Real CyberSecurity

Episode 7 - RSAC After Action Report, Worms, AI & DevOps Security

March 10, 2020 Greg Young & Bill Malik Season 1 Episode 7

Greg provides his post-RSA Conference report. We discuss the origins of worms and viruses, and continuous audit; Bill discloses his history in code testing, and why buffer overflows persist. We give a list of some cool AI-in-security use cases. There's even a SoundCloud analogy. And more!

spk_0:   0:00
Although I did meet during the week with Alan Shimel, who started a lot of the DevSecOps discussions, and it really changed the focus to DevOps security. Hi, this is Greg Young,

spk_1:   0:18
and this is Bill Malik, and you're listening to Real CyberSecurity. So you've been a road warrior last week. How was everything?

spk_0:   0:27
Yeah, more warrioring and less roading. I think you did more travel than me. Yeah, I know. I spent most of the week at the RSA Conference, which I'm sure no one has heard of.

spk_1:   0:36
Mmm. RSA, they're like a security encryption company, right?

spk_0:   0:43
Yeah. I think the conference is certainly, uh, let's just put a positive spin on it: the conference is a great brand accelerator for them. The company just announced, there was an announcement, that they changed ownership. I think there's a group of private equity and other companies that took ownership of it, neither here nor there. You know, the thing is definitely the biggest security show of the year. And no matter what you think of it, it is what it is, and it is important.

spk_1:   1:09
Well, and it was fairly well attended despite the health concerns.

spk_0:   1:13
Yeah, estimates were there were about 30% down, which is fine, you know, considering Mobile World Congress, which was the same week, had cancelled completely. I think a couple of factors. One is, you know, naked Bay Area greed: nothing will stop the making of money in the Bay Area. Second is that a lot of companies were located in the area. But I think also the mix of smaller companies at that kind of event meant that there's still gonna be a lot of people there. I was surprised it didn't happen. I thought it was going to be canceled, but it did go ahead, and, ah, a little different mood, a little more somber, but still, it's still kind of a must-attend for the bigger companies in the space. Definitely.

spk_1:   1:51
Were there any interesting revelations from the stage, or any observations you have on the industry from the floor? I know that you must have had a certain amount of time doing booth duty.

spk_0:   2:02
Yeah, actually, I did not go to the booth; I spent my time with the press. Uh, I have booth feet from all the time I've spent over the years there. I think I've got some kind of medical exclusion. But now, during it, I did a joint session with John Respiratory; we did a survey of what theme people saw, or the buzzword. And it was deep learning, which had me plug my nose when I said it. There seems to be some washing every year, right? You know, last year was AI, and in years previous, machine learning and zero days. And there's always a buzzword, which gives, you know, to me, a bad taste in my mouth, because it's just not really being legitimate. If you work in that area, if you legitimately are finding zero days and that's the focus of your company, great, but don't trifle with people, confuse people. There's enough of that in this business already.

spk_1:   2:47
Personal curiosity on my part: did you see or hear anything about cryptocurrencies or blockchain and its ilk?

spk_0:   2:53
Almost nothing. And that was the buzzword, what was that, how many years ago was that? In the last few years as well. Almost, you know what? It never, never came up once, yeah, in any of my conversations, which was quite shocking. I think it's been so maligned now there's a recognition of what it really is. That one is pretty hard to message on, even for the RSA Conference.

spk_1:   3:12
Right? And my personal observation is that if there weren't a way to do something with illicit money, its lifetime as a buzzword would have been an order of magnitude smaller. I figured if the people behind PKI had figured out a way to generate and transfer anonymous funds, I think PKI would have had a much longer run. Not that it's not valuable in certain contexts, but blockchain is, as far as I can tell, not valuable in any context. But that's a whole other story.

spk_0:   3:38
Yeah, you're right, that could be a whole podcast in and of itself about blockchain. Yeah, nothing about that. There was a real increase in steam around state-sponsored threat focus and attribution. Indirectly, there's a lot of interest about that, a lot of discussion around, you know, who's behind what. Might have been an over-focus on the press, but definitely from a lot of sessions that was front and center. A lot of discussion on IoT, which was interesting, a lot of small companies. I didn't hear a lot of IoT from the established security vendors, Trend excluded from that; that did come up a lot otherwise. Other focus was really about that magic, sort of the deep learning; AI was kind of everywhere, although not from attendees asking the question. It was more the push from the vendorscape.

spk_1:   4:21
Yeah, it's a brilliant thing, the concept of being able to use machines to augment human intelligence in some domains, but it so quickly devolves into sci-fi stuff and the misuse of AI. There was recently a convention signed about limiting the use of autonomous weaponry in warfare, which speaks to the fact that whenever people contemplate the future of warfare, they usually take a long, firm glance at the last 50 years of experience and stray nowhere from that. Brittle, truly imaginative work in that space. Did you see anything about detecting or responding to state-sponsored cyber terroristic attacks, or was it really just more "oh gosh, the sky is falling, buy our product"?

spk_0:   5:14
Yeah, I think it was more just beating the threat drum. From that perspective, there's nothing specific from the AI perspective, but there's a couple of really tiny companies which were doing some interesting things that were intriguing to me. But otherwise, if there had been something pragmatic out there, for example from a tradecraft perspective, I'm really interested in using AI to establish a phony legend. So if you said, hey, you know, for your staff we're going to create a long chain out on the Internet that makes you look legitimate, it can help you, at least to some degree, look like you're active as this identity, which you're not. Well, that's very interesting. Very helpful for law enforcement, helpful for intelligence services to be able to establish a phony persona over time and keep it going without having to do it manually. Oh, how interesting would that be? Or something, the spin on maybe the Clearview pitch of identifying people, or something, identifying even bad guys based on some characteristics that we hadn't talked about before. But there's just no depth to it. It was like one inch down: AI, AI, AI, AI, magic, good. That was it. Yeah, there's not even a half-hearted pitch. Yeah,

spk_1:   6:16
that's kind of unfortunate, because there is something you can really say about it. When you mentioned that there were a lot of small vendors, did you see many that were, like, recently revealed startups? Or is it just the usual distribution, a smattering of smaller firms?

spk_0:   6:30
You know that diagram of man's evolution, where you're knuckle-dragging and walking? Set me up right in the light. There's really three categories. The most interesting one for me is the third floor of Moscone West, the sandbox area, but they also have these early, early stage little micro booths, like a stand. And to me, those are much more interesting than anything on the floor. On the floor, those companies, they probably had one or two rounds of financing, started to lie a lot. To do that, you know, there's not much interesting there. Now they're using the buzzwords. They've got a few million dollars. They're not interesting anymore, typically, but these little startups, those are the ones that were really cool, probably had a name around, maybe just a couple of million instead of 10 or 20 million and getting stupid with it. To me, that's a great place. I could spend the whole conference on the third

spk_1:   7:16
floor. That's a fascinating area I'd love to hear more about. Did you see any specific topic areas? Or was it all over the map and then beyond?

spk_0:   7:23
All over the map. A little hard to decrypt a lot of things because, again, they hadn't been washed with money yet and been able to refine their messages, which was actually refreshing. But some of them, what I enjoyed from some of them, was alternative views on the interface or the console. How they're presenting information, I thought, was quite refreshing in some cases. Typically, after a few evolutions they all start to look alike. But these early ones, that to me was the takeaway, which is how they're presenting the information rather than what the information

spk_1:   7:51
is. That reminds me of how much I enjoy self-produced music. My younger daughter is a big fan of alternative, and so she gets me songs, music that are produced and created by bands that don't have a recording contract, and there's some just absolutely delightful stuff. It's a little rough, but it hasn't been smoothed by the media, by the recording industry, and it's just delightful. It's really like those great conversations you just sometimes get into on a plane or with somebody sitting by you at a restaurant.

spk_0:   8:26
Bill, that's brilliant. What an analogy: you know, that third floor is really the SoundCloud of security. Actually, there's a lot of people making music in security. Jonathan Care, you know, he's on SoundCloud and very talented. But there's a few people there, so many security people. Richard Hunter and his harmonica. Yeah, he's actually near here. I have not

spk_1:   8:45
yet. The clouds haven't cleared where I can align with his schedule, but he performs every week or two at some place not too far, in New Haven, Danbury, down at Stamford. I gotta step in. He's pretty good.

spk_0:   8:59
Musically, the real deal, definitely. You brought up, during our conversation just before this, we were talking about sort of the BS around AI, and it led us into talking about viruses and the early days of the spread. Because again, you know, in the news right now, sadly, is the impact of coronavirus, or COVID-19 as it's also being called. And of course, there's a big impact on RSA with that. Sadly, the China-based companies, it's like they had an imaginary force field around their booths. It was unfortunate for those folks, but it had a big impact, a lot of other events being canceled. So definitely the analogy is there for viruses right now.

spk_1:   9:34
Well, right. And the name came up, gosh, it was, uh, 1980s. I think Fred Cohen was a grad student, and he described the way these computer programs could replicate. And I think his professor said, it sounds like you're talking about a computer virus, and Fred ran with it and said, yes, that's exactly what it is.

spk_0:   9:56
And you know Fred. Yeah,

spk_1:   9:58
I actually worked as an independent for a number of years, and I was asked to help coordinate a cyber investigation of a VC fund that was in the midst of a mega deal. And they were concerned that their information was compromised, and a colleague, a friend from Gartner, Will Spurn, got together a team. He asked me to head it up, and Fred came along, and it was really quite good. We had Robert Weaver, who was former head of the Electronic Crimes Task Force at the New York Secret Service office. Quite a thing. Fred is a very intense guy, you know as well, right?

spk_0:   10:35
Yeah. In fact, in early 1988 I went to a session that he hosted in New York City. There was a massively attended session: there were 10 of us there, in that period. There was this theory that we'd heard about, the ability of code to replicate in a malicious fashion. So we were very interested in that. So I went down, myself and my colonel went down, and we met with Fred and spent part of the day with him. Yeah, it was very theoretical at the time, but it was, again, you're presented, much like last week at RSA, with all these kinds of pictures of bad things that can happen. But that one did resound as, this is pragmatic. It may have been a sign of the times, but that was very realistic. And then, of course, in November of that year was the Morris worm, so that replication was even more serious. Viruses were bad, but this was then a worm event, which didn't require interaction.

spk_1:   11:23
That was quite a shock. I remember a statistic that one out of every five hosts on the Internet was compromised by the Morris worm. I was working at IBM at the time. From our logs, we had IBM determined that it had attempted to enter the corporation at five separate locations repeatedly. Nobody had a huge web presence; it didn't get in. But boy, oh boy, what a horror show.

spk_0:   11:47
Yeah, what often gets missed, and it's actually good that that was a serious event, I think we're the better for it. What gets missed, though, is that there's interaction, such as, for example, today you have to click on an attachment, and that was the virus analogy, or putting in a diskette. Whereas worms don't require much interaction except for even a packet fly-by, so any connection at all. Worms are the most transmissible and the most serious. Now there haven't been many network worms, although you'd say that certainly fileless attachment, fileless infection now, or fileless malware, is equivalent, and we haven't seen the end of the worm. Other technology has stopped it, but it's certainly good we had that big, serious one early on in the business.

spk_1:   12:24
And what's interesting to me is the nature of the response. On the one hand, when Microsoft came out with 95, it did something brilliant in that it moved the boot sector. So if you overrode the boot sector, which was a common tactic for viruses at the time, you took over; with Windows 95 that whole attack just vanished. It was dropped in its tracks. Similarly, the Morris worm did teach us things about firewalls, although that was still down the road a bit, about their reality as a risk. But yet one of the mechanisms the worm used to continue its attack was a buffer overflow. And today that's still one of the major automated techniques for a piece of self-propagating code to send itself onwards. You overflow a buffer, you override some code, you take over the system and reproduce and sally forth.

spk_0:   13:16
Yet still, we don't talk about code security much. Although I did meet during the week with Alan Shimel, which was great, seeing him again, who runs, started a lot of the DevSecOps discussions, and it really changed the focus to DevOps security. Just the reality now is that you can't pre-approve code anymore and the like. It's just the cycles move too quick. So you have to build it into the dev process,

spk_1:   13:37
right? Right. Continuous validation, which is never a bad idea. Anyway, I pursued a CISA designation from ISACA. And one of the new things coming in the late nineties was the notion of continuous audit. Rather than stop by every three months and check to see if things are the way they were when I was last here, you just put in place procedures that automatically gather information about performance and deviations from specifications. So you don't have to look at the clock; you just look at the console and it says, oh my gosh, is this out of range, out of bounds? Now it seems normal. Once upon a time, it was seen as a tremendous innovation.

spk_0:   14:14
Yeah, we talked about AI, and to go back to that, you know what a great opportunity for code security is the use of AI. So again, you know, there's a code realm I'm familiar with. We've had code scanners and things like that with limited success, primarily because they're only gonna be used for areas we control. But what about finding code that we own that we don't control, a library or a server we can't manage, and using AI or machine learning to help secure that better, or even the rewriting of code? Run it through at least some kind of tool like that at compile time. What a great opportunity to do better security there. And that's the kind of thing I'd love to hear about

spk_1:   14:47
more. And that's an interesting space because I spent some time in the testing side of things during my IBM days, and you do two classes of testing. There's the black box testing, where you don't know what's going on, and so you just simply feed it some inputs and check to see what the outputs are. The problem with that is that you almost never pick up the dangerous side effect. You almost never have any way, in black box testing, to know what's being done that alters the state of the machine that won't be relevant until much later. The white box testing, on the other hand, means you inspect the code. You take a look at it. It's all open to you. You can see where there are edge conditions. You can see where there is suboptimal performance, if that's, you know, part of the criteria you're looking for, and using AI for white box is terrific. For instance, the buffer overflow problem. We don't check the length on this input string. Therefore, we have to assume it could be too long, and that will cause havoc.

spk_0:   15:44
Right? Right.

spk_1:   15:45
Not a hard

spk_0:   15:47
and some Sematary neighborhood will put their hands up and shout about it. So we only need to teach our developers more; we have to train them in security. But when people do those white box testings and they look at the code, and they say, wow, that's what it looks like. Wow, we never even, we never even, like, designed security in. So how could we test for security?

spk_1:   16:04
Exactly right, and that gets to the whole question of quality. Another bugaboo of mine is that if you are tasked with testing something, then the first thing you need to take a look at is the specifications, because you only need to test what the specification says the behavior is supposed to be. If the spec says, and this actually happened to me once upon a time, "this code is going to be great because we're gonna test it a lot," I signed off saying, you know, my test plan will cost us $0, because I'm going to assert that we tested it a lot and you won't be able to disprove that. Guy came back: what do you want? I said, I want you to put down in black and white exactly how this is supposed to behave, and then I will design a set of tests that validate that, and such things as buffer overflow are something I can test for. But I'm not going to do it just for the heck of it. I'm not an explorer. I'm a software engineer, and I have a certain set of requirements that I've got to obey. So, yeah, it can be taught at a conceptual level, but sadly, as with so much education, you've got to do the job for a long time before you get good at it. Taking a class on software testing does not make you a software tester; taking a class and getting a job and working at it for, pick a number at random, Malcolm Gladwell's 10,000 hours. That's five years if you're not doing overtime. For most software testers, that means about three years. In two months you are going to become an expert, and now you will actually see things. And by the way, here's a handy hint if anybody out there really is interested in this problem: Glenford Myers wrote a book called The Art of Software Testing. It is, in fact, the best book that has ever been written on it. It is decades ahead of its time. It's still underused, and I heartily recommend it to everybody. Anyway.
The idea of using a computerized assistant to amplify the intelligence of the tester is terrific, and ML and AI are places where we can really add that to the software developer's portfolio: ML for doing root cause analysis, AI for providing better coverage and speculation on how this code might misbehave. Having said that, and I'll get off this hobby horse as we meander, too: coverage is a phantom. The theory from a mathematical point of view is, let's say code has, on average, one conditional branch every seven instructions. So if you get a 700-line-of-code program, and I'm talking about low-level assembler kinds of instructions, you're talking about 100 conditional branches, 100 points where you may or may not diverge from sequential flow. That means the number of total variations that could cover all possible paths through that code is two to the 100th

spk_0:   18:43
power, and that's

spk_1:   18:44
a 700-line chunk of code. That's 111 lines, an edit command in Microsoft Word. So don't think about coverage as the goal. Think about the edges. Think about the places where things go. The counter is scheduled to go to 99. See what happens at 0, 1, 2, 98, 99, 100. Check those cases. Forget about the fifties and sixties. If you look at the edges, then you'll be smart, because that's where the bugs live. It's the interfaces, it's the edge conditions. That's where you roll a counter. It's where you go beyond the edge of an array. It's where you spill past the end of a buffer. Those are the places where defects live, and defects are the kinds of things that give openings not just to crashes and misbehavior but to malicious actors. In fact, one last point: I saw an ad for a company, a tweet, in which it claimed that it had perfect security, that unlike other vendors it could guarantee code in the cloud was unassailable. And I thought, I wonder if this means that they can retroactively fix code bugs? I wonder if this means that they can dynamically adjust misconfigured S3 buckets? And it occurred to me that that's the kind of drivel you expect from a company that's just gotten its B round. It is uncorking the champagne on its way to its five-foot booth at RSA.

spk_0:   20:05
Working the BS and the champagne at the same time. I think they've come together. That was very important, by the way. I really liked what you described, the use of ML and AI being different, in what you described there. That was very important. Too

spk_1:   20:18
often it's nothing but a buzzword and therefore isn't worthy of any further investigation. And that's a shame, because there really are real uses for that. Trend Micro started using ML back in 2004 as a way to block spam. That was when the spammers would come out with a fake ad for the "one g eight are a" by using fuzzing of the input. But

spk_0:   20:44
I think he's trying

spk_1:   20:45
to say something else, we'll block that, too. And it was a tremendous step forward. It's been done. It's been out in the industry for 16 years, folks. This isn't brand new stuff. The original people behind the AI and ML generation just passed, passed on, any apartments, he died, I guess it was last year, and this year Seymour Papert. There were some real giants, and they've handed it off to the next generation, and those are people in their seniors as well. So we're looking at the third generation of folks to have discovered AI.

spk_0:   21:18
Yeah, and the fact that they're complementary. One of the things I learned in doing security architectures for approximately 2000 companies was that it's layers and filters, and I always mentally had things architecturally used as increasing sort of fineness of filters. And those initial coarse filters can weed out a lot of the junk. So what you describe, for example, of regex expression matching first and then moving on to machine learning. Why would you use expensive cycles of machine learning and AI to find something you'll be just fine on? So obviously, right now, why would I need to use DNA testing when that thing on my lawn looks like a horse, has stripes, and I see its parents, which are two zebras, you know, right beside it? It's probably a zebra. If my rule is to block zebras, then I'm going to block it. If we need more analysis as it moves forward, and we're saying, well, horse-like things are kind of important to let through, well, okay, yes, we can use increasing tests, but we don't need to use really advanced things. I think that's part of the problem in security right now, is it's an all or nothing. It's the magic bullet. It's the silver bullet, or whatever kind of bullet it's going to be. And these things are complementary. You have to use techniques. So instead of being one thing, it's a series of things to come to a decision. I think that's where AI is increasingly valuable, is taking seemingly low-value individual data items, which you can't make a definitive decision on, and joining them together to make a really, really good one. In fact, probably a better one than with one definitive source of information. I think that's what gets missed, the smarter bit; we're some victims of our own success.

spk_1:   22:49
Exactly. And what tends to happen when people try to look at large amounts of data is they get fatigued. They miss things. When I was a kid, I saw The Andromeda Strain, and I remember there was one episode where one of the scientists is looking at the results being presented in a rather boring fashion, and she kind of nods off and then gets back to consciousness and runs over, and nothing sticks out. So I think we're okay. And in fact, she missed a clue. I like the idea of the silver bullet. One of my absolute all-time favorite cartoons from The Economist was describing a medical diagnostic procedure, and the title of the article was The Silver Shotgun: three scientists with high-powered rifles and dart boards. And then there's this fourth elderly guy with a lab coat, and he's got a blunderbuss, and half the wall is missing, and there are darts on the floor, the ceiling, all the targets. Sublet a

spk_0:   23:50
good virus. A great, by the way, good. It was good to. We had security fatigue before, where we had too many tools, and there's a lot of shelfware, and that was a bad thing, and that was because they weren't connected. But now what we have a need of is connected things, a whole bunch of connected things that work together. So I mentioned Alan Shimel before, and you brought up a really good point. Tying back to the skills shortage is what you said about testing and code review. He mentioned that it's very important for devs now to be able to use their own tools, like what they prefer. So when people are looking to capture or, you know, hire a great dev, which otherwise, you know, are in short supply, they're saying, well, you know, what tools do you want to use, rather than this is our environment. So that is a challenge now, a new challenge for security, because it's not like, you know, hey, we have this suite of tools and we use this dev environment. Instead, it's going to be, please, come to us, you can use what you're comfortable with, and we'll work around that. So that's a whole new security challenge that we haven't had to address, and it increases the complexity.

spk_1:   24:45
Well, definitely, and you also have the psychological factors. People who are great developers tend not to be great testers, simply because if you're a great developer, you know how to make silicon behave. And so you're an artist. You are crafting something that is gonna have, ideally it's gonna have properties of elegance and simplicity and clarity and function, and no spare parts and no obscure little nooks and crannies in the code. And having done that, to then take that hat off and put on the hat that is, now let's try to break it. Where do you think the bugs are? Well, jeez, I just spent six months on design and, you know, a week on code, and I don't believe there are any bugs. And so I'm not the right person to test my own code. I'm wondering how DevOps incorporates that kind of rigorous analysis. Now I know if it's a group, it's best to have somebody else look at your code and you look at theirs; the trade-off is important. If I write an important piece, before I send it out I'm gonna ask somebody to give it a glance. And I've done that for others, kind of enjoy it, flattering to be asked. And I wonder if, in the DevOps community, there's a general acceptance of the synergy of a team where you have people with different strengths,

spk_0:   26:03
I think we need to have Alan on as a guest, and one area I came away with from the week, something I need to learn more about, is serverless. So I think Mark Nunnikhoven is on our guest list as well, so we definitely have people we need to learn from, I think, in these two areas. So I need to learn more about what's going on in dev, like really going on, and also the changes in the environment they work in, which is, for example, serverless, containers. I know a bit, I think, but there's, I think serverless is gonna really change

spk_1:   26:27
things. Yes, yeah, it's a very exciting, dynamic world. Those of you who have entered this field recently, I can assure you you will have the most fascinating, intellectually engrossing, emotionally satisfying career that anybody on this planet has ever had. For most of humanity, you did what your folks did and your kids would do what you did. Here, my grandson is using Python to control a Raspberry Pi, which directs a Lego robot to map the house

spk_0:   27:05
because he had his around. Yet

spk_1:   27:09
the opportunities are staggering. The transformation, I mentioned coding in assembler. My son-in-law recently took an opportunity doing solid modeling, and he was bemoaning the fact that most people who learn programming now don't understand what's actually happening at the silicon level, with logic gates, with assembler language, with conditional branches and loops. In maybe the 15th century, you could get a master's of mathematics by coming up with a unique proof of the Pythagorean theorem. And in fact, the Pythagorean theorem was the pons asinorum. It was the bridge over which asses could or could not cross. And if you could do it, you were now an official mathematician. Nowadays it's the BXLE loop. If you know how to do, in 360 assembler, branch on index low or equal, then you are a superstar in assembly language coding. If you've ever tried to work with x86 architecture or 8088 architecture, God bless you. Equally complex, more challenging. At least in 360, we just had 16 registers and you could use all of them for anything. An address register was so by designation, not because it had a different operative scope. How the hell did we get

spk_0:   28:21
into this? And yeah, it's the path of security; it's not solved. My highlight of the week was seeing people, though. So for all the friends, I got to see people. That was definitely the highlight. I come away always a little scarred up from RSA Conference, but come away energized by having seen old friends and the like. So a great note to end on, I think.

spk_1:   28:38
Absolutely, a shout-out to all the good people who did show up, colleagues near and far.

spk_0:   28:42
Well, thanks, Bill. This has been excellent. So that's us for today. That brings us to the end of this edition of Real CyberSecurity. I'm Greg Young,

spk_1:   28:50
and I'm Bill Malik.

spk_0:   28:51
Thanks for your time and attention today and joining us on our journey. Remember to follow us on Twitter at real cyber security. And our email address is podcast at real cyber security dot net. Thanks.