Episode: 689
Title: HPR0689: Eurotrash Security Podcast Episode 19: Haroon Meer
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0689/hpr0689.mp3
Transcribed: 2025-10-08 01:02:35

---

Hello and welcome to Syndicated Thursday on HPR. Today we're introducing a new show that we're syndicating here and it's Eurotrash, security with funny accents, and from the website: "What we are trying to do here is quite simple. Most podcasts in the information security realm are US focused. While we love and continue to listen to these, we thought something was missing, an EU-focused info security podcast." And with that we're going to bring you episode 19, which was originally aired on Thursday the 24th of February 2011, and it's with Haroon Meer, who apparently is one kickass dude from South Africa. We're keeping Thursdays open as an open slot here on HPR with the view that if you know of some Creative Commons work that you would like played here then that's a free slot from which to do it. Highlight new podcasts, for instance like the show for today, interesting speeches like the speech presentation given last week, even some Creative Commons music. If you think of any of that type of stuff please feel free to send it on in and we'll schedule it for the Thursday slots. We have 199 free slots still available so if you've been thinking about recording a show now is a very good time to do it. And with that I'll turn you over to our show for today. Hello and welcome to episode 19 of the Eurotrash Security Podcast. I'm your host Dale Pearson and I'm joined as usual by Wim Remes, Chris John Riley and Craig Balding. Of course it wouldn't be a complete show without our RSS feed we could clown and we're joined by our extra special guest Haroon Meer. Hello Haroon, how are you doing? Hello, first time I've been called extra special but nice to meet you guys. We'd like to VIPL special guest. We'll say anything you're in. Just remember you owe us money. I think we owe him money.
Where's the Nigerian owes the money to? Is the Nigerian print somewhere? That's right, because South Africa and Nigeria we owe us the same thing. I knew that was coming. You're foreign. I won the South African lottery once. So we get all the SA jokes out of the way guys and then. How long's the show? So we kick it off over to you Ben. You can start us up with the news. Okay, cool. Yeah, the first one, obviously it's happening, is Anonymous attacking HBGary and him showing him that make him look a bit of an embarrassing situation. Basically there's just a SQL injection on a website, weak passwords, poor patching, people trusting too much, typical fail on all sides. That's pretty cool. The thing I also liked is that we'll give credit to Anonymous, because obviously we don't upset them. They actually showed how they did it. Like other people, yeah, I hacked this, I've done this, but they've got no proof. At least they've actually put some proof up there and it's good information for security and other people interested in that type of stuff to see what is happening and how to actually do the attacks, especially these very, very simple ones or so. But wasn't that just part of the humiliation routine that they wanted to put HBGary through? Yeah, but it's also the part of it is because it was so easy to get into him, one, not into him. That's what his partner said. We know nothing about it, it's sexuality, moving along. So that's the beauty of it, because it was so easy for them to get in. It's like the passwords to the people had really weak passwords and they got in and there was no poor patch management. The servers were open to an exploit from last year, October last year, so they don't even look after their machines. So that's the humiliation part of it. It's more embarrassing because it's such an easy attack for them. It was the CEO and the CEO whose passwords were weak and obviously not great, but just extrapolating this out.
Isn't this just how a lot of companies operate and we should talk specifically about InfoSec industry because obviously they are part of it? Then you get the sense that this is how quite a few small consulting companies operate or do you feel that things are particularly different? I think this is the same, isn't it? No security basics, that's a problem. Exactly, small companies and big companies have all the same issues, where they get a bit of software, they roll it out, think it's fine, they don't really check in and go, yeah, that's great. They have a password policy, so the IT manager has a slightly complex password but everyone else doesn't. So they go, oh, we don't need to patch that because we've got a firewall and then it just all falls down. It's like... It comes to passwords, size does matter, and complexity, it's got to look strange. That's why my password could tell person because I just thought it looks strange. That's right. With the HBGary stuff, I kind of feel... So on the one hand, I feel sorry for them, but just any time you see someone's mail spool on the internet, you have to figure what you'd look like with your mail spool opened up to everyone. And in terms of... I know lots of guys have been saying how easy it was, how simple the hack was, and there wasn't much complexity to it, but I think it's one of those... Your keys are always the last place you look, because why would you keep looking after you find them? So the way a company gets breached is the way they got breached. And like you guys will know when you pen testing, you almost always hear the customer say, ah, but you got lucky if it wasn't for that one thing you wouldn't have got the next pivot point. And the answer is, no, you would have found another way in if that way was closed. So it was certainly embarrassing and certainly props to Anonymous. But yeah, I suspect the mail spools have kept everyone busy for the better part of a week just listening into juicy fruit.
Yeah, and also I think a lot of people would change in... probably changing passwords as well, I should imagine. I mean... I take my password from password to password 2. Yeah, I mean, that's the kind of sophistication we're after then. But it just reminds me since the anonymous is, you know, let's say a movement that's not specific to an individual target, but any targets that kind of get in the line of fire in terms of what their overall objectives are, it does remind me of some of the previous bouts where people have gunned after in particular InfoSec companies and it's just really depressing to see, especially from small to medium sized security companies where in some ways you don't expect there to be a lot of discipline, but they reach, but there's so much talent, but they can't, you know, they just can't organize, you know, and that's the problem, they're just not organized. So they consider IT operations to be... it's a crap job, you know, it's like documentation. IT operations, you know, proper IT ops, having the right policies and actually not being the doctor who smokes 60 cigarettes a day and then is advising customers not to smoke. That's kind of sums up and unfortunately, the large amount of InfoSec consulting firms, at least that's the impression I get based on, number of breaches that happened in previous years. Haroon, I know, and I'm not asking you to speak about, you know, current or previous, but what's your sense? Is it the kind of loads of talent, but unless you've got someone there who's very strong on the operational side? Yeah. They're just busy consulting and doing research and doing the interesting stuff rather than the so-called boring stuff. Yeah, I think it's, I think it's super interesting. So previously, I spent like 10 years at SensePost and I was super paranoid there, but paranoid to the point where you almost obstructing work.
So for example, our public blog looks like WordPress, but it's actually just a scaled-down, pulled script with almost zero interaction. Yeah, it was nice, actually. I didn't know it was a pretty static. It's that sort of stuff where you kind of go, no, no, we haven't had time to audit WordPress. Let's not get owned that way. And let's make sure mail passes through two mail hops. And with all that, there would have been the time when you check on the server and you'll find our customer report sitting in a web directory that someone forgot to clean up. Yeah. And if we were owned that week, then we would have looked like idiots that week. But having said that, I know with some of the past ownage, like with Matasano or with Kaminsky, there's a good amount of forehead slapping where you go, come, that's customer report sitting on a public host. And again, like, I think there's some measure of the doctors smoking 60 cigarettes. And probably for a darker message, we have to wonder if it means that the stuff can be done right ever. Like, I know it's kind of a gut reaction thing that non-technical people will say, well, if they can't do it, can anyone do it? And we kind of like to think that that's not true. But when you see so many people getting owned and we know that we can't guarantee that we not next, you have to wonder how much of the stuff we actually getting right. Yeah, I totally agree with you. I mean, I'm pretty paranoid and I try to keep things locked down and be operationally sound. So you put them in the cloud? Absolutely. Well, then if somebody else is fault, isn't it? I can give them any excuse. Sorry. But that wasn't a bad idea to get them. Yeah, so I think the deal there, if I could get my words together, is that with a very targeted attack? Yeah, I don't think... I don't know anybody that would stand a chance. It was really targeted. But obviously, it's how many... It's the usual thing.
How much it costs the attacker to get at you and to achieve what they want. And that's what I think security is about. It's about increasing the attacker's cost. I think there's that and I think if you throw back and I'm not just saying this, because I know that you're now close to him, but if you take some of the stuff that Richard Bejtlich's been saying for a long time, it's not the sexiest part of InfoSec, but with all the ownage that we've seen recently, there should be an increased focus on detection. If you take HBGary, for example, that's what, like, how many gigs of email exfiltrated from your mail server. In their case, it wasn't a cloud, but nobody knew it was happening. And the same for all the other ownage. The question is, it's one thing, everybody gets popped zero day happens, but to not know while gigs of data are leaving your network, it changes the game slightly. Yeah. Yeah, I think you're exactly right. And there's a couple of interesting things, and now, perspective, you're exactly right, it was Google app stuff. And you've got to wonder, well, I don't know if there's any special arrangements for any special people there, but generally, obviously, there's no DLP setup, or even if we say that's a solution, but I think a lot of this stuff, which people poo-poo, I think it goes a long way, it just doesn't work in all scenarios. And obviously, you know, since there's nothing does, then that's what we go for. We go for a series of measures. But yeah, I think it's, I mean, if you just look at trying to protect your mail spool, if you just think about what's involved in that, and I'm sure you have, that's just a nightmare thing, because you're like, well, okay, I don't want all my history. I don't want it if I'm going to get doxed. I don't want my whole historical mail spool going out.
Okay, so now I'm going to have some process in place that says, you know, let's keep, you know, only the most recent number of days or weeks or months worth of messages, you know, easily accessible to me, the other's going to be in some kind of encrypted archive, which I can index and search. But then I'm going to need a bunch of, you know, processes in place to do that. So add a single, you know, infosec, you know, full-time type level. You can think like that, and you can come up with measures, but it just doesn't really scale. And so that's the challenges that even if, even if I can figure out some way to protect my own stuff, which I think is really hard. And I would be desperately embarrassed if I got doxed, you know, because there's going to be all sorts of stuff in there. And whenever I see people get doxed, I always have that sinking feeling of like, you know, what do you mean? And I think everyone who disses HBGary has to apply that same thinking to themselves. And because I just don't think there's many people that are really doing it, particularly special. They might be harder targets, but that's it. The main point I'm saying that is that it's like, it's people. So if you're like a one-man band or small, a race, more company, then you've got more control. But if you're a slightly a medium-sized company, you got like Mr. Dick doing IT. He doesn't know anything about IT security. You got Mr. Intelligence doing other, a guy like Jonathan Penta, security work, but it's not produced doing the stuff at home, so he's just relying on other people internally to do his stuff for him. And I think that's where it happened here. Well, it's because it doesn't make any money. And then they're concentrating as a medium company on going off for making money. And HBGary, in this case, we're concentrating on writing malware and back doors for everyone else's systems, and not paying enough attention to their own.
If their passwords were so weak, it's just another case of security researchers and people working in security not eating their own dog food. I mean, everyone says use separate passwords on every single system. I can't say I am using separate passwords on every single system. I mean, I can say that I'm using enough differentiating passwords to make it so that if one password is exposed that I'm not completely out in the open, it's enough to be able to say, okay, maybe they're going to access the two or three different systems, but they haven't got access to everything. But so many people are just using like password 1234 for everything, and then as soon as they get that one password, that's it. Yeah, I think for the most part, but so other than much of the ugliness that came out from the mail spools themselves, I think the one thing that we take away from it is is not to grow as much when we win on pen tests, because it's one of the things that I used to tell the guys for a long time, like you engage in a social engineering exercise. You will win because you'll only stop when you win. Like I don't think we've ever done a social and not won, because you can just eventually cry until the person gives in and does your bidding. And the only reason security companies don't get taken out so much is because nobody's aiming at them. You aim at a security company with a well written proposal and sewage them the proposal, and they'll try their hardest to open that proposal because they want your business. And yeah, I think we just need to learn that we need to find solutions that last longer than our pen tests. Cool. Since HBGary proved that actually anybody can get owned, and I've read a few articles in the past month that companies should focus on PR more for reacting to breaches. How do you think HBGary particularly acted right or not a right hearing question? Anyone else? Oh yeah. Is that the rate of it Haroon or Haroon?
I think the right thing went down the pub, so I think he did a good job. I'm fucked down the pub. I'll say it guys, and that's it. I think the stuff was horrific. So initially I said I wouldn't read the emails on principle and I quickly folded started doing searches for certain terms. I know I'm a terrible person, but some of them, when you start going into their first realization that they'd angered the hire, the reaction was just pure arrogance. And at that point you start to think guys, if you know you're kicking over a hornet's nest, at this point you probably want to be going over and checking every system that you've got exposed. Yeah. And I suspect at some point egos just ran away with people, but they handled it probably as poorly as could have been handled. Does anybody think they will survive this? No, come on, you know what happens when a company gets privileged. They disappear, they reconfigure, they reconfigure, come back, different brand name. Do you change their names? Yeah, it's worked consistently, and it always will do. Totally. Aaron Barr becomes Barr or something? I just think Barr might be looking for a job. I'm not sure he'll stay with Federal, because the other guys were quick to cut him loose. Yeah. And so it doesn't look like they've got long-term plans. What surprised me was how quickly other security companies like Palantir and Berico tried to cut HBGary loose. It was, I'm not sure if you guys saw, but they issued a press release saying, hey listen. Yeah, that's fair. We wasn't the same as those guys. But it was also surprising when you consider that that PPT that went out was on a Palantir background. It's kind of disingenuous to say, yeah, not us. We feed them loving. Oh yeah, that was leg waving. My legal guided mindset otherwise. It was complete BS, wasn't it? I mean, it was absolutely the fastest in Saras. You can imagine, but I guess that's press releases. In general. Yeah. It goes through the special press release machine.
But next one. Next one. It's actually full of software similar to that one. Is that McAfee have decided to have done an article on Night Dragon? I don't know if they're trying to be like Bruce Lee or Ninja 5. It's, you know, like, wow, we're ninjas. Ninja Dragon. But it's very similar. They talk about like, at least five oil gas firms have been hacked over the last few years. But they say by the Chinese yet again. But it's very similar attack vector. How HBGary got done, you know, SQL website, weak passwords, poor patch management. It's SC going into it. So again, it just shows that it's not just the small companies that have been exploited this or so. And actually the big ones by Bruce Lee. So. The legend lives on. Yeah. So the one after that one is that. Coffee is Starbucks. Had a nice little app on the right of the iPhone, which if you can get a lot of someone on the phone, you can get free coffee for life, which I think is pretty cool. So not only can change the language to Japanese. And you can get free coffee. So yeah, the Starbucks out. They got a little barcode on the phone. So you can top it up. And when you go to Starbucks, certainly in the States, because the Americans aren't used to currency yet. So the girls just put the money. There's a little iPhone against the scanner. And it deducts it off there and they get a free coffee. Or they don't get a free coffee. They pay for the coffee. But the barcode is the same on. Or on or the iPhone that account. So if you just find someone's phone, so when they go to it, pick it up. Either take a picture on your phone or just email it to yourself. And then you can use the barcode for your free coffee in the States, which I think is pretty cool. So it's called friend. It's like a cheap version of near-field communications. I just want to say if they do want for a club mate, you know, I don't like it. But everyone else seems to like it. So that would be pretty cool.
I mean, obviously given how, you know, enormously important that story is, what do you think of Starbucks' new coffee beans? They're actually switched. I was being sold some other day actually. I don't know if it's true. But the bloke said that they were switching coffee beans and slightly more, slightly stronger, slightly sweeter. Any thoughts on that? Well, they're gone for less coffee. It's three in one. They just rip it open in front of you. Well, I don't really like thick creamy things in my mouth, so... I rather like... I don't know if there's a girlfriend. You prefer it, right? Is that what you're saying? Yeah. Yeah, like with a bloke. Or with a deer. I don't know. Where are you in there? Anyway. Talkin' about porn. Yeah. Yeah. This one is an epic... It's handled in failure. It's by Manchester Library. Pretty much. They had a bunch of USB keys. Keyloggers on the internet workstations for the public to come and use. So, these are all things massive incident failure. So, they say the vigilant staff notice these devices in the back of the keyboard. Unplugged them. Burn the police. The police came and took them. Now, okay. So, they know these devices on there. Manchester Library can't be that big, because people in Manchester can't read. So, sorry. So, they got into that keylogger, which people use. They want to start by CCTV. And we'll see the person unplugging them and arrested them. You know, it's just... I just recognize how they handled it completely. It says a big... Good thing they've done, but now I think it's just... I think it's there, right? Oh, hello. Do you think it's really true? I mean, who's going to notice a keylogger? Especially someone who works on a library. They can hardly find a book. Exactly. So, probably just someone who's just having a deep head in there and they've got... Oh, look, what's this? You know. Yeah. Some geeky eyeglasses one. Now, that's a keylogger that's used. It's on trains. What's this? Oh, is it? I remember that comment. 
Well, sorry. Did it lovely in Alarack? Lovely. But do we have any idea? I mean, because I think that's pretty observant to pick that up. I think there's plenty of companies that... No, the reason why it picks that is because the keyboard wasn't working. Oh. There's not really observant, is it? So, you've got to go fix it and realise there's a device in there between the two. It probably was. It's probably a PS2 changer to USB. You know what? Thank you for saying the thing. For what, it's worth a little while back. South African banks were getting hit ridiculously hard with people stealing credentials. And it turned out that what the guy was doing was putting hardware keyloggers at internet kiosks basically all over the country. And the same thing, when you hear it, you go, well, who the hell internet banks from an internet kiosk? But apparently, lots of people do. And the guy made millions before they caught him and sent him to prison. Apparently, lots of people were doing their internet banking at the internet kiosk RSA, which I thought was quite humorous. Yeah. I mean, it's interesting because I come across quite a lot doing penetration testing where you get vulnerabilities that can only be exploited if someone has physical access to the box before you. And the answer always comes from the customer. Yeah, but no one does that from a shared terminal. And this just goes to prove people do crazy crap from shared terminals. Yeah, but isn't that the nice thing though, Chris, you know, being an internal pen tester is in that scenario. I just go, all right, let's grab access logs or whatever, you know, it is. And let's just do some basic stats on, you know, where people, which IP ranges are coming from as to, you know, where those are more public or private residential stuff. And I just, I like to nail all that kind of stuff because you're exactly right. You hear this kind of nonsense and you're thinking, that's not true. Let's go get some numbers and back it up. 
Yeah, it's always nice to have some stats to back things up. Yeah, exactly. That's the security world all over there. You know, we talk about things as we are ultimately paranoid. And everyone said, are you about, just wouldn't happen. But that's what happens all the time. I mean, this is your area though, isn't it? This is about how the mind works and how we perceive risk. Both personally isn't and has a group. Yeah, if it's not personal, we're not interested. It's got to be personal, otherwise I'm just not buying into it. Well, that's the thing. How does it affect me? That's the thing. That's what people care about. It's not until you either convince them of that or it does affect them. That they get the nickels and then twist them while I spend some money. But there's no, there's no me and I'm awesome. Okay. Yeah, I'd agree. You're not in that. Oh, I just, I felt that. There's a little tinge on my cheek. Next. To all the cocks. Oh, it's double whammy. Donate this one to, let's call it cock of the month. Mr Kevin Butler from PS3 Vice President. Well, I don't know if you heard, but Sony is a big who have that PS3 got hacked and the information is released for the copyright protection of the games and stuff. And if you have this key, Sony's going to sue you and get arrested. But Kevin Butler's PS3 Vice President decided to tweeted the key out. So he gave it out to everybody. And I like to know if Sony's actually going to pull it up or maybe get him arrested and then get things good in prison or something like that. It's just, you know, just so stupid that, you know, to put a massive epic fail on the security front. They're going to arrest everybody. Yes. Think of the money they can make. Actually, it's what everyone should buy Xbox. But he's better. Yeah, it's better. It's more friendly and it's a lot better game. Are we getting paid for this? Well, we're hoping we're going to get some free Xboxes. Oh, okay. Then Ben, do you want to talk it up a bit more? Yeah. 
Xboxes grow. Yes. It's the same engine as the red ring. No one likes the red ring. Oh, no. Not even the boot. Oh. Oh. Oh. Blast for the past. So Ben, thanks again for the news. Much appreciated. So I guess now it's time to kick it off to the interview with Haroon. So Haroon, thanks for joining us and putting up with our antics throughout the news. Thank you. So for those who don't know, do you want to tell us a bit about yourself and how you got your starting in InfoSec? So I've been doing it for a while. I started doing firewall network type stuff at the university where I got my degree and then started working there full time. I did dev stuff for them, did network security stuff for them. So this is way back when Check Point's FireWall-1 was still called Solstice FireWall-1. So it's a little bit showing my age. And I basically did internet stuff for them for a long time until I joined SensePost about 10, 11 years ago. And so at the time, I met the SensePost. SensePost had just started up. We were literally operating out of Roelof's bedroom. So I came up, met them, decided to join. I had an incredible amount of fun for about nine or 10 years. And last year, left to start something new called Thinkst. And the main reason for it, I guess we all get into. But basically, when SensePost started, pen testing wasn't that well known. So when you met people, they'd say, what do you do? And you say you break into computers and nobody really understood what you are doing. And then you tell them the company name is SensePost and nobody can pronounce it. And after 10 years, SensePost was pretty famous. So people knew the name and people understood penetration testing. So I decided it was time to start a company with a more arcane name with more vague objectives. The reason you left was because it started in PCI, wasn't it? Ah, yes, I thought that. No, no. So yes, the PCI conversation is all on its own. But yeah, it was. It's certainly, it's certainly interesting.
But yeah, that's, that's me. So I've spoken at a few conferences, written a few papers, a few tools, a few books, or parts of a few books, but mainly just had lots of fun for the last couple years. So how are you finding doing your own thing? It's not that different. Like I say, SensePost was at a point just the six of us. And it was pretty much doing our own thing back then. And so it's kind of for me going back to the SensePost early days more than anything else. Except this time I'm a little older, a little drier. People, for some reason, trust me a little bit more than they did back then. So it's, it's fun. It's, it's fun. And it's interesting again to be small in and trying out new stuff. And what services are you offering them with your needs? Give me all the opportunities to hit me up now. It's interesting because the, the services itself are tricky. One of the, so I had a lot of freedom at SensePost to do lots of stuff. I mean, we grew up and at a point we, we pretty much were in a good place. But, but I think what happens is you, as, as a company, you, you kind of find a business model. And after that, you end up being a slave to your business model. So, so at a point we all got into security saying, let's solve the problem. Along the way, we figured pen tests were a way to solve the problem. And six years later, you find out that you're doing pen tests because pen tests are the business model. People know what they're buying and people know what they're selling. And so, pen tests become the thing on the table. Commodity. And yeah, and it's, it's not so much the fact that it's a commodity from, from the fact that it's, it prices are dropping, like I think people will still pay for good quality pen tests. But for me, it's a question of whether every customer who buys a pen test needs a pen test. Or if we're just doing lots of really cool stuff that keeps us occupied, but doesn't really help solve the problem. Yeah. And yeah.
Yeah, I was just going to interrupt you there. I mean, I think it's the sort of, to use the parlance of my current employer, it's the sort of blue versus red approach. And yeah, I think there's so much mileage to be had with the kind of blue, which means more on the kind of, you know, vulnerability analysis or design reviews, all the, all the traditional security stuff that you can do before you kind of start saying, all right, we're going to simulate a particular threat. So I think, first of all, I think pen tests, you know, things are an obvious statement, coming incredibly diluted. It's an overloaded term that seems to mean different things to different people. And that's particularly true when you start looking at CVs of people applying for jobs. Some people think it literally means, oh, you know, I, if you see, it's like a unix pipe. If you see nmap pipe to Metasploit pipe to report, you know, it's like odour. That's really not what we're talking about. And so certainly, one of the ways we've been thinking about it, is more on the sort of threat simulation side of things, which tends to make things a bit more realistic at least. But yeah, but I think this, this, the whole pen test thing, and I know there's a new initiative that's been started up by, I think when you're, you're helping out and maybe Chris, to do with kind of trying to better formulate what a pen test is about, but also not just talk about what it should involve, but also what the report, you know, should include. And so that I think there's, there's some efforts that are going on to try and, I don't say standardize, but articulate, you know, articulate what is it you should be getting.
But I think you're right, Haroon, back to your point that there's a lot of consulting companies that are just feeding, and this is where the InfoSec industry doesn't help itself, feeding off of this like pen test mantra, because people get it, you know, they get the offering now, they didn't, many years ago just like you say, but now they get it, and they think if they have one, they're kind of done, and it's, it's just scary, isn't it? It's a hard thing to get away from. I mean, so I try hard to tell people that I'm not doing pen tests anymore, and, and literally I don't think a week goes by when I'm not, when I don't have someone saying, but I hear you, but can you do a pen test for us? And it's, it's one of those things that, that's really hard to run away from. And in, in part, what, what I want is like, if, so the way we always did pen tests, so the way that I always pushed for pen tests was fast to find interesting challenges, and then you kind of find a way around it. If, if you look at the pen test as a challenge that needs solving, you kind of throw determination at it, hopefully some brains at it, you write some tools, you come up with some new technique, and in the end you solve it. And what I'm hoping instead is to take some of that energy and use it on problems other than how to break in. If you safely assume that you'll break in anyway given enough time, then I'm saying, let's do the opposite. So let's have someone say, look, we have a problem with phishing, and we know what the problem is, we just can't solve it. We, we're not coming right, we're still getting our users phished six-love. So can't you help us solve this? And, and I'm hoping that, that you can then throw the same kind of thinking and the same determination, and maybe write a little tool, and maybe stick two tools together, and come up with a solution that works for that customer. Isn't, isn't the big problem that people don't really know what they want?
Yeah, so it's, they don't know what they want, and like I say, it's, it's a lot easier for them to say, well, why don't you just give me a pen test, and then I can say that I've done my security bit for the year. And in truth, it's, it's the gamble I'm taking with things, but also to be, like to be honest, I've got a lot of customers who, for some reason, kind of trust me over the last few years. And so for the most part right now, it's them coming to me, I've got some trust because basically they've got to say, hey listen, we're not getting this problem right, let's solve it. But, but for sure, I think the question needs to be asked more, like I think if, if someone's done a web app assessment on your web app more than three times, and broken you more than three times, then a pen test on your web app is not the answer. You need to ask the question, why can't we write secure web apps? And it's a different problem that needs solving. Every time you do a pen test, guys break in through networks that you don't know are connected to you, then having another pen test next year is not going to make you more secure. And so for now, I'm mainly getting work from customers who are more experienced, customers who have banged their heads against getting owned on pen tests for the past 10 years. And I'm hoping that in time that stuff will spread. But for me, it gives me a chance to work on more interesting problems. And my bet is, or where I could lose is I'm actually hoping that I can solve the problem. So this is the ultimate post exploitation, isn't it? Absolutely. That's pretty much it. But yeah, that's the hope. I'm hoping, or that's what I'm busying my time with at the moment. So I'm saying, if people have interesting problems, I'll work on them. It's kind of interesting that most companies spend a lot of time doing penetration testing, as you say, which tends to be futile. 
And I think one of the reasons why some companies don't really reap the benefits of penetration testing is that they're willing to spend $20,000 on their penetration test and get someone to come in and tell you how they broke into your network and where all the flaws are and maybe hint at how you can make that better. They'll then look at that report and throw out half of the stuff that you suggest when you're saying things like this vulnerability didn't allow us to gain access, but it was an information disclosure that allowed us to easily research how to gain access to your system. And it's those kind of small little bugs that can really add up after an amount of time. If you've found five or six small bugs, it's amazing how you can chain them together to gain access to systems. But companies don't seem to be willing to fix those kind of bugs. And I think that's one of the serious issues. If you don't write it in red pen and say, this alone is a critical vulnerability and through this one flaw, we can gain access to your system. Then it tends to get red-penned as an expenditure that they're not willing to fix because it's marked as a medium or a low. I agree with it. And for a long time, I felt very strongly that guys need to be fixing all the little pivot points that we use that took us to the big ownership of the network. And recently, I've started to change that thinking a little bit to say, well, maybe we need to do it differently. Maybe we need to say, all the stuff is going to happen on a network. How can we make sure that what's important still stays secure? And again, it's so pretty fortunate that I've literally had a customer say, can you fix phishing for us? And I've had one saying, can you sort out so that we can transact even when both parties in the transaction may be owned? And one of the customers I'm working with right now is saying, we know our network is Swiss cheese. 
But can you make sure that whatever these 10 guys do doesn't make it out onto the internet ever? And it becomes an interesting problem. It becomes a fightable fight. And maybe that's where we'll go in the end. This really gets us close to Chris Hoff. And he always bangs on about this on his blog. He's talked this way about survivability, and I think that is what security is about in a business context and probably in a government context as well, really. It's about being able to continue operations even if it's degraded. But knowing in advance what's important to you, what you need to protect. So even though maybe half your ass has been owned, you can still get done what you need to get done. And you're aware when you can't, you see your degradation levels. You're aware of that. Absolutely. The problem is it's a hard pitch. Again, if you're competing with, sure, I'll give you a pen test. It'll be two weeks and so many thousand dollars. First, let me look at you, what you're doing, and let's figure out what's important, and let's figure out how we can secure that stuff while allowing other stuff to get owned. It requires some measure of client maturity first, and then some measure of client trust, because they basically pay you for a bit to sit and think about stuff. But maybe sometimes I think the company thinks they know what they need to protect, but really they're not protecting the right thing. So we have a responsibility to help the company understand really what they need to protect. Absolutely. Absolutely. So part of it has to be figuring out with the customer actually what's important, because they can't make a call sometimes on how important their border router is, for example. And I think that's where you add to the equation where you say, listen, if that goes, this is what's going to go wrong. This is why we need to protect that stuff. And I kind of see it as the next generation of consulting for lots of those guys. 
But yeah, so to go back to the question, so that's right now the pitch that Thinkst makes is if you've got a hard problem, then I'd like to work on it. Sorry, Karia. No, no, and right now I'm pretty open on what that problem is. So like I said, it's been pretty diverse so far from playing with guys on phishing, to playing with guys with one-time tokens to trying to get a reasonable, say, even though it's going to get slaughtered, a reasonable web application firewall going. And again, my reasoning is you can't necessarily write some tools to protect everyone, but you can write some stuff to protect very specific people in very specific situations. And so for now, I'm just having fun working on that stuff. So talking of some things, you spoke already a little bit about, you spoke of some conferences, but also you've made the comment about how there are so many conferences, and maybe what you're trying to do about that. Yeah, so a little while back. So actually a customer, a customer of mine, who basically just pays me, and this guy basically just pays me to occasionally talk technical strategy and stuff to his company. And he was asking me a while back, well, which conferences should he attend? And a little while after that, it was, well, he attended this conference, but there were 120 talks, and he met some people, but actually didn't get great value from it. And I started thinking about it a little bit, and you'll see the, if you go to my blog, the cheesy infographic that I put together. But one of the things is that conferences have gotten slightly out of hand. I mean, we've got a conference going on almost every day of the year, just in InfoSec. And when I mentioned it on Twitter, I know some guys, some guys remarked, like Charlie Miller said that, yeah, the answer is fewer conferences. But I also think that that's wrong. I think we need conferences because we need young guys to come up and we need new researchers to stretch their legs in the field. 
But the problem is that it generates so much noise that we lose the signal. And so one of the things that that customer, in fact, asked me for is, if I could basically tell him, listen, this stuff was interesting, but this stuff is super important. And this stuff you really need to be thinking about for the coming year. And if you take a look at, just take the past year's conferences. And pick a topic, pick a topic like memory corruption bugs. I mean, across the literally hundred conferences that happened last year, there were lots of guys talking about new memory corruption techniques. And the question is, which ones were fixed on the next patch cycle versus which ones have moved the bar forward and actually are going to be the new dominant bug class? Which are the ones that you should get your developers on right now? And I think some of that stuff, like I say, is just lost in the noise. And so what I've got is ThinkstScapes, which is basically just a quarterly document that goes out that says, this is what was interesting in the last four months. And this stuff was marginally interesting, but this stuff really bears watching. And this guy did this talk and it's building on his work that he did two years ago. But you should watch it because it's on a trajectory that's going to influence lots of stuff. So basically, it's like having me whispering, you're at a conference without the annoying South African accent. That's the charming bit, right? That's what my mother says. That is the case. Yeah, so that's a bit of a fool too, right? Yeah, that was tough. So where is your blog, if you want to? Oh, sorry. So if you go to blog.thinkst.com, that's a pretty low volume. I don't blog nearly as much as I used to when I was back at SensePost. But yeah, blog.thinkst.com and you should find it on there. And the service is called ThinkstScapes, just because I'm notoriously bad at naming stuff. But yeah, that's pretty much what it is. 
And it's priced at something like, it's priced at $8,000 a year. And in part, the pricing is just aimed at less than what you'd pay for good pen tests. So if you consider you get four, four of those reports and a whole bunch of ad hoc reports. So for example, the HBGary stuff would have gone out in an ad hoc report saying, hey, listen, this is what went down. This is who Anonymous is. This is who HBGary is. Interesting. And here's what you can expect to happen in the next bit. But the ad hoc reports are, like I say, pretty ad hoc. Hopefully the joy comes just in figuring out the signal from the noise with all the conferences. What's interesting is that obviously there's a lot of traditional IT analyst companies out there who, you know, various IT leaders will be subscribed to, listening to or just kind of like reading and maybe laughing. But what struck me was that ThinkstScapes really seems like a very specialized, you know, version of the traditional IT analyst, but with someone that actually knows what they're doing. So someone that's hands on, that's got experience. And has kind of seen enough to be able to judge stuff from an offence point of view, is that how it is or? Yeah, that's pretty much what I'm hoping for. So I can tell you, in the past few years, it's one of the things that I did, even at the previous company, which is after a conference we'd sit with the guys and we'd go through, hey, this is important and this area is worth looking into. And so fortunately, it's one of the things that having done this for 10 years kind of falls into kind of what I do. And I'm sure that lots of the guys, lots of the guys here on the podcast have some of the skill sets. But I'm kind of lucky that I kind of have played in most of the areas, even of InfoSec, to some extent. So I've got a reasonable, reasonable amount of experience in web app hacking and in network pen testing and in memory corruption attacks. 
At least enough to be able to give a fairly nuanced view of, hey, this was really cool. But actually, this is going to be taken out by the next big bug fix. And this stuff's cool and it's not going to be fixed for a while because it has these implications. And not being a full-time memory corruption guy also means that I don't diss everything web app and don't diss everything network pen testing. So it, yeah, it kind of allows me to play across the field and allows me to give almost fair comment across the field. So kind of, yes, this is really easy to do but it's going to mean that you're going to have lots of kids using this attack class against you. So you need to watch out for it even though it's not particularly sexy? So does that mean you're going to be going to more conferences than Chris does? Because Chris holds directly but being at so many conferences. And so in order to compile these ThinkstScapes, yeah, with the kind of intel on the latest talks. And is it just you or do you have anybody else working? So I've got one guy who's recently just joined me, God help him. But for now, ThinkstScapes is mainly all me, except he's currently putting together a database that we'll release shortly, that will kind of allow people to browse. So you should be able to click on a speaker like Craig Balding and it should tell you he gave these three individual talks and those two were actually repeated at the following n conferences and in past years. I don't reveal my secrets around. And these are the three blog posts that Chris wrote about it while he was walking across the field. Yeah, exactly. He's talking. That was a scary part. He's so efficient. 
Let's guess one of my questions is that, if you're not so much a Chris because now you're not doing it to get paid but you're doing it to spread the word sort of thing, but if you're attending conferences and having to have so much focus on taking guest notes or feeding this information in to store it somewhere and process it, so you're not focusing on the networking stuff with individuals so much. Does that take the enjoyment out of the conferences? So, in truth, I'm pretty anti-social. So I've got a bit of a bad reputation for doing my talk and then hiding in my room for the rest of the conference in general. I think over the years I've run out of excuses. So now people don't even ask me for excuses. In truth, I don't necessarily plan to attend all of these conferences. Like I said, it's pretty much what I've been doing till now. So in terms of getting conference material, reading up on it, speaking to people or close friends who I know who have attended, basically it involves reading lots of the papers. So where the papers are put out, actually making sure that you go through them reasonably, where it's reasonable working through some of the stuff. So going, hey, this looks interesting, actually trying it out and figuring that the guy's research was good demoware but never going to hold up on a real network. So I end up doing lots of that anyway, whether I attend the conference or not. And in part, it's kind of an addiction. It's something that I thought I'd be over once I left, once I started the new company, and I find that I'd do it anyway. So yeah, it's something that I end up doing by default almost. Well, doesn't that cause problems with more private and invite-only kind of conferences where you tend to see, I'm going to say better talks and different talks, where people feel slightly freer to talk about their latest 0-days or the latest attack vectors, because they know they're not going to be publishing the paper and they're not going to be publishing. For sure. 
And in cases like that, I won't talk about stuff unless the guy gives me permission to. So for any of the private con stuff, if the stuff's going to come out, it'll only be after speaking to the author and finding out that he's okay with what I plan to say on it. But for the most part, I think there's enough noise that needs clearing up just in the public conferences. In large part, the aim of this is to clear up the noise. It's to say, hey, all the stuff was out there. Here's the stuff that you need to pay attention to. So it's very much kind of like a... I've taken all 20 tracks at the latest Black Hat and brought it down to two talks that were actually interesting. Yeah, pretty much. So probably a little more than that, but it'll probably be something like... I don't know. But it'll make me... It basically will be that. It'll be like 120 talks just happened. These two talks really pushed this new concept forward and this stuff really bears watching and this stuff looks interesting. We should probably look at it. Cloud security. That is interesting, Matt. Yeah, no, no, one is, I know this. So, Haroon, question for you. Yes. In fact, this is the Zarkon. How do you fancy this? Is it Zarkon's Acon? ZaCon. Sorry, okay. So ZaCon. Oh, like an Acon. ZaCon. ZaCon. Yeah. ZaCon. Yes. So, the functions without a tag length. Yeah, that's unusual. And riffle. So what's the deal in terms of the... When we get guests on, we often like to ask what the InfoSec scene is like in their country and interpret InfoSec however you want. 
But what's it like in South Africa and the sense I get from watching the videos, and I really did enjoy many of the videos from the last couple of years, was that you're really trying to develop or get a voice to people that maybe are doing the research at home, maybe they're not even in a full-time security job but they're kind of doing this stuff and you kind of want to get their voice out there and get them somewhat into the circuit because there's certain visibility benefits and financial benefits. Do you want to just talk a bit about that and how ZaCon came about? Yeah, sure. So first of all, you're smack on right. So a big point of ZaCon is just to get guys fiddling with stuff and researching and seeing the coolness. And there's multiple reasons why we thought we needed it. But probably the big one wasn't me. That was my start. And probably the big one is it's... So Dave Aitel, who's always excellent for biting quotes, said something about how if somebody had to start hacking today with all of the OS-level protections that exist, he'd probably never reach the level of proficiency needed because it's too hard today. Now, of course, young guys come along all the time to prove that they're completely wrong, but the point is sound that the field is really intimidating for young guys to get into today. And in South Africa, a part of the problem is that you've got lots of guys who kind of are maybe interested but it's really a bridge too far for them. So they're doing their corporate job and they may hear about Black Hat and they maybe know someone who attended. But actually, contributing is really far away from their mind. And so a few years ago, Marco from SensePost, Marco and I were talking about putting together a conference and basically the point of it being a non-sponsored, non-corporate driven event. So both of us were at SensePost at the time and the plan was for it to be non-SensePost-driven. 
And basically what we wanted was a way to start getting people interested and I know I mentioned it before, but it's almost to lower the bar. So I know it sounds counter-intuitive because normally you want to go in there and raise the bar and get synergy and all of that stuff. But in this case, what we wanted was to show guys that actually it's okay to come in and talk about how you configured SELinux on your box because maybe he'll do it and maybe he'll get the experience and maybe he'll start someone in the crowd thinking about how SELinux is doing this stuff and we should be doing something else. But basically it's to start getting people used to actually fiddling, actually researching and actually generating stuff. Almost the central theme is to make people produce instead of consume because part of the problem now, and it's again tied to the fact that there's such a wealth of information out there, is that people are consuming more and more and they seem to think that they're doing something useful just by consuming. So you start to listen to excellent podcasts like this one and you can basically have a guess. You say that slower than we can extract it from the audio. This is EuroTrash, right? You remember what podcast you are. But seriously, you can kind of fill up your iPod and you can have a full-on podcast so that you're not thinking about doing stuff anymore. You're just listening to stuff that other people are saying they did and you think you had a productive day and actually what we're trying to say to guys is, no, come on, do stuff. Like stop watching other people do it. Do it yourself. So a little bit, we have to deliberately lower the bar because we want to encourage people. So there's some talks, for example, that we look at and go like, this guy's actually got it fair but wrong. But what you want is for him to get it right and so you want to accept the talk and talk him through it and see if we can get it to a good state. 
Yeah, so I'll tell you guys a really, really long time ago and again, it's going to show my age, and Ping from Black Hat was telling me that they had this reverse engineer give a talk and he was so nervous that his talk went really badly and basically couldn't string words together without looking at the floor. Except that Jeff from Black Hat felt that the guy was worth betting on and so they gave him another chance and that guy was Halvar, and Halvar became Halvar and now is much larger than life in InfoSec reversing. And so kind of what we're hoping for is some of that, that young guys will try out and may not be awesome the first time but it's awesome that they try and we'll get awesomer as they go. If you want bad presentations then just give them a shout. So do you think, Haroon? I mean, just to take it on the cultural side for a second. Don't you think, I mean, me sort of coming from England, I think it's got a lot to do with the way that different nationalities are kind of brought up and the way that we feel comfortable expressing ourselves. So if I think about, so I've worked for a U.S. company for many, many years and through that, you know, I've met some really... I know some people think, oh, a U.S. company is going to be loaded stupid course. Yeah, elevator music. I'm boring. I've only been talking for 20 seconds. 20 seconds. It's not really crazy. 10 minutes when I talk. I do know this. But I think the kind of makes the guys I'm really in trouble. Is that, for example, the U.S. is much more comfortable with show and tell. So, you know, in the classroom standing at the front as a very young child talking about something they did, something they're proud of. And, you know, certainly from, hey, if you're in England, you never did that. That was just... That was like the antithesis. It was the opposite of anything you would ever want to do. And so, like, for example, the first talk I gave, which happened to, like, in terms of InfoSec, was Black Hat. 
I was cracking myself. You know, I was really like, why am I doing this? This is, like, suicide. You know? And I thought, well, I'll do just... Yeah, I'll just do death by bullet point. And that's why I did nice slides. The slides got really good reaction. But, you know, I was really scared. I was fearing for my sanity. And my future income. But, you know, I think it's that different. So, I think what I see with ZaCon is that, you know, I get the feeling that it's not so different in South Africa in terms of the way you guys are brought up, just as a sense, you know, the way that you express yourself and carry things out, is the same deal, is that, if I think about our American cousins, they're really, you know, very comfortable standing up, talking about what they did. They could be talking about running an Nmap scan. And they would talk about it, like, it was brilliant. And that's how they felt. And they can encapsulate that. They can feel good with that. But... Yeah, absolutely. My perspective, you know, is like, oh, it's just that. You know, and that's the problem is that there's some kind of middle ground that we need to figure out, where it's like, you've got to get out, you've got to better say this stuff. And then, once you get it out of your system, you'll move on to the next stuff. Yeah, absolutely. And look, for the most part, what I'm really trying, or what we're really trying to get right, is having guys do stuff. So, I think there's the, there's the talking about it, which I think you're smack on right. I think there's a cultural hesitancy, a kind of a cultural, we're not good enough, that creeps in, that needs to be beaten out of people. But I think that's like, an easier fight to fight. The thing that really worries me, is that I'm afraid that we, that the guys get so used to just consuming, that they don't think that producing is possible. 
So, so the guys kind of end up in a rut where you, you kind of think that it's your place to run other people's tools and learn other people's presentations, without ever saying, let's do the stuff. And one of the things that you guys will know, is that presenting isn't easy. I mean, standing up on stage and talking is not particularly difficult, especially if you're semi-narcissistic, like we are. I find it can finish quite easy. Yeah, exactly. I've been taking it for a long time, and it comes naturally. But, but I mean, the difference between thinking you know Nmap and saying, I'm now going to teach you Nmap. And then you stand up to teach someone, you suddenly realize, hold on, an Xmas scan actually sounds the same as an X scan that I had in my head. So, clearly I don't understand this properly. And if sequence IDs are predictable, then why isn't spoofing possible? For example, and some of that stuff is hard. It's the same, so I heard you guys, proof that I actually listen to you guys. A while back, you guys were talking about how difficult putting out a quality blog post is. And it's one of those things where I want guys to say, let's take the trouble to create something. Because actually creating something decent is hard. And the danger that I'm worried about is where there's this little dip that the guys have to go through where it's difficult and maybe doesn't come naturally. And at the same time, they could use the time listening to a high quality podcast like this one. And so the guys end up thinking that they don't have to do that blog post. And yet I think that if they do, they're going to be so much better for it. Because the stuff's going to roll on and other people are going to learn from it and they're going to learn from having done it. And it just works out better all around. Yeah, totally. You should listen to, when we were at BruCON last year, we did a podcast as Meetup. 
And the same thing came up and it was about, yeah, there was a bunch of things in there. But one of them was about that create versus consume. And I totally agree with you. I mean, it is harder to create. And every time I write a blog post, which unfortunately isn't as frequent as it should be, yeah, it's really hard. It's hard to write. It's hard to put down your thoughts. It's easy to think you know your thoughts. And then once you start trying to figure out who, you know, who are you writing for? That's one of the hardest decisions ever. Because if you start switching that persona that you're writing for, and you know, then your blog post takes three hours to write rather than maybe the half hour that it should. But yeah, it's, and that's the thing, because I think back to when I started out, and I was, Unix just had been and then kind of got the calling after reading a book, and kind of discovering, wow, there's all these security issues on the systems I look after that I thought were all right. Then you go into, you know, consume mode, but back then it was, it was pretty easy. You know, it was like, you could read an awful lot, but you would never be drowned. Whereas now, there's so many, there's so much, even in the, if you just look at all the stuff that's out there, there's so much quality signal, once you can differentiate that, that, you know, you could really just consume for the rest of your life, and never take the initiative, and get up and do something. And the thing with the, I mean, that's, so just tying it back to South Africans. The thing that I found with the, the SA guys I know is that, actually, they're very much get up and do it. You know, they're kind of, they're not the consumers sit back on the sofa and just take it. And now I, I know that, that may be generational, but. Thank you. Also, probably seeing a, a selection bias. Oh, I totally am. I'm seeing the guys that have percolated up, so. Yeah. So, yeah. 
So, a whole bunch of guys then got behind it. So, Matt Erasmus, you guys mentioned Roelof and Dominic. So, Dominic, quite singing on Twitter. And basically, it's been pretty great. So, we ran the first one and the crowd was good. And last year's was even better. We had quality speakers. We had Ollie Whitehouse Skype in from, Skype in from the UK. Nice. Yeah. Last year, we tried something new, so we introduced a concept that said, if you want to do a talk, but actually don't know where to start. Like, you kind of think you want to talk about a subject, but that's about as far as you go in your head. Then, speak to us and we'll tag someone on to you and he'll basically walk you through the talk, push you in the right direction. And obviously, that guy gets no credit as the tutor. He's just going to be on your shoulder and help make it happen. And it was interesting to see how that stuff worked out. Like, initially, there were maybe ten people who signed up saying, I'd love to do that, always wanted to do a talk. And after initial meetings with the guys about half of them dropped out. And once it got down to actual serious work, another half of that dropped out. And in the end, there were just two guys who presented that came up through that assisted presentation technique. And I hired one of them. So, so yeah. Now we understand what it's about. A rising tide lifts all ships. That's what I say. No, but you're right. I mean, the thing is, I remember going to some really early CanSecWest talks. I was really lucky to be, you know, my employer was willing to spend the money to fly out there. And I remember talking to Dragos and just saying, you know, one of the things he was working on was trying to get some of the speakers who had, you know, they had masses amounts of talent. But as you mentioned about, you know, maybe Halvar's first talk, you know, just didn't have the confidence. And whereas now, if you listen to Halvar, like you would never believe it, you know. 
And that's the thing is about, there's all these people that have this talent. And people have to coach them. And so, there's probably a segue for InfoSec Mentors here, isn't there, Wim? But there is a lot to be said about, you know, supporting people and you're not going to get any credit for it. But that's cool. You know, it's kind of like, just putting something back in, isn't it? Yeah, absolutely. And look, less altruistically, it always helps to have more smart people at home. Whether they end up at a customer or whether they end up working with you, it never hurts to increase the smarts. But that's why I invite Ben on the podcast, Wicked Clown, because we're hoping that his negative IQ acts as like a multiplier for us. That's absolutely good. Did I miss something in maths? You're a treasure for charity, no? You're a treasure. Of course, a special case. Thank you, guys. You are, you're really special. You get an extra 10 meters per hour. You're all special, Wim. Gold star, gold star. Nice. Cool. So, Haroon, so I think we've been running for one, so we probably have to wrap it up, don't we, Dale? How long have we got? Oh, I guess we've got a, unless Haroon's got anything else he wants to mention, he's working on or upcoming conferences he's talking at or anything like that. Nope, so I've got a few things that I'm working on, but they'll pop up sooner or later. So I'm actually good. Thanks for having me on, guys. Okay, so if people want to follow you, obviously you've mentioned your blog already. So a website or Twitter, anything that you want people to hook you up on. So my Twitter is haroonmeer, but I'm probably one of the worst tweeters there is, like I frequently type something in the text box, ask myself if it needs saying and decide that it probably doesn't need saying. You apply, you apply quality control to your tweets. You just don't get Twitter, do you? I think you're something up. 
Yeah, I've spoken to a few people to try to teach me how not to be so anal about it. But I can't. So yeah, so anyway, on Twitter, Haroon Meer, I've managed a total of 265 tweets. All right. I was just trying to throw a remote shake. What did you do? Sorry. Yes, absolutely. I'm going to... Yeah. So that's me on Twitter. And blog.thinkst.com is infrequently updated, but is updated when stuff comes out. And yeah, that's me. So you can mail me, Haroon Meer at thinkst.com. If you've got hard problems there, do you want a guy with a bad ex? Think about it. And we're just... We're probably like you. Yeah, we got Wim for that. We were like, there was the fig leaf talk, and I didn't want to miss out on it, because personally, I got a lot from it and thought there were a lot of themes that totally knocked my head there. I'll just give like the... I'm putting you on the spot there, I apologize. The one minute version of the fig leaf talk, like, and where people can watch it, because I think there was a video recording of it. Oh, yeah. So if you go to the ZaCon site, there should be a link to the video there. Actually, there should be a link on my blog too. But the crux of the talk was basically a, hey guys, let's stop hiding behind statements. And I think in InfoSec we've got a whole bunch of them that we hide behind. And in part there's just a, come on, let's stop talking about the stuff and start doing it. And it applies to where we stand with InfoSec, and in part where we stand with research. So all of the... I didn't do it because of the following n good reasons, or we didn't, we're not secure because of the following n reasons. I'm saying, come, let's put that stuff behind us, let's just put our heads down and start doing stuff. So that's about it in a minute. I promise that the video actually includes more ums and ahs. It's badly lit and badly shot. Excellent. So yes, somebody should definitely check that out. Somebody.
So um, before we wrap up, we'll just go around the table, see if there's any questions. Ben, do you have anything? No, I'm okay, thank you. Chris? No, I'm good. I think we've covered a lot of ground, and I think there's a lot of interesting information that we can take away from the discussions. Okay. Wim? Well, since the BruCON CFP launched this week, would you consider submitting to the BruCON CFP? Um, I shall indeed. Um, so I shall means I shall ponder submitting. So I've got something that I'm working on on OSX. That's not quite ready yet. And, um, right now talk ready, I've got my, uh, the talk that I gave at Black Hat last year, but I kind of hate repeating talks. So mostly, mostly only ever give talks, uh, once or twice. So, uh, I'll mail you offline and, and see, see if there's anything that I can do that you guys won't hate too much. Cool. And it'll be cool to be there, yeah. Cool. Craig? We're good. It's a good conference. I've heard good stuff about it. Matt tells me you'd go there almost for free. So he paid, completely paid just to go out there, so you guys did something right. Craig, anything more for you? Yeah, just one thing. As a prize. Yeah. Big shock. So if you had, like, one message for somebody that was, like, just getting started in, uh, IT security, maybe they were just at uni, or whatever, and they're kind of conversing over. What would you, uh, what would you say to him? Um, almost more than anything else. And, uh, I'd say, do stuff. So, so it sounds, uh, it sounds really trite, but I think people really underestimate the value of actually, uh, doing stuff. Um, and, uh, what I mean by that is if he's a sysadmin and he's just started out and has configured, uh, SSH, uh, authentication on his box, write it up and put it out there. Uh, tell people why SSH authentication works that way. And, uh, right now, I think I'd advise almost anyone to make sure that they're developing.
Uh, so even if they're just scripting, but I think right now, if they're not, if they're not putting together some code, it's going to hurt them in the long run. And other than that, I think, uh, yeah. So, it's, it's going to turn into a long story. But there was a, there was a paper a long time ago called You and Your Research by Richard Hamming, uh, the guy who, uh, the guy who put together, uh, the Hamming number and all of that. And if, if you read that paper, so go look for You and Your Research by Richard Hamming. And it's absolutely everything that you'd want to say to anyone, uh, starting off in this field. All of the stuff's in there. It's going to say it's going to cost you, uh, don't fool yourself into thinking life balance works out perfectly with achieving truly spectacular results. But if you want it, it's worth it, uh, make it happen. Well, I hate, and I'm terrible at coding. So I guess I've got a world of pain coming my way. So on that bombshell. Thank you very much, Haroon. Thank you guys. Coming on the podcast. Yeah, much appreciated. You know, thanks. Thanks much, you guys. Chats on. Great. Catch you guys next time. Thanks for listening. Cheers, those sounds. Bye. Bye. It's all the grass sometimes. It's something to tell you. Your life is about to be all good. And everything changes. It's crazy, right? This one goes out to everyone. It's taking something unexpected and turning it around. Life's the world. The greatest minds of our time. Begin a new flight. Consider them as geniuses in their own way. It's intelligent, innovative, running up the score. The best co-workers anyone can ask for. Walking with desks boards. Leaving the office. Farms holding cardboard. Lives in those boxes. We wind up few hours. Ain't no pushing code to test. A few minutes back. They were cleaning out the desk. Tony was furious and ripping out the fixtures. Pushed him out the door. Didn't let him get his fixtures. Nick was in shock. The news just fitted.
Highs in the days as he turned off the system. Justin was calm because he knew they'd find work. And this was the bottom. So we wouldn't get worse. Let's hide aside. Thoughts on his mind. Let's see lock himself out. For the very last time. Here we go. No telling what's next. Life's up and down. Never know what to get. Be prepared when you're quick to the test. Got a step up. You can stand above the rest. Here we go. No telling what's next. Life's up and down. Never know what to get. Never know what to get. Got a step up. And you stand above the rest. The best four with three months. Life's no joy. Boat Tony and Justin. It's still a long story.