Episode: 525
Title: HPR0525: Seccubus
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0525/hpr0525.mp3
Transcribed: 2025-10-07 22:28:13

---

So

Hello and welcome, Hacker Public Radio listeners, and welcome to another podcast. I'm your host Finux and I'm joined today by good friend of Hacker Public Radio, Frank. Frank, do you want to introduce yourself to the Hacker Public Radio audience?

Yeah, my name is Frank. I work for a company called Schuberg Philis, there as a security engineer. I also write a public free software program called Seccubus and I blog for cupfighter.net.

Now, some of you regular HPR listeners will remember Frank from a couple of shows previously, but we spoke to Frank in episode 467 when his project, AutoNessus, was seeking a new name. As you've probably already guessed, Frank's got a new name. What we did is we asked not just the Hacker Public Radio audience but everyone in internet land if they could come up with a new suggestion for Frank that he might be interested in. And we're even luckier to have Jason Mansfield, isn't it, who made a suggestion to Frank. Jason, could you introduce yourself to the Hacker Public Radio audience?

Sure, my name is Jason Mansfield. Sometimes I'm known online as Crunch, particularly on Freenode. I am a research engineer, which basically means I do lots of weird things on the internet. Well, as you're surely about to mention, I was listening to the episode. I heard the call for a name, had an idea and sent it in.

Right, I mean, so long story short, this is kind of the renaming show for Frank. Although Frank announced the name that Jason suggested a little while ago, it was just the first chance that we all managed to get on the line. And Jason submitted the name Seccubus for the new name of the project formerly known as AutoNessus. So first and foremost, congratulations, Jason. There's a little story behind the Seccubus name. Would you mind sharing it with us?

Well, actually, I had a little bit of a story with it, but when Frank sent me an email saying that he had chosen that name, he had taken the little bit of a story that I made, and he really embellished on it. So certainly Frank's story is superior.

Oh, yeah, there's some problems that life's on to it.

Yeah, I was wondering where you got the inspiration to go for Seccubus at first, Jason.

This will sound a little bit silly, perhaps kind of like a cop-out of an explanation, but I actually happen to be really good at naming things. I'm actually the designated namer at work. People will come to me and ask me to name things. It's kind of awkward, you know, being put on the spot. You know, when I'm trying to think of a name for something, a fun thing is portmanteaus, and obviously this is a portmanteau of succubus and security, and it didn't take me long to come up with it, and luckily it wasn't registered. That was the thing that actually amazed me, that there wasn't already a domain for that. I punched it into Google, and miraculously the only mentions of the word were people misspelling succubus. So I really got lucky in that regard. I'm sorry, carry on, Frank.

I must admit, my first reaction when I Googled for Seccubus was initially negative, in terms of: do I really want to name my program after a demon that sucks the energy out of people? And then, at some point, it grew on me, and that's how I dreamt up the little story about what the Seccubus is and what it does.

I'm hoping at some point that we'll get the story out, so Frank, what's the little story that goes behind Seccubus? I've had people who've come back to me and said that they absolutely love this little story, and it'd be nice if you could share it.

Quoting from my own work: Seccubus is a mythical creature that helps security professionals analyze and report the results of repeated vulnerability scans. Like its distant cousins, the Succubus and the Incubus, the Seccubus is also a creature of the night. At night, or at any other scheduled time, the Seccubus draws its energy from repeatedly performing vulnerability scans of infrastructures until the vulnerabilities become exhausted or die. The Incubus is the male counterpart of the Seccubus; while the Incubus draws his life energy from the assessor by repeatedly requiring him to re-analyze the same findings, the Seccubus gets her energy from pleasing the assessor by reducing the number of findings by means of delta reporting.

I've had lots of people come back to me who absolutely love that story. It's strange because we look at Seccubus in this story as being female, and I think it's the first time that I've certainly known a security tool being referred to as, well, certainly implied and referred to as, female. So you weren't sure about the name at first, but it grew on you. Is that right, Frank?

Yeah, it had to grow on me. I think at first I stepped into the trap of either going on with the auto theme or trying to make it an acronym. And at some point I posted it, I used Ping to post it to my LinkedIn profile and a couple of other profiles that I had. And one of the pieces of advice that came back was: go for something that's romantic and doesn't have a direct link to what the tool does. And that's when Seccubus re-entered my mind, and I started thinking about it, bounced it around a bit with some co-workers. And at some point came up with the story and thought, okay, this should be it. This feels good. And then we went on to the conference in Poland and announced the name.

So Jason, what were your thoughts when you heard that the project formerly known as AutoNessus was going to be called Seccubus? Were you surprised, or did you think you were a shoo-in, or what were your thoughts?

Well, obviously I was pretty excited. And to some degree I guess I didn't provide a very good means of contacting me. And so it was a couple of months after the name had actually been chosen that I got notified. And by that time I'd actually kind of forgotten that I had submitted it. So it was doubly surprising: one, to have this thing pop up that I'd completely forgotten about, but two, that I'd actually won the contest. So it's pretty exciting to know that I picked the name for a piece of software that a lot of security professionals are going to be using. And I was just thinking about this now. You know, in the media recently, well, in the last few years there's been this trend where you take the monsters, you know, the vampires and the werewolves and so on, and you turn them into the good guys of the story. And, you know, they're fighting other monsters that are the bad guys of the story. And I think, given the story that Frank came up with, I can see security professionals telling their kids scary stories about the Incubus and how the Seccubus can protect them.

I have to be honest with you. I absolutely love the name. And I put in a couple of suggestions. Well, I put in one suggestion. And I'm glad that I was beaten by something a lot better than I suggested. It must be legacy. I mean, I said this in the show the last time. It must be awesome to actually be able to name a security tool, and you know that that tool is going to be proliferating into people's toolkits and, you know, you've got your tagline for it. I mean, were you using AutoNessus before the name changed, Jason, or did you listen to the show and did that get you into the tool, or had you come across it beforehand?

I'd actually just first heard of it on the show, and subsequently I came back around and set it up on my home network. Obviously not a lot of things change. So I did have to kind of, you know, pull some virtual machines up and down and install some services and take them down to, you know, actually see the tool working and showing me the differences in the network. But, you know, even if I hadn't won the naming contest, I still would have gotten to discover this great tool to help me know what's going on on my home network or on our network at work.

So what are you, sorry about that. I should really turn my phone off while I'm speaking to people. So you're saying that you've had a chance to run with it, Jason? I mean, what are your impressions? Because I suppose this is a good chance for Frank to also hear some kind of, dare I use the term, end-user feedback. But, I mean, what were your first impressions of Seccubus then?

Well, I've, you know, I've used Nessus directly in the past. And in this case, I just set it up using OpenVAS. I didn't go straight for the really commercial Nessus software. And in my opinion, those interfaces were a little bit busy in some places. And so my expectation was that Seccubus was going to be similarly busy in the interface because of the underlying software. And what I found was that really wasn't the case. You know, I pull up the web interface, and on the left hand side there's the list of different networks that I've configured it to scan. And I click on one of those to load it, and there's just a few simple links for me to look at in terms of, you know, the changes that have been found and ones that are still open and need to be resolved. And, you know, I guess that's really the essence of delta reporting: getting it down to simplicity and just showing me the information that I need to see and need to act on, instead of showing me a great deal of information that I have to sort through to find what actually has meaning. And so that's kind of what I had become accustomed to dealing with Nessus and OpenVAS. And I was pleasantly surprised to see how simple it was just to get the information that I needed out of the web interface and the email reports.

Okay. I mean, Frank, am I right in thinking that the branding, because the branding exercise of changing AutoNessus to Seccubus, has now been completed?

Yes, it's, well, there's always work to do, but the exercise is more or less done. I've cut over the website to seccubus.com. I had to change my Twitter account without people squatting it, and that worked out as well. So, yeah, it's pretty much done. I have to say thank you to a colleague of mine, Robert Hovel, for coming up with the logo as well, because when I had the name I still didn't have a logo to go with it, but that's now also sorted.

Yeah, I mean, I was lucky enough to see you working through this very long, long list. I'm not sure if we have any Wave users listening to the show, but you've had a development wave made public where you've been kind of going through this long list of jobs to do. And it, you know, it seemed a mammoth task at first, but you seem to have scored through this list slowly but surely.

Not slowly but surely, but actually quite fast, if I'm honest with myself.

So, people can find you basically on Twitter now as Seccubus, which is spelled S-E-C-C-U-B-U-S. That's correct, isn't it?

Yeah, that's correct.

And the website is seccubus.com as well, isn't it?

Correct. Yeah, at seccubus.com the Twitter account is there, so that's a good way of getting in touch with me, and also on the website there's a contact form which drops right into my email.

Okay. Now, if I remember correctly, was there not a bottle of champagne up for the winner of this?

Yeah, it was actually quite a challenge to get a bottle of champagne delivered to another continent, because there's basically no carrier willing to take that amount of liquid into the airspace. So, finally, we had a clever secretary here who was able to go to an online shop and order a bottle to be delivered to Jason's house, and that should have arrived in good order.

Oh, so you've already got your champagne. Was it nice?

Well, I haven't tried it yet. I'm saving it for a special occasion. I was actually a little surprised to get, well, I mean, I was expecting it, but I've never received any kind of alcohol via the Postal Service before, and I think, you know, well, I need to do more naming contests, frankly.

I was going to say, you were saving it for something special, like maybe naming a security tool or something. So, moving on, kind of, Frank, I mean, from the last time we talked, am I right in thinking that you've had a version release? I think we were planning it the last time we talked, but I'm not sure if it actually happened, but it has happened now. I was just wondering if you could kind of recap what, you know, the new version of the tool is, and basically just give us a rough outline of some of the features and so on and so forth.

Yeah, well, there's basically two projects going on at this time. First of all, there's Seccubus 1.4, which I call the christening release, which actually was a more or less search and replace on all the parts of the tool, replacing AutoNessus with Seccubus. Unfortunately, it also proved to me that writing secure software is still hard, even though I consider myself a security professional. I did manage to get a directory traversal error in one of my programs, which is, yeah, web security 101, I guess. And I did put a small enhancement in one of the helper programs, but that wasn't a big change. The bigger release, still coming up and battling over my spare time, is Seccubus release 2. And that's a release that's really going to take the ideas of Seccubus 1 and basically be a re-implementation of the tool. In the past, we've run into limitations of the file system. Seccubus 1 stores everything in the file system, and that doesn't scale very well. So if you've got scans with a lot of history in Seccubus, it tends to get slow, but it also means we can't really cross-correlate between different findings and group findings into issues. So in my head, I'm quite a long way with planning Seccubus version 2. Also the development wave, as I said, outlines a couple of the ideas that I have around Seccubus version 2. And the idea is for it to become a report writing, a security assessment report writing tool, which supports automated scanners, supports the delta reporting so that you know what changed from one scan to the other, but also supports manual findings. And it's based on a proper SQL database in the backend.

Okay, I suppose the other thing we should do for people who haven't come across previous shows with us or come across your project before is probably do a quick elevator pitch of what Seccubus actually is, just for those people who haven't come across it before.

Yeah, sure. When I set out to write a tool, the problem that I wanted to fix was to schedule, at that point, Nessus scans to happen once a week. And then when I had my Nessus scans that happened once a week or once a month, I found that it was draining quite a lot of my energy, because I really was going through what basically was the same report every time. And then I discovered how easy the Nessus backend format is. That's the file format that Nessus stores its findings in. And I decided to analyze them and analyze the differences between two scans. And what I found out is that instead of looking at the reports, which were 90% the same, I was able to present myself only the 10% of the findings that had changed, gone away or were new findings. So basically what Seccubus does is allow you to automate your vulnerability scans, let them happen at a regular interval, and then only bother you with findings that you need to bother about, so which are changed or which are new.

Okay. And there is plenty of content about Seccubus. There's been a few shows about AutoNessus slash Seccubus. So if listeners are wanting to find out more, please, honestly, Google is your friend on this one. Now, Frank, it still remains an open source project. Is that correct?

Yeah. Yeah, that is correct. There are no plans to go for a closed source model.

Okay, good, and just for my love of free and open source software, I'm going to ask you maybe a semi-technical question. What license is it released under?

Yes, it's GPLv2. So version two of the General Public License.

Okay. And what sort of tasks have you got ahead of you that maybe someone who's got some spare time and, like, you know, wants to help with your project... you know, how can listeners get involved?

Well, the best thing to do is first of all get in contact with me and say you want to help me out. I probably have, well, obviously people who can code, and Seccubus is mainly written in Perl. So anybody who can code in that language, please do help me out. You have to have a little bit of affinity with doing vulnerability scans so that you understand what it is we're trying to do. I think a good interface designer, somebody that's maybe familiar with jQuery or another tool that can help make the user interface look even better than the work I've done, which shouldn't be too hard. And yeah, then there's always the good thing too, I like to bounce my ideas around. So if you want to help give this a direction and help determine the future of Seccubus, you're always welcome.

Brilliant. I think that's all the questions that I have for Seccubus. Is there anything in particular that you want to mention, Frank?

Well, I have to, yeah, I do want to mention that I'm very grateful to the company that I work for, Schuberg Philis, for allowing me to at least set some time aside to work on Seccubus, although at the moment that time is a little bit limited.

I mean, every time I spoke to you, and I think respect where respect is due, you've always mentioned how supportive your employer has been, and it seems to me that they've been very, very cool with you with this project, very, very cool indeed. So I think props to you for mentioning that as well. Anything else, Frank?

No, I think that's, that's it.

Where can people find you? They can find you on Twitter with the Twitter alias Seccubus. Do you have a blog that you blog on regularly, or?

Yeah, I do write blog entries for cupfighter.net, which is the coworker blog of the company I work for.

Okay, and Jason, first and foremost, congratulations. I'm terribly jealous of you. Good, good name.

Thanks again.

Have you got anything that you'd like to mention or talk about before we wrap up?

Well, I'd just like to mention to everyone that they probably should give Seccubus a try. I know in the production network environment at my company, we have a huge amount invested in centralized logging, kind of similar to vulnerability reporting. And, you know, as everybody knows, if you have busy servers, you have, you know, more log entries than you know how to deal with. And the rig that we've set up, basically we audit it daily and we go through, identify the messages that are benign and put in filters so it doesn't show the benign messages to us. And so, only seeing the new information, the things that we haven't identified as benign, you know, just the new things on the network, saves us so much, you know, cognitive load. We don't have to sit there and go through these huge log files and figure out what's important and what's not. And, you know, because really when you're doing that, you know, when you're looking at these big reports or these huge log files, you kind of start to grow a little bit complacent. And, you know, you start to just assume that there's not going to be anything important in there because, you know, 99 times out of 100 you don't find anything important. So, I think a tool like Seccubus is really critical for knowing that your systems are in good working order and are resting on a good security foundation.

Yeah, I mean, it's an awesome tool. I mean, it highlights what you need to know, and I think that's always a key asset. I mean, it's obviously a better use of man hours than having someone have to come in and leaf through and say that's the same report that I keep on clicking on every single day. You know, so yeah, definitely everyone should have a go at it. Jason, do you blog or can you be found on Twitter? Do you do any of that sort of stuff?

Well, I try to stay off the social networking sites. I do have a blog. That's essentially my website. It is clinicallyawesome.com. You know, obviously my penchant for naming things in effect there.

Right. Well, all that's left for me to do is just wrap up the show, and firstly I would like to thank Jason Mansfield and Frank for hopping on the call and taking the time for coming on and speaking to us all. Thank you very much, you two. I would also like to thank you guys at home for listening. If you want to get involved with Hacker Public Radio, then the best way that you could help is to think about making some shows, and it really couldn't be any easier. Maybe you have a friend with an open source project, or you've hacked on something over the weekend, or something that's interested you. Then why don't you think about recording an episode? You can contact enigma or Klaatu at Hacker Public Radio and they can help you get it out. All that's left for me to do is thank you for listening, and we'll catch you the next time on Hacker Public Radio.

Thank you for listening to Hacker Public Radio. HPR is sponsored by caro.net, so head on over to C-A-R-O dot N-E-T for all of us here. Thank you very much.