Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

Episode: 353
Title: HPR0353: Pete Wood Interview
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0353/hpr0353.mp3
Transcribed: 2025-10-07 17:07:21
---
Music
Well, hello, and welcome back to Hacker Public Radio; you're listening to another Finux's Student
Hacker's Guide to Linux.
Well, it's another interview this month.
I was lucky enough to hop on Skype and speak to Pete Wood from First Base Technologies.
It was a very interesting time.
I had the benefit of listening to Pete Wood speak before.
So I enjoyed it very much, but enough with me and let's go on with the interview.
I'll catch you all again next time on Hacker Public Radio.
Hello, Hacker Public Radio listeners.
I'm having a conversation with Pete Wood.
Pete, could you introduce yourself to the Hacker Public Radio audience?
Yeah, with pleasure.
Hi, I'm Peter Wood.
I'm founder and chief of operations at First Base Technologies,
which is an ethical hacking firm founded back in 1989 when nobody knew what it was.
And I'm also a conference committee member for ISACA, the audit institute.
Okay, thanks very much for joining us Pete.
It's a real pleasure to speak to you.
I was lucky enough to see you talk at my university last year.
So, you know, I'm really glad to have got you on.
I suppose one of my first questions for you is what's your advice for people getting into ethical hacking?
Oh, there's an interesting question.
I think we've done quite a bit of interviewing over the years.
If you can imagine we get quite a lot of people approaching us who are interested in the whole profession.
And I guess I've got a few comments.
The first is really to understand that it's not just about technical skills,
unless you're going to be a back room person or researcher working for government, I guess, or something like that.
But one of the key factors, I think, is being able to think outside the box.
I know that's a really boring thing to say.
And I might even be quoting someone else in the information security community
in saying that, someone who stands on stages an awful lot and says that.
But it's true.
To look at things in my terms, I think, like a combination of an engineer and a child.
You have to say, what happens if I do this?
Not, you know, a number of people of my age who aren't techies,
they tell me that their kids end up pressing every button on some device rather than they can never get it back to normal.
Or if it is group, then they have to get their kids to sort it out for them.
Well, hackers, I think, if we're talking about the sort of job that you and I do,
they're the ones that can do that.
They were a step near old, but with the engineering head on.
Which is an interesting blend, I think.
Possibly the fact I've never had any kids who have left me childish, but anyway, I worked for them.
So kind of this schizophrenic state of being an engineer plus tank, you know, playing around with this?
Yeah, it's not that different from when I was like seven years old and wiring up stuff.
I blew myself across the room putting a 12-up torch bulb into a lag when I was seven.
And stuff like that, I think.
If I could survive it anyway, I couldn't get you the right spirit.
I think I was about the same age when I got electrocuted with 240 volts out of the house.
Have you found you get immune to it?
I think it's probably all right.
And once you shot, shot, shot.
I used to keep everything going on as daily basis at one point, but that was working on it.
At the same time though, I think obviously you've got to be ethical and professional.
It comes with a job title, but it's something that people don't understand fully, I think.
One of good...
Yeah, I don't think people appreciate that so much that we have to be...
We have to be good, we have to be the white hats, we have to be the good guys.
And that means keeping ourselves well into the white, because the road to grey from there,
the road from grey to black, is, I think, a quick and slippery road, to be honest.
It is, and I've seen it, with a lot of people I've spoken to,
they don't quite understand where the boundary is.
And it sounds already boring and a bit starched to say that we don't touch anything
unless either we built it ourselves for that purpose, or we've got the bit of paper
that says that we're allowed to do it.
But in fact, it's a lot more fun if you have permission in the way
because you end up being able to explore things without fear of being captured
and you actually get in and look deeper and look quicker.
And so it kind of helps you create an impulse early knowing that your boundaries,
you're free within the boundaries.
Yeah, and that was my next point.
In fact, you've hit the very work which is the boundaries
because where we have had problems with people that we've trialled or that we've interviewed
is that they're going to understand the boundaries properly.
And obviously there's a huge amount of boring work in discussing this with the clients
at the start of the engagement and saying these are the sort of things that we want to do
and then explaining to them the potential impact to make sure that we don't,
for example, run exploits against a system that's critical to their business during working hours
or something like that nature.
It sounds obvious.
It's basically the trust thing though, isn't it?
You know, you're asking people to trust you.
And if you're asking people to trust you, then you have to stick to your word.
I mean, it's like having a house guest, isn't it?
Agreeing in principle what the boundaries are and then finding that they,
I don't know, have drunk all your beer or something.
And not replacing them.
And of course that requires discipline and one of the things I find absent
in some people who talk to us about job is understanding exactly what our discipline is
because you might be really keen to explore something that you've located.
But our stance is when you find something like that, you go and talk to the client about it.
This is assuming you're on site, or you've rung them up if you're not.
And you talk it through with them and say, look, we could do this, what do you think?
And in those situations we have a sort of additional consent form that we use.
And if the client agrees that that particular system is worth digging into in more depth,
then we get them to sign off for that specifically and that way we keep everybody on the same page
and everybody legal.
Do you think, in that case, to many companies kind of take you up on that
or if you find a new vulnerability on a system that they didn't expect,
do you find that they're proactive with you or do you find that they kind of say, no, no, no,
it's okay, we only want you here for this.
It's a cultural thing of course.
And I guess there are many firms to the most formal and others.
And some of these are just interesting as you're given who I'm talking to,
but what are the most interactive and creative clients we've dealt with is based in Edinburgh
and they're in the investment side of things.
And they're very intelligent.
We sit and talk with them about what we found, all the IT guys engage with it.
We dig into it a bit further.
Almost as a corporate team.
Other firms we deal with literally just one.
It's a kind of vulnerability profile.
And a very nervous about anything that's proactive or penetrative.
So, you know, it's a cultural thing.
I think, I mean, I've been lucky to listen to some of the podcast stuff that you've done before
and written and stuff you've done on that.
I've heard you talk about certain institutes, you know, typically institutes that are aware of security
have been institutes or companies that have been aware of security for years and years and years.
Almost like the physical security.
I've heard you kind of, you know, mentioned that banks are so used to guarding their property
that it comes second nature to them, whereas maybe an insurance company
and maybe not so, you know, not in the business of asking people who they are at the door and that sort of thing.
You're right.
And that's particularly true of any organisation that started out
since we've really been using the website aggressively.
The firms that we've dealt with who are not so, not so established, if you like.
I mean, maybe they've been running for 10 years or so.
And have a very web-based mindset, or they're trying to defecise,
they're trying their understanding of physical security, and they're zero and very often.
Well, I mean, I think that the example of that is, you know, when you've got a bank
that's been used to guarding cash for years and years and years, you know,
if you've not got a company that's not actually had to guard something, physically guard something,
then I think that's probably that difference, Lane.
Yeah, and that's an all called a down-out sourcing and side sourcing and whatever sourcing it is.
Because the more different players are involved, the less personal responsibility people take for banks.
And that seems to cause a lot of problems.
You know, we've done tests on site for banks
who, like most large organisations these days, have done an out sourcing agreement
to look after their IT infrastructure, or an outsourcing agreement to develop software, or both.
And whilst the employees of the institution are sorted,
we very frequently find that the third parties that they've got involved are not.
And you would hope, you know, if you were a large organisation
and you were providing these services as a mainstream business,
if you'd understand security, but honestly, they really do.
I mean, would it be fair in some ways to suggest that maybe some of the technology companies are not,
maybe don't think in security, maybe they just think so much in technology.
That technology technology, let's get our product out there,
let's sell it on the internet, let's do this, let's do that.
I mean, don't think about, you know, the enemy will then put the USB stick
taking customer databases.
No, sure.
I think that's interestingly true about almost all businesses, I think.
If you're physically inside the building, you're okay.
Whether you're a member of staff or not.
I mean, I don't think I've found very many companies,
I can think of maybe one or two, who defend their internal network adequately.
I don't think anybody wants to make it unusable, but, you know,
their physical and their technical controls internally, usually.
Well, I don't think in other words, I'm a pathetic look.
I'd rant about this a lot when I'm giving presentations
and doing talks and webinars and things.
It's frustrating because in some respects, it doesn't stretch us very much.
And that's how we know it itself is.
I wanted to kind of just jump back to something you said earlier on.
You know, with companies outsourcing their IT, how much does that actually impact
when you go and do a test?
Because obviously, your permissions for the company that you're testing,
but does your permit, I'm sure your permission probably doesn't jump the boundaries
to a third party supply in IT services.
Well, the stance we have on this is to make sure we involve all parties
in the consent process.
You know, if we've got a bank who've asked us to run tests,
then we ask them to make sure that they discuss what's going to happen
with their provider, so that they know what's going on as well.
Having said that, of course, usually they're not all that cooperative,
and they don't like it that much because they're concerned
that they'll get exposed, which usually they are.
But, you know, we can't test something that isn't owned by the company
who's engaged.
So, you know, if we're in a hosting environment, for example,
we have to work closely with hosting firms as well to make sure
we're not touching something that belongs to another of their clients.
I suppose as well.
Yeah, I suppose as well when you have their client coming back to them
and saying, we really want to do a security test.
It's important to us, we need you to sign the consent.
And presumably, you know, I'm presuming if they turn around and say,
no, no, no, we're not letting you test our security.
I can imagine that that makes the wheels turn within that organization
and saying, oh, you know, are we getting value for service?
We can't even test if our systems are secure anymore.
Yeah, it's a good one.
So, almost customer pressure might push these third-party suppliers
to be a little bit more helpful.
I think one of the difficulties is that people are asking us to
actually conduct a test specifically in audit or security departments.
And the people are engaged.
The third party may have some firm or not.
And you get into a kind of political scenario where the security people
within the organization within the client are typically perceived
to be paid anyway because, of course, they're getting in the way of business
as usual in a lot of business people tonight.
And if they start complaining about the outsourcing as well,
frequently, not very much happens unfortunately.
And one example was one of our bigger clients we're talking about
a multinational with several billion pounds turnover.
And they were looking at outsourcing their wide area network
which covered a large number of countries.
And they asked us to review the submissions by four different tendering organizations
against what we considered to be best practice from security point of view
encompassing things like the ISO 27000 standards and policies and procedures
as well as technical controls.
And we gave them a very valuable report and we ranked the submissions
when we gave a commentary on each including very much a sort of start-up,
not very professional organization.
It's just when they went for the non-professional, I imagine.
Yeah, the cheapest.
Yeah, I've spoken to a few people in this kind of interview series thing
that's going on.
And it seems to be this theme that kind of rolls through everyone.
Companies keep on putting in price over security.
And I think the one thing that we all champion is you can't put a price on decent security.
No, I mean it's got to be reasonable.
You've got to have some sort of balance there.
I mean we do, of course, even a number of small organizations.
We have to look at this on a regular basis because we have to try and walk the walk.
And there are costs that I know a lot of small firms in our size wouldn't there,
which we do because we feel it's essential.
But, honestly, in the end, decent quality security isn't any more expensive
if it's done properly because it's all about doing a proper job anyway in engineering terms.
And getting the staff involved in security and having them understand what it means
to not give out phone numbers, believe me, or to challenge people when they're right at the front door.
They actually enjoy it.
They actually feel as though they're contributing.
They are without question the first and most important line of defense.
They self-correct.
I listen to our team.
You know, there's only ten of us, but I listen to our team discussing things
and correcting the members staff who hasn't locked his desk drawers at night
or left the US speech, they go on the desk or something.
You know, we don't hardly have to police it at all because the team looks after itself.
So do you, and I know that everybody will say that's much easier in a small team than of course it is.
But in the end, big organizations are just groups of small teams.
So do you think that it would maybe be fair to suggest that companies that have maybe been on the receiving end of security breaches
and I'm probably more prepared to kind of think about better security than companies that have never experienced the security breach?
Without question.
The most common reason we're asked to do a social engineering test is because someone in the organization,
the most recent one was a chief executive, which is very flattering,
I want to make a demonstration to convince the staff how vulnerable they are because in the end, of course,
a good criminal social engineer will never be detected.
So, you know, when firms say they've never had an incident, of course they don't actually know.
Well, the great thing with social engineering is that the great ones don't get caught.
The other ones are in jail. They're out of circulation.
Don't I like to get in the net net net net, you'd be really fed up, but I think you're right.
I spoke about this on the last interview. Did you hear about Kevin Mitnick and Facebook?
No.
He got blocked off Facebook and couldn't get his account re-enabled.
He'd registered with a false name, for security purposes.
Of course.
And they went through and checked all the details.
And because he's calling himself Kevin Mitnick, and the account was registered under a different name.
And he was saying, you know, it's quite ironic that I spent most of my life being able to quite convincingly get people to believe
I'm not who I am, who I say I am.
And now I need to prove I am who I am.
I'm having problems doing that.
So, I mean, he managed to get it re-done again.
But, you know, for the Hacker Public Radio listeners that haven't heard of Kevin Mitnick, you know,
he's probably a god to anyone who appreciates social engineering.
I mean, the guy was, you know, never mind his technical ability, but he's a bit, you know, a social engineering ability is well known.
And I think he's written a book as well on it.
To say, to say he's actually on the receiving end of this, most of us in the security industry find it quite funny.
Yeah, cool.
I suppose the other question that I would ask in kind of tow with the companies that have experienced breaches compared to the companies that haven't,
do you think that companies that I thought about, you know, network security and internet security
and dare say penetration and testing and all of this are far more prepared when it comes to an incident happening than the company that doesn't invest any time in it.
Yeah, I guess so. My experience is that most firms suffer from being large and from a staff turnover that's quite fast these days.
I mean, we haven't had anybody leave the firm since 2001.
And we've got a team that enjoys working together, but in a big firm, you've got a very rapid turnover staff.
And that causes a problem because lessons disappear when people leave.
And it's a particularly, especially through the board level and see-through level.
Because if you get a senior person who understands the issues and has, you know, pushed security down the stack and put real effort into it.
If I leave and go to another firm, things tend to just flop back into a much more casual and less professional state.
Pretty much any firm I've looked at.
So, I mean, what would your advice be for organizations, you know, with their staff?
I mean, my view is on it that, you know, security training is something that's not going to take half an hour in the afternoon that has to be done properly.
You know, I have seen some of these companies and their ideas of security training is rather worried, you know, 20 minutes before lunch.
And that's the problem and how much, you know, what sort of advice would you give for organizations that I wanted to increase their security?
Yeah, they have a real challenge because, you know, human beings don't like it. That's a bottom line. Human beings like to be friendly and like to be trusting.
It's built into our nature. And then I think we could live with the population density we have if we weren't, in fact, very sociable, very easy-going animals.
And to try and counter that or counter it, but to try and open people's eyes to what's good practice is very difficult because it isn't in society at all.
You know, people learn to lock their houses and they learn to lock their cars.
And that's the kind of social pressure as much as it is an intelligence company.
Do you think demonstrations are maybe more of an effective means of proving your point?
No question, that's an excellent point. One of my favorite demos is a laptop hack. You know, the average...
Well, we still said that when the press or somebody loses a laptop was on last week, it got longer than it was.
And it was a council, I think. And they said the laptop was password protected.
We know it's running Windows because it's a council laptop. And we know, you and I know anyway, that if you take a Windows laptop and you set it up with Windows and you don't protect it in any other way, you've got a situation where any hacker is able to do a bit of research on the web.
The research on the web is able to just look for a...
Let's put it even more honestly, anyone who can download an ISO.
Yeah, exactly.
Let me talk about it.
I proved it to a client the other day because they were talking about this and we were debating the benefits of whole-disk encryption.
And I said, go to Google, type in "crack my Windows password" and look at the results.
And they did. And they were convinced, because they'd never done that. They don't think like a hacker; they've never thought about those things.
But of course, immediately they get links to Ophcrack, to the NTFS reader software, that sort of stuff.
And they don't realize, second down, as you say, download an ISO, burn it to CD, and immediately they've got access to the laptop.
And you know, the problem is that people who are interested like you and I, people who want to make money from it, only need to spend a few minutes learning how to do it. And my band, they own the laptop.
So I demonstrate that. Usually it takes about 20 minutes, half an hour to go through it, including explaining it in words of one syllable.
I did a demo for the BBC recently, where I installed a Trojan on a journalist's laptop, which he left with me for 20 minutes.
He then went home and I remote controlled his laptop for him, showed him screenshots of him accessing his email.
Got his password for his horrible Google thing, which is for the insecure, you know, where he's got all these diary and emails and everything.
And it was just amazed. And yet, you know, to people in the profession, it's second nature.
But for the average Joe out there, they've got no idea at all. So a demo like that
Just completely changes the organization's attitude to something like that top security.
And it's the same thing when we walk into a building, hopefully, we can demonstrate that no one challenges you.
No one asks you, you're bad, you'll be asked why you're sitting in a meeting room with your laptop plugged in.
And we do it over and over and over again. But I'm trying desperately to do as many of these demonstrations and talks to the general public, as I can, as well as to specific clients.
It's only for people to think about it.
The one thing that I champion all the time is that, you know, we've tried lots of different means.
And I really think that the proofs in the pudding, I think the only way that now that we can convince people of the implications is to keep on demonstrating.
And not just look like this TechnoGeek, this wizard, but show them, look, this is Google, you use it every day, type in this tab, look at what you find.
Yeah, I agree so strongly. I've never tried to put myself forward as a really technical person, a lot of these elements that I love and can do.
The work I'm doing in terms of public speaking, so on isn't about, you know, although I love doing it.
Of course, you get you go straight from doing it, but you know, it's not about airy chest, you know, these supersonic, very clever scripts and whatever.
It's, oh, look, I walked into your building. I picked up this laptop, I inserted a page on it, and now I'll control your network remotely.
I did this just by doing this, this, this, and this. Look, nothing clever. Made myself a fake British Telecom pass.
You know, this takes what last on A.H. did a bit as well, pretty much in the washing machine.
But more convincing that way, but you haven't taken very long. And obviously, the tools around there is, as we both just said, you know, just for helping yourself.
But the problem is, I think outside the box, again, isn't it, people who are working in a corporate who have a professional job in security may understand this.
But everybody else in the company doesn't. They don't go on to Google and try to crack my windows password unless they've got the intention of doing something criminal.
Yeah, I think people are just shocked by the plethora of information that's available. And I do. I think education is an incredible thing because in reality, people do need to start taking responsibility for their own security.
And I understand that that sounds like a daunting task at first. But really, it's about a mindset. And I think that, you know, I've been being a benefit of doing a degree in ethical hacking.
I think it's hard to teach everyone all the technical aspects of hacking is about teaching a mindset.
And like everyone I've spoken to has indicated that this isn't a 95 job that it's about playing around and reading blog posts and asking a question and finding the answer out to the bitter ends.
It's a lifestyle.
Yeah. It's a choice.
Actually, it's a vocation. And I think it's important because, you know, in the last, although I've been doing it for 20 years in the last 10, it's become a real and present danger for citizens as well as for businesses.
And, you know, all the talks I give are for people who, you know, come from every walk of life. And I show them about, you know, how phishing scams work, how drive-by website infections work,
what happens if they haven't updated anything they have, why they should install a personal firewall, all stuff that's second nature to people in that profession.
But which, you know, it seems the average person is there something no idea about at all. And if they do have an idea, it's usually wrong.
Yeah, I've seen people who haven't been running, you know, home users that haven't been running firewalls or antivirus.
There's been running a straight windows box connected to the internet. And, you know, and you know that in reality, there is thousands and thousands and thousands of people that are doing the same thing.
Or if they are running an antivirus, it's the 90 day trial that they got with there when they bought the laptop and they're sitting there in the wrong belief that they're protected against, you know, intrusions.
It's scary.
The most successful of our clients who, in terms of security awareness for their staff have taken a stance.
And there are two I'm thinking of here, of running awareness sessions for their staff, which are focused on them being secured home.
And there's immediate benefit and enthusiasm amongst the users because they have their eyes opened as to what is a strong Windows password.
They have their eyes opened about things like antivirus and personal firewalls and so on.
And when they see the direct benefits to them in the home environment, they transfer those skills into the workplace.
It's one of my favorite demonstrations. I love doing the rainbow table hacks because it's such a good way of delivering the importance of password security.
You know, that's such an easy one for people to implement and yet the ramifications of decent passwords of security, you know, it's just, you know, if more people use stronger passwords, we'd be a lot more secure.
Yeah, well, I've never yet found an audience member amongst IT professionals who understands why your Windows password has to be longer than 14 characters, for example, how long it could be, how to make a password, why it's more secure, what rainbow tables are.
And I'm talking about some of the biggest firms in the UK in Europe and we're talking about professional IT people.
Well, I'm not saying none of them know that's on my point, but I've never had an audience member who could answer the question and they're understood it.
And we did a 45-minute session and passwords were a big chunk of it, about Windows LAN Manager hashes and why those are an issue.
And it just opens people's eyes every time we've talked about it and every time we've demonstrated that sort of rainbow table attack.
And they had no idea that Windows works that way.
And that's just one vulnerability in it. I mean, even without LanMan, you know, the fact that people use insecure passwords, it doesn't matter what you use to encrypt it, you can just sit there and start guessing.
Oh yeah, yeah, yeah, yeah. I should say it's a very, very rare Windows network that we meet where we can't guess the domain admin level password just by using our brains.
Well, I was looking off that, well, not looking off, I suppose, but I did, I worked for a large ISP over the summer.
And their password security scared the living daylights out of me. Really, really, really scared me.
You find the same thing in every time, like, everywhere we go, where we do an internal network test.
But this wasn't a case of, this wasn't just the case of it being internal. This was, these people, it was a technical test.
And these people were also, by proxy, passing on that poor password security onto all of their customers.
And this is the way, you know, that scared the living daylights out of me. And when you have, you know, when you have a trainer turning around to you and saying,
like, my God, that's a long password. You sit there and think, you know, you're in charge of teaching these people how to teach customers what password security is turning around and saying,
my God, that's a long password that, you know, it quite clearly shows that you don't understand why it's a long password.
I agree.
You know, you know, if I said someone typing a long password, I'd be like, oh, that's secure.
You know, but we're brought up in that mindset.
I mean, kind of, what do you see, what do you see usually like your biggest security fear?
Well-designed Trojans.
Well-designed Trojans.
Yeah, I'm a big rootkit fan myself, but Trojans, my lecturer, I believe he was at one of your white hat talks, and was,
you know, he was saying he was talking to the guy from Microsoft who was saying that there's been a sharp, you know, sharp decrease in the amount of viruses and a sharp increase in the amount of Trojans slash malware software coming up.
And I thought it just very clever.
I thought it just beautifully showed that how commercial hacking has become.
It's just open for that question, yeah.
I think, you know, that it's horrifying how it all defended most organizations are against things like that.
It's really, really naughty.
But that they're just such an easy low risk high return route through criminal.
But I think that's going to be, that's going to be the growth area in the next couple of years.
And it does seem like it's very clever programmers out there, very clever.
And it does show kind of the difference in the mindset where it's, you know, in the commercial aspect of it is producing a piece of software that's going to infect as many people as possible in the shortest amount of time.
This is probably a geeky hacker by myself.
I'm, you know, I'm a big rootkit fan, but there's no legs then in producing it.
You know, a state-of-the-art rootkit, because that's such a specialized infection that you're going for there.
And you know, when you're doing the Trojans, you're going to put it in a bit of a bit of software, screensaver or so on and so forth.
Well, I think we both know someone who's done work on obfuscating Trojans.
And you know, just making them invisible to antivirus for long enough.
There's such an amount of information out on the internet on doing this as well.
You know, it's scary.
Now, that's, that's my real concern because most of my clients aren't properly defended against this.
Again, it's my opinion that the first line of defence is well-educated members of staff, you know, who are just not going to fall for this.
Did you see the zero day that just came out for PowerPoint?
I have seen it, yes.
Yeah. I mean, things like that, you know, I'm still getting people sending me PowerPoints as joke attachments, you know.
That sort of stuff. I don't just imagine having a problem with others.
I mean, I, you know, I've touched on this and I've been covered in a few other people that I've spoken to.
And it just, it seems to be the year of zero days.
I think if that, if that term is ever going to get coined and people in the street are going to start using it, I think it's going to happen this year.
Because if you just think that we're in April, the amount of widespread zero days that we've had is just very, very public as well.
Yeah, I think, I think you're absolutely right.
I mean, whilst we still see huge numbers of businesses as well as I'm using as well, patched up to date.
Patching is still, you know, pushed us as one of the key things you need to do. And of course it is.
But, you know, just ain't enough. People don't patch their applications in the same way as they do the operating system.
And anyway, as you say, more and more exploits are coming out for which there isn't a fix.
And the only solution is, is, is, you know, hygienic practice on behalf of the user.
You know, there's a lot of education in doing that though.
It's a terrifying job, but I mean, it's, it's the only way to deal with it.
Do you see, do you see Trojans being, I mean, I suppose you said yes to this, really?
The question I'm, I suppose I'm trying to ask is, you know, what do you see as the biggest one in the future?
There'd be bigger security throughout the future and Trojans being one of them.
But do you see anything else, you know, starting to compete with Trojans as a threat?
I think it's all social engineering in the end.
You know, I actually watched a webcast a couple of weeks ago,
which I can't remember who it was, but they put forward their view that there's a cycle of hacking activities.
They haven't much proof for it, I have to say, because if it is a cycle, it's only gone around once.
But it started with social engineering, the sort of stuff we saw with Mitnick
and with the Legion of Doom and all those guys back in the 80s.
And then, you know, when, when we got more connectivity, it moved to online hacking.
And when people started beefing up their firewalls and doing a proper job, it moved to web application hacking.
And of course, that's still huge as well.
But there's people finally start to learn about how to, how to build a reasonably secure
web service alone and it would literally be secure.
And then it moves on again.
And I can't remember all the points on that, on that cycle that they claimed,
but I could see the logic that, you know, in effect, there was like a huge gold rush opportunity
when we all started using the Internet aggressively in commerce.
And as that whole learning cycle for businesses has happened,
and they've just spent a lot of money on silver bullets to fix their electronic vulnerabilities, if you like.
It just becomes a natural part of criminal thinking to start to introduce some part of human trickery into the process.
And that's really what social engineering is in the end, isn't it?
And whether it's by email or website or telephone or onsite,
you know, some degree of exploiting human trust and exploiting human, sorry, gullibility will always remain.
I think a key factor in criminal activity.
And that's what we're seeing. It's getting more and more sophisticated.
It's hugely complex, blend of social manipulation and clever software,
stuff like the Flash Player movie that uses UPnP to access your broadband router
and open its management port onto the Internet side and stuff like that,
really complex and clever stuff.
And most people have no hope of understanding that. It all hinged on people being gullible,
because "ooh, look, huge celebrity photos", or "ooh, look, somebody fancies you",
or "ooh, this is really funny, look how stupid Gordon Brown is",
or whatever the trigger is, people will continue to fall for that.
I think when I was speaking to Christian on Riley, you know,
he made the great point about when you actually think about our industry,
you know, hacking as a whole, you have us, you know,
have the white hats that are paid to find vulnerabilities, exploit them,
prove them and patch them and get paid for it.
And then you look at, you know, the black hats who are paid to find vulnerabilities,
exploit them, use them and get paid for it.
And it's, you know, for everyone that we've got trying to fix problem,
there's someone just as technically gifted trying to find a new one.
So it's a very, yeah.
The criminals give much more time to it than the majority of defenders.
I mean, who do you see as being probably the biggest, you know,
who would you say is your hero and hacking that kind of really fired your imagination
to get involved in this whole industry?
I have a lovely question, isn't it?
Because you gave me some heads up on this.
I did think about it yesterday.
And actually the book that really inspired me,
and which I continue to make required reading,
the only required reading for anybody who joins our firm, is Cliff Stoll's
The Cuckoo's Egg.
Now, Cliff Stoll was not technically a hacker,
although a lot of his activities became very white hat,
in defence.
But that whole book told me more about the evil hacker mindset.
And the mechanisms and the dedication needed to counter it.
It's taught everyone who's joined our firm
who maybe hasn't been involved in security before,
because we tend to hire, you know, people who are competent in their field
and then train them in the hacking mindset.
It's the one thing that triggers everybody's head.
And if any of the listeners haven't read Cliff Stoll's
The Cuckoo's Egg, I couldn't recommend it more.
Super.
I mean, I suppose you can't ask about heroes without asking about villains,
who would you think is your biggest hacking villain?
Yeah, I thought about that one too,
and I have to say I'll give you a trite answer, I'm afraid.
That's any of the criminals out there
who are making everybody's use of the internet a misery.
I don't think, you know, in terms of bad guys,
that it's very easy to really see through the media hype
as to how really naughty they were.
Well, I met Kevin Poulsen,
I met him a few years ago.
And he was pretty naughty,
because I mean, he used, again, social engineering techniques,
primarily in a bit of technology,
to make money for himself and rip off a radio station and stuff.
But in the global picture,
it's chicken feed, isn't it?
There are people out there developing really clever software,
some of which is really devious and nasty,
but I don't think that other than that,
who they really are, not on a personality level.
So for me, it's the criminalisation of the technology
that you and I are both in love with
that, I think, I don't really choose.
Yeah, I mean, the bit that irks me the most about it
is going off on a side tangent about it here.
It's the disclosure aspect,
that villains never disclose what they find
because it's to their profit.
You know, and the problem is,
hero-wise as well,
how much are they disclosing as well?
It goes back to that education point
that you need to disclose these vulnerabilities,
but it's not in the best interest of a villain.
It's not in there, you know,
it's not, they're not, you know,
it loses them their paycheck.
And which, you know,
I think that's probably the importance of honeypots
and stuff like that,
is to actually watch these people
in their own ground and see what they're,
you know, see what they're bringing out and what they're trying.
Yeah, I sure am.
I'm thinking of one very clever person,
Joanna Rutkowska,
who's the Polish hacker,
and she's a security researcher.
I've shared a platform
with her at conferences,
and I've had some degree conversation with her.
And certainly last time I talked to her,
which is a couple of years ago,
now perhaps her attitude on disclosure
was not mine, shall we say.
And, you know, she's done some very clever things
like the political attacks,
and the kinds of public slum,
you know, by awesome things.
And she actually said, at this particular conference,
from the platform,
she said people that didn't patch up to date,
and I think that had these things,
were stupid and deserved to be hacked.
Steve, maybe they did.
And my mate Fred Piper was in the audience,
and Fred said, you know,
if I can't speak Russian,
does that make me stupid?
And she didn't really answer the question,
he said, this is ignorance, not stupidity.
And it's our job to educate people
and to raise their awareness
so that they can help defend themselves.
But, you know, just because you're a ninja
in a particular area
doesn't give you the right to (a) dis
everybody else who isn't,
and (b) reveal to the world
the attacks which may otherwise
have been found by criminals,
or certainly would expedite criminal activity,
without taking a responsible line on it.
Now, I don't know if she still thinks like that,
and I'm not trying to do any character assassination,
but her attitude at that time did worry.
So, say that you discovered something?
I mean, my views on disclosure
are as such that if you do find something,
that you need to give the parties involved,
adequate time to come to a solution to fix it.
Yeah, I don't.
We have a very broad approach to that.
We report all any vulnerabilities we find to CKNI,
and CKNI contact the manufacturers on our behalf,
and they deal with that,
and they get the resolution,
and I have to say, you know,
so far the results have been very positive.
Yeah, I mean, to my views,
I, you know, to get all of the parties involved,
and give them the chance to fix the problem.
But I, you know, the,
there is aspects where, you know,
you worry about organizations that, you know,
don't take a disc, you know,
don't take the warning,
say we found something that's pretty serious,
we need to work away fixing it,
and just ignore it.
I don't think we involve,
but this could be this person's opinion,
or like the founder of CKNI,
I guess it's CKNI's opinion as well.
But we don't, and a lot of people
don't involve legitimate channels as leverage
in the way that we try to,
we try to use, you know,
government agencies to bring pressure to bear
on the authors and manufacturers.
And that's, I think, likely to be
a lot more successful than on our own.
I think this year as well,
we've also seen an increase in different techniques
and vulnerabilities.
I can't remember the instant directly,
but I think it was to do with security certificates
that how they did a disclosure,
they disclosed it to basically all the major users
of the security certificates,
and then disclosed it to the security certificate producers
at the last moment.
But that was a lot to do with a fear
of them being shut down before the information came out,
rather than the vendors of this technology,
a fear that those vendors rather than patch it,
would silence them,
and that they'd use this process instead
to disclose this information.
And it seemed to me that it was very OTT,
but I could also see why maybe using that process
was the best, you know,
was best for that solution.
Yeah.
What would you,
I can't sort of ask this before,
but what would you see your top security tip is
for people listening today and then?
What kind of phone users and Mac?
Yeah, a phone user,
I can't click on it a little bit.
Just a couple of quick questions for you.
I'm really looking forward to the answer to this one,
what's your most memorable security answer then?
Oh, well, that was the first time that I walked
into an organization,
straight past reception,
walked into a meeting room,
plugged in my laptop,
got Windows domain admin privilege,
and sucked everything off the network in the time.
Was your heart pounding?
Yeah, yeah, a bit.
Although I detach a little bit when I'm doing it,
I think it's like an actor,
you take yourself into another person I don't think,
it's afterwards that it hits me,
but that first time was of course,
and the first of many,
but the first time I did it,
I just couldn't believe how soft organizations are in that sense,
and I can't tell you what it was,
but it's happened in every sector that we did business with,
it's really, it's really worrying.
That was a very exciting day,
yeah, you're right,
and I also realized that it was something that I needed
to really focus on,
to really campaign about,
because there's enough people out there campaigning about
particularities and enough people out there campaigning
to sell product and flashy blue lights
and I've sexy front panels and plants,
but it's not such a popular area,
because you can't make lots of money doing it,
you can't sell sexy silver bullet solutions for this,
you know, you have to encourage organizations to do deep vetting
for their key staff,
you have to encourage organizations to understand that,
IT admins have access to everything,
you have to encourage them to invest a lot of time and effort
in the staff education in a very creative way,
and they don't like to do it because it's difficult.
It's different, it's a change.
You're asking people to change and change,
so it changes always,
people are never very happy with change, are they?
No, no, it's much nicer to go out and buy the latest gadget,
and much more so.
Pete, what plans have you got for the future,
or anything plans for the future?
Well, on the personal front, I'm focusing more and more
on sharing knowledge about these issues,
about the sort of blended attacks
that we're saying to try and get to people
to realize that security is about humans,
not production gadgets,
and that's my soap box that's what I'm trying to talk about
at every opportunity.
Professionally, my role for the future
is to try and keep the First Base Technologies
vision going, to make sure that we remain a hundred percent ethical,
that we remain pragmatic and business focused
so that we're not doing things
because we've proved what AirHS we've got,
rather than actually genuinely useful to business
and to remain professional.
And in terms of the ethical hacking,
or even if you just keep learning,
I think it's a lifetime occupation.
Yeah, I've said this before.
I mean, it's such a great job that we have.
It's like kids in a sweet store.
I mean, if you, anything that you're interested in,
it's our industry that you get to follow it to the better end
and see what happens to them.
That's where I think we're probably very, very lucky
to be in that profession.
Well, I agree.
Everybody I speak to say,
oh, that sounds like a fantastic job.
I wish I could do that.
Yeah, but...
I wish I could, of course.
Pete, is there anything that you kind of want to plug
for the HPR listeners?
You've got a blog or anything like that?
Yeah.
My colleagues have dubbed me
a famous person of security,
which is highly amusing and a good...
a good ribbing about my interest in being a media whore.
I know you won't understand that.
I have no understanding of being a media whore whatsoever
as to almost the words.
So, yeah, the FPWS,
the famous people of security blog is something
that I try to use to get people to think about stuff.
So, that's on the blog spot,
FPWS blog spot.
I'll link to it in the show notes as well.
And...
And the other is our white hats group,
which is a free to join closed group
for people interested in ethical hacking
and information security in general.
And that's something that has an active list
that people seem to find useful.
We'll also run four meetings a year down in London
on different interesting topics,
which are just run at a cost-covering basis.
If people are interested in that,
it's white hyphen hats, white hyphen hats.
And who can join?
Anybody who works in the security industry
who's genuinely employed in security,
we do do a bit of vetting before we allow people to join.
Journalists aren't allowed.
And people who want to make a sales pitch aren't allowed.
But otherwise,
if they're working in or interested in information security,
then they'll get in.
Super.
Is there anything else you'd like to talk about, Pete?
I did think about a few points.
I think one of the questions you asked me right at the beginning
was advice that people are interested in getting into.
This is a profession.
And some of the points that we have to explain to people
at interview or earlier in the recruitment process
is that one of the key attributes
to which you'll understand,
I think, is patience.
Because there's one thing about ethical hacking
or any form of technical fault finding
and engineering is panning for gold really.
You know, I've had to go through a lot of poor and old walks
before we find the gold nugget.
And I don't think anybody realizes
that whilst this is a huge amount of fun
and by the time you're doing it,
as long as I have, you can, to some extent,
they can choose, I guess.
It is an awfully tedious exercise
for a proportion.
A lot of research.
A lot of time I spend reading, reading, reading, reading, reading.
Yeah, yeah, yeah.
And it's, you know, if we're doing a back-down research
on a client or looking for a vulnerability
in their human defenses as much as their technical defenses,
it can take a very long time.
And I guess it's also not necessarily,
unless you're in a big firm,
it's not something where you can hide behind a desk
and just have your head buried the whole time.
You do need a good command of, you know,
the language, and good report writing skills,
because unless you can put something together
that actually explains to an often somewhat disinterested recipient,
and a non-technical recipient at the top of the tree,
exactly why it's an issue,
what could happen to them realistically,
not in hyperbole?
Understand the issues and how to fix them.
Then all of the work's wasted really.
So I think my summary is you've got to be inquisitive
in that childish engineer mode.
You've got to be technically competent,
you've got to be disciplined,
and you've got to be a good communicator.
And last but not least,
you must be able to set your ego aside.
Right, and I think that's,
I think that's great advice.
I mean, the ego aside parts, you know,
I think for everyone involved in security,
for people receiving security advice,
as well as people doing it,
that ego is really something that should be left at the door.
I mean, you can beat your chest after the event is done,
but while we're doing it,
it's not about being the cleverest and the biggest kid on the block.
It's about securing their objectives
and making those people secure.
Yeah, it is.
You know, the last thing we want is
someone who's slightly full of themselves,
who starts bragging about it in the pub,
when the disappointing thing is,
you really aren't going to discuss it with people
who've signed an NDA with you.
Brilliant.
Well, Pete, I'm going to wrap up the interview.
I'd like to once again thank you very much
for hopping on the line and talking to me.
It was a very interesting time.
I've enjoyed it very much.
Is there anything you'd like to say
to the Hacker Public Radio audience before we sign off?
Yeah, sure.
Keep listening.
This is such a great service.
I think Phoenix is doing a great job.
So, big props to you, my friend.
There we go.
That's my ego stroke for the day.
And, like I say, Pete, thank you very much.
Thank you very much for listening to Hacker Public Radio listeners.
And I'll catch you the next time on Phoenix Student Hacker's Guide to Linux.
Thank you for listening to Hacker Public Radio.
HPR is sponsored by caro.net,
so head on over to C-A-R-O dot N-E-T for all of your hosting needs.
Thank you very much.
Thank you.