hpr-knowledge-base/hpr_transcripts/hpr0333.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

Episode: 333
Title: HPR0333: BruCON Interview
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0333/hpr0333.mp3
Transcribed: 2025-10-07 16:34:10
---
Music
Hello and welcome Hacker Public Radio listeners to another episode of Finnex's Student Hacker's
Guy Tillinix. My name's Aaron Finnex, but as usual you guys can call me Finnex. Well,
yet again this month I've had a successful interview with Benny Keedis-Lekers. He is one
of the organisers of an event called BruCON and he's also a security consultant as well. I should
want to need the sound quality of the interview. There is just like problems here and there, but for
most parts it's listenable. I can only apologise for this. I hope you guys enjoy and I'll speak to you all soon.
Welcome Hacker Public Radio listeners. I'm speaking to a good friend of mine Benny on Skype. Benny
could you introduce yourself to the Hacker Public Radio listeners? Yeah, thanks Aaron. My name is
Benny Keedis-Lekers. I'm a security consultant for a small Belgian company in Belgium. I started as a
system administrator like a lot of us probably did. Then I moved on to a network admin and
network architectures after a few years. I've always been very interested in the security aspects
of that so I was always firewall-related intrusion detection systems, etc. system hardening and
well actually stumbled into security consulting. I've always wanted to do and I've been doing
that for two and a half years. And you're enjoying it, yeah? Yeah, but it's like jumping in the
deeper end of the pool. There's so much you can do in security. I think a few years back you could
do a bit of everything and be a generalist and that's almost impossible today. I think a few of my
friends are pentesters and if I look at that you see that there's really a split into two domains,
network pentesting and application pentesting and a lot of the people I know are specialized in one
of the two. It's almost impossible to be the best in both. Okay, so what sort of like your day-to-day
routine as a security consultant then? Well, I know it's hard but I still try to be a generalist,
so it's really the best of the assignments that were given to me one week I could be installing
a firewall the other week I could be writing security policies for companies. Because I was
really interested in that part as well because our technical installation is still quite easy
to just follow the manual configurator but then if you really look at an organization on that
level what do you need to allow? What are the business risks? And well, it's been very interesting
to have a look on that side as well. What sort of advice would you give for people who are
interested in getting into security? What sort of, you know, after the lessons that you've learned
what sort of advice would you give someone who came to you and said, you know, I'd really want to
get into being a security consultant. What should I watch out for? There are a few good security
resources that you can start to follow. Of course there's a lot you can find off the internet but
I like to follow security blogs and there are a few good ones in a security blog network
so like in concentration of security feeds there are better ones in there and there are a few
that aren't that good but you can subscribe to that and then look at the best ones and then
unsubscribe and just subscribe on the ones you really like. Yeah, just kind of to test them and see
sort of thing. Yeah, because some are related to business risks or business continuity, some are
pentesting related, forensics and you really need to look at what you're interested in because if you
try to follow them all and I've tried it, it's too much, it's information overload, especially if
you start with Twitter. So how much of the day would you think that you spend reading blogs there?
I mean I know I spend, God knows I must spend at least an hour a day and if I don't spend an
hour a day and then I'll have to spend two hours the next day but do you spend, like, it's exactly the
same. Yeah, we were speaking to Chris John Riley recently and he was saying that if you take
a week away from your email and you're in your blogs, you're going to have to spend about a
week reading it all back up again. I couldn't agree anymore with that. Yeah, I think Twitter depends
if you have a mobile that allows you to follow the tweets during the day or not. I use a
netbook and a 3G connection and if I have a break, I tend to try to really catch up to them
so I don't have to spend an hour in the evening catching up on all the messages because actually
well, there's the blogs that I follow that actually like a lot of people describe the Twitter
as micro blogging that's true I think because a lot of the interesting article and links
that I read, I get from Twitter and it's really faster and interactive and well, you can
respond to people, ask questions, give your opinion and it's really more interactive than just
blogging. I think Twitter is a very good way for people to distribute it quickly if they find
an interesting link if they write an interesting blog article. It just seems a,
I was a bit dubious about the 140 characters at the first but I kind of like the short sweet
snatch and come and have a look at this bum and I have quite a few people on my Twitter as well
and I couldn't agree more. You find out a lot of first-hand information through your Twitter
contacts, things that people have actually found in real time that they're actually dealing with
there and then rather than what you're coming across in feeds which might be a couple of days old
and so on and so forth but it is a great tool Twitter. I'm a big Twitter fan to be honest with you.
Yeah, it's after a time it starts to be a little bit addictive.
I mean I'm lucky, I don't have it on my mobile phone, I'm not much of a mobile phone person
to be honest with you. I spend enough time in front of a computer to you know if you can't get
me by email you really just can't get me. It's the long and short of that but I am incredibly lazy
and have Twitter Fox because my kind of whole logic to that is if I don't have a web browser window
open I'm just I'm not doing any you know I'm not working on anything so you know I've got my head
down in something so but yeah I mean I don't get caught up with clients or anything like that
I just get myself into trouble if I did. Yeah I understand. Do you know the security
tweets list? I actually haven't come across that so it's news to me. Well it's like the security
blogger network from Alan Shimel but then Twitter focused on actually it's just a directory
of security people on Twitter and if you google security tweets you will find that it's on
the nowhere.org I think website it's managed by Zach and well there's a perfect list of
super. That's really interesting people. I'll have to look into that. That's a good bit of
information. Yeah, nowhere.org with a zero instead of an o. Can you hear me typing away in the
background here? Right I mean what sort of kind of security threats do you come across
in your day-to-day kind of business? Well it's more like the organizational risks that's
focused on productivity and new installation and they actually don't take the time of
five to resources to really maintain their system and with that I mean patch management
looking at logs really maintenance of the environment and you see that a lot.
So I mean would you say it's kind of when you go into an organization or company that
you know sometimes they're to kind of unprepared for the realism of what's actually out there?
Yeah. Well it depends on the activity of the company. If it's a financial institution those
people really have a higher risk of being attacked and they tend to be more aware of the importance
of security and a lot of other companies don't have the same mentality and it's really the
balance on really the governance and the IT management of the environment that you can have
two companies in the same industry and then still be a lot different from each other.
I think you know you raise a fair point especially with finance institutes because they've been
such targets for so long that you know I think it's a case of you know in sometimes maybe it's
a case of what Mrs. Jones has because another finance institute is looking at having a security
consultant come in then you know this fine you know we should have a security consultant come in
and because I suppose that atmosphere and finance is this so used to being targets. I suppose
it's a lot different for you know a company that you know makes engine parts or something where
you know they probably don't have to think about them being in a target for black hats is much.
Well I think most companies do have a basic level of security and it's actually a lot easier
to just target home users or the clients because while the average person isn't really aware
of security and how to secure this is the computer because it's become really really difficult
because even if you have automatic windows updates a lot of people tend to forget all of the
plugins and additional software that I have installed and there are there's in the north of
controls and checks on that. I'm talking about Acrobat reader, PDFs, readers there's a lot of issues
at the moment with that one a lot of discussion with the lack of patches that were available
from Adobe because there was an active exploitation on the internet in that one, QuickTime,
Flash Player just to name a few of them. So would you say kind of one of the the biggest
thing is maybe the lack of I don't want you to occasion because that's such a strong term to use
but the lack of understanding that some home users have that their system is vulnerable to a whole
host of problems and thus from there can be used in a whole host of other things like
the BBC botnet scandal and all of this sort of stuff. Well we've been telling people to
patch this but with patching they know well the windows update button that isn't enough today
anymore and install an antivirus and then yeah install a firewall and antivirus and then you
should be safe and that was maybe true to it or to date it's just not enough anymore. The flip side
as well is you know that's just one vector as well I mean never mind how people are vulnerable
from you know web host attacks as well and you know the the forums that the members of having
email address and passwords stolen from those forum databases and deploying such poor password
security as you know as them to have the same email address and password for the hotmail account
the PayPal account the Gmail account you know you know we're just talking about the threats that
they're having at the home computer never mind was actually happening in the internet as a whole as
well I mean it amazes me I mean I was listening to a talk yesterday about you know web hacking and
you know the the guy was saying you know if we take if we take a shared host and we pop all those
those websites and we get all of those databases and we have in the end 50,000 email addresses you
know even if a small percentage of those people are using the same hotmail address and password
as what the what is what their hotmail account is then you know the chances are they're going to
do the same for their PayPal and blah blah blah blah blah and and it just amazes me when you
think about how you know how many how few people you would meet in the street actually appreciate
the severity of something like that. Yeah and you see another problem arising that's the social
networks and then Facebook and because people tend to put too much information on their
profiles and then like you call the few incidents like the Yahoo account of Senator Palin
at contact by just using public information and I've known. Did you hear about Kevin Mitnick
on Facebook? Yeah it's really funny like just yeah this account was founded because there were that
many fake accounts and they told his was also a fake and well actually you could have proved
what he'd registered with a fake name didn't he he'd registered with a fake name as far as I
understand and he was having great problems in proving he actually was Kevin Mitnick and I think he
said I think I read it on the register and I think he said something like you know I've had
career of being able to prove that quite convincingly I'm whoever I say I am and now I need to prove
I'm exactly who I am I can't do it. But I thought I was a brilliant twist of fate to prove this.
So I mean I suppose then in reality it goes without saying that you kind of think one of the
biggest security threats in the future is as users not understanding that they need to they need
to start protecting themselves rather than than expecting someone else to do it. Well user education
quote out but the question is what's going to do it? I think it's a great point I think at the
end of the day you know you can't ask a company to take responsibility you know at the end of the day
I've said this before you know you wouldn't jump into a car without you know learning how to drive
first and you know and I think in reality with computing as well that you know it is up to the
responsibility of the user to go out and make sure what they're doing is a secure environment I mean
hacking is not a hidden term anymore I mean it's in the papers every single day I mean you know
I find it hard to believe that anyone who's using computer doesn't realize that there could be
someone out there trying to get their data and I think that you know they say this in UK law
ignorance isn't a defense you know I'm not saying that black hats are right or anything like that
but at the end of the day you know some users need to start taking responsibility for their own safety.
Well actually I had an interesting discussion with a friend online and we used the same comparison
that you just did but I said to him well we were making a little bit fun of end users that
they don't take enough responsibility and that they don't take enough measures to protect themselves
to patch your systems etc and actually I said to him while looking at all another
point of view I drive a car I know how to drive it but if anything happens to the engine
I wouldn't know how to fix it myself isn't that more a little bit more the same analogy
well yeah you know you you could go down that route but you know I'm not saying to users when
the hard drive breaks they should know how to fix it you know I'm not I'm not saying that
you know if if the graphics card burns up they shouldn't take it to a computer shop and they
shouldn't get it fixed that way I'm not that's not kind of my point in that I'm trying to mean
at the end of the day it was just the legacy I mean it's just about vigilance I mean I
suppose in fairness the other analogy we could use is that you you know you wouldn't leave the
house with the front door wide open so why would you leave the network wide open you know that
that sort of stuff but you're right as well I mean as an industry as well I suppose we need to start
taking some responsibility and you know educate and I think I think the security industry is doing
you know it's doing quite a lot of the money you think about how many of us guys are all out
that blogging and doing stuff and it's quite interesting I suppose yeah but I know some
of the other security consultants and security bloggers that's one of the tools that we really like
to check our systems for missing security patches is an online scanner from Secunia
don't know it's you know it's a kind of online security inspector yeah no I've not come across that no
well it actually looks at your system and it doesn't matter if it's when I'm for quick time
of if it's not the latest version it will just put it in the report and you are like missing
this version in that patch and and it's really hard to get a hundred percent up to date system
even who we who are security expert and our consultants well there's a lot of software on
your PC that you forget about that could be upgraded and I haven't run it in a while I'm a
little bit afraid to do it I tend to install the most important patches but I think you're right
I think the probably the worst culprit for secure systems is probably security people
you never take your own advice it's like telling people to back up you never do it yourself
dear well I'm I'm guilty on that one I never do it luckily most out of my information is
oh fine how in the cloud I'm much the same I'm in a cloud I didn't want to set it
it's because that will take us through the whole other discussion it's such it's such the buzzword
at the moment the cloud but yeah it's it's mine's I'm much the same everything's out on the internet
as well and what's kind of like uh I'll put you put you in the in the spot for a second I mean
what's your top security tip that for for use who uses well actually the one I just mentioned
isn't that one uh most security uh consultants or the people I um
uh chat with online use Secunia to just check the health of their own PCs and the best tip I
can give today if you go to Secunia OSI online software inspector it's probably the first link
uh that rule okay and how do you spell Secunia uh s-e-c-u-n-i-a
so that's s-e-c-u-n-i-a okay so you can you can install it I think it's free for home use uh
then it's the personal software inspector or just used it like an ActiveX plugin I think also
it works with Java so you don't need to have uh to use the ActiveX I am I think I've kind of
asked all the security questions that I want to ask and I've got a question that I want to ask
you now and I know this is going to take us down a very interesting plan but what are your plans
for the future Benny I'm hoping you'll mention BruCON well that's present and future
we started with the idea to have a security slash hacker conference in Belgium because there
are a few really cool ones uh in the Netherlands uh Hacking at Random and in Germany the kids
go to the congress and uh there were a few friends of mine and we said wouldn't it be cool to have
something like that in Belgium and before we knew it uh well we were talking about how we could
start it and looking for a venue was to organize it and I think in in January we said well
brook but ready to really start and uh we made a reservation for a venue uh we started with
websites we launched a call of papers and I think it's no three months far
the call of papers still open for people who are interested and while we have some
people that we already confirmed like Christopher Hoff with his cloud computing talk which I'm
really looking forward to um and while actually I'm not going to give out too much details because
really a lot still has to be decided uh the call of papers still open uh the workshops
are getting organized uh some of the hacker spaces in Europe are are coming um you can actually
look up uh a directory of of different hacker spaces uh and in around the world
hackerspaces.org I don't know if uh you know about that website I think I've come across it before
actually um not for a while but I think I have yeah um so for the HPR audience you've basically
been organizing a a security congress in Brussels um so how much time has this been taking
out of your day-to-day life then Benny? Well a lot of my evenings are because there's a lot of
organization involved um just trying to figure out uh what kind of system we were going to use
for the website it's uh for the wiki that we want to launch the mailing list uh looking for
people volunteers who want to help uh reaching out to speakers because of course it was the first
edition and we are not that known to speakers so uh we just looked a bit around for people that
could be really interesting for our event and then just sent me mail uh some of the people
that we met at the other security conferences and uh well it's really starting to pick up
also on the volunteer side uh the sponsors because we said we don't want to have a big commercial
event more an event uh for the security community so we want to really try to have low
and comprised so that even students could come and just well learn about uh security and
well maybe have a career in security I I notice your media sponsors uh uh hakin9
well that's one of the media partners that we have that's the hakin9 magazine that
should be quite known with some of the security uh pentesters uh have yeah we we have we have a
subscription to that of the university and everything like that it's a very popular
popular magazine with some of the boys F1 myself
so just uh I understand your events on September the 18th to September the 19th uh is that
correct yeah that's correct and for people who are wanting to try and find more information about
your event they can visit is it www.brucon.org which is B-R-U-C-O-N.org is is that right yeah
that's right yeah and there's everything on there the most up to date information is more
in the form of a blog so if we're announcing workshops or speakers it's more on the blog at this
moment but if we have enough then we will put it really in in in in an overview the program
with all the speakers and all the workshops but that should be ready end of next month so
on the call of papers it's really done and we've finished with reviewing everything so if if someone
from the Hacker Public Radio audience um was was in Belgium and and thought they could give you know
thought they could add something to to BruCON or if they knew someone they could get in contact
within the next couple of weeks and maybe submit something to you to see you know that those
options are still open at the moment then yeah normally the call of papers is uh ending
end of March but because some of the organizers will be taking a few days of holiday
begin of April uh we don't have time to review everything so if you submit something in the
first week of April it should be fine we'll you'll have a look no promises
well I think about after the first week by 10th of April we will take the entire list go through it
well make some decisions and then contact everyone to see what's really interesting and what's not
some uh like I've seen some submissions about SQL injection and well of course we won't have
five talks about SQL injection because well one one could talk about SQL injections more than
enough but it's quite diverse at this moment but the thing I'm a bit missing is the non-security talks
like law or privacy I haven't seen too many of those and well if you know someone could give
an interesting talk about privacy issues regarding RFID data surveillance CCTV well just go
to our website and let us know okay and if anyone's wanting to help out and volunteer can they
get in contact with you through the site as well yeah yeah there's a link to the email address
so just drop us a note if you want to give a workshop uh some of the hackers spaces are going to
do something with Arduino I don't know if I can pronounce it correctly it's a really popular
PCB board that you can use to make uh sandwich robots apparently that's one of the things I see
online uh like sudo sudo make me a sandwich it's the best way of explaining sudo to anyone
if people haven't seen that comic strip before there's a um I'll link to it in the show notes
it's absolutely hilarious yeah it's cool I um is there kind of anything you want to kind of
promote about BruCON this year is anything you want kind of want to get out to people well it's
really an open event if you have something that you think is interesting just submit it and can't
talk about it because um we made a decision to have at the end of the week and the second day is
on a Saturday uh we had the idea to make it a little bit of family event uh and maybe to have
some kind of a hacker workshop for kids so we're still looking for some fun ideas for that so
if it's you know something to do uh program robots or uh something something's like that
well let us know Benny do you do you have a blog I have a blog it's called security for all with
the number four uh and I've been blogging on that one for the last uh two years uh and a bit of
shame to say that uh BruCON I haven't blogged much last month right well well there's I'll
I'll link I'll link to you your blog and and BruCON in my show notes and everything like that um
um is there kind of anything you you know I mean obviously I've actually about BruCON but is
there anything you kind of want uh to talk about with the hacker public radio listeners or if we
covered everything don't not mean to put you on the hot there sorry it's just like is as you know
just wrapping up there's anything else that you'd like people to know about um I cannot think of
anything at this moment um well no besides my blog and the BruCON organization has much time left
I was gonna say you're not gonna have much time at all um Benny I'd like to thank you very much
this opportunity to speak to you it's it's been fantastic and I've been very interested and I'd
like to wish you all the success with BruCON this year um we'll certainly be rooting for you
and everyone listening out in the hacker public radio land um if you do know anyone that can help
Benny out um volunteers or or calls of speakers please get in contact with him um it sounds like
this is gonna be a really really interesting event um and I'm looking forward to seeing what happens
here um and all that's left for me to do is thank you all for listening um and once again thank
my guest Benny Benny thank you very much thank you for the opportunity to also discuss
BruCON on my blog and while it's been a fun experience doing an interview in Skype for the first time
yeah I uh Skype for any people that that ever plan to do interviews on Skype um just I warn you
Skype is the most unreliable thing when it comes it must just be my my natural persona when I
touch anything to do with Skype it just seems to crack and break all the time uh the thing is
across this has come across come across well uh anyway thanks very much hacker public radio
um goodbye
thank you for listening to hacker public radio
hpr sponsored by caro.net so head on over to c-a-r-o dot n-e-t for all of us in the
um