So this is actually
9:08
one of my questions. You want to.
9:11
This is this is actually one of my favorite
9:13
topics. So I I
9:15
actually so I started a
9:17
company back in in twenty seventeen with a good
9:19
friend of mine, Kyle. And,
9:21
you know, we we quickly
9:23
observed, like, the whole idea of the company was
9:25
to reimagine consulting
9:27
services if we were just gonna do it from
9:29
scratch. And things we found is that, you
9:31
know, people just don't don't
9:33
realize what they've gotten wrong. They don't know how
9:35
to prioritize on the defense
9:37
side. And a lot of our customers
9:39
were small and medium sized companies. So if they
9:41
had any security staff, they had one to
9:43
three security staff, some smaller companies
9:45
here. And so we we
9:47
designed some services to help them,
9:49
you know, test their
9:51
defenses, you know, not like from a
9:53
ESW perspective, but I guess more of like a
9:55
a purple team, what you call a purple team
9:58
perspective back then, which
10:00
I I think has evolved somewhat. And
10:02
that's the reason David, I wanted to have
10:04
you on, is I'm very
10:06
interested now that I'm seeing some companies
10:08
focusing more on testing
10:10
security teams and testing security
10:12
environments and making sure everything works
10:14
correctly. Because every time I
10:16
analyze, I I I do like
10:18
post mortem on a breach or something like that.
10:20
Almost every single time there's just
10:22
stuff misconfigured. People don't
10:24
know how to find alerts in their environment.
10:27
You know, just basic stuff that that practice
10:29
ESW testing would would fix. Is that the
10:32
same thing that kind of like, may maybe
10:34
if you wanna talk about how you got drawn
10:36
into MITRE
10:37
Caldera, you know? And then maybe take us
10:39
into Prelude from there.
10:42
Absolute yeah. Absolutely. I think
10:44
in a large way, just to touch
10:46
on one of the things you're mentioning, we've
10:48
been stuck in the industry for for quite a
10:50
while in react being reactive to
10:52
what's going on. So in a large
10:54
way that's centered around topics like CVEs,
10:57
around patches, and vulnerabilities, something
10:59
comes out. We have something very specific that
11:01
comes out when a CVE number
11:03
is it it is published
11:05
and released. We get a product and
11:07
we have a version of that product. That
11:10
becomes the target. We look in our
11:12
environment. We're very reactive. It takes us weeks to
11:14
find and patch all of those things.
11:16
Meanwhile, the rest of the environment is
11:18
wide open. And so we've kinda gotten
11:20
used to in cyber security to
11:22
reacting not being proactive. And
11:25
testing is all about kind of moving
11:27
that forward and being proactive with how you
11:29
locate things, the structure and
11:31
process to to how you actually do
11:33
that. And that's kind of the missing
11:35
component that we've for for quite some time in the
11:37
industry looking back
11:39
over the years. And so for me personally,
11:41
I think
11:43
I started to really, I think, formulate
11:46
a lot of my ideas and
11:48
opinions on the matter when I was at
11:50
MITRE on the
11:52
Caldera project. And what brought
11:54
me to MITRE originally to to take on
11:56
that work was
11:58
the lack of efficacy
12:00
in defensive products. And
12:02
so what I mean by that is
12:05
there's a significant amount of defensive
12:07
products that exist anti virus,
12:09
EDR, WAF, there's all sorts of
12:11
technologies that exist to protect
12:13
us. And what we don't
12:15
have are any ways to make rational
12:17
decisions about which ones aren't
12:19
working well for us, which ones aren't configured
12:21
correctly. We're in a lot of cases, which ones
12:23
are even installed in the first place. So in
12:25
a large environment, it can be tricky to even
12:27
understand where you have coverage even
12:29
a little bit.
12:33
So when I was formally at
12:35
CRA, which which owns the Security
12:37
Weekly podcast. One of the things I I had
12:39
built was product
12:41
testing. You know, so also
12:43
in the questioning, like like, I
12:45
I have my suspicions and and, you know, I was
12:47
trying to figure out how do how do we do this? You
12:49
know, in in the b to b enterprise space. Like,
12:51
with consumer stuff, it's easy. You you go to
12:54
Best Buy, you know, or Amazon or something
12:56
like that. You buy a product. You
12:58
know, you you test it, you review it,
13:00
you publish the the results.
13:03
Even with a car, you can do that. But in
13:05
enterprise security, you know, getting your hands on a
13:07
license for a lot of these products is
13:09
not an easy task. You know, you you
13:11
basically have to work with the company. They have to be comfortable
13:13
with you doing the testing. And I've
13:15
always had my suspicions, like, I wonder some
13:18
of these products even when configured
13:20
correctly. You
13:22
know, do they work at all? You
13:24
know, and some some of my experiences
13:27
doing that
13:27
testing, the the answer is is no. I
13:30
even in in ideal environment, I'm
13:32
not sure some of these products really
13:35
deliver in, you know, what what they say they do
13:37
in the box, which is important to know.
13:39
Yeah.
13:39
And that that that's the big thing is
13:41
is there actually is no way at scale
13:43
to understand that. And it's funny
13:45
that you mentioned Best Buy actually because an
13:47
example I like to give is this this
13:49
triggers all the way down the consumer side
13:51
to the enterprise side and even
13:53
into the government side, which is if
13:55
I walk into Best Buy today, you or I
13:57
walk into Best Buy and are, like, need to buy a
13:59
laptop, grab one off the shelf, pick
14:01
it out, and we say we wanna buy an
14:03
antivirus to go along with it. We
14:05
as consumers, even at that level, that individual
14:08
level, we have no way to determine
14:10
or pick which AV that we want
14:12
to use outside of
14:14
things Like, well, which color kinda
14:16
resonates the best with me today? There
14:18
isn't anything that will guide me to a a
14:20
rational decision.
14:22
Yeah. Yeah,
14:24
definitely. So, yeah,
14:27
so kind of moving into you
14:29
know, I I I think for me, the big question
14:31
is, like, we know we have this gap here, you
14:34
know, but if if you go
14:36
through PCI, if you go through some of
14:38
the regulations and and even some of the
14:40
standards we have, you know, there there's
14:42
not really you know, like
14:44
like, one of the things I was I was
14:46
doing recently is putting together
14:48
a cloud IR checklist recently.
14:50
I
14:53
was looking at some of the old ones that I
14:55
was replacing. And
14:57
and none of them say anything about
14:59
testing. You know, with AI with
15:01
IR and disaster
15:03
recovery and and BCP and things like that
15:05
especially. You know, it's my experience
15:07
that if if you haven't
15:09
actually done it, you have maybe
15:11
accounted for fifty percent of the things you need to
15:13
do for it to go smoothly. you
15:16
know, I think that applies to security
15:18
defenses as well. So so how do how do
15:20
we, you know, aside
15:22
from bringing a product to market and trying
15:24
to educate people? Do
15:26
do you see an opportunity
15:29
for for compliance or
15:31
regulation to to come in here and say,
15:33
hey, no, this is actually something that
15:35
everybody should do. Or or or does some of that
15:37
already exist and maybe I've overlooked it?
15:39
Yeah. It's it's
15:42
interesting. I think we're gonna see a lot more of that
15:44
happening. So driven through policy,
15:46
driven through compliance, and I think a lot of
15:48
things that we've seen, you know, we've seen some evolution
15:50
in this occurring with how the rapid
15:52
pace to at least how public
15:54
some of the attacks recently have
15:56
been in the news ransomware attacks obviously
15:58
getting getting quite a bit of attention.
16:00
And a lot of these are taking advantage
16:02
of of not zero days, things that are
16:04
unknown, but taking advantage of things
16:06
that are already known, things that if
16:08
we had done proactive testing and environments
16:10
we'd be ahead of and patching and
16:12
fixing issues. And so, yeah, I think a lot of
16:14
these a lot
16:16
of the desire to do
16:18
continuous security testing upfront is
16:20
going to be driven through policy and compliance.
16:24
Yeah. ESW
16:27
we've talked about, you know,
16:29
how to convince people that this is
16:31
something that they should do. And
16:33
we've already seen a lot of different
16:35
both open source and commercial
16:37
efforts to to
16:39
you know, bring this to people to to
16:42
productize it. So so
16:44
let let's kinda shift
16:45
there. You know, how what is
16:48
you know, and and there's several use cases here. Right?
16:50
Like like, I often separated it into
16:52
functional testing versus
16:55
I forget what I called the other kind of
16:57
testing, but But basically, the way I think of it
16:59
is is the control actually
17:01
turned on? Is the email actually getting
17:03
somewhere very functional
17:06
testing? You know, is the port or
17:08
or, you know, is is the sensor plugged
17:10
into the right SPAN port? That kind of very
17:12
simple, like, on off
17:15
you know, you know,
17:17
the the the the toasters are plugged in
17:19
type situations. And then you have
17:21
the much more difficult side of
17:23
it, which is emulating
17:26
adversaries and and saying not
17:28
only can you detect an
17:30
attack, but can you detect a
17:32
sneaky attack or a sneaky attack, you know,
17:34
and kinda stepping up
17:36
the level of efforts there. So
17:38
so how do you approach that
17:40
with with a product and and with
17:42
customers? Do do you separate those out
17:44
into separate things? Or does
17:47
the, you know, the the adversary
17:49
emulation stuff also
17:51
serve as the functional testing? Is it not necessary to do
17:53
both separately?
17:55
Yeah, I think
17:56
it's been an evolution, actually. So
18:01
the way testing has kind of evolved in
18:03
the security space has included areas like
18:05
penetration testing for trying to
18:08
find vulnerability isn't kind of the penetration
18:10
of the network, the the perimeter of the
18:12
network itself. Vulnerability
18:14
scans have have kinda dominated that space
18:16
for locating things. That's
18:18
been very proactive. And then you have what you've
18:20
mentioned, which is more in the red teaming space, in
18:22
the purple teaming space, which is,
18:24
hey, I've been with understanding
18:27
how my network and my
18:29
environment would react if this
18:31
particular APT were to come
18:33
in or if this particular type
18:35
of behavior were to happen in the environment. I
18:37
wanna know how we would react, what alerts
18:39
would trigger, how our defense would would
18:41
actually hold up. And
18:44
that's kind of the the current way
18:46
that a lot of modern organizations are
18:48
running now, which is bring
18:50
in the purple team, bring in the red team, and
18:52
them to test everything continuously
18:54
but also manually. There's a little bit of autonomy that
18:56
goes in there when it comes to
18:58
some systems like Caldera, for example,
19:00
that can be set up. But
19:03
that testing is still
19:05
what I'd call
19:07
almost random, which is if you're
19:09
tasked with emulating a particular APT,
19:12
you can get a playbook of what they're used to doing.
19:14
But what you do is a purple team or a red
19:16
team or is you grab sort of random
19:18
behaviors that they that they're known to
19:20
do. You apply them in the network and you try to
19:23
bypass your defense, but there isn't a rhyme
19:25
or reason and there's a lot of
19:27
nuance between one particular command
19:29
that you could run in an obfuscated version
19:31
of that. So there's a lot of cat and mouse that
19:33
happens in red teaming and purple teaming. Which
19:36
is incredibly critical, very, very important
19:38
role, but it's hard to scale. So when it
19:40
comes to how do you actually turn that into a
19:43
product, you can actually work on scaling, get it out, make it
19:45
more accessible to more people. I
19:47
think you have to add a little bit of structure
19:49
on top of that. And
19:51
so what we've been focused on is can we
19:54
apply what we call a rule,
19:56
which is basically a surface
19:59
area on a particular type of
20:01
device, call it a Windows
20:03
laptop or or, you know, a Linux
20:05
server and say, hey, can we
20:07
define a surface area on
20:09
that machine And can we
20:11
write automated tests that are targeting
20:13
that particular piece of surface
20:15
area for known knowns? An
20:17
example of that is kind of
20:19
the traditional example, which is, will my
20:22
defensive product quarantine
20:25
a known malicious office
20:27
macro document. And we
20:29
target that test. It should catch it every
20:31
single time if the defense is on and
20:33
and configured correctly. And you
20:35
turn that test on and say run this every single day and make sure
20:38
that defense is working. And you continue
20:40
to repeat that process and you have that
20:42
continuous testing running on
20:44
all of your endpoints all at the same time, and that enables you
20:46
to kinda get a complete coverage
20:49
and get a a much better idea of what's
20:51
going on. Yeah. So so it's
20:53
kind of a like a sanity
20:55
check, like a security
20:58
controls regression
20:58
test. Right? Like, you wanna make sure that, you
21:01
know, one day all of a sudden, you know, I mean,
21:03
that's something I used to do as a
21:05
pen tester. I mean, I'd always turn AV back
21:07
on once I was done. I would
21:09
just disable AV, you know, back in the days
21:11
there weren't when I pen tested, there weren't
21:13
a whole lot of tamper
21:16
controls there. And you could literally
21:18
just that stop AV, do
21:20
whatever you need to do and then turn it
21:22
back on, which, you
21:24
would fail the regression testing, you know, if I were in the middle
21:26
of doing that. But but
21:28
is that the idea
21:29
there? That's absolutely yeah.
21:32
Yeah. So I think the the missing component
21:34
that we're really trying to push on, and this has
21:36
been missing in the offensive security space for
21:38
for quite a while. Is
21:40
a lot of structure on how do you
21:42
actually attack the problem set.
21:45
Not just following an APT
21:47
playbook, but an actual structure that allows
21:49
you to get each component of the
21:51
endpoint in a methodical,
21:53
very scientific approach on how you how you
21:55
would do that. And so I'll give think
21:57
one of the examples I've seen in recent years of
22:00
this, which I did a couple of years ago,
22:02
which is running a
22:04
continuous test on
22:06
a particular Linux Server that was,
22:08
for the most part, air gapped. A
22:10
sysadmin came in one day
22:12
and started updating packages
22:14
on that. And in order to update
22:16
packages on that particular machine, they
22:18
needed to enable
22:20
a proxy. So they set a proxy up from an
22:22
Internet enabled server to this
22:24
air gap server, install their
22:26
things, and then forgot to remove
22:28
that proxy when they signed off for
22:30
the day. And in that case, we had
22:32
lateral movement ESW running on that
22:34
box. And just one day out
22:36
of the blue, that that
22:38
agent that we had running the ESW, was
22:40
capable of moving across the
22:42
network through that
22:42
proxy, moving from that hoped to
22:45
be air gapped system onto Internet
22:47
enabled devices. And that was a a
22:49
case of catching something within a
22:51
twenty four hour period that that could have
22:53
been caught many many months later
22:55
by an adversary. So
22:57
so that's one use case. And and
22:59
this is I'm gonna hand off to Sean has
23:01
a couple ESW as well after
23:03
after I clarify on this, but seems like
23:05
you've got a couple use cases here. You know? So
23:07
one is what you're describing like ensuring
23:09
your controls are working as
23:11
expected. You know, the environment is configured
23:13
as expected and there's no surprises
23:16
or no regressions, you know, but
23:18
also it seems to me like,
23:20
a key use case here would
23:22
or should be to
23:23
actually test your IR team, you know, to test your
23:25
SOC, to test the, you know, make
23:28
sure you know, the process part of it works that that
23:30
the the humans can find things
23:32
in their systems when you're relying on
23:34
a human to find something. And
23:36
and know what to do in in
23:38
those scenarios. Know what their next step is
23:40
to, you know, contain and and
23:43
recover and eradicate and all all
23:45
all the those fun IR
23:47
steps.
23:47
Right? Absolutely. Yeah. We see that as
23:50
a as a huge use case, especially with
23:52
companies and and enterprises in
23:54
particular that either have
23:56
SOC where they have internal purple teams that are in charge
23:58
of writing rules, segment rules,
24:00
and so forth in order to
24:02
to fire off alerts. And so
24:04
what we've seen is kind of people approaching
24:07
security testing in order to solve one of two
24:09
problems. It's either efficacy
24:12
of a defensive product, whatever that may
24:14
be. It could be on the network. It could
24:16
be on the endpoint itself. Or it
24:18
could be, hey, I wanna test the
24:20
behaviors of my
24:22
response. That could be the IR team. That
24:24
could be the team that's monitoring the alerts
24:26
in the
24:27
SOC. That could be, you know, the user of
24:29
an endpoint itself, do they actually report something
24:31
occurring and is kind of testing
24:33
the overall response to various
24:35
things occurring in real
24:37
time. Great. Thank you.
24:40
Sean here. So that that leads directly
24:43
into something I was going to ask
24:45
around does Prelude correlate the
24:47
attack ESW to
24:49
detection in the SIEM to
24:51
identify or associate
24:53
with the activity that was performed? Or
24:55
is it one of those things where it's identified
24:57
and then the SOC is then doing that
25:00
correlation? Yeah.
25:01
Yeah. So it's a little bit
25:03
of both at the end of the day.
25:05
And so what I mean by that is ESW
25:08
every time that we run an action inside
25:10
of one every time we run
25:12
a test, any alert that would get
25:14
fired will include a tag that has
25:17
our particular know, tagging unit on it. So it
25:19
helps you identify what's coming out of our systems.
25:21
You can filter and and adjust to
25:23
that. So that does allow you
25:25
to filter
25:27
or separate things coming from from things
25:29
coming from other places, if you wanna analyze it
25:31
from that perspective. What we don't do
25:33
is we don't tell you whether that alert is working or
25:36
not. That's kinda up to you to analyze
25:38
your own alerts and decide what's your own
25:40
threshold. So the context of that alert
25:42
could be incredibly important based on what it
25:44
is or it could be something that's incredibly low
25:45
priority? So along those
25:48
lines, how easy would it be for
25:50
an organization to identify if
25:53
the appropriate event logging is
25:55
not actually configured in order
25:57
to detect that sort of activity.
25:59
So for example, if you're leveraging, say, Windows
26:02
event logging, but certain
26:04
events or event categories are
26:06
not configured to be logged
26:08
then would Prelude help identify
26:10
that? Or would it just be
26:12
a blank slate for the SOC?
26:15
Now that's actually a
26:17
big advantage for running the continuous test on
26:20
the endpoint. On the that particular
26:22
example, which is the Windows event logging, the
26:24
way that we try to approach it and get people
26:26
into this habit is deal with
26:28
that on the endpoint itself, not within the
26:30
SOC. And so the test itself
26:32
has the ability to do
26:34
the action as well as verify what
26:37
the actions output
26:40
was. So in this example, you might say
26:42
my test is to dump LSASS. And
26:44
then and you can say, well, what
26:46
is the after effect of that? Let me check
26:48
to see what Windows event
26:51
logs occurred in the system and
26:53
what matches the behavior, what was expected
26:55
versus what was there. And let me ship
26:57
ship that result off somewhere where it can
26:59
be analyzed.
26:59
Okay. So it's not an automatic
27:02
thing. It's more of a
27:04
combination of what the tool is providing plus
27:06
what the the SOC or or
27:08
incident response is handling around
27:09
that. Quick question about your
27:12
tagging, where does that get injected? Is
27:14
that injected at the source or
27:16
is that something that can get injected
27:18
as part of the the SIEM event
27:21
forwarding flow? Yeah.
27:23
So in Operator, which is our command and
27:26
control center that we
27:28
have in play right now, you can inject it in
27:30
two places. So you can inject it at the
27:32
agent level, which is the thing
27:34
running the ESW particular, or
27:36
you can inject it into something that we
27:38
call outpost, which is where the agent
27:40
sends the result to. And when it
27:42
gets sent to that, outpost it's a a
27:44
little bit of a Python server.
27:46
When that Python server accepts
27:48
the the output from the
27:49
agent, it can then tag it before inserting
27:51
it into your logging database.
27:54
Okay. Cool. I've been involved in a number
27:56
of purple team exercises over the years with
27:58
different organizations of different sizes. And one of
28:00
the biggest challenges often has
28:02
been the, okay, here are the vulnerabilities
28:04
or here are the weaknesses in this
28:07
environment. And here's what detection saw
28:09
or what event kind of came out the other side
28:11
as far as what we could correlate. But
28:13
the big gap often seems to be how
28:15
do we fix that and how do we prioritize it?
28:18
Is there something around Prelude that helps
28:20
guide the customer to an effective
28:22
feasible solution for any specific issue or
28:24
set of activities?
28:26
Yeah. That's actually a really big
28:28
one, which is prioritization. So
28:30
you've got n number of issues. What do
28:32
you fix and what order do you fix them
28:34
and so forth? We've battled
28:36
that a lot and kinda kicked that around in a variety
28:38
of different contexts. So what we're
28:41
leaning into right now, kind of the
28:43
lessons we've learned in
28:45
in spending time in writing purple teaming
28:48
is we wanted to try to catch all of
28:50
the what we call the surface area issues
28:52
that are the known bads
28:54
first. We want to look at the
28:56
endpoint holistically and say there
28:58
are ten things that should never
29:00
occur on this particular type of
29:03
endpoint. We know for
29:05
taking the dumping LSASS example.
29:07
Nobody should ever be able to dump LSASS on
29:09
this computer no matter what. That would be a
29:11
known known. We'll call that a rule. Another
29:13
one that we take is a
29:17
malicious office macro should
29:19
always be quarantined. And so we've
29:21
come up with a of these tests that are based around these known,
29:24
known rules. And what
29:26
most of our tests are circulating around right
29:28
now is can
29:30
we execute tests that are known
29:32
knowns, verify that your
29:34
defenses are actually protecting in those cases?
29:36
And if not, and hopefully this
29:38
is a small percentage of
29:41
issues for most people. In
29:43
those
29:43
cases, you're not protected from those
29:45
issues. Go ahead and fix those as your first
29:47
thing. Okay. So less of
29:49
the nuanced, like, edge cases and more of
29:52
the, like, big
29:54
components.
29:55
Gotcha. So in your dumping LSASS example, obviously,
29:57
there's a few different ways to do it through task
29:59
manager programmatically, which is leveraging that
30:02
same
30:02
method. A couple of other ways such
30:04
as Mimikatz.
30:06
Certainly, setting protected
30:09
process is a way to help protect and
30:11
identify when that sort
30:13
of activity is occurring, including some
30:15
detection and defense around
30:17
that, is Prelude looking at
30:19
these different methods that attackers are
30:20
using? Or is it primarily a
30:23
single approach to what
30:25
the issue is as far as the
30:28
activity that prelude puts into it and
30:30
what what comes out the other
30:31
side? Yeah. This is actually where it gets a lot of fun
30:34
because this comes up in purple teaming
30:36
all the time if you've been on a manual purple team assessment,
30:38
which is you'll try, in the dumping LSASS
30:40
example, you'll say, hey, I'm gonna try to do it. This
30:42
way, you get caught, you hop to a
30:44
different system and you try to do it a different way. And
30:46
and basically you're playing this cat and mouse game in order
30:48
to determine if you can find a way on
30:50
a particular system to not
30:53
get caught. And so to replicate that
30:55
in a structured, continuous security
30:57
form, that's autonomous. The way
30:59
we do it is we define the rule
31:01
when we say users should never
31:03
be able to dump LSASS. So that's the
31:06
rule. Underneath that, we develop
31:08
tests. And we can have as many tests
31:10
under that rule as we'd like. That
31:12
cover all the different implementations of dumping
31:14
that we can think of that we've
31:16
seen in the wild that have exploit code to
31:18
them and so forth. And we allow you
31:20
to schedule those tests to run on
31:22
your endpoints at whatever sort of schedule
31:25
that you'd like. So, for
31:27
example, you may say, I wanna run this
31:29
type of LSASS dump every
31:32
day on this subset of computers. I
31:34
wanna run this other variation on
31:36
this other subset, and you could have
31:38
it kinda mix and match across
31:40
your
31:40
network, and what you're doing is looking for
31:42
anything that triggers. Okay.
31:46
That's fair. So final
31:48
question. Does Prelude build
31:50
an attack strategy based on what's vulnerable
31:52
in the environment? In other words, does it identify a vulnerable system
31:54
and then identify what the next step
31:56
could be based on that one plus
31:59
other information and knowledge about what's
32:01
vulnerable in the
32:01
environment, like an attacker
32:03
would? Yeah. No. We
32:05
don't go that deep in that direction. I'd
32:07
say, our goal is to identify
32:11
at the top level, how
32:13
are your defenses protecting
32:16
you against all of these
32:18
different rule sets? It's not about finding this
32:20
device in particular vulnerable
32:23
to kind of like say a CVE or something
32:25
to that effect. It's more of are
32:27
your defenses protecting you
32:29
against an attack that falls in the category of
32:31
that CVE? So one example
32:33
of that might be
32:36
So let's take our Office macro example again because
32:38
that I think plays well for this,
32:40
which is if you look up
32:43
how many CVEs are tied
32:45
to malicious office
32:47
macros. You'll find quite a
32:49
few. And so if your defensive
32:51
system is capable of catching and
32:53
responding to all of the, you know,
32:55
popular variations of macros
32:57
that are found in the wild, especially
32:59
ones like msfvenom and other things
33:01
can be dropped into
33:04
the VBA scripts.
33:06
Then you start to say, hey,
33:08
I'm actually getting some pretty good confidence that
33:10
my defense is effective against this particular type of
33:13
attack, which means that I feel
33:15
pretty good about my coverage across, you know, n
33:17
number of CVEs in
33:19
the vulnerability space or surface area of this given
33:22
endpoint. Great. Thank
33:24
you. So,
33:27
on the topic of these tests,
33:31
yeah, I think something that's interesting
33:33
is how you decide to
33:35
build and prioritize the tests that you guys build.
33:37
You know, because again, it seems
33:39
like, you know, talking about the cat and mouse
33:41
game of evasions and things
33:44
like
33:44
that. You know, all these different ways
33:46
you can evade defenses
33:48
and controls. How do
33:51
you guys? So I guess a two
33:53
part question. How do you guys
33:55
decide on what to build? Are you constantly
33:57
looking at, like,
33:59
some of the reports that come out
34:01
from researchers, you know, researching
34:03
different attacks or TTPs and stuff like
34:05
that. You know, do you go look at the
34:08
ATT&CK matrix? Because I think clearly that's one of those things
34:10
where, you know, I think for years what
34:12
we've needed is like a heat map of the
34:14
ATT&CK matrix because, like, all tests
34:16
aren't important. You know, like, there are
34:18
some companies who wanna test for every single item
34:20
on there. You know? But clearly, some of
34:22
those are more important than others. You
34:24
know, so how do you prioritize that? And then the other side of that, you know,
34:26
I think one of the tricky things in
34:28
security is the idea
34:31
of what are red flags versus yellow flags. You
34:34
know, things that are absolutely bad. A
34:36
hundred percent of the time,
34:38
it should always float to
34:40
the top, you know, you should always see this alert
34:42
versus things that are, you
34:44
know, maybe they're bad. And because we
34:46
have so many of those, and I call those
34:48
yellow flags. We have so many of
34:50
those yellow flags. It's very easy
34:52
to bury all your red flags.
34:54
You know, all your
34:56
your absolute super important
34:58
tests in a bunch of maybe kind
35:00
of important, you know,
35:02
given
35:03
the context tests. Totally.
35:05
Yeah. Absolutely. Let me
35:07
let me ask you
35:08
a question that could be kinda fun here. So, which,
35:11
Okay. It could be fun. Right? Is
35:14
a MacBook Air
35:17
or an
35:17
iPad, which one is
35:20
more secure? I
35:23
would say the iPad is more
35:25
secure because, yeah, less opportunities for
35:27
for the user
35:29
to act independently. 301 grab
35:32
software if that's not front
35:34
end. Tightly controlled. Absolutely. See what
35:36
that totally.
35:38
So I'd say that is the delta that we are
35:40
looking at this from just
35:42
a very qualitative standpoint. So
35:44
I was actually on the MITRE
35:46
ATT&CK leadership team, for those that
35:49
don't know, when I was on the CALDERA project. And yeah,
35:51
I spent a lot of time around the matrix
35:53
and kinda saw the pros and cons there and how
35:55
does that apply to things like
35:57
you know, the matrix with things like behavioral
36:00
analysis and so forth. Really,
36:02
really fascinating ways of classifying
36:04
things. But you come up with that
36:06
same problem in purple teaming,
36:08
which is you've got this giant matrix. How
36:10
do you decide what to do? And is
36:12
something like an impact tactic more
36:14
or less important than a lateral movement
36:16
tactic? And that is such a contextual
36:18
decision that it becomes very difficult for
36:20
somebody to prioritize. Similar to CVEs. How
36:22
do I know this one is better than that one?
36:24
For me, in particular.
36:26
So the way we look at it is a
36:28
little bit more surface area related. So if
36:30
you look at the MacBook versus an
36:32
iPad and you say, well, yeah, iPads
36:34
are actually more secure than MacBooks, because
36:37
the user is not allowed to do certain
36:40
actions. So that delta between these two is
36:42
actually a really good way to think about how you
36:44
should prioritize your tests, which is,
36:46
what are those things in
36:48
particular that you can't do on the
36:50
iPad? So you can't, you know, you
36:52
can't dump LSASS. Right? So that's
36:54
the thing. You can do that on the
36:56
on the Windows computer in this case. So that's an area that that we'd wanna
36:58
target. You can't install things outside
37:00
of the App Store on
37:03
the iPad. So when you look
37:05
at that on the MacBook, you say, well, the
37:07
user is allowed to install things.
37:10
What are the types of tests that I need to write and run
37:12
continuously around execution
37:14
of or installation of
37:18
executables. And so when you start
37:20
to think in those sort of ways, you start to build boxes or constraints
37:22
around what you wanna do, and then
37:24
you can very quickly create a priority
37:28
around what is important to you. Test around
37:30
installation of things
37:32
or people touching processes on
37:34
the
37:35
endpoint. What are
37:37
those deltas between secure devices, in quotes, and
37:39
insecure devices? I feel like
37:41
it was kind of a trick question because
37:43
the correct answer
37:46
to that question wasn't an option.
37:48
And it's always Windows.
37:51
Right? Yeah. Exactly.
37:54
The safest
37:55
possible option that you could get.
37:58
Yep. Yep. Alright. Yeah.
38:01
So I,
38:03
and you've got some acronyms
38:05
around this as well. So, you know, part
38:07
of my question, you know, I was trying
38:09
to queue up VSTs. So if you wanna explain
38:11
what the concept of verified
38:14
security tests are because I
38:16
you know, I feel like that
38:18
second part of my question, you know, like
38:20
ESW tests that are you know,
38:22
much more reliable, hundred percent, you
38:25
know, versus ones
38:27
or ones that are
38:29
focused on things that are more likely
38:31
to happen. Help me understand, maybe
38:34
I don't fully understand the
38:35
concept of verified security
38:38
tests. Yeah. Totally.
38:40
Yeah. So in development in
38:42
red teams and purple teams, you are used to building
38:44
something called a TTP, tactics,
38:47
techniques, and procedures. Really that refers to the procedure level. So if
38:49
you look at the ATT&CK matrix, you've got
38:52
tactics and techniques, and what you're
38:54
doing as a red teamer or purple teamer,
38:56
you're building procedures or
38:58
implementations of those techniques.
39:00
And that's how you approach things. And so
39:02
you've got the structure of the ATT&CK framework itself.
39:05
And that's kinda where the structure falls off.
39:07
That's what you have, which means that as a
39:09
purple teamer, if I wanna write a security
39:11
test that is on the
39:14
ATT&CK matrix, I can write it in any language I want. I can write
39:16
it in any format I
39:18
want. That test has no
39:20
constraints to
39:22
it. The test I write could be wildly different from a test that somebody
39:24
at another company or even within my own
39:26
company writes. And so this is where it becomes
39:28
a little bit of the wild wild west in offensive
39:31
security where everybody is writing TTPs their
39:34
own way with their own
39:36
intentions. And in a lot of ways, they are
39:38
not safe to run in production for those
39:40
reasons. There's no way to validate
39:42
them. And so that's
39:44
common in command and control
39:46
products, including our own
39:48
prelude operator. When we were
39:50
getting ready to release our current
39:52
product, which is called Build, that
39:54
product is designed around the
39:56
concept of VSTs, verified
39:58
security tests. We wanted to
40:00
develop a way, a structure
40:02
that allows you to take the power of a
40:04
TTP, validating
40:06
defenses, and enable it to run in production. So the VST is
40:08
really if you wanna think about it as a production ready
40:10
TTP, that's probably a pretty
40:12
good way to think about it.
40:15
And so a VST is
40:17
a structured piece of code
40:19
that contains a test function and a
38:22
cleanup function. And the test function
40:24
does an action, you know,
40:26
take any of our examples like dumping LSASS. And
40:28
then the cleanup function will reverse
40:30
any effects if there were any
40:32
in the test function. Now this VST goes through a very strict
40:35
compiling process,
40:38
testing ESW, and ultimately
40:40
gets stored as a compiled
40:42
file, in your own file, stored just
40:44
for you. And that file
40:46
is now something that has kind of gone through all of your different
40:48
safety checks, which include the
40:50
efficacy of the file itself,
40:52
the tests, as well as how many
40:54
system resources does this test use? How long
40:56
does it take to run and so forth? And
40:58
then that test is now almost
41:01
like a golden image of the
41:03
behavior that you want to test against. That VST
41:06
enables you to move your security
41:08
testing outside
41:10
of a development environment or security environments and allows
41:12
you to run these tests that have never
41:14
really run at production and scale on
41:16
as many devices as you want.
41:19
So if you wanna understand whether
41:21
you can whether your defense can pick
41:23
up an Office
41:26
macro on ten thousand
41:27
machines, run a single VST on all ten thousand and
41:30
record which ones got it and which
41:32
ones did
41:34
not. Yeah. Yeah.
41:36
You can definitely yeah. Scaling it up,
41:38
you know, I think it is
41:40
a big thing. You know, even if you're
41:43
only doing this testing on a portion
41:45
of your computers that I feel like the
41:47
value is huge here. And one of the things I always thought,
41:49
I wonder if you get a lot of
41:51
requests for this from customers or if you put these together
41:53
for customers. But when we have a breach that gets
41:55
in the headlines, you know, inevitably
41:58
somebody's gonna ask you know, what would
42:00
happen if we were hit with this, this thing
42:02
that just happened to somebody else.
42:04
And provided there's enough
42:06
details. Is that something you get a lot
42:08
of requests for, like, putting together, like, the
42:11
chain of tests that
42:13
would closely simulate, you know,
42:16
that
42:18
headline breach.
42:18
Absolutely. This is where the rules actually come
42:20
into play. If you look at a lot of attacks
42:22
out there, they can fall under
42:26
different rules. That are things that
42:28
are known knowns. So if a
42:30
breach happens, you know,
42:32
yesterday, or happened yesterday, that is a
42:34
CVE, right?
42:36
Doesn't really matter the category. But you can look at that CVE
42:38
and say, well, what are the behaviors
42:40
of the CVE that make it unique?
42:43
And then what rule does that CVE actually fall
42:46
under? Could that be something related to
42:48
ransomware? Well, do I have a rule that
42:50
tests ransomware? Now if you
42:52
have a rule that's already testing ransomware, and that
42:54
is a very comprehensive test,
42:56
then that ransomware attack itself
42:58
even though the CVE is new,
43:00
you have a comprehensive set of tests that you're already running.
43:02
So it gives you the ability to have
43:05
confidence in what your defense will
43:07
actually respond like. Before
43:10
that attack actually happens. Now
43:12
after you learn about the attack, you may see a
43:14
variation in it that is unique,
43:16
and you can write a new test implementation that
43:18
closely mirrors what occurred there and
43:20
add it to your collection of ransomware tests that
43:22
you're running at
43:24
whatever schedule. Awesome stuff.
43:26
Yeah. I think that's all we have time
43:28
for, but I did, before we wrap,
43:32
want to mention that you do have a community edition
43:34
of Prelude that people can download
43:36
and try out for free
43:38
and use for free. Anything
43:40
else you wanna mention there before we wrap up? Yeah. Yeah. Absolutely.
43:43
So Build itself, which is
43:45
an IDE for
43:48
writing verified security tests that is a
43:50
completely open source project. You can find that on GitHub, of course,
43:52
fully open
43:52
source, and we're hoping
43:55
that is actually
43:58
a helpful thing to red teamers and purple teamers,
44:00
pen testers, anybody that is involved
44:02
in writing TTPs that is interested
44:04
in trying to move them into
44:06
production. We hope it helps the
44:08
community. Awesome stuff. David, thank you so much for
44:10
joining us on enterprise security weekly today.
44:14
Thank you
44:16
very much. Alright. Stay tuned. When we come
44:18
back, we're gonna talk InfoSec culture and
44:20
Mastodon with
44:22
Jerry Bell. The
44:25
shift to remote and hybrid work over
44:27
the past two years has accelerated
44:30
application development on cloud
44:32
infrastructure. However, securing these new assets
44:34
has lagged behind. Qualys CloudView, the next generation of
44:36
cloud security posture management,
44:38
delivers an end to end
44:40
multi cloud security and
44:42
compliance solution encompassing the
44:44
entire application lifecycle from
44:46
build to runtime. CloudView enables
44:48
enterprises to assess their cloud security
44:50
and compliance posture, identify risks and gaps, auto
44:53
remediate issues, proactively enforce
44:55
best practices, and prove compliance
44:57
in audits rapidly and
45:00
efficiently. Identify your most vulnerable cloud assets by
45:02
visiting security weekly dot com
45:05
forward slash Qualys. Welcome
45:09
back to Enterprise Security Weekly. Don't
45:12
miss any of your favorite Security Weekly
45:14
content. Visit security weekly dot
45:16
com forward slash subscribe to
45:18
subscribe to any of our podcast feeds and have
45:20
all new episodes downloaded right to your
45:22
phone. You can also join our mailing
45:24
list, Discord Server, and follow us on
45:26
social media and our streaming
45:28
platforms, which include YouTube and Twitch,
45:30
and we're playing around with some others.
45:34
I don't I don't know how that's going. We were testing
45:36
out Twitter and LinkedIn and, I
45:39
don't know, Instagram. Like, you you can stream
45:41
in a bunch of different places now.
45:44
Alright. So for our second interview
45:46
today, Jerry Bell joins us to
45:48
talk about InfoSec community culture and
45:50
the migration to Mastodon. Which
45:53
has been big,
45:56
somewhat contentious news over the last couple
45:58
months. Jerry has worked in
46:00
IT for thirty years, doing everything from writing
46:02
code to racking servers, and is currently the VP and
46:04
CISO of IBM public cloud. Jerry has
46:07
hosted the Defensive
46:10
Security Podcast, which I listened to and was
46:12
one of my regular podcasts
46:14
on my podcast
46:17
list every week. And
46:21
and he is best known,
46:23
in the last couple months, for running
46:25
the infosec.exchange Mastodon instance
46:27
for the past six years,
46:30
which recently saw a slight bump
46:32
in popularity. Welcome to
46:34
the show
46:34
Jerry. Thank
46:35
you. Thank you for
46:38
having me. Yeah. Thank you for being here. You know,
46:40
this is something, you
46:42
know, I think when we talked
46:45
to prep for this, you know, I mentioned back
46:47
in twenty fifteen, you know, I
46:49
had been on Twitter for
46:51
a little while. Twitter is kind of how
46:53
I got into infosec.
46:56
I remember, if you know Dave
46:58
Shackleford, he was my boss back
47:00
when I was a pentester, and he
47:03
encouraged me to get
47:05
out, go to conferences, give talks,
47:07
and get involved with the community. And
47:09
one of the things he suggested
47:11
in addition to putting together a blog and writing
47:13
blogs was getting on Twitter.
47:16
And and that's how I met a bunch of people in the
47:18
industry. In fact, yeah,
47:20
I've
47:22
had decade-plus-long relationships with folks
47:24
on Twitter. You
47:27
know, and, sadly,
47:30
you know, some of them have passed away, and I never got
47:32
to meet them in person. You know, so it's kind of, you
47:35
know, it's
47:38
an interesting medium,
47:40
you know, to to talk to
47:42
people over and things like that.
47:44
And I found it kind
47:47
of fascinating how easy it was to
47:49
make that migration and how
47:51
quickly folks jumped
47:54
over. So yeah, just kinda
47:56
wanna get your so
47:58
you've been running this a lot longer
48:00
than this big, you know, when this
48:02
big wave happens. Was that correct? Six years
48:05
you've been running this Mastodon instance? That'd
48:07
be six years
48:08
in April. That's
48:12
right. So, you know, I gosh, probably
48:14
six and a half, seven years ago,
48:16
I... Mastodon and
48:18
the Fediverse came onto my radar
48:21
and I'm someone who likes to tinker with things. And
48:23
so I set up an instance,
48:26
registered the domain. And, you know,
48:28
for five and a half
48:30
years, it was pretty much just
48:32
a little side
48:34
experiment that had a couple hundred
48:36
people in total, you know, maybe a
48:38
handful of people on any
48:40
given day. Until until
48:41
October. Yeah. And I
48:46
think you picked a great name. You know,
48:48
it's, with
48:50
real estate, it's location, location, location.
48:52
And I think infosec.exchange
48:55
is a really easy one
48:57
to remember. So I think
48:59
you nailed it there. But yeah.
49:01
I mean,
49:03
what
49:05
was it like those first couple of
49:07
weeks? Like, did you have to upgrade the
49:09
hardware almost immediately? Or
49:12
how did all that
49:14
go? It was it was pretty exciting.
49:16
So back in the spring
49:18
of twenty twenty-two,
49:22
gosh, an entire year ago. When
49:24
there were some first rumblings
49:26
about Twitter potentially being
49:30
taken over, there was a bit of a pop in
49:32
accounts
49:34
on infosec.exchange. And
49:38
up until that point, I had been running
49:41
the instance on a VPS and
49:45
it had worked pretty well. I spent a couple
49:47
hundred bucks a year for
49:49
the five years up until
49:52
that point. And so that
49:54
that was a bit of a wake up call, and I
49:56
actually rented
49:58
a pretty substantial server that I
50:00
never thought I would actually
50:03
grow out of was a
50:05
sixteen core server with
50:07
NVMe drives, and it's
50:10
a pretty beefy server for what, you know,
50:12
effectively had ten or twenty people
50:14
on it per
50:16
day. Roundabout
50:20
October twenty seventh, twenty
50:22
sixth, twenty seventh, twenty eighth, going into
50:24
that weekend. I was
50:26
actually working down
50:28
at the beach,
50:30
and my phone started going
50:32
nuts. I have my
50:34
alerts set on
50:36
on Twitter. And didn't
50:38
think a whole lot of it. I knew that there
50:40
was stuff going on until I looked at it.
50:42
And I saw lots and
50:44
lots of people talking about joining
50:47
infosec.exchange, talking about
50:49
it and whatnot. And so I
50:51
jumped over there and sure
50:54
enough you know, several hundred people had come in. And I thought, hey,
50:56
that's pretty cool. And
50:58
over the next three or four days,
51:02
there were probably five, six, seven
51:04
hundred people per day coming over.
51:07
And then it really,
51:09
which was pretty ESW. And then it
51:11
started to really accelerate to, you know,
51:14
thousand, two thousand, three
51:16
thousand people
51:18
per day. And per
51:20
day. Per day.
51:22
And at that point, I started to panic a little
51:24
bit because not
51:27
only did moderation become
51:30
a much bigger challenge, but
51:32
also it was pretty apparent
51:34
that my once forever
51:36
server was not gonna cut it
51:38
anymore. And so I
51:40
ended up standing up a
51:42
moderation team who to this day is just the absolute
51:45
godsend phenomenal group of
51:47
people with the
51:49
patience of saints. And
51:51
then I spent a
51:54
bunch of time scaling
51:56
out the instance, both from
52:00
the perspective of capacity,
52:02
but also trying to get the
52:04
costs under control because I had
52:07
been paying for it out of my own pocket until I got
52:09
the bright idea to really go
52:11
ask for some
52:13
financial help, and so the community did come
52:15
together and help me out with that.
52:18
Yeah,
52:21
you know, it's... yeah.
52:23
And I think it's interesting that not only did you have to
52:26
technically scale
52:28
the instance you're running, you know, but
52:31
also staff it as well. You know? And it's
52:34
so what's that like? Like
52:36
the
52:40
you know, doing that moderation work,
52:42
is that, like, when people
52:44
flag things on the server, like, they have
52:46
special roles where they get, like, a
52:49
queue of stuff that needs to be looked at
52:51
and handled? What is that role
52:54
like? It's
52:56
done, like, on Twitter, if
52:58
you're familiar with Twitter and somebody says
53:00
something offensive or
53:02
you know, posts some, posts
53:04
a threat or what have you, we
53:07
have the same kind of
53:09
reporting facility in Mastodon
53:11
or the Fediverse.
53:14
So you can report somebody who's a spammer
53:17
or posting something obscene or
53:19
illegal or what
53:21
have you. And so it's
53:24
a myriad of different
53:26
things. You know, it
53:28
ranges from, you know,
53:30
misinformation about vaccines
53:32
all the way to
53:34
death threats and, you
53:37
know, and and, you
53:39
know, spam and your herbal
53:42
remedies and everything in between.
53:45
You know, it's actually
53:47
one of the things that,
53:49
so I still pop over to Twitter because there
53:51
are some people that I communicate with that haven't
53:53
made the switch. You know? So
53:55
it's, but
53:58
I find that interesting because that's one of the things that definitely drove
54:01
me to use infosec.exchange
54:03
a lot more
54:06
is around
54:08
the same time that this move started
54:10
happening, I just started, you
54:12
know, that first huge round of
54:16
layoffs that they did at Twitter. I just
54:18
started getting crypto spam, like
54:20
mentions spam, like my mentions would
54:23
just fill up with you
54:25
know, buy this, buy that, you know,
54:27
new coin or or join a game
54:29
or a crypto game or or
54:31
whatever. You know, a dozen or
54:33
more a day every day and it's still continuing. And, like,
54:36
you know, for a couple weeks, I was reporting
54:39
every single one and I just
54:41
gave up, you know, like I just
54:44
I don't need a side job, you
54:46
know, just reporting mentions and stuff like that. So
54:48
I don't know if that's just a scale thing for them, but
54:51
I never had that problem before, but, yeah, I
54:53
I wonder how many people moved over
54:55
to Mastodon, you
54:58
know, because you know,
55:00
politically, you know, the things that were happening around
55:02
Twitter or, you know,
55:04
they they had already,
55:06
you know, not been enjoying doing Twitter for a while
55:08
and didn't need much of a push to
55:10
go to something else. Because I agree with
55:12
a lot of people that it definitely feels
55:15
like earlier days of Twitter. But I wonder if that's just
55:17
because the community is smaller and the
55:20
chances of your, you know, whatever you post just
55:22
getting lost in the noise is is
55:24
much less
55:26
on the platform with, you know, thirty, forty thousand people
55:29
versus millions. I think it's
55:31
all of those
55:33
things. You know, there is the
55:36
network effect is a real thing. Right? And
55:38
so there
55:40
were certainly a nucleus
55:42
of people that moved over in the early days and some of
55:45
the reasons they moved over ranged
55:47
from, you know,
55:49
they just really are
55:51
offended by Elon Musk's politics to
55:54
they're afraid of, you
55:58
know, what they just don't wanna see the spam, like
56:01
like what you pointed
56:03
out, or many other reasons.
56:05
But, you know, once that migration
56:08
started, and your opening
56:10
comments, by the way, I think
56:12
hit it right on.
56:14
It's it's actually about the community. It's
56:16
not so much about the
56:20
platform. I found personally, you know, Twitter
56:22
was just a phenomenal
56:24
tool. Right? I
56:27
met so many great people over the years that I
56:29
never would have had an
56:32
opportunity to connect with, to share ideas
56:34
with, to
56:36
learn from. And so the thing that I've learned in
56:38
the, you know, the past couple of
56:40
months in particular is it's
56:42
less about the actual platform and
56:44
more about
56:46
community. And the community has, in
56:48
large part, you know, picked up
56:50
and moved
56:51
over. But again,
56:54
you know,
56:55
the reality is Twitter is a huge,
56:57
you know, very, very
57:00
large environment.
57:02
And on infosec.exchange, I think we just passed
57:04
forty five thousand accounts,
57:06
which is, you know,
57:09
fairly big number. But I think
57:12
Twitter is five hundred
57:13
million, like, or many
57:15
orders of magnitude larger.
57:18
Yeah. I remember, I did some research back in twenty fifteen because
57:20
I wanted to understand, you know,
57:23
what what the size of infosec
57:27
or or what what yeah. Infosec Twitter back in
57:29
twenty fifteen versus all of Infosec.
57:31
You know? Because we we knew it was a bubble. You
57:33
know, we knew it wasn't
57:36
everybody. And back then, you know, the the through
57:38
my research, the number I came up with was
57:40
eight percent. That eight percent
57:42
of people in InfoSec were
57:46
on Twitter which actually seems pretty remarkable.
57:48
You know, I mean, obviously Infosec has
57:50
grown a lot, you know,
57:52
since since twenty fifteen. So I don't
57:54
know if
57:56
you know, the the numbers of
57:58
people using it pseudo professionally to talk
58:00
about security stuff, cyber security stuff
58:03
hacking, things like that. You
58:05
know, is, um, still up there.
58:07
But and and, obviously, the like, there's
58:09
a lot of shades of InfoSec. Right? Like, there
58:12
there's a lot of people that
58:14
consider themselves hackers and
58:16
and do security research and stuff like
58:18
that, you know, but but aren't
58:20
security professionals. Right? So it's it's
58:22
kinda hard to to do that kind of
58:24
research. But
58:26
but, yeah, it seemed like,
58:30
you know, you know, what what's
58:32
yeah. I always said when all these
58:35
new social networks came came up, like, it
58:37
doesn't the features don't
58:39
matter as much. As where the people are.
58:42
You know, as soon as the people move, as soon
58:44
as you have that that tipping
58:46
point, you know, that
58:48
that momentum where the the
58:50
people you enjoy bouncing
58:52
questions off of and and discussing things
58:54
with have moved over. You
58:57
know, if that if that's where they're spending their time,
58:59
if that's where they're posting, and you enjoy
59:01
reading their stuff and conversing with them.
59:03
Like, that's it. Like, it it doesn't matter
59:05
if Mastodon's better than Twitter, you know, Twitter
59:07
gets better. Like, it's where the
59:09
people are.
59:10
Absolutely. There there are some
59:13
I I will tell you, there are
59:15
some features that I commonly hear,
59:17
you know, as as being
59:20
problematic, like the
59:22
fact that we don't have the
59:24
equivalent of a quote tweet and Quote
59:26
tweet. Yeah. I think that is
59:28
something that will likely get fixed. Search
59:30
is something that is fairly
59:36
inhibited. And
59:38
by the way, one one of the I've
59:40
I've written about this or posted
59:42
about this quite a bit over the the
59:45
course of the past couple of
59:47
months. You know, Mastodon isn't Twitter.
59:50
It's it's an it it
59:52
in some ways feels a lot like Twitter
59:54
has similar purposes. But it has a different
59:56
lineage, the the the driving
59:58
factors behind it, you know,
1:00:00
getting to where it is today are different.
1:00:02
It's a different community that built it
1:00:05
up. That the values that the people
1:00:07
had who have created it
1:00:09
are are different than what you saw
1:00:11
with, you know, with Twitter. It's
1:00:14
Twitter was a commercial enterprise that
1:00:16
valued engagement
1:00:18
and growth and time on the site
1:00:22
and whatnot. And that that
1:00:24
drove certain, you know,
1:00:26
features and capabilities. And for me
1:00:28
personally, I think it was kind of
1:00:30
bad for my blood pressure because it seemed
1:00:33
like Twitter was always putting stuff in
1:00:35
front of me that I it knew I would
1:00:37
disagree with and and would --
1:00:38
Yeah. -- you know, it it became the
1:00:40
media, the mainstream media, basically. Right?
1:00:42
If it
1:00:43
bleeds, it leads. And on,
1:00:45
you know, on the other side,
1:00:47
with Mastodon and the
1:00:50
Fediverse in general, it was
1:00:52
more intended
1:00:54
to be a community. And it it doesn't have the
1:00:56
concept of investors
1:00:59
and advertisers and whatnot.
1:01:01
It it's it's about the
1:01:04
people. And so some of the features that
1:01:06
we had come to to
1:01:09
rely on on Twitter you
1:01:11
know, where where were and to
1:01:13
some extent still are viewed as, you
1:01:16
know, potentially enabling bad
1:01:18
behavior, like, you know, abusive
1:01:20
behavior targeting and and things
1:01:22
like that. And and to some
1:01:24
extent, I think that
1:01:26
is, you know, a
1:01:28
valid concern to
1:01:31
another extent, I think
1:01:33
it is inhibiting valuable
1:01:36
use of the tool and but that
1:01:38
comes down to moderation. Right? Like the
1:01:41
fact that that you
1:01:43
have quote tweets doesn't,
1:01:46
you know, that that just means that that as a
1:01:48
moderator, like, we have we have
1:01:50
more responsibility to make sure that
1:01:52
people are are not acting
1:01:55
irresponsibly, I guess, is
1:01:57
how I'm viewing that.
1:01:59
Yeah, I remember
1:02:02
reading that quote tweets
1:02:04
weren't there by design, you know,
1:02:06
because they they were
1:02:08
I think that's what I realized. I used
1:02:10
Twitter very differently from how some other people were
1:02:12
using it. And and it I had
1:02:14
to do some reading and some looking around to see,
1:02:17
like like like what is bad
1:02:19
use of quote tweets look like. Because
1:02:22
today, I did a quote tweet
1:02:24
on Twitter because we
1:02:26
sent out we were promoting
1:02:28
today's show. We are
1:02:30
promoting, you know, some of the interviews and and
1:02:32
the stuff on today's show from the
1:02:34
security weekly account. And, you know,
1:02:36
a common way that I'll use a quote tweet
1:02:38
is I'll I'll hit quote a tweet on that, and
1:02:39
I'll, you know, say why I'm
1:02:42
looking forward to this interview, and and
1:02:44
I'll send that on to to
1:02:46
my followers. So I'm I'm just, you know, taking this promotion and
1:02:48
and adding some commentary on it.
1:02:50
You know, so so it took me a bit to
1:02:52
understand, like like, what what is what is
1:02:54
misuse of
1:02:56
quote tweets look like. And and the other thing that kinda
1:02:58
horrified me was the idea of, you
1:03:00
you know, like somebody was really excited.
1:03:02
They found a tool that would delete
1:03:05
their their their tweets, any tweets that
1:03:07
are older than a week, you know, which
1:03:09
the way I used Twitter, like, that was horrifying
1:03:11
to me. Like, I I treasure
1:03:14
these conversations that I had,
1:03:16
you know, eight, nine,
1:03:18
ten years ago, you know, and sometimes
1:03:20
I go back and I use those in talks
1:03:21
and, you know, people there's some great quotes
1:03:24
on Twitter, you know.
1:03:26
There's some great conversations
1:03:28
that happened. And I
1:03:30
I find it really useful to go
1:03:32
back and and look at what we were
1:03:34
talking about back then,
1:03:36
you know, and and how that
1:03:38
informed what we're doing today. You know, as as commentary
1:03:40
on on, you know, yeah, it
1:03:42
looks like it looks like some of these
1:03:44
predictions were right, you know. So
1:03:46
it's it's I
1:03:48
I look at it a lot different, maybe, than some
1:03:50
other people do is is a conclusion
1:03:52
I can't do.
1:03:55
Yeah. For
1:03:58
me for me personally, I've
1:04:01
been a little disappointed.
1:04:03
Not surprised, I guess. But
1:04:06
disappointed and frustrated because I I I
1:04:08
had the same thing. Like, I've had so
1:04:11
many productive and
1:04:13
enlightening discussions on Twitter, where
1:04:15
the most recent example was
1:04:17
related to GDPR. When when the
1:04:19
GDPR was was coming online, I had a
1:04:21
bunch of discussions online with
1:04:23
with attorneys and and, you know,
1:04:26
actually regulators and and
1:04:28
other other people on
1:04:30
Twitter. And those are
1:04:32
all gone. So, like, I
1:04:33
can see that I posted, but
1:04:34
the but the other side of those
1:04:37
are are gone too.
1:04:40
And it's that's unfortunate.
1:04:42
But at the same time,
1:04:44
on Mastodon, you know, in Twitter, you
1:04:46
actually had to go and find third
1:04:49
party thing to do that. Um, that's
1:04:51
actually, like, a native capability that a
1:04:53
a platform offers.
1:04:56
What what what is that? That's a native ability? The
1:04:59
ability to to purge
1:05:02
posts after a certain period of
1:05:04
time. Yeah.
1:05:06
Yeah. Disappearing messages, basically. Right?
1:05:08
Yeah. Same concept as that.
1:05:12
Exactly. Again,
1:05:14
so another thing that's
1:05:16
interesting, I I um, is Twitter
1:05:19
had absolutely turned into, you
1:05:21
know, a platform that marketing
1:05:24
folks use, that companies use. You
1:05:26
know, there's there's a lot of marketing
1:05:29
automation platforms, you know,
1:05:31
where you can schedule tweets,
1:05:33
and you can have a whole marketing digital
1:05:35
marketing team managing messaging that
1:05:37
they're sending. Um, you
1:05:40
know, a tool that'll, you know, you put together your message and it's gonna send
1:05:42
it to LinkedIn, Instagram, Twitter, a bunch all
1:05:45
at once. And I've noticed a lot of
1:05:47
those tools don't support Mastodon. But
1:05:50
I I have started seeing some of those companies coming
1:05:52
over to to Mastodon. So we're
1:05:54
seeing some of those those
1:05:57
use cases, some of those
1:05:59
non human accounts accounts that represent either organizations,
1:06:02
whether they're nonprofits or or their
1:06:04
projects or their,
1:06:08
you know, bots, you know, the ones that spit out funny
1:06:10
stuff. You know, I think there's a whole mastodon
1:06:12
server I saw that's that's nothing
1:06:14
but
1:06:14
bots. Please. But, you know,
1:06:18
What is
1:06:19
it? It's called bots in space. Bots
1:06:21
in space? That's
1:06:24
great. So
1:06:26
it's it's I don't know, what
1:06:28
is the, I guess, where I'm driving
1:06:30
is, what does the future look
1:06:32
like? Does
1:06:34
you know, the fediverse. And one of the nice features I
1:06:36
think is you don't have to look at the
1:06:38
fediverse. You know, you you can look
1:06:41
at only your your local stuff, which I I
1:06:44
think will somewhat insulate from
1:06:46
some of the negative some of the
1:06:48
downsides of of just scale
1:06:50
and growth. You know, and the noise
1:06:52
that can that can result from that.
1:06:54
But, you know, where where
1:06:56
where do you stand on like companies
1:06:58
creating
1:06:58
accounts, you know, accounts you
1:07:00
know, being automated or non human accounts in general,
1:07:03
you know, and and whether those
1:07:05
should be allowed or should there
1:07:07
be limits on them I
1:07:10
the rules in a while. I don't know if you have rules
1:07:12
specific for your instance
1:07:14
just for non
1:07:16
human
1:07:16
accounts. Or shared accounts?
1:07:18
This you're starting to
1:07:20
get into the, like, the philosophy
1:07:24
of of the
1:07:26
Fediverse some of the nuances that and challenges I
1:07:28
think that lie ahead for
1:07:30
us are when when different
1:07:32
instances have materially
1:07:34
different values. So if instance
1:07:36
A allows corporate
1:07:38
type accounts and instance B
1:07:42
finds those to be terribly offensive,
1:07:44
then they're they're probably going to
1:07:46
end up blocking each other.
1:07:48
And and so it goes.
1:07:50
For for me personally, we we
1:07:52
do have a no spam rule.
1:07:54
We do have quite a
1:07:56
few corporate and
1:07:58
and, you know, nonperson type accounts.
1:08:01
And fortunately, a lot of them have actually
1:08:04
approached me beforehand and asked, you
1:08:06
know, for for my, you know,
1:08:08
my permission,
1:08:10
I guess. And the thing that I always tell them is, like, you
1:08:12
know, this isn't a it's not a
1:08:14
marketing platform. Right? You're welcome to be
1:08:16
here. You have
1:08:18
to follow the rules. And the
1:08:20
expectation is that, you know, you're contributing
1:08:23
to the discussion. Right? So
1:08:26
if you wanna post about, you know, some
1:08:28
cool research that you've done or,
1:08:30
you know, a a learning blog
1:08:33
that you you've posted or
1:08:35
video. You know, fine. But it, you know,
1:08:37
just like gratuitous spam is is
1:08:40
not
1:08:43
not welcome. So follow-up question on that.
1:08:46
Thanks for being on here. So one of the more amusing
1:08:49
parts of
1:08:51
Twitter for me are definitely the brand accounts, especially
1:08:54
the the humorous ones like Wendy's. I I understand
1:08:56
your
1:08:56
approach and take
1:08:57
on that as contributing to the
1:09:00
conversation, but how do you personally
1:09:02
feel about these sort of brand accounts potentially being on Mastodon and how do you think
1:09:07
different Mastodon
1:09:08
instances might stand on these brand accounts?
1:09:10
That's a
1:09:11
good that's a really
1:09:14
good question. I don't I
1:09:16
don't know how the
1:09:19
Fediverse would react to Wendy's to be. The
1:09:23
spicy takes. I
1:09:26
part of me thinks that it actually might go
1:09:30
relatively well.
1:09:33
Again, because
1:09:36
it's Right? You know, we
1:09:38
we see we see there are some novel commercial
1:09:43
accounts like I'm drawing a blank on the weather
1:09:46
app. What is the weather app that has, you
1:09:51
know, posts offensive messages to give
1:09:52
you the weather. Right? Well, they have an account. And
1:09:54
and so so, you know, I I think it it
1:09:59
it depends. Right? I don't know that it's a
1:10:01
it's a black and white
1:10:03
thing to be
1:10:06
to be candid. I think as long
1:10:08
as from from my standpoint, as
1:10:11
long as it's not obnoxious, and
1:10:15
in, you know, gratuitous and and and, you
1:10:17
know, like if people don't want to see
1:10:19
that, it's pretty easy
1:10:21
to block. Right? You can block an
1:10:24
account really easily. You can actually
1:10:26
block an entire incident or, sorry,
1:10:28
instance also
1:10:30
quite easily too. So,
1:10:32
you know, again,
1:10:35
if if, you know,
1:10:37
I I I if
1:10:40
Wendy's joined infosec infosec dot exchange, I'm
1:10:42
not sure what I would do. Maybe encourage
1:10:44
them to go to a different
1:10:46
instance. I I I don't know.
1:10:49
That's
1:10:49
fair. Well, I recently joined
1:10:50
infosec dot exchange, thanks to a relatively famous non horse, and
1:10:53
I'm gradually dipping my
1:10:55
toes into Mastodon. What
1:10:59
do you suggest for those who are just starting with the
1:11:01
new Mastodon account, especially those that
1:11:03
are switching over from Twitter?
1:11:07
Number one is I wouldn't I
1:11:10
wouldn't recommend going to one of
1:11:12
the
1:11:15
really big instances like like, mastodon
1:11:17
dot social. There's I think there's a lot
1:11:20
of fear of missing
1:11:21
out by not being on
1:11:24
a super super
1:11:26
large instance. They have
1:11:28
about a million accounts. The challenge with them
1:11:30
is they have a lot of
1:11:35
I mean, look, anytime you have a million people, you get a
1:11:37
lot of noise. And so they have
1:11:39
all sorts of of both
1:11:41
performance problems and moderation challenges
1:11:44
and not, by the way,
1:11:46
that they they do any any sort of a bad job. They're actually a phenomenal group of people.
1:11:48
I just sometimes
1:11:52
they don't I'm not
1:11:54
sure that's the best first for to I I
1:11:57
would say, you
1:12:00
know, find find an
1:12:02
instance that aligns with your your interests. Right? There's
1:12:04
interests like just like
1:12:06
infosec dot exchange is somewhat InfoSec focused.
1:12:11
Although, like, we don't have a rule that says you
1:12:13
only can talk about InfoSec stuff. Like,
1:12:15
I post plenty of cat
1:12:17
bug pictures and we'll talk
1:12:19
about politics and and, you
1:12:21
know, personal stuff, probably ten times more than I do about
1:12:23
security stuff. But, you
1:12:26
know, there are other instances
1:12:30
that deal with niches like
1:12:32
crafts, there's photography ones, there's knitting ones,
1:12:34
there's, you know, medical instances, there's legal
1:12:39
instances, there's news instances. So finding finding one
1:12:42
that, you know, that
1:12:44
that is,
1:12:46
you know, a bit active because if you if
1:12:48
you join one that is, you know,
1:12:51
pretty sparsely populated, you're probably not gonna
1:12:53
have you're not gonna get
1:12:55
a lot of interaction and
1:12:57
you'll get the I think you'll
1:12:59
get the wrong impression. If you find one that
1:13:02
aligns with your
1:13:02
interests, I think you'll have the best time
1:13:06
because your local timeline will
1:13:08
be filled with people who are who
1:13:10
you probably find interesting talking about
1:13:13
things that you do find
1:13:14
interesting. That makes a lot of sense. Thank you. Gotta find your
1:13:17
people.
1:13:18
Gotta find your people. Um,
1:13:22
but having said that, right, like, regardless of where you end up, unless the two, unless the
1:13:24
two instances have ended
1:13:27
up blocking each other, you
1:13:30
you can it's kind of like email. Right? You can talk
1:13:33
to anybody in the Fediverse. You
1:13:35
can follow them. You
1:13:37
can communicate back and forth. It's just if
1:13:39
you if you pick an
1:13:41
instance that interests you, you're
1:13:44
going to see
1:13:46
like, all of the content that is posted to that instance, whereas you might not see it unless you're following
1:13:48
people. That's
1:13:55
interesting. So I I have a question that that I've
1:13:58
been curious about. When you created an instance and
1:14:00
and kind of connected it to
1:14:02
the Fediverse, are you granted special powers within Mastodon? Are
1:14:04
you able to see how many instances there
1:14:06
are or see the whole universe and
1:14:09
kinda like the watcher
1:14:11
in the Marvel
1:14:12
universe? That's a
1:14:15
great question.
1:14:16
So I mean, so
1:14:18
I think the answer is
1:14:21
um, yeah. I don't I don't mean to to
1:14:24
evade the question at all. The answer is
1:14:26
is certainly yes. Um, that stuff exists
1:14:29
in the database that I have access to.
1:14:31
But on the other end, if you go to fediverse dot
1:14:33
observer, you you can see
1:14:35
it too. It's it's
1:14:38
it's pretty open protocol and
1:14:40
there's there's lots
1:14:42
of, you know, lots
1:14:44
of sites online that
1:14:46
actually do track that stuff. Yeah.
1:14:55
Um, yeah, I
1:14:56
don't I don't know if Katie, if
1:14:59
if you or Tyler, have
1:15:01
any questions, but But yeah, for me,
1:15:03
I I'm still I'm still dancing
1:15:05
between the two. I I
1:15:07
go check Twitter every now
1:15:09
and then. But it's mostly just checking it, you
1:15:12
know, because, you know, some people
1:15:14
have been communicating with over DMs there
1:15:16
for years. You know,
1:15:18
I've got my Mastodon account you
1:15:20
know, in in my name. I guess I I
1:15:22
guess that's okay. I guess that's still legal over there
1:15:25
on on Twitter,
1:15:28
so people can clearly figure out how to
1:15:30
find me over over in Mastodon. But certainly, the conversations
1:15:34
I'm having are are almost a hundred percent on on
1:15:37
Mastodon these days. So
1:15:39
it's for me, you know,
1:15:41
I mentioned I use it a
1:15:43
little bit differently. I
1:15:45
I was an industry analyst. So
1:15:47
I spent all day, every day just thinking about infosec, like, bigger problems, how
1:15:49
to solve them, that that kind
1:15:52
of stuff. And
1:15:55
it it was just an invaluable tool for me to be
1:15:57
able to go to this network that I
1:15:59
had on Twitter and
1:16:01
and pose a question. You know, or or
1:16:03
get somebody's take on something or or do
1:16:05
like a a quick survey or something like
1:16:08
that. Yeah. Oftentimes, in in
1:16:10
just like an hour or couple hours or something like that. I could
1:16:12
have these great insights on on
1:16:14
something I was brainstorming about. And
1:16:19
And, yeah, it seems to be fully over
1:16:21
into Mastodon now. So
1:16:23
it's it's, you know,
1:16:25
I found it interesting
1:16:28
how not how non sticky, you
1:16:30
know, people in in, like, product management talk a lot about the stickiness
1:16:32
of a product and how
1:16:34
you make a product sticky. Um,
1:16:38
it's yeah. I mean, all those
1:16:41
features are, you know, just weren't
1:16:43
all that important, it seems. You know,
1:16:45
it's it's where the conversation's at. So
1:16:47
I'm I'm starting to repeat myself here. Well, we'll
1:16:49
we'll see
1:16:50
where we'll see what the long term
1:16:52
holds. You
1:16:54
know, I I obviously, we don't
1:16:57
know where Twitter will go. I
1:16:59
mean, they could turn the corner
1:17:01
and release some new super Uber
1:17:03
feature and everybody, you know, runs runs back to them or, you know,
1:17:07
they they could turn
1:17:10
their corporate headquarters into a Spirit Halloween. Like, we we don't know where
1:17:13
where their
1:17:16
trajectory is. But we
1:17:18
do know that in the past, you know, my the likes of and and
1:17:20
Slashdot, like, those
1:17:23
things fell apart. Fast.
1:17:28
And and so part of me wonders
1:17:30
if that's what's going on. For
1:17:32
for my for my
1:17:35
part, I I thought that the
1:17:37
the community that had
1:17:39
formed in in
1:17:41
Twitter was, like, something that was
1:17:43
super valuable. And -- Yeah. --
1:17:46
I feared losing that and
1:17:48
not from a
1:17:50
personal standpoint, but from, like, the
1:17:52
good of the world standpoint. And,
1:17:54
you know, I had this this place
1:17:57
and I wanted to
1:17:59
to at least offer offer it up
1:18:01
as a soft landing spot. You know, from from
1:18:03
my perspective, there's a bunch of really great security
1:18:08
instances on the Fediverse.
1:18:10
You know, I have
1:18:12
one of probably
1:18:14
two or three dozen different
1:18:17
security focused instances that that are out
1:18:19
there. You know, but from from
1:18:21
my point from my
1:18:24
perspective, I'm I
1:18:26
view myself as kind of the front door.
1:18:28
So a lot of people have been
1:18:30
kind of piling into the instance from
1:18:33
Twitter, and then they they move on. Some of them
1:18:35
create their own personal instances, some move on to
1:18:37
others, some stay, and and
1:18:39
that's that's all great. That
1:18:43
is one aspect of it I really
1:18:45
like, is that we can all still
1:18:47
talk together. But,
1:18:51
you know, Mastodon like, proper, like, Germany Mastodon
1:18:53
can't enforce new features on you. Like, you're you're not even
1:18:55
running Vanilla Mastodon
1:18:59
on this instance. So ultimately, you
1:19:01
have a lot of control over what what new
1:19:04
features to adopt
1:19:06
or or not adopt.
1:19:08
Right? That's right.
1:19:10
That's right. So we we we run a a fork and probably
1:19:12
soon gonna run a
1:19:15
fork of that fork. With
1:19:20
some extra patches on top of the
1:19:22
fork of the fork because, you know,
1:19:24
that's just the nature of the
1:19:26
beast. Right? The, you know, the the
1:19:28
the core Mastodon software is great, but
1:19:30
it has certain limitations. Like, it doesn't allow longer
1:19:33
posts than one
1:19:36
of the one of the
1:19:38
things that people are are both enthralled and alarmed by when you when you first join infosec dot exchange.
1:19:43
Oh, I was shocked.
1:19:44
But I was like, I was
1:19:46
like, there's being generous and then there's just
1:19:48
ridiculous. Come on, Jerry.
1:19:51
What are you doing? That
1:19:53
that was the product of a of a
1:19:55
of a battle with with another instance
1:19:57
owner. We we
1:20:00
we kept like, raising
1:20:02
What what upping each other? And then eventually, we lost interest in it.
1:20:05
And here
1:20:08
we are. But,
1:20:10
you know, there's other there's other things like the ability to to include rich text rich text for
1:20:12
markdown,
1:20:17
you know, there's there's, you know,
1:20:19
various other features
1:20:19
that the fork gives. I'm
1:20:22
no more I'm trying to
1:20:24
improve the
1:20:26
ability to search posts on on
1:20:29
the instance. And there's there's
1:20:31
a there's now a fork
1:20:33
of the fork that provides the
1:20:35
quote, quote tweet functionality. So I'm not interested in that. So but
1:20:38
yeah. Like, I don't Is that gonna
1:20:40
be contentious and
1:20:43
divisive? You think that adding
1:20:45
in quote tweets? Probably. But I being
1:20:47
contentious and divisive is not new
1:20:49
to me now. I
1:20:52
I don't
1:20:54
controversy or or conflict, but
1:20:56
molly molly has it found
1:20:58
me since I've been there? Yeah.
1:21:01
III think well, people
1:21:03
used to say that on Twitter too. Like, once you pass a certain number of followers, like,
1:21:08
things change all of a sudden, you
1:21:10
start getting pushed back on stuff, you start getting challenged a lot more. And and
1:21:12
like you mentioned, there there's
1:21:14
a couple dozen info sec servers
1:21:18
out
1:21:18
there, people have gone and and started
1:21:20
their own. So it's it's I'm glad
1:21:22
you have that attitude towards it, you know,
1:21:24
because I I'd much rather you be
1:21:27
you know, divisive about, you know,
1:21:29
what you're gonna do with it than
1:21:31
constantly on the fence and, you
1:21:33
know, swaying back and forth and
1:21:35
stuff like that. And and so far,
1:21:38
I'm I'm I'm pretty happy with it, so I can't I can't complain.
1:21:40
Good. Good.
1:21:43
Sounds good. I'm really curious about
1:21:45
the the software forking in different instances running kind of their own
1:21:48
almost unique versions
1:21:51
of Mastodon. So if you implemented it,
1:21:54
quote tweeting, how would that be seen by the Fediverse, or would that be
1:21:55
interpreted? So it's
1:21:59
a great question. I'll
1:22:02
I'll give you a couple of examples. So, like,
1:22:05
with with the rich
1:22:07
text formatting that
1:22:09
that the glitch
1:22:12
fork provides in in a non glitch
1:22:14
instance, you'll just see the the
1:22:16
formatting characters. Like, so for a
1:22:18
bold, you'll see the two stars.
1:22:22
Before and after. And it's
1:22:25
you know, it it isn't,
1:22:27
like, totally scrambled in the
1:22:29
case of the the quote
1:22:31
quote tweets. It quite literally is just the
1:22:33
the the, you know, you
1:22:35
you have your
1:22:39
your message. And then a link to the quoted tweet. And so if you're
1:22:41
on a non, an instance that doesn't
1:22:43
support the quote
1:22:46
tweets, it looks like just a message with a link to
1:22:48
a post. Okay. That
1:22:51
makes sense. Thanks.
1:22:55
Mhmm. But I mean, one of the challenges that
1:22:58
that I I I think we have to be cognizant
1:23:00
of is that we
1:23:03
we have to not do
1:23:05
the might you know, the the
1:23:07
historical, not the current Microsoft thing, but the historic Microsoft thing
1:23:10
of, you know, embrace and extend in ways that nobody
1:23:12
else supports. Right.
1:23:16
Right. Yeah. Yeah. I wonder about
1:23:18
the I guess markdown doesn't
1:23:20
look too terrible. If you're on
1:23:23
an instance that doesn't support markdown.
1:23:25
But honestly, that's
1:23:28
been really my only frustration
1:23:30
so far is finding a markdown guide. Like,
1:23:32
I I every now and then I search
1:23:34
for it, and it's like, oh, we support
1:23:37
markdown as supported by so and so.
1:23:39
And I go over and I look at and I just can't find a guide anywhere
1:23:42
because it seems to be different from the
1:23:44
markdown that I use in Notion, which
1:23:46
is different from the markdown that I use
1:23:48
in like GitHub and
1:23:50
GitLab. Like, there's so many flavors of markdown. That's my only frustration so far. It's
1:23:55
finding a guide. It's
1:23:56
very limited. I'll I'll ping
1:23:59
you one afterwards. Okay. Awesome. Well,
1:24:02
this has been great. Thank you
1:24:04
so much for taking the time to be on
1:24:06
here and answer all our our stupid questions about
1:24:11
the the Fediverse, which is so
1:24:13
far vastly superior to the
1:24:15
Metaverse. I must
1:24:18
say. But thank you,
1:24:20
Jerry.
1:24:21
Yes. Absolutely. Thank you for having me.
1:24:23
And you spent much less than Facebook on it too. Wait
1:24:26
a bit less. Yes.
1:24:32
Alright. We'll be right back in a
1:24:34
few moments with the weekly enterprise news.
1:24:37
Managing and protecting
1:24:40
the world's early number of
1:24:42
endpoints, enabling Tanium's customers to see, control, and protect every endpoint
1:24:44
everywhere. Tanium's mission
1:24:47
is to provide certainty
1:24:50
in uncertain times with the
1:24:53
industry's only converged endpoint management. Trusted
1:24:55
by the US military and the
1:24:57
majority of the fortune one
1:24:59
hundred, Tanium helps and protects nearly
1:25:01
thirty million endpoints. Tanium, the power
1:25:03
of certainty. Visit security
1:25:06
weekly dot com forward slash
1:25:08
tanium to learn more. Welcome
1:25:10
back to Enterprise Security Weekly.
1:25:13
Follow us on Twitter
1:25:15
for live stream reminders highlighted
1:25:17
clips, memes, and more. You can find us at
1:25:19
Sec Weekly. And
1:25:24
clips are a favorite. We we've got so
1:25:26
many great clips in the show. I mean, if if you try and listen to the show altogether, it's really long.
1:25:28
So I I love the
1:25:30
idea of pulling out clips for
1:25:34
for people to enjoy because we we've
1:25:37
had some great moments in here. You know,
1:25:39
they're three minutes, five minutes, you
1:25:41
know, eight minutes long, and it's I'm
1:25:43
I'm we're we're starting to pull those out and share those. Now for the
1:25:46
Enterprise Security Weekly news, which
1:25:50
anytime we take off for a
1:25:53
few weeks, we end up with
1:25:55
a lot of news piled
1:25:58
up. And today is no different. A surprising
1:26:01
amount of news came out
1:26:03
around the holidays. Some
1:26:05
of it was not planned.
1:26:07
We've got some breaches on the list here and some
1:26:10
of it was. So
1:26:13
we're not gonna cover everything. There's thirty eight
1:26:15
stories here. You can go to securityweekly dot
1:26:17
com forward slash ESW301 if
1:26:21
you wanna check out all the
1:26:23
stories that we've shared today. But we've
1:26:25
got well, really, it's eight
1:26:27
funding items here. And the
1:26:31
first one, a sixteen z, for
1:26:33
some reason, threw a hundred million
1:26:36
dollars at at
1:26:38
another crypto startup. And this one is
1:26:40
encrypting stuff they're putting on
1:26:42
Ethereum. So that's how it
1:26:44
it found its way
1:26:47
into my security feed. Typically, like, I'll
1:26:49
just filter these out, you know, like, we'll cover web three stuff
1:26:51
if there's anything really security related. But
1:26:53
I I threw this
1:26:55
one in because a
1:26:57
hundred million is big for a
1:26:59
series b. And I I just I
1:27:02
wanted to discuss to see if anybody had
1:27:05
some insight into what otherwise just looks like
1:27:07
an encrypted read only database. Like like, why is that worth a
1:27:09
hundred million dollars? I
1:27:12
don't know. Wow.
1:27:16
Old man shouting at a cloud
1:27:18
status here. I'm I'm achieving.
1:27:20
Yeah. And my
1:27:23
first gut was, like, Holy smokes.
1:27:25
Are are they still investing in crypto? But then I
1:27:27
you know, after this whole FTX thing, I was
1:27:29
like, gosh, they're still putting money to
1:27:31
work at crypto. Crypto, didn't all
1:27:33
these institutions learn from FTX? Yeah. But it's is it crypto or is it blockchain tech?
1:27:36
Right? Those are two fundamentally
1:27:38
different things and I think
1:27:40
investing. It's
1:27:42
indirect crypto. Right? Like,
1:27:45
yeah, it's it's and
1:27:47
they might be making
1:27:49
that distinction now, you know,
1:27:52
where they they might have shifted
1:27:54
their their, you know, their their
1:27:56
funding policy and just going after
1:27:59
blockchain stuff. But still, you know,
1:28:01
I I think blockchain is
1:28:03
is probably one of the
1:28:05
most disappointing technologies? Or or maybe I shouldn't say disappointing.
1:28:07
Just it is what it is. It was
1:28:09
just most overhyped maybe in
1:28:11
the last decade. Technologies
1:28:15
over the last decade? Yeah. I mean, it's
1:28:17
it could also be a direct function
1:28:20
of just
1:28:22
a, you you know, earliness of the tech. It's been around
1:28:24
for a handful of years, which when
1:28:26
you're talking about massively transformative tech, you gotta
1:28:28
let that stuff bake in the oven a
1:28:30
long time, generally before it massively
1:28:33
transforms anything. Right? Like, think about when we first started talking about cloud compute and things like
1:28:35
that, you know, it's what? Fifteen years ago, I don't know
1:28:37
the exact dates, but it's a long time ago,
1:28:40
and we still
1:28:43
barely barely cracked, you know,
1:28:45
a large percentage of companies
1:28:47
using these these technologies.
1:28:49
And that's a massively
1:28:52
transformative tech. So I wonder if, yeah,
1:28:54
the tech's
1:28:54
important. It's just super early. Yeah. I I think a lot of it was that
1:29:00
Bitcoin hit and went up and up and up
1:29:02
and up and a lot of people felt like they missed that train earlier on. You know,
1:29:04
there's there's the joke about someone spending
1:29:06
a hundred dollars on a pizza because he's
1:29:09
they
1:29:10
bought it with Bitcoin in the early
1:29:12
days. I I
1:29:12
think a lot of it is this FOMO, this fear
1:29:14
of missing out, that
1:29:15
something crypto
1:29:15
related, something you
1:29:18
know, that it that is part of the
1:29:20
blockchain. It's
1:29:20
either they're gonna miss what it
1:29:23
is. And if they get in early, they
1:29:25
throw some money at
1:29:26
it. Maybe
1:29:26
they can ride that wave as as they go
1:29:29
forward with it. And I
1:29:30
think that's
1:29:30
part of what we're seeing with web three as
1:29:34
well. But who knows? Yeah. I mean,
1:29:36
certainly, you know, I think one of
1:29:38
the things that limited use cases for
1:29:42
a blockchain was the fact that it was completely transparent.
1:29:44
Anybody could grab a copy
1:29:46
of it. So that limited
1:29:49
your use cases. Right? But I
1:29:51
haven't seen anything before now that would prevent you
1:29:53
from encrypting at least part of the
1:29:55
data that
1:29:57
you put on there. You know, so it's
1:29:59
it's I feel like I
1:30:01
have some very recent relevant
1:30:03
insight into, like, how
1:30:05
this might be used after investigating how
1:30:07
both LastPass and 1Password
1:26:11
selectively use encryption,
1:30:13
you know? Because I I
1:30:15
think part of my And
1:30:18
we have both of stories or or the LastPass is a big chunk
1:30:20
of the breach stories that
1:30:22
we have on here today. And
1:30:27
I think the the assumption, like, when you hear of
1:30:29
these password management solutions talking
1:30:31
about vaults, you know, the
1:30:33
metaphor of a vault doesn't work
1:30:35
very well because everything inside the vault
1:30:37
is protected equally. And that's just not how encryption is used for
1:30:40
password managers. Like, 1Password
1:30:42
is a SQLite database
1:30:44
and
1:30:46
stuff that needs to be encrypted is encrypted and
1:30:48
the, you know, the stuff that doesn't, you know,
1:30:50
like, last day it was or the
1:30:52
data was created, last day it was
1:30:54
modified, last day it was used, So a
1:30:56
lot of dates in there and some of
1:30:58
the other information isn't. And the big contentious thing with LastPass is
1:31:01
they didn't encrypt
1:31:03
the URL field. Which
1:31:05
going through my old LastPass stuff, I found
1:31:07
a ton of secrets attached parameters to URLs
1:31:10
in that URL field.
1:31:16
that, you know, I think it's
1:31:18
interesting as as we start talking about
1:31:20
about encryption on
1:31:22
blockchain. So maybe it enables new use cases. It's my long winded
1:31:28
way of you know, using the
1:31:30
the password manager example.
1:31:31
What is the old saying? Encryption is easy, key management is hard.
1:31:33
So if they figured out
1:31:35
some novel approach a
1:31:38
key management that it enables some sort
1:31:40
of distributed control and
1:31:42
secure capabilities around
1:31:44
that, then maybe it could
1:31:46
be interesting. But is it
1:31:48
quantum
1:31:49
resistant? The the thing that's commonly
1:31:51
clear is, like, if
1:31:53
if we're yeah. Definitely not quantum
1:31:55
resistant. If we're talking about, like, the the cool thing about
1:31:57
Ethereum when I was researching
1:31:58
Ethereum, I did some investing in Ethereum
1:32:01
early
1:32:02
on. It's supposed to be a kind
1:32:04
of like a digital contract, digital compute system.
1:32:06
So you can write code onto the Ethereum
1:32:08
blockchain that gets executed.
1:32:10
Smart contracts. Right. Smart That gets executed.
1:32:12
And more so than smart contract business, it's not a con it is
1:32:14
a contract, but it's also you can code on top of it,
1:32:17
which makes it a
1:32:19
blockchain compute engine I mean, in
1:32:21
theory, that is the coolest idea that I've heard in a long time. It's just
1:32:24
maybe
1:32:27
so freaking early that it's just,
1:32:29
you know, I don't know, as I read
1:32:30
through this, I'm going, yeah, it's they're trying to realize exactly what
1:32:32
Ethereum was trying to realize from day
1:32:34
one just in a better way.
1:32:38
Which is a great storyline. And story lines
1:32:41
are how you get money sometimes.
1:32:43
Yeah. I go ahead and
1:32:45
do the same. So so
1:32:48
sorry. Real real quick, Sean. I was just
1:32:50
gonna say that there's a whole cottage
1:32:53
industry of smart contract scanning
1:32:55
tools. You know, look looking
1:32:55
for issues in your smart contract
1:32:58
code. Sorry. Go ahead. No.
1:33:00
Absolutely. I mean, it's Ethereum
1:33:02
is very cool that the whole
1:33:04
smart contract and approach to leveraging
1:33:06
the blockchain for not just a a method of tracking, what transactions occurred,
1:33:11
but also to have some other elements where you can have some
1:33:13
smart contract type
1:33:14
capabilities. Very, very cool. But obviously,
1:33:16
a lot of scammers have
1:33:18
leveraged that in order to extract
1:33:21
money out of people's wallets and and do some
1:33:23
interesting things. And I I think a scanner is is a fascinating way
1:33:25
to to do it.
1:33:27
I think that when you
1:33:30
have a system or a solution
1:33:32
or a technology that provides
1:33:35
amazing capability. Certainly, there's going to
1:33:37
be some the the kind of underground part
1:33:39
of that as well. It's gonna be
1:33:41
interesting to see how blockchain
1:33:43
actually
1:33:43
progresses. One of
1:33:46
the biggest limitations
1:33:46
that I'm aware of with blockchain is
1:33:48
just transactions per second. Like,
1:33:51
they're severely limiting to the
1:33:53
point where you just can't
1:33:54
realistically transact at an approach that a business or approach
1:33:57
a a business level, you
1:33:59
know, business
1:34:01
level of of what would be
1:34:03
required in
1:34:03
order to have transactions that that would
1:34:06
meaningfully run a business.
1:34:08
So that part of it is
1:34:10
always the interesting thing to me.
1:34:13
And that's a really important point for for a couple reasons. You know, and
1:34:15
I I think that is an issue with
1:34:18
some of the earlier blockchains,
1:34:20
but Yeah.
1:34:22
I've heard some were created specifically
1:34:24
to address the the transactional issue. But,
1:34:26
yeah, I think with with Bitcoin,
1:34:29
I don't know if it's still this way.
1:34:31
You know, there's some proposals to to fix this somehow, but I think it
1:34:35
was seven trans actions a second globally? Like,
1:34:38
was the the fastest you can add stuff to, you know, to the the Bitcoin
1:34:40
blockchain? But
1:34:44
even if they fix that, you know, the
1:34:46
other issue I saw with a lot of
1:34:48
use
1:34:50
cases for Ethereum is that there was still a gas
1:34:52
fee. You know, like, because
1:34:54
it was wrapped around currency, you
1:34:56
know, like a lot of these use
1:34:58
cases just wouldn't work if it cost you
1:35:01
eighty bucks a record to add a record to that blockchain. To
1:35:03
to add a record to that database like that. That
1:35:05
prices you out of a whole
1:35:07
bunch of stuff. Like
1:35:10
and and that was before the market downturn, you know, I think it was, like, eighty to a hundred dollars if you wanted to mint NFT.
1:35:15
And I think the vast majority of
1:35:17
NFTs people were minting were worth vastly less than eighty to hundred
1:35:19
dollars. I I was gonna say NFT
1:35:21
was definitely where people started hearing about
1:35:24
gas fees certainly
1:35:26
where where I did. You mentioned
1:35:28
about seven transactions a second.
1:35:31
Mastercard's network is estimated to
1:35:33
run at about five thousand transactions
1:35:35
per second. So obviously, it's an order
1:35:37
of magnitude difference between the two. And
1:35:39
and I don't know if
1:35:41
that's a solvable problem
1:35:43
until you get quantum computing? Yeah. The the credit
1:35:45
card
1:35:46
processor I joined in in two thousand one is my
1:35:50
first big career salary job back when
1:35:52
I was I was a
1:35:54
young man. We did four
1:35:57
point five million
1:35:59
transactions a day. I I
1:36:03
don't know what that comes out to in transactions
1:36:05
per second. But but, yeah, it's it's a lot more than
1:36:07
seven per second. Right? Alright.
1:36:13
Moving on.
1:36:16
Let's see.
1:36:20
Honestly, I didn't have time to
1:36:22
look into a lot of these. I am aware of VM Ray. I
1:36:24
I think that's, like,
1:36:26
a malware detection and analysis
1:36:32
tool? Yeah. So that's interesting seeing them
1:36:34
get
1:36:35
funding. You know, I've
1:36:37
I've not seen malware analysis
1:36:39
in in detection last decade were were
1:36:42
huge. You know? FireEye, you
1:36:44
know, had all these companies
1:36:46
selling appliances that would do it
1:36:48
on prem for you. You
1:36:50
know, they take malware that had never been seen before and and analyze it for you.
1:36:56
And, obviously, still an important
1:36:58
tool. I I think for some on the I don't know,
1:37:04
Sean, if if if you have
1:37:06
any insight on on the relevance of malware analysis,
1:37:08
the the automated
1:37:11
malware analysis these days, do
1:37:13
we need another virus total or what's the other big
1:37:16
one? I think it
1:37:18
was a Korean tool, Hybrid
1:37:20
Analysis.
1:37:23
Yeah. I I think one of the biggest challenges with what we've
1:37:25
had as far as automated tools like
1:37:27
virus total is
1:37:29
it it says or at
1:37:31
least what a lot of people expect is that they upload a sample
1:37:33
and it runs against a number
1:37:35
of different
1:37:38
antivirus type
1:37:39
engines. However,
1:37:39
the cloud components of those engines usually aren't captured as
1:37:41
part of
1:37:42
that. So it may say there's no
1:37:44
detection on virus total for it,
1:37:46
but when you actually run it against
1:37:48
whatever that standard antivirus is. It uses the cloud
1:37:50
component of that, and it detects that that, yes, this is actually malicious.
1:37:55
I think the the automated elements of of
1:37:57
scanning across a number of things
1:37:59
that we're seeing in the
1:38:02
industry is pretty interesting, especially
1:38:04
around malware because what is malware? It's something
1:38:06
that's doing something that we don't want it to. There's ways to evade, there's ways to
1:38:08
make it look
1:38:11
like it's
1:38:12
normal. Certainly, there's a lot of
1:38:14
different
1:38:14
techniques for malicious code to evade detection. One is to
1:38:16
check to see if
1:38:18
it's actually in a VM.
1:38:20
Most people do not run code or run an application
1:38:22
in a in a virtual machine. They're actually running it on their computer, which
1:38:26
is typically a laptop.
1:38:28
So if the malicious code can detect that it's
1:38:30
a new VM or some sort of virtual container, it
1:38:33
very often can
1:38:35
identify that that hey, this is
1:38:38
being analyzed and maybe I can just go ahead and show that this is it's not doing
1:38:40
anything untoward that
1:38:42
that would be an affected
1:38:46
and should be normal. So I
1:38:48
think that if there are some novel
1:38:50
approaches to how to better detect
1:38:53
malware, and better extract what those what
1:38:55
those elements are that are malicious, then sure. Let's let's see
1:38:57
what can be
1:39:00
done
1:39:00
here. I think there's
1:39:02
room for improvement for sure. Does anyone else
1:39:04
hear the name CyberCube
1:39:06
and think of the Borg? Or
1:39:10
is it just my yes. I do. Yeah.
1:39:13
The name the name
1:39:14
gave me pause for sure. That's
1:39:16
the name of
1:39:17
their ships. Right? Like like, if if
1:39:19
I were to just see the Borg, you
1:39:21
know, and and need to come up with a name for their ships, I would
1:39:23
go with CyberCube.
1:39:28
That's the biggest news on that fundraising, not
1:39:30
that they raise whatever they raised fifty million for growth.
1:39:32
What what really matters on that news
1:39:34
is the name of their company. Yeah.
1:39:39
And they it looks like
1:39:41
they're I forget the I forget the
1:39:43
acronym for this, but
1:39:45
basically companies that cyber insurance
1:39:48
vendors basically outsource, you know,
1:39:50
the the job of determining,
1:39:52
you know, how how much
1:39:54
of a policy to approve you
1:39:56
know, how to price the the
1:39:59
the
1:39:59
insurance policies. And it's my understanding that's that's kinda where CyberCube
1:40:03
is at. "They enable reinsurance placement" is the terminology
1:40:05
in their website and trying to
1:40:07
translate that underwriting decisions.
1:40:11
Yeah. So we've seen a lot
1:40:13
of these and we've got
1:40:15
more to talk
1:40:17
about cyber insurance later. I think
1:40:19
one of them is questioning whether
1:40:22
or not cyberattacks can
1:40:24
continue to be insurable if they
1:40:26
continue at the at the current
1:40:28
rate. And then
1:40:30
another one is is basically
1:40:32
Ohio Supreme Court saying ransomware is not
1:40:35
insurable under physical damage policy. Which,
1:40:39
you know, I think most people are gonna
1:40:41
say duh. Like, you know,
1:40:44
but, you know, it
1:40:46
just I I
1:40:48
think further shows that that it it's a challenge to
1:40:50
get insurance to pay out on this stuff, and it's gonna
1:40:52
be more of a challenge in the future. And
1:40:54
I think there's gonna be a lot more
1:40:58
situations where, you
1:41:00
know, there's there's a catch
1:41:02
to your policy where, you know,
1:41:05
they they need to determine
1:41:07
if it's, you know, worth paying
1:41:09
out whether you're a negligent
1:41:11
or not. That
1:41:13
that kind of thing. So
1:41:15
interesting to see how that goes.
1:41:15
Some experts on in the
1:41:17
past and they certainly know a lot more
1:41:19
about cyber insurance than I do,
1:41:21
but it seems to me
1:41:24
based on everything
1:41:25
we've heard and all
1:41:27
the research I've done and and
1:41:30
talking to people about their plans,
1:41:32
that Well,
1:41:34
first of all, this isn't atypical of
1:41:37
the insurance agent industry.
1:41:40
But that It's
1:41:42
almost insurance is supposed to be a CYA. Right? But it's almost impossible
1:41:44
in the majority
1:41:47
of cases because technology,
1:41:52
the digital e commerce, cybersecurity is
1:41:54
so complicated that there's always gonna
1:41:57
be a layered problem, a
1:41:59
layered issue, a layered attack
1:42:02
progression, and so there's
1:42:04
always gonna be a way
1:42:06
that an insurance company can say, oh, you did
1:42:08
these twenty seven things, but
1:42:10
the twenty eighth one is
1:42:12
where the problem was. And --
1:42:14
Yeah. -- because this is not a
1:42:17
very clear it's not like
1:42:19
a car accident. If somebody
1:42:21
runs a red light or
1:42:23
if somebody changes lanes without looking, like, these are not
1:42:27
straightforward types of events.
1:42:30
And so there's always going to be something that gives
1:42:32
an insurance company
1:42:35
an opportunity to
1:42:38
say, no, you don't qualify because
1:42:40
you are negligent here. So
1:42:42
that really makes me question
1:42:45
the whole industry
1:42:46
really. Not cyber security. The insurance the cyber industry.
1:42:49
Insurance industry. Yeah. Yeah. So I
1:42:51
think this nicely dovetails into
1:42:56
let's see. Number I don't know
1:42:58
which number twenty two. So Rackspace,
1:43:00
Sean, would you if
1:43:02
you were Rackspace's cyber insurance
1:43:07
policyholder. Would you pay out on that policy
1:43:10
in
1:43:10
their case? Well, given that I've
1:43:12
worked with cyber insurance companies
1:43:14
in the past, I don't know that I can respond to that directly, but I
1:43:16
will say that one of the things that could
1:43:18
be a limiting factor for any insurance
1:43:22
policy payment would be
1:43:24
potential negligence. And that term has certain
1:43:26
meaning in in different areas. If something if
1:43:29
a patch was released for
1:43:31
a certain product, In the
1:43:33
case of Exchange, it was released and it it determined that was was the
1:43:35
reason why the the Rackspace
1:43:38
Exchange environment was breached.
1:43:42
Then that could be something that would could make that
1:43:44
a a situation where a cyber insurance provider
1:43:46
might
1:43:46
say, no, we're not gonna pay on this
1:43:49
because you didn't do your due
1:43:50
diligence. Or didn't do what most people would feel was
1:43:53
appropriate. Now Kevin has
1:43:55
Kevin Beaumont's post on
1:43:58
Mastodon has a ton of information that he
1:44:00
has broken down as he has he's done in
1:44:02
the past on many
1:44:03
other topics
1:44:03
around exchange, and he's been focused on
1:44:06
exchange security for a number
1:44:08
of years and highlighting issues with
1:44:10
Exchange configurations. I used to run
1:44:13
Exchange and Exchange servers before, including one personally at home, which
1:44:15
I stopped a long time ago, thankfully. Exchange, it's
1:44:18
very difficult to get
1:44:20
right. It's
1:44:23
been around for a very long time. I remember working with the
1:44:26
Exchange four four point o.
1:44:28
And a lot of
1:44:30
things that exchange servers need in order to process
1:44:32
email and to operate correctly is
1:44:34
Internet
1:44:34
access, which means that you have
1:44:36
to have a connectivity into your Exchange
1:44:39
server not just for SMTP, your standard
1:44:41
exchange interactivity or email interactivity,
1:44:43
but also
1:44:45
the exchange
1:44:46
components. You're talking about Outlook Web Access.
1:44:48
You're talking about other other
1:44:50
components such as the the mobile
1:44:54
accessibility. So all
1:44:56
of these add pathways for attackers
1:44:58
to connect in, and certainly if
1:45:00
there's a known vulnerability, that's
1:45:03
a significant issue. A lot of
1:45:05
-- or a number of the exchange vulnerabilities
1:45:07
that have come out over the past
1:45:09
two or three years are things that were active
1:45:11
in the wild. I've said before that
1:45:14
if you're running an Exchange
1:45:16
Server that you probably really
1:45:18
should be looking at a hosted
1:45:20
provider. At this point, Rackspace themselves has
1:45:22
shifted everything over to Microsoft three sixty
1:45:24
five. Yeah. They shut it down. It was
1:45:26
so
1:45:26
bad. They shut the whole thing down.
1:45:30
Yeah. Yeah. So when you get to
1:45:32
the point where even a hosted
1:45:34
provider feels like Exchange is best
1:45:36
hosted and run by the vendor
1:45:38
Microsoft, then this is definitely a gut check for twenty
1:45:41
twenty three for anyone who still has
1:45:43
on prem exchange servers because it
1:45:45
is difficult to to
1:45:48
to secure And then you have the whole situation
1:45:50
where you have hybrid, where you have exchange servers on prem that have mailboxes as well as those that
1:45:52
are in Microsoft three
1:45:54
sixty five as well. So
1:45:58
Yeah. It's it's not an easy thing. And
1:46:00
running exchange, securing exchange is a big
1:46:02
challenge, and there's a number of
1:46:05
ways to compromise Active Directory by
1:46:07
compromising Exchange. So The whole thing
1:46:09
ties together and results in a
1:46:11
very bad day for folks who
1:46:13
are not actively patching and ensuring
1:46:16
Exchange is
1:46:16
updated.
1:46:18
breach. I mean, just just the scale
1:46:23
of it and it's interesting because the
1:46:25
scale of Rackspace is pretty big. This is a three billion dollars revenue company. So
1:46:27
not quite as big as
1:46:30
most of the big public
1:46:33
cloud players. But their hosted exchange product was only one
1:46:36
percent of their thirty
1:46:38
billion revenue. They said around
1:46:42
in their 8-K, they
1:46:45
said around thirty million
1:46:47
per year was what they
1:46:49
made there. But the number of customers, we don't have an
1:46:51
exact number, but it's either thousands or tens of thousands. And to
1:46:53
give you an idea
1:46:55
of the scale, of
1:46:58
small and medium sized businesses that
1:47:01
were running hosted exchange
1:47:03
with Rackspace. Rackspace hired
1:47:05
a thousand people just
1:47:07
to handle the port requests between December
1:47:09
second and and I guess still
1:47:12
maybe today. They say
1:47:14
they've gotten three quarters of
1:47:16
their customers moved
1:47:18
over to to to Microsoft 365,
1:47:23
and they have recovered. I I don't know
1:47:25
if they said how much of the data they've recovered, but it looks like they're
1:47:28
on track
1:47:31
to recover most of the the hosted exchange
1:47:33
data. Basically, their their CrowdStrike came in and helped
1:47:36
them clean up each
1:47:38
of those hosted exchange servers.
1:47:40
And they're bringing them carefully online one at a
1:47:42
time, extracting all the mail data as a PST, handing that
1:47:45
off to customers so that they
1:47:47
can then import it into Microsoft
1:47:50
365. But yeah.
1:47:53
So so on the one hand,
1:47:55
I've gotta say very impressive how they
1:47:57
how they handled it. You know, a
1:47:59
company that that has always referred to
1:48:01
their own support as fanatical, you know, so
1:48:03
they had no choice,
1:48:06
but you know you know, throw throw
1:48:08
everything they had and and more
1:48:10
into responding to this and and
1:48:12
taking care of customers. But at the
1:48:14
same time, there there's no word on
1:48:17
whether the attackers exfiltrated
1:48:19
any of that data.
1:48:21
So having worked breaches before, that's always where you get
1:48:23
very cagey and language as far
1:48:26
as
1:48:27
what you admit what you agreed
1:48:29
to, what you see is has actually occurred. Certainly,
1:48:31
as CrowdStrike does
1:48:31
their their investigation
1:48:34
works on the incident
1:48:36
response, more information will
1:48:38
be forthcoming through Rackspace. It's a challenge when to
1:48:41
communicate publicly, what you've
1:48:43
identified, and how, as
1:48:47
well as obviously what is the
1:48:49
liability that, say, Rackspace might have
1:48:51
in the
1:48:51
situation, especially if they
1:48:54
have local government
1:48:55
customers, which Kevin in his post has has pointed
1:48:57
out that there's a number of local government customers that host their email on
1:49:00
Rackspace or
1:49:03
at least have I think one of the things that
1:49:05
Rackspace customers are gonna start looking at is, okay, well, do we continue with Rackspace or do
1:49:07
do we just
1:49:10
directly switch over to Microsoft? matters
1:49:11
if Rackspace is ultimately hosted
1:49:14
being or Rackspace email
1:49:16
is ultimately being hosted
1:49:18
by Microsoft three sixty five.
1:49:21
But, yeah, it's it is a an interesting
1:49:23
situation because as we've seen with LastPass, there's
1:49:25
information that has come
1:49:27
out over time. And
1:49:30
with really any breach. There's information that
1:49:32
comes out over time. The first thing
1:49:34
that's admitted is that there was
1:49:37
a breach they're evaluating and identifying
1:49:39
what what was actually what
1:49:39
was affected as part of that.
1:49:42
You start identifying, okay, what level
1:49:44
of customer information was
1:49:46
was affected? Because that's one
1:49:48
category, if there was privacy information that was
1:49:51
affected or in Europe, if it's GDPR, how
1:49:55
these things impact what
1:49:57
the company needs to do. And were there
1:50:00
response times on certain things? Because that matters also.
1:50:02
A lot of companies have contractual obligations
1:50:04
to respond and notify
1:50:06
a customer if certain types of information was breached or exposed. It doesn't necessarily
1:50:09
have to show
1:50:11
that it was captured
1:50:14
exfiltrated, downloaded to
1:50:16
to an attacker, but it was it
1:50:18
exposed. And so there's different levels
1:50:21
of responsibility that companies have depending on what space they're
1:50:23
in. So Rackspace is certainly gonna be going through that process
1:50:25
with CrowdStrike to help
1:50:28
them identify
1:50:30
what
1:50:30
was affected, what level of diligence do
1:50:33
they need to do from this point forward?
1:50:35
I do find it very interesting
1:50:37
that they had termed the customer mailbox
1:50:39
data that was
1:50:39
hosted on Rackspace's legacy and is providing a PST file that
1:50:41
can be downloaded for
1:50:44
the customer. Migrating
1:50:47
a lot of data takes time, and the
1:50:49
easy button is really export
1:50:51
to PST because there's a
1:50:53
native function for that. As part of the old old
1:50:55
school migrations for Exchange, I remember
1:50:58
migrating Exchange Mail data from
1:51:01
Exchange Server to Exchange Server, and
1:51:03
it was a huge pain from an older system to
1:51:05
a newer system. So, absolutely, I
1:51:07
understand why they would
1:51:10
wanna just export that and provide it to
1:51:12
the customers and have them have them kinda do the
1:51:14
work. But that really sucks going into January twenty
1:51:17
twenty three. And now
1:51:19
all of a
1:51:20
sudden, as your maybe the
1:51:22
one IT support person has to then figure out how to download and import
1:51:27
dozens, if not hundreds of
1:51:27
PSTs. That that cannot
1:51:30
appear by some PST.
1:51:32
Yeah. How
1:51:34
big are those
1:51:36
PSTs? They're gonna be big, especially if
1:51:38
the customers have had mailbox data in there
1:51:41
for a while.
1:51:44
I mean, Yeah. I I don't think you're
1:51:46
too far off. There there's gonna be some that are very,
1:51:47
very large. Would that be a single PST per
1:51:50
exchange server or per certainly
1:51:54
not per account on the
1:51:56
Exchange
1:51:56
Server. That that would be nuts
1:51:58
and stuff. It's it's per account. Yeah.
1:52:00
So each mailbox is its own
1:52:03
PST. Yeah. Yeah. So that's a lot of PSTs. Some of those
1:52:05
are gonna be pretty big, especially with people that
1:52:07
I mean, after a
1:52:10
while, once I think Gmail dropped the the super large
1:52:12
mailbox sizes, then everyone else was
1:52:14
like, yeah, we'll do large mailboxes
1:52:17
sizes. I remember when Gmail was
1:52:19
first announced,
1:52:19
And everyone's like,
1:52:19
are you crazy? There's no way you can provide a
1:52:22
gig mailbox. Like, that isn't just not
1:52:24
possible. And it was like,
1:52:26
oh, no. We didn't get it.
1:52:29
Yeah. Yeah. And then I I think it maxed at, like, seventeen gigs, and then they
1:52:31
were like, yeah, you need to delete some stuff. You don't you
1:52:34
don't need all this
1:52:36
crap. Because
1:52:38
there are database limitations on the on the
1:52:40
back end. I mean, exchange has has upped and increased
1:52:41
those sizes over over years. So, yeah, there could be some that
1:52:44
are gigabytes multi
1:52:47
gigabytes to
1:52:48
tens of not hundreds of gigabytes
1:52:49
downloading and importing those are gonna be a
1:52:52
real big
1:52:54
pain. Especially since they have to get downloaded from
1:52:57
Rackspace and then then
1:52:59
ultimately uploaded into
1:53:01
Microsoft Office three sixty five.
1:53:03
Into into that environment, assuming that the the IT support personnel at
1:53:06
each of these different companies that are
1:53:08
customers of Rackspace
1:53:10
even decide to do that. They
1:53:12
may just provide the the PST
1:53:14
files in the user's home drives and say, here's
1:53:17
how you can connect
1:53:19
that to Outlook. It's probably what I would
1:53:21
do initially and then figure out what the migration process would be, maybe even getting the last
1:53:24
six months of email
1:53:26
imported
1:53:27
in. But, yeah, it's not
1:53:29
what you wanna wake up to
1:53:31
in the New Year, unfortunately. You know, when
1:53:33
this began, when this breach began, when I first saw
1:53:36
this announced, I
1:53:39
went to Intermedia's website to see if
1:53:41
they still did exchange hosting and and
1:53:43
they did, and it was there. Now
1:53:45
when I go there, I don't see
1:53:47
it on
1:53:47
the website. Yeah. I'd imagine a lot
1:53:50
of hosting providers are are looking at risk and looking
1:53:52
at what the the value
1:53:54
is. I mean, as was said,
1:53:57
this is one percent of their revenue. So, obviously, not that big
1:53:59
of a big shift north of that. No. Not at
1:54:01
all. And I I would
1:54:04
I would probably predict
1:54:06
that that anyone else that's that's doing actual exchange, hosting is probably just gonna
1:54:08
shift over to m
1:54:10
three sixty five as
1:54:12
well. Because this is
1:54:14
it's just not worth it at this point
1:54:16
when you look at the price. The like,
1:54:18
you you're you're scraping you're scraping for
1:54:20
profit on it anyway because you're hosting your
1:54:22
own own initiative. Their stock got hammered, you know. And they're they're I'm sure paying
1:54:24
out the nose for CrowdStrike
1:54:27
to come in and
1:54:30
and do all the stuff that they're doing. And,
1:54:32
yeah, it's just not
1:54:33
worth it. No. Breaches are very
1:54:35
costly. They're very expensive, and it's not
1:54:38
just the cost of the the actual incident
1:54:40
response company. It's the cost of
1:54:42
your personnel. People get burnt out.
1:54:44
They work eighty, a hundred, a hundred and twenty hour
1:54:46
weeks. They get burnt out
1:54:48
quickly. And before you know it, you
1:54:50
lose some of your best people. And then, of course, there's the brand reputation issues behind
1:54:55
that. So yeah, it's it's not a good day for them for their
1:54:57
their operations and and support
1:54:59
folks as well. Yeah.
1:55:04
Yeah. So speaking of breaches, LastPass
1:55:06
is the other big one, that actually happened
1:55:11
last August. But it was December twenty second when
1:56:13
LastPass updated the
1:55:15
blog post. Added an
1:55:18
update to that that blog that
1:55:20
they originally posted in
1:55:22
August, that was very confusing to a lot of people. You
1:55:24
know, it the
1:55:27
blog post still said we recommend our customers take
1:55:29
no action. But at the same time,
1:55:31
they're they're like, yeah, they
1:55:33
they they got all the data. They get all
1:55:35
your all your vaults are are gone. And it
1:55:37
was unclear what was encrypted in
1:55:39
those vaults
1:55:41
and what wasn't they didn't have, like,
1:55:43
you
1:55:43
know, a distinct list. They just said,
1:55:45
you know, some stuff is encrypted, like,
1:55:48
for example, you know,
1:55:50
they listed a few examples. And,
1:55:52
you know, didn't didn't generate a whole lot
1:55:54
of confidence that that blog post. And in
1:55:57
fact, the way
1:55:59
it was worded a lot of folks
1:56:01
through the holidays thought that it it was saying
1:56:04
that one
1:56:07
type of field was encrypted and other types of
1:56:09
note fields were not. And I think that's where most people put their backup
1:56:11
codes if they use 2FA
1:56:14
and they're told to save their backup
1:56:16
codes. I think most people
1:56:18
just dump them into the notes field of that password entry. You know, so a lot of people are saying,
1:56:20
oh, crap. You
1:56:23
know, all my backup codes. You
1:56:25
can bypass 2FA on all my accounts. And a lot of people spent the
1:56:28
holidays, you know, resetting all
1:56:30
their accounts going one by one
1:56:32
through hundreds
1:56:34
of accounts that they had stored in in LastPass
1:56:37
and resetting those. But I I
1:56:39
spent some time actually downloading
1:56:42
I found a GitHub project that
1:56:44
allowed you to pull your vault. You know, it it told
1:56:46
you how to pull it out of the browser because it
1:56:48
actually gets loaded
1:56:51
into the browser. So you can actually
1:56:53
download the your entire password vault using dev
1:56:56
tools in
1:56:59
Chrome. Out of your browser, and then it gave you the ability
1:57:01
to parse it into a
1:57:03
CSV, either encrypt it
1:57:05
or you could choose to decrypt
1:57:07
it. If if your master password. And and I
1:57:09
did that and I compared both the
1:57:12
encrypted
1:57:13
and decrypted version,
1:57:16
finally answered all my questions that the press
1:57:18
release that the blog post should have answered. So it seems
1:57:20
like it's still gonna be
1:57:22
a theme in twenty twenty three,
1:57:24
Same thing with Slack's press
1:57:26
release over over their breach that happened over the holidays, which was GitHub related.
1:57:29
Similar to Okta's
1:57:32
GitHub related, source
1:57:35
code compromise. These
1:57:38
press releases really
1:57:40
aren't given
1:57:42
customers much confidence, I think, and and they're not answering the
1:57:44
questions they need to answer. Yeah. And
1:57:46
it's it's
1:57:47
a black eye for the industry
1:57:49
as well because when you're looking
1:57:51
at something that that should be
1:57:53
secure. I mean, you said it earlier, Adrian, a vault is
1:57:55
a vault. Like, we're we're
1:57:58
used to
1:57:59
the the physical representation of a vault, you put your
1:58:01
money into that vault. You lock it. It's
1:58:03
closed. Everything inside that vault
1:58:06
is locked. So the concept of having some fields that are
1:58:08
encrypted and other fields that aren't is
1:58:10
very confusing and doesn't doesn't actually
1:58:14
show that that vault that
1:58:15
that Vault approach is is the is the right
1:58:17
one or is the right way to to refer
1:58:20
to
1:58:22
it. And certainly,
1:58:23
LastPass, having this issue affects all the others
1:58:25
as well because it's erodes trust.
1:58:27
People then start going, alright.
1:58:29
Well, maybe I should buy
1:58:32
that notebook. From Target or Walmart and just go
1:58:34
ahead and start writing my passwords down in that. Keep that right
1:58:36
next to me
1:58:39
because that's more secure relatively
1:58:41
-- Right. -- than a vault that's stored in
1:58:43
the cloud that potentially others could access. So, yeah,
1:58:47
it's it's not a good thing, and it's been tough enough getting people to
1:58:49
even move to a
1:58:51
password vault system. Where
1:58:55
they they are using better passwords because the system generates
1:58:57
them or not. At this point, I'm just
1:58:59
telling family members
1:59:01
to go ahead and use the Apple
1:59:03
vault that that's that's built the Apple products because it's it's
1:59:06
a little first of all,
1:59:08
it's integrated. And
1:59:10
second of all, it just works And the third point of good
1:59:12
at securing data or at least hopefully so. But
1:59:14
it all comes down to trust just like
1:59:16
all these things in cloud.
1:59:19
We we have to We have to have
1:59:21
some level of trust when it comes to these systems and when that
1:59:23
trust is eroded by something like Rackspace
1:59:26
or something like
1:59:28
LastPass, then it makes it more difficult. It
1:59:30
makes it more difficult for people to be able to do the things that are going to help them with their
1:59:35
security ultimately. And I was just going
1:59:38
to break what you said, Sean,
1:59:40
about you know,
1:59:43
it's been hard enough to to move
1:59:45
people to a password vault. You know,
1:59:46
I still know
1:59:47
a lot of people who are not in security, not
1:59:49
in tech, who who don't even
1:59:51
know what it is, and
1:59:53
think that the idea of a password vault is just so complicated and confusing. And when
1:59:56
really
1:59:59
just not, And I don't
2:00:02
know how much
2:00:03
this hit the mainstream. Probably not as much as
2:00:05
it is in our minds,
2:00:07
but but it
2:00:09
Like he said, again, it is
2:00:12
a black eye on the industry.
2:00:13
On on one hand, but on the
2:00:15
other hand, if if
2:00:18
you're that giant target,
2:00:20
you know, obviously,
2:00:21
attackers are gonna be trying to
2:00:23
come after
2:00:24
you.
2:00:24
Doesn't make it any
2:00:26
easier for those of us who have vaults and
2:00:28
and we know that they
2:00:31
can be compromised just as
2:00:33
easily as anything else if if
2:00:35
property proper measures aren't taken, but, you know, the
2:00:37
sure doesn't go a long
2:00:39
way for our credibility as
2:00:42
security practitioners when we say,
2:00:44
hey, use these security tools,
2:00:46
and then the security tools themselves are breached. Because in the mainstream, it is
2:00:52
it's still really hard to
2:00:54
convince people that cybersecurity matters. Yeah. And these are not
2:00:58
just consumer tools. Are are not just business tools. These are consumer
2:01:00
tools as well. So, you know, Pat, we we've
2:01:02
a lot of us have been spending years
2:01:04
trying to talk family and
2:01:06
friends into using password managers And
2:01:09
man, you know, LastPass making us look
2:01:11
bad. Yeah. I mean,
2:01:13
I even got my father
2:01:15
to go on, like, the
2:01:18
family plan and the upgraded plan and,
2:01:20
you know, it it it's just
2:01:22
hard because this is not the first
2:01:25
password vault
2:01:26
breach. Right? It's it's hard to say with any credibility. Hey, use this. You'll be better off.
2:01:28
And then, oh,
2:01:31
by
2:01:31
the way, spend
2:01:34
forty hours updating all three thousand of your passwords. Yeah.
2:01:36
I I I'm
2:01:39
still working through mine. I
2:01:42
I mean, I hadn't touched it since
2:01:44
twenty
2:01:45
eighteen, twenty nineteen maybe, because
2:01:47
I worked for some companies
2:01:49
used it. So I ended up using
2:01:51
it for some personal stuff as well and some side projects
2:01:53
like we used it for a little while for for
2:01:56
BSides Knoxville. And
2:01:58
so, like, I've got this mishmash of all
2:02:00
this stuff that that I've just got
2:02:02
a one by one go through
2:02:05
and clean up. And as I'm going, I'm
2:02:07
looking at that URL field and saying, okay, you know, can
2:02:09
I take this string and log in? Because there's a lot of parameters
2:02:11
that are just token equals and
2:02:15
it's like an OAuth token. You know, sometimes OAuth tokens
2:02:17
never expire or don't expire
2:02:20
for
2:02:21
years. So it's
2:02:24
a mess. It's a mess. I
2:02:26
I can't
2:02:26
believe they didn't encrypt that URL field. That that was one password says. I
2:02:31
checked on that. It was something
2:02:33
I was thinking about when when it was announced, I don't know, years ago, when when we found
2:02:35
out LastPass didn't
2:02:38
encrypt the URL field.
2:02:41
And I thought the same thing, Adrian,
2:02:43
that there's a lot of data that's passed through that
2:02:45
when my my bank years and years ago is probably twenty
2:02:48
years ago, fifteen
2:02:51
years ago, started providing online access to the
2:02:53
bank and the associated credit card with it.
2:02:55
I started looking at the URLs and
2:02:57
saw that it was passing the full
2:02:59
credit card string in the
2:03:01
URL. So things like that could definitely be be have been captured
2:03:03
in that URL field. So not only do we need
2:03:05
to change passwords, but we should be checking
2:03:07
to see what
2:03:11
what actually was
2:03:11
put into that URL field when we added the
2:03:13
URL. I stopped putting URLs in it
2:03:15
at all once I found
2:03:17
out that it wasn't encrypted. Just because
2:03:19
I I like pain when I'm
2:03:21
trying to log in to
2:03:23
site. But you're right. I mean, I
2:03:25
did the same thing. I took this
2:03:28
recovery password recovery pins and and information
2:03:30
and put that into the notes field
2:03:31
because, of course, notes would be encrypted. Right? And I
2:03:33
think there's still some uncertainty on
2:03:35
that. I I think there's
2:03:38
probably a no uncertainty just just to
2:03:40
clear that up. Okay. I checked on
2:03:43
that. There's only one notes field
2:03:45
and it is encrypted in LastPass.
2:03:47
So the
2:03:47
the only
2:03:48
I I mean, there's a couple other
2:03:50
fields that are unencrypted, but but the big
2:03:54
The big one that's unencrypted for LastPass is the
2:03:57
URL field. Everything else you would
2:03:59
expect to be encrypted, the username
2:04:01
field, the password field, the
2:04:03
the notes field, is all encrypted. So
2:04:06
the idea of secure notes and notes that are part of other
2:04:10
entry types
2:04:13
is just branding, product branding stuff. There is
2:04:15
only one notes field and any entry
2:04:17
you have in
2:04:19
in LastPass that
2:04:22
has a notes field goes in
2:04:24
that same encrypted notes field. So
2:04:26
just to clear that up for for
2:04:28
for people listening, I I spend
2:04:31
a lot of time over
2:04:33
the holidays verifying that
2:04:34
manually by picking apart my vault. Yeah.
2:04:37
Well, I was there was a a person posting on Twitter, and at the moment,
2:04:39
I forget who it was, who went through entire breakdown
2:04:43
of the entire Last
2:04:45
Pass situation over over the Christmas break and spent a lot of time evaluating notes
2:04:47
or encrypted versus not.
2:04:50
And it seemed like it
2:04:53
was pretty certain that they were encrypted, but there wasn't a
2:04:55
good answer on it. So I'm glad to hear that, they are. Yep.
2:05:00
And And it's just so
2:05:03
unfortunate that, you know, as cybersecurity practitioners, the industry has spent years talking
2:05:05
about. Compliance doesn't
2:05:08
equal security. And
2:05:10
yet when it comes to
2:05:12
these breach announcements and
2:05:15
these notifications, they're doing
2:05:18
the minimum required by law to meet compliance,
2:05:20
and so they are
2:05:22
there by not doing
2:05:25
right by their customers.
2:05:27
And it's just, like, the whole confusion
2:05:30
around the secure notes thing.
2:05:32
Like, that that's part
2:05:33
of my rant on on press releases
2:05:35
here and breach press
2:05:38
releases.
2:05:38
You know, I I think a lot of these companies are just actively doing damage to their image
2:05:41
by not being as
2:05:43
transparent and as specific
2:05:47
as they should be. And these and and I understand these
2:05:49
releases have a lot of like
2:05:51
like, public companies have to
2:05:53
think about what they're required
2:05:56
to say they've got different audiences. They
2:05:58
they've got investors, board members, you know, you know, regulators reading
2:06:00
these press releases so they've got to
2:06:02
say the right things for them. I've
2:06:06
I've seen plenty of companies have, you know,
2:06:09
like like the generic public statement.
2:06:11
And then they do a blog post
2:06:13
and they're like, okay, here's a technical
2:06:15
breakdown of what was compromised what was exposed and what
2:06:17
wasn't. There's no reason you can't do that. That that that
2:06:19
I'm aware of at least. I've seen
2:06:21
tons of companies do it right,
2:06:24
so it's frustrating when
2:06:26
these companies actually create more problems for
2:06:28
themselves. You know, because I wasn't the
2:06:30
I found I wasn't the only one
2:06:34
you know, to read that press release or
2:06:36
or the blog post as,
2:06:38
you know, there's different types of
2:06:40
notes field. You know, one is
2:06:42
encrypted, because they call one secure notes, and then there's
2:06:45
just notes, you know. So I I
2:06:47
assume there were two notes
2:06:49
fields. And no, they just implied
2:06:52
that in their post
2:06:54
and created more problems for
2:06:56
themselves. So yeah. Same
2:06:58
thing with Slack, you know, red red
2:07:03
Slack's latest one. Where they share some
2:07:06
information, but they they create more questions than the answer with with
2:07:11
their post. You know, they they say code were private code
2:07:13
repositories were accessed by
2:07:16
attackers, but they
2:07:18
weren't, like, the the
2:07:20
Slack code repositories. So, you
2:07:22
know, you're left wondering, okay, what what were they then? What was compromised?
2:07:24
So, you
2:07:27
know, it seems like it would have been easy to answer all the
2:07:29
questions ahead of time there. And it's just
2:07:32
frustrating to
2:07:34
me. I think they're creating more problems for themselves than
2:07:36
they need to. Yeah.
2:07:37
And it it seems like sorry. Back
2:07:39
to the LastPass thing, it seemed like a
2:07:41
lot of the the the biggest issue with it is
2:07:43
that if you're if the strength of
2:07:46
your password, your master password for LastPass is is weak, then
2:07:48
you have more of a problem.
2:07:50
And it's more likely that you're
2:07:53
your vault could be exposed. Whereas if you had a stronger master password, then probably you
2:07:55
be okay. And I think
2:07:58
that that's part of the other
2:08:02
concern and challenge around the LastPass situation.
2:08:04
Is the is the that it
2:08:06
could affect this person worse than
2:08:09
this person especially if they used an email
2:08:11
address that's public that's well known. It it just doesn't give
2:08:14
a good feel for
2:08:16
the people that have used it. And
2:08:19
so that's why I think we're seeing a lot of people migrating off into 1Password or elsewhere. Yeah.
2:08:25
And before we wrap up today, I know there's a ton of stuff
2:08:27
here. We're we're just not gonna have time to discuss. But
2:08:32
Tyler, I wanted to kind of zoom
2:08:34
out, you know, we do have some funding items, but we also have some layoffs here. So
2:08:37
I I
2:08:40
think it's interesting juxtaposition, you know, that that
2:08:42
we're still seeing, you know, LP
2:08:44
money, you know, that that needs to
2:08:46
be spent, you know, VCs are are
2:08:50
spending that money. But then
2:08:52
all the acquisitions, I I don't know if
2:08:54
it's a or or not acquisition.
2:08:57
Sorry. Layoffs that that we're seeing
2:08:59
happened to be companies who
2:09:01
are unicorns, you know, who
2:09:03
who fairly recently declared
2:09:06
that that they were
2:09:08
unicorns. So it's you know, so there's
2:09:10
that. And, you know, III do have,
2:09:12
you know, down here
2:09:14
a little bit. Number thirty,
2:09:17
Where is it? Where did I put these? I I put our post in
2:09:19
here somewhere, Tyler. Yes.
2:09:26
I saw them earlier. Yeah. Thirty one and thirty two. The zombiecorn
2:09:28
posts. So your
2:09:34
thoughts on that? Your thoughts on on the Are we gonna continue
2:09:36
to see turns out I
2:09:38
have to unmute to answer your question.
2:09:42
I was gonna say, don't you have
2:09:44
any any comments? A sudden,
2:09:46
okay.
2:09:47
No. You're notoriously quiet on
2:09:49
that one. I
2:09:50
got it. Threw you a softball man, you
2:09:52
a hundred percent lobbed it up for me and I
2:09:54
told you the number that it was on everything.
2:09:57
So Okay. Yeah. You know, it turns out we're
2:09:59
in this weird state of affairs with
2:10:02
regards to two businesses. They
2:10:04
over ESW, over
2:10:06
inflated, overvalued, throughout twenty twenty one
2:10:09
and into early
2:10:12
twenty twenty
2:10:14
two. Which put them in a weird state of being overfunded
2:10:16
and having an inability to
2:10:18
efficiently deploy the capital. That's
2:10:21
the need for layoffs. But at the same time,
2:10:23
there's so much dry powder on
2:10:26
the side of investing, which
2:10:29
is money ready to be invested
2:10:31
that there's some fantastic opportunities to look at
2:10:33
small businesses in a down market that
2:10:35
we can get involved with
2:10:37
and invest in and watch them grow throughout the recovery
2:10:39
of the market over the next three to
2:10:41
five years, that, you know, investments are
2:10:44
occurring too. So we're just in
2:10:46
this weird state where there's a reconciliation
2:10:48
occurring overly valued companies. Right?
2:10:50
And so, really, I think it's a situation where
2:10:52
we're merging a
2:10:55
state of unicorns with
2:10:58
a state of zombie companies. Right? Zombie companies being companies that that are in state
2:11:00
of what what do we
2:11:02
call it the other
2:11:03
day, Adrian default
2:11:08
dead? Yeah. Yeah. Yeah. And default
2:11:10
dead being that they've got capital,
2:11:13
you know, but not maybe not
2:11:15
enough runway, you know, maybe they're not gonna raise
2:11:17
another round. So so they're they're dead and
2:11:19
just don't know it yet.
2:11:21
Right? Right. Right. And that's kind of the
2:11:23
zombie world. Right? Is this default dead state companies that may have
2:11:25
a ton of capital, but have a valuation that's so high that it's
2:11:28
literally gonna take
2:11:31
them way too long to ever get to that valuation. And so, you know, we
2:11:33
you and I kinda you know, we created
2:11:35
this term called zombiecorns, which is
2:11:37
a crossover unicorn and a zombie
2:11:40
company. Right?
2:11:40
You can sell credit for that.
2:11:42
Oh, no. No. No. We did it together on this pod. This pod created zombiecorns. But I
2:11:46
wrote a piece about
2:11:48
you know, it's a tongue in cheek
2:11:50
piece relating the movie Zombieland to zombiecorns and how to survive the zombiecorn
2:11:55
apocalypse. Which I think is a fun read, but the cool part was that
2:11:57
you went through and you actually put a bunch of data
2:11:59
behind it. And you you did research
2:12:01
and did actual journalism as
2:12:03
opposed to my high level snark
2:12:05
writing. But yeah. The I think we're just in this weird state where layoffs have to occur for
2:12:08
the zombiecorns of the
2:12:10
universe to remain viable companies over
2:12:12
time. And
2:12:15
that's why we're seeing these massive layoffs simultaneously to
2:12:18
large scale investments occurring.
2:12:21
Yeah. Yeah.
2:12:24
And and Yeah. It it
2:12:26
I'm not sure that there's really any
2:12:31
kind of anything in the past we can point to? I mean, the two thousand
2:12:33
and eight recession, you know, we
2:12:35
saw we saw the the
2:12:39
neck space get hit kinda hard, but we
2:12:42
we've never really seen mass layoffs across
2:12:46
the the cybersecurity industry. You know, so it's Yeah. I know. I think it was an
2:12:48
Last time we've seen that,
2:12:50
honestly,
2:12:51
was the dot com days,
2:12:53
and the cyber security
2:12:55
industry didn't exist exist.
2:12:56
Yeah. There was
2:12:57
you could count you could count on one or two hands the total number
2:12:59
of cybersecurity companies in the late nineties,
2:13:01
early two thousands.
2:13:04
Right? So you know, this is a a reckoning for
2:13:06
the cybersecurity industry to to come to terms with what the valuations really need to be today,
2:13:08
and they haven't been through it
2:13:10
before. A lot of the cybersecurity leaders
2:13:13
haven't been down this negative push ride before. Now
2:13:15
some of them have been down recessions, and some
2:13:17
of them have been
2:13:19
down situations like the
2:13:22
dot com days, but not in a
2:13:24
cybersecurity capacity. specifically, how the cybersecurity market
2:13:26
will react to this kind of downward forces
2:13:29
is difficult. Right? It's difficult to
2:13:31
know in advance exactly what's gonna happen. But, you
2:13:33
know, I think the the key to surviving being
2:13:35
a zombiecorn is
2:13:38
being aggressive on your cuts, cutting cutting deep, doing it once, and being transparent, and really,
2:13:40
you know, focusing on
2:13:43
on culture, focusing on a
2:13:47
reset. Finding a way to reset your business to
2:13:49
a valuation, a size, a business model, and
2:13:51
a growth rate
2:13:53
that makes sense given today's economy. And it's
2:13:55
just not easy to do. It takes massive massive moves
2:13:57
in a lot of these
2:13:59
overfunded companies. Yeah. Yeah.
2:14:02
And
2:14:02
it's it's a it's a shift in operation
2:14:04
too. Right? You know, it's it's, you
2:14:07
know, you can't you can't keep operating the
2:14:09
same way you were when you're hiring a
2:14:11
hundred employees a month.
2:14:12
Yeah. You
2:14:12
gotta change the business model to match the realities of the
2:14:14
market. Right? And that's what a lot of companies are struggling to
2:14:18
do right now. And and right before we wrap, I
2:14:20
just wanna call out Netwrix acquired
2:14:22
Remediant, which is the you
2:14:25
know, I think one of the we
2:14:27
we've only seen a few acquisitions. And since we
2:14:30
had this downturn in
2:14:32
the
2:14:33
market and the layoffs began,
2:14:35
it's good to see that we're still seeing acquisitions. I think we we threw
2:14:38
out there when the market was
2:14:42
was, you know, when the layoffs began and the Unicorn stopped, you
2:14:44
know, that this would be a buyer's
2:14:46
market. But I think our our
2:14:51
guess is that is that maybe companies
2:14:53
in the early days of it had a hard time
2:14:56
agreeing on a
2:14:58
new valuation because, basically, you
2:15:01
know, the the buyers are saying, look,
2:15:03
those those unicorn valuations you got before, you're you're not getting that today's market. Right?
2:15:05
That's right. You know,
2:15:08
and and
2:15:10
obviously, the the company is getting acquired, want
2:15:12
to maximize the value for
2:15:15
themselves, their their investors
2:15:17
and and their employees. So I I think
2:15:19
it took a couple of months for us to start to see
2:15:21
the acquisitions. And the only one we have a comp for
2:15:23
is Palo Alto picking up
2:15:25
Cider Security. For a hundred and ninety five
2:15:27
million on thirty eight million raised.
2:15:29
So that's that's roughly five x
2:15:32
on on money raised, so it's
2:15:34
not terrible. And it's it's a really
2:15:36
tough comp to use because they
2:15:38
weren't even a year out of
2:15:40
stealth, you know, very, very early
2:15:42
stage. And Palo Alto you know, the
2:15:44
way they acquire companies, you know, the the deal sizes they do
2:15:46
are kinda weird anyway. I'm surprised it wasn't a round number.
2:15:49
Almost all their acquisitions
2:15:51
are perfectly round numbers.
2:15:53
But but yeah. No. It's it's good to still see
2:15:56
acquisitions here.
2:15:59
Netwrix, well, like, it's doing
2:16:01
kind of a Fortra thing where this is their sixth acquisition since getting
2:16:03
picked up by PE firm TA
2:16:06
Associates back in twenty
2:16:08
twenty. So they're
2:16:10
they're putting together a war chest of security technologies and companies. Yeah. We're gonna try I think it's
2:16:12
a smart thing to do right
2:16:14
now. Right. We're gonna see continued
2:16:19
consolidation both at a tool level and a platform
2:16:22
level throughout twenty twenty three, but certainly at
2:16:24
a at a
2:16:26
corporate development
2:16:27
level, right, even of your business level, twenty
2:16:29
twenty three is gonna be the year of cybersecurity acquisitions. You're exactly where I why it hasn't
2:16:32
happened yet.
2:16:35
You know, when there's enough runway and you don't
2:16:37
have to sell, you can sit there as a founder and say, I'm gonna wait. I'm gonna wait. Maybe it turns. Maybe it turns. But if it
2:16:40
doesn't turn, and
2:16:45
the longer this macroeconomic downturn
2:16:47
continues to run out, the
2:16:49
more pressure will happen for
2:16:52
these companies to sell off. And private equity
2:16:54
is gonna be ready. They got tons of powder on the side,
2:16:57
ready to do roll ups, ready to pull
2:16:59
things together, ready to unify different markets. And so
2:17:01
I think this is the year of private equity, really
2:17:04
getting heavy into security.
2:17:06
And this is the year of acquisitions.
2:17:08
And I think it's we can call it the harvesting.
2:17:10
Right? In many ways, it's like the the final harvesting of
2:17:13
of two to
2:17:14
six horror
2:17:15
movie. The horror movies. You know what is
2:17:17
it? Yeah. It's like the quickening or or the harvesting. I don't know what you
2:17:19
wanna call it, but it's it's
2:17:22
finally coming to harvest all of the wheat that
2:17:24
has been grown over the last two to three years.
2:17:26
It's gonna be harvested in twenty twenty three. Alright.
2:17:31
And with that, I think
2:17:33
all the time we've got
2:17:35
today. Sean,
2:17:37
are you still here,
2:17:39
Sean? I'm still here.
2:17:41
Yeah.
2:17:42
Alright. Thanks for joining us. Hi. Hi. When Tyler starts talking about the
2:17:47
VC world, because I'm I'm
2:17:49
listening quite quite aptly to it because I I don't know as much
2:17:51
about that area as he is, so
2:17:55
always interested to
2:17:57
learn. Thank you, John. Well, Sean, Katie, Tyler. Thanks
2:17:59
for being here. Happy New Year to
2:18:03
all of you and to everyone
2:18:05
listening. And and we will be back
2:18:08
next week.