Episode: 689
Title: HPR0689: Eurotrash Security Podcast Episode 19: Haroon Meer
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0689/hpr0689.mp3
Transcribed: 2025-10-08 01:02:35

---
Hello and welcome to Syndicated Thursday on HPR. Today we're introducing a new show that we're syndicating here, and it's Eurotrash, security with funny accents, and from the website: what we are trying to do here is quite simple. Most podcasts in the information security realm are US focused; while we love and continue to listen to these, we thought something was missing, an EU-focused info security podcast. And with that we're going to bring you episode 19, which was originally aired on Thursday the 24th of February 2011, and it's with Haroon Meer, who apparently is one kickass dude from South Africa. We're keeping Thursdays open as an open slot here on HPR with the view that if you know of some Creative Commons work that you would like played here, then that's a free slot from which to do it. Highlight new podcasts, for instance like the show for today, interesting speeches like the speech presentation given last week, even some Creative Commons music. If you think of any of that type of stuff, please feel free to send it on in and we'll schedule it for the Thursday slots. We have 199 free slots still available, so if you've been thinking about recording a show, now is a very good time to do it. And with that I'll turn you over to our show for today.

Hello and welcome to episode 19 of the Eurotrash Security Podcast. I'm your host Dale Pearson and I'm joined as usual by Wim Remes, Chris John Riley and Craig Balding. Of course it wouldn't be any complete show without our RSS feed, we could clown, and we're joined by our extra special guest Haroon Meer. Hello Haroon, how are you doing?

Hello, first time I've been called extra special, but nice to meet you guys.

We'd like to VIP all special guests. We'll say anything you're in.

Just remember you owe us money. I think we owe him money.

Where's the Nigerian who owes the money to? Is the Nigerian prince somewhere?

That's right, because South Africa and Nigeria, we owe us the same thing.

I knew that was coming.

You're foreign. I won the South African lottery once.

So we get all the SA jokes out of the way, guys, and then...

How long's the show?

So we kick it off over to you, Ben. You can start us up with the news.

Okay, cool. Yeah, the first one, obviously it's happening, is Anonymous attacking HBGary and showing him up, which makes him look a bit of an embarrassing situation. Basically there's just a SQL injection on a website, weak passwords, poor patching, people trusting too much, typical fail on all sides.

That's pretty cool. The thing I also liked is that we'll give credit to Anonymous, because obviously we don't want to upset them. They actually showed how they did it. Like other people, yeah, I hacked this, I've done this, but they've got no proof. At least they've actually put some proof up there, and it's good information for security and other people interested in that type of stuff to see what is happening and how to actually do the attacks, especially these very, very simple ones or so.

But wasn't that just part of the humiliation routine that they wanted to put HBGary through?

Yeah, but it's also, part of it is because it was so easy to get into him, one, not into him. That's what his partner said.

We know nothing about his sexuality, moving along.

So that's the beauty of it, because it was so easy for them to get in. It's like the people had really weak passwords and they got in, and there was poor patch management. The servers were open to an exploit from last year, October last year, so they don't even look after their machines. So that's the humiliation part of it. It's more embarrassing because it's such an easy attack for them.

It was the CEO and the CEO whose passwords were weak and obviously not great, but just extrapolating this out, isn't this just how a lot of companies operate, and we should talk specifically about the InfoSec industry because obviously they are part of it? Do you get the sense that this is how quite a few small consulting companies operate, or do you feel that things are particularly different?

I think this is the same, isn't it?

No security basics, that's a problem.

Exactly, small companies and big companies all have the same issues, where they get a bit of software, they roll it out, think it's fine, they don't really check in and go, yeah, that's great. They have a password policy, so the IT manager has a slightly complex password, but everyone else doesn't. So they go, oh, we don't need to patch that because we've got a firewall, and then it just all falls down.

It's like...

When it comes to passwords, size does matter, and complexity, it's got to look strange.

That's why my password could tell person, because I just thought it looks strange.

That's right.

With the HBGary stuff, I kind of feel... So on the one hand, I feel sorry for them, but any time you see someone's mail spool on the internet, you have to figure what you'd look like with your mail spool opened up to everyone. And in terms of... I know lots of guys have been saying how easy it was, how simple the hack was, and there wasn't much complexity to it, but I think it's one of those... Your keys are always in the last place you look, because why would you keep looking after you find them? So the way a company gets breached is the way they got breached. And like you guys will know when you're pen testing, you almost always hear the customer say, ah, but you got lucky; if it wasn't for that one thing you wouldn't have got the next pivot point. And the answer is, no, you would have found another way in if that way was closed. So it was certainly embarrassing and certainly props to Anonymous. But yeah, I suspect the mail spools have kept everyone busy for the better part of a week just listening in to juicy fruit.

Yeah, and also I think a lot of people would be changing... probably changing passwords as well, I should imagine.

I mean... I take my password from password to password2.

Yeah, I mean, that's the kind of sophistication we're after then. But it just reminds me, since Anonymous is, you know, let's say a movement that's not specific to an individual target, but any targets that kind of get in the line of fire in terms of what their overall objectives are, it does remind me of some of the previous bouts where people have gunned after in particular InfoSec companies, and it's just really depressing to see, especially from small to medium sized security companies, where in some ways you don't expect there to be a lot of discipline, but they reach, but there's so much talent, but they can't, you know, they just can't organize, you know, and that's the problem, they're just not organized. So they consider IT operations to be... it's a crap job, you know, it's like documentation. IT operations, you know, proper IT ops, having the right policies and actually not being the doctor who smokes 60 cigarettes a day and then is advising customers not to smoke. That kind of sums up, unfortunately, a large amount of InfoSec consulting firms, at least that's the impression I get based on the number of breaches that happened in previous years. Haroon, I know, and I'm not asking you to speak about, you know, current or previous, but what's your sense? Is it the kind of loads of talent, but unless you've got someone there who's very strong on the operational side?

Yeah.

They're just busy consulting and doing research and doing the interesting stuff rather than the so-called boring stuff.

Yeah, I think it's, I think it's super interesting. So previously, I spent like 10 years at SensePost and I was super paranoid there, but paranoid to the point where you're almost obstructing work. So for example, our public blog looks like WordPress, but it's actually just a scaled-down, pulled script with almost zero interaction.

Yeah, it was nice, actually. I didn't know it was pretty static.

It's that sort of stuff where you kind of go, no, no, we haven't had time to audit WordPress. Let's not get owned that way. And let's make sure mail passes through two mail hops. And with all that, there would have been the time when you check on the server and you'll find a customer report sitting in a web directory that someone forgot to clean up.

Yeah.

And if we were owned that week, then we would have looked like idiots that week. But having said that, I know with some of the past ownage, like with Matasano or with Kaminsky, there's a good amount of forehead slapping where you go, come on, that's a customer report sitting on a public host. And again, like, I think there's some measure of the doctor smoking 60 cigarettes. And probably for a darker message, we have to wonder if it means that the stuff can be done right ever. Like, I know it's kind of a gut reaction thing that non-technical people will say, well, if they can't do it, can anyone do it? And we kind of like to think that that's not true. But when you see so many people getting owned, and we know that we can't guarantee that we're not next, you have to wonder how much of the stuff we're actually getting right.

Yeah, I totally agree with you. I mean, I'm pretty paranoid and I try to keep things locked down and be operationally sound.

So you put them in the cloud?

Absolutely. Well, then it's somebody else's fault, isn't it? I can give them any excuse.

Sorry.

But that wasn't a bad idea to get them.

Yeah, so I think the deal there, if I could get my words together, is that with a very targeted attack? Yeah, I don't think... I don't know anybody that would stand a chance. It was really targeted. But obviously, it's how many... It's the usual thing. How much it costs the attacker to get at you and to achieve what they want. And that's what I think security is about. It's about increasing the attacker's cost.

I think there's that, and I think if you throw back, and I'm not just saying this because I know that you're now close to him, but if you take some of the stuff that Richard Bejtlich's been saying for a long time, it's not the sexiest part of InfoSec, but with all the ownage that we've seen recently, there should be an increased focus on detection. If you take HBGary, for example, that's what, like, how many gigs of email exfiltrated from your mail server. In their case, it wasn't a cloud, but nobody knew it was happening. And the same for all the other ownage. The question is, it's one thing, everybody gets popped, zero day happens, but to not know while gigs of data are leaving your network, it changes the game slightly.

Yeah.

Yeah, I think you're exactly right. And there's a couple of interesting things, and now, perspective, you're exactly right, it was Google Apps stuff. And you've got to wonder, well, I don't know if there's any special arrangements for any special people there, but generally, obviously, there's no DLP setup, or even if we say that's a solution, but I think a lot of this stuff, which people poo-poo, I think it goes a long way, it just doesn't work in all scenarios. And obviously, you know, since nothing does, then that's what we go for. We go for a series of measures. But yeah, I think it's, I mean, if you just look at trying to protect your mail spool, if you just think about what's involved in that, and I'm sure you have, that's just a nightmare thing, because you're like, well, okay, I don't want all my history. I don't want it if I'm going to get doxed. I don't want my whole historical mail spool going out. Okay, so now I'm going to have some process in place that says, you know, let's keep, you know, only the most recent number of days or weeks or months worth of messages, you know, easily accessible to me, the others are going to be in some kind of encrypted archive, which I can index and search. But then I'm going to need a bunch of, you know, processes in place to do that. So at a single, you know, InfoSec, you know, full-time type level, you can think like that, and you can come up with measures, but it just doesn't really scale. And so that's the challenge, that even if, even if I can figure out some way to protect my own stuff, which I think is really hard. And I would be desperately embarrassed if I got doxed, you know, because there's going to be all sorts of stuff in there. And whenever I see people get doxed, I always have that sinking feeling of like, you know, what do you mean? And I think everyone who disses HBGary has to apply that same thinking to themselves. And because I just don't think there's many people that are really doing it particularly special. They might be harder targets, but that's it.

The main point I'm saying that is that it's like, it's people. So if you're like a one-man band or a small, a race, more company, then you've got more control. But if you're a slightly a medium-sized company, you got like Mr. Dick doing IT. He doesn't know anything about IT security. You got Mr. Intelligence doing other, a guy like Jonathan Penta, security work, but it's not produced doing the stuff at home, so he's just relying on other people internally to do his stuff for him. And I think that's where it happened here.

Well, it's because it doesn't make any money. And then they're concentrating as a medium company on going off for making money. And HBGary, in this case, were concentrating on writing malware and back doors for everyone else's systems, and not paying enough attention to their own.

If their passwords were so weak, it's just another case of security researchers and people working in security not eating their own dog food. I mean, everyone says use separate passwords on every single system. I can't say I am using separate passwords on every single system. I mean, I can say that I'm using enough differentiating passwords to make it so that if one password is exposed, I'm not completely out in the open; it's enough to be able to say, okay, maybe they're going to access the two or three different systems, but they haven't got access to everything. But so many people are just using like password1234 for everything, and then as soon as they get that one password, that's it.

Yeah, I think for the most part, but so other than much of the ugliness that came out from the mail spools themselves, I think the one thing that we take away from it is not to crow as much when we win on pen tests, because it's one of the things that I used to tell the guys for a long time, like you engage in a social engineering exercise. You will win, because you'll only stop when you win. Like I don't think we've ever done a social and not won, because you can just eventually cry until the person gives in and does your bidding. And the only reason security companies don't get taken out so much is because nobody's aiming at them. You aim at a security company with a well written proposal and send them the proposal, and they'll try their hardest to open that proposal because they want your business. And yeah, I think we just need to learn that we need to find solutions that last longer than our pen tests.

Cool.

Since HBGary proved that actually anybody can get owned, and I've read a few articles in the past month that companies should focus on PR more for reacting to breaches. How do you think HBGary particularly acted, right or not right, hearing question?

Anyone else?

Oh yeah.

Is that the rate of it, Haroon or Haroon?

I think the right thing went down the pub, so I think he did a good job.

I'm fucked down the pub. I'll say it, guys, and that's it.

I think the stuff was horrific. So initially I said I wouldn't read the emails on principle, and I quickly folded and started doing searches for certain terms. I know I'm a terrible person, but some of them, when you start going into their first realization that they'd angered the hive, the reaction was just pure arrogance. And at that point you start to think, guys, if you know you're kicking over a hornet's nest, at this point you probably want to be going over and checking every system that you've got exposed.

Yeah.

And I suspect at some point egos just ran away with people, but they handled it probably as poorly as could have been handled.

Does anybody think they will survive this?

No, come on, you know what happens when a company gets owned. They disappear, they reconfigure, they reconfigure, come back, different brand name.

Do they change their names?

Yeah, it's worked consistently, and it always will do.

Totally.

Aaron Barr becomes Rumbaar or something?

I just think Aaron Barr might be looking for a job. I'm not sure he'll stay with Federal, because the other guys were quick to cut him loose.

Yeah.

And so it doesn't look like they've got long-term plans.

What surprised me was how quickly other security companies like Palantir and Berico tried to cut HBGary loose. It was, I'm not sure if you guys saw, but they issued a press release saying, hey, listen.

Yeah, that's fair.

We weren't the same as those guys.

But it was also surprising when you consider that that PPT that went out was on a Palantir background. It's kind of disingenuous to say, yeah, not us.

We feed them loving.

Oh yeah, that was leg waving.

My legal guided mindset otherwise.

It was complete BS, wasn't it? I mean, it was absolutely the fastest in Saras. You can imagine, but I guess that's press releases. In general.

Yeah.

It goes through the special press release machine.

But next one.

Next one.

It's actually sort of similar to that one. Is that McAfee have decided to have done an article on Night Dragon? I don't know if they're trying to be like Bruce Lee or Ninja 5. It's, you know, like, wow, we're ninjas. Ninja Dragon. But it's very similar. They talk about like, at least five oil and gas firms have been hacked over the last few years. But they say by the Chinese yet again. But it's a very similar attack vector. How HBGary got done, you know, SQL website, weak passwords, poor patch management. It's SC going into it. So again, it just shows that it's not just the small companies that have been exploited this or so. And actually the big ones by Bruce Lee. So.

The legend lives on.

Yeah.

So the one after that one is that. Coffee is Starbucks. Had a nice little app on the right of the iPhone, which if you can get a lot of someone on the phone, you can get free coffee for life, which I think is pretty cool. So not only can change the language to Japanese. And you can get free coffee. So yeah, the Starbucks app. They got a little barcode on the phone. So you can top it up. And when you go to Starbucks, certainly in the States, because the Americans aren't used to currency yet. So the girls just put the money. There's a little iPhone against the scanner. And it deducts it off there and they get a free coffee. Or they don't get a free coffee. They pay for the coffee. But the barcode is the same on... or on the iPhone, that account. So if you just find someone's phone, so when they go to it, pick it up. Either take a picture on your phone or just email it to yourself. And then you can use the barcode for your free coffee in the States, which I think is pretty cool.

So it's called friend. It's like a cheap version of near-field communications. I just want to say if they do want for a club mate, you know, I don't like it. But everyone else seems to like it. So that would be pretty cool.

I mean, obviously given how, you know, enormously important that story is, what do you think of Starbucks' new coffee beans? They've actually switched. I was being sold some the other day actually. I don't know if it's true. But the bloke said that they were switching coffee beans and slightly more, slightly stronger, slightly sweeter. Any thoughts on that?

Well, they've gone for less coffee. It's three in one. They just rip it open in front of you.

Well, I don't really like thick creamy things in my mouth, so...

I rather like...

I don't know if there's a girlfriend. You prefer it, right? Is that what you're saying?

Yeah. Yeah, like with a bloke.

Or with a deer.

I don't know. Where are you in there?

Anyway.

Talkin' about porn.

Yeah. Yeah.

This one is an epic... It's handled in failure. It's by Manchester Library. Pretty much. They had a bunch of USB keys, keyloggers, on the internet workstations for the public to come and use. So, these are all things massive incident failure. So, they say the vigilant staff noticed these devices in the back of the keyboard. Unplugged them. Rang the police. The police came and took them. Now, okay. So, they know these devices are on there. Manchester Library can't be that big, because people in Manchester can't read. So, sorry. So, they got into that keylogger, which people use. They want to start by CCTV. And we'll see the person unplugging them and arrest them. You know, it's just... I just recognize how they handled it completely. It says a big... Good thing they've done, but now I think it's just... I think it's there, right?

Oh, hello. Do you think it's really true? I mean, who's going to notice a keylogger? Especially someone who works in a library. They can hardly find a book.

Exactly. So, probably just someone who's just having a deep head in there and they've got... Oh, look, what's this? You know.

Yeah. Some geeky eyeglasses one. Now, that's a keylogger that's used. It's on trains. What's this?

Oh, is it? I remember that comment. Well, sorry.

Did it lovely in Alarack? Lovely.

But do we have any idea? I mean, because I think that's pretty observant to pick that up. I think there's plenty of companies that...

No, the reason why they picked that up is because the keyboard wasn't working.

Oh. That's not really observant, is it?

So, you've got to go fix it and realise there's a device in there between the two. It probably was. It's probably a PS/2 changer to USB.

You know what? Thank you for saying the thing. For what it's worth, a little while back, South African banks were getting hit ridiculously hard with people stealing credentials. And it turned out that what the guy was doing was putting hardware keyloggers at internet kiosks basically all over the country. And the same thing, when you hear it, you go, well, who the hell internet banks from an internet kiosk? But apparently, lots of people do. And the guy made millions before they caught him and sent him to prison. Apparently, lots of people were doing their internet banking at the internet kiosk in RSA, which I thought was quite humorous.

Yeah. I mean, it's interesting because I come across it quite a lot doing penetration testing, where you get vulnerabilities that can only be exploited if someone has physical access to the box before you. And the answer always comes from the customer. Yeah, but no one does that from a shared terminal. And this just goes to prove people do crazy crap from shared terminals.

Yeah, but isn't that the nice thing though, Chris, you know, being an internal pen tester in that scenario. I just go, all right, let's grab access logs or whatever, you know, it is. And let's just do some basic stats on, you know, where people, which IP ranges are coming from as to, you know, where those are more public or private residential stuff. And I just, I like to nail all that kind of stuff because you're exactly right. You hear this kind of nonsense and you're thinking, that's not true. Let's go get some numbers and back it up.

Yeah, it's always nice to have some stats to back things up.

Yeah, exactly. That's the security world all over there. You know, we talk about things as we are ultimately paranoid. And everyone said, are you about, just wouldn't happen. But that's what happens all the time.

I mean, this is your area though, isn't it? This is about how the mind works and how we perceive risk. Both personally and as a group.

Yeah, if it's not personal, we're not interested. It's got to be personal, otherwise I'm just not buying into it.

Well, that's the thing. How does it affect me? That's the thing. That's what people care about. It's not until you either convince them of that or it does affect them that they get the nickels and then twist them while I spend some money.

But there's no, there's no me and I'm awesome.

Okay. Yeah, I'd agree.

You're not in that.

Oh, I just, I felt that. There's a little tinge on my cheek.

Next.

To all the cocks.

Oh, it's a double whammy. Donate this one to, let's call it cock of the month. Mr Kevin Butler from PS3, Vice President. Well, I don't know if you heard, but Sony is a big who have that PS3 got hacked and the information is released for the copyright protection of the games and stuff. And if you have this key, Sony's going to sue you and get you arrested. But Kevin Butler, PS3 Vice President, decided to tweet the key out. So he gave it out to everybody. And I'd like to know if Sony's actually going to pull it up or maybe get him arrested and then get things good in prison or something like that. It's just, you know, just so stupid that, you know, to put a massive epic fail on the security front.

They're going to arrest everybody.

Yes. Think of the money they can make.

Actually, it's what everyone should buy Xbox.

But he's better.

Yeah, it's better. It's more friendly and it's a lot better game.

Are we getting paid for this?

Well, we're hoping we're going to get some free Xboxes.

Oh, okay. Then Ben, do you want to talk it up a bit more?

Yeah. Xboxes grow.

Yes. It's the same engine as the red ring.

No one likes the red ring.

Oh, no. Not even the boot.

Oh. Oh. Oh.

Blast from the past.

So Ben, thanks again for the news. Much appreciated.

So I guess now it's time to kick it off to the interview with Haroon.
|
|
So Haroon, thanks for joining us and putting up with our antics throughout the news.
|
|
Thank you.
|
|
So for those who don't know, do you want to tell us a bit about yourself
|
|
and how you got your starting in Fessek?
|
|
So I've been doing it for a while.
|
|
I started doing firewall network type stuff at the university where I got my degree
|
|
and then started working there full time.
|
|
I did dev stuff for them, did network security stuff for them.
|
|
So this is way back when checkpointed, their firewall one was still called
|
|
Solstice firewall one.
|
|
So it's a little bit showing my age.
|
|
And I basically did internet stuff for them for a long time until I joined
|
|
SENSPOST about 10, 11 years ago.
|
|
And so at the time, I met the SENSPOST.
|
|
SENSPOST had just started up.
|
|
We were literally operating out of Rulof's bedroom.
|
|
So I came up, met them, decided to join.
|
|
I had an incredible amount of fun for about nine or 10 years.
|
|
And last year, left to start something new called THINKST.
|
|
And the main reason for it, I guess we all get into.
|
|
But basically, when SENSPOST started, pen testing wasn't that well known.
|
|
So when you met people, they'd say, what do you do?
|
|
And you say you break into computers and nobody really understood what you are doing.
|
|
And then you tell them the company name is SENSPOST and nobody can pronounce it.
|
|
And after 10 years, SENSPOST was pretty famous.
|
|
So people knew the name and people understood penitation testing.
|
|
So I decided it was time to start a company with a more arcane name with more vague objectives.
|
|
The reason you left was because it started in PCI, wasn't it?
|
|
Ah, yes, I thought that.
|
|
No, no. So yes, the PCI conversation is all on its own.
|
|
But yeah, it was.
|
|
It's certainly, it's certainly interesting.
|
|
But yeah, that's, that's me.
|
|
So I've spoken at a few conferences, written a few papers, a few tools, a few books,
|
|
or parts of a few books, but mainly just had lots of fun for the last couple years.
|
|
So how are you finding doing your own thing?
|
|
It's not that different.
|
|
Like I say, SENSPOST was at a point just the six of us.
|
|
And it was pretty much doing our own thing back then.
|
|
And so it's kind of for me going back to the SENSPOST early days more than anything else.
|
|
Except this time I'm a little older, a little drier.
|
|
People, for some reason, trust me a little bit more than they did back then.
|
|
So it's, it's fun.
|
|
It's, it's fun. And it's interesting again to be small in and trying out new stuff.
|
|
And what services are you offering them with your needs?
|
|
Give me all the opportunities to hit me up now.
|
|
It's interesting because the, the services itself are tricky.
|
|
One of the, so I had a lot of freedom at SENSPOST to do lots of stuff.
|
|
I mean, we grew up and at a point we, we pretty much were in a good place.
|
|
But, but I think what happens is you, as, as a company, you, you kind of find a business model.
|
|
And after that, you end up being a slave to your business model.
|
|
So, so at a point we all got into security saying, let's solve the problem.
|
|
Along the way, we figured pen tests were a way to solve the problem.
|
|
And six years later, you find out that you're doing pen tests because pen tests are the business model.
|
|
People know what they're buying and people know what they're selling.
|
|
And so, pen tests become the thing on the table.
|
|
Commodity.
|
|
And yeah, and it's, it's not so much the fact that it's a commodity from, from the fact that it's,
|
|
it prices are dropping, like I think people will still pay for good quality pen tests.
|
|
But for me, it's a question of whether every customer who buys a pen test needs a pen test.
|
|
Or if we're just doing lots of really cool stuff that keeps us occupied,
|
|
but doesn't really help solve the problem.
|
|
Yeah.
|
|
And yeah.
|
|
Yeah, I was just going to interrupt you there.
|
|
I mean, I think it's the sort of, to use the parlance of my current employer,
|
|
it's the sort of blue versus red approach.
|
|
And yeah, I think there's so much mileage to be had with the kind of blue,
|
|
which means more on the kind of, you know, vulnerability analysis or design reviews,
|
|
all the, all the traditional security stuff that you can do before you kind of start saying,
|
|
all right, we're going to simulate a particular threat.
|
|
So I think, first of all, I think pen tests, you know, things are an obvious statement,
|
|
coming incredibly diluted.
|
|
It's an overloaded term that seems to mean different things to different people.
|
|
And that's particularly true when you start looking at CVs of people applying for jobs.
|
|
Some people think it literally means, oh, you know, I, if you see, it's like a unix pipe.
|
|
If you see nmap pipe to Metasploit pipe to report, you know, it's like odour.
|
|
That's really not what we're talking about.
|
|
And so certainly, one of the ways we've been thinking about it,
|
|
is more on the sort of threat simulation side of things,
|
|
which tends to make things a bit more realistic at least.
|
|
But yeah, but I think this, this, the whole pen test thing,
|
|
and I know there's a new initiative that's been started up by,
|
|
I think when you're, you're helping out and maybe Chris,
|
|
to do with kind of trying to better formulate what a pen test is about,
|
|
but also not just talk about what it should involve,
|
|
but also what the report, you know, should include.
|
|
And so that I think there's, there's some efforts that are going on to try and,
|
|
I don't say standardize, but articulate, you know, articulate what is it you should be getting.
|
|
But I think you're right, Haroon, back to your point that there's a lot of consulting companies
|
|
that are just feeding, and this is where the InfoSec industry doesn't help itself,
|
|
feeding off of this like pen test mantra, because people get it, you know,
|
|
they get the offering now, they didn't, many years ago just like you say,
|
|
but now they get it, and they think if they have one, they're kind of done,
|
|
and it's, it's just scary, isn't it?
|
|
It's a hard thing to get away from.
|
|
I mean, so I try hard to tell people that I'm not doing pen tests anymore,
|
|
and, and literally I don't think a week goes by when I'm not,
|
|
when I don't have someone saying, but I hear you,
|
|
but can you do a pen test for us?
|
|
And it's, it's one of those things that, that's really hard to run away from.
|
|
And in, in part, what, what I want is like, if, so the way we always did pen tests,
|
|
so the way that I always pushed for pen tests was fast to find interesting challenges,
|
|
and then you kind of find a way around it.
|
|
If, if you look at the pen test as a challenge that needs solving,
|
|
you kind of throw determination at it, hopefully some brains at it,
|
|
you write some tools, you come up with some new technique,
|
|
and in the end you solve it.
|
|
And what I'm hoping instead is to take some of that energy
|
|
and use it on problems other than how to break in.
|
|
If you safely assume that you'll break in anyway given enough time,
|
|
then I'm saying, let's do the opposite.
|
|
So let's have someone say, look, we have a problem with phishing,
|
|
and we know what the problem is, we just can't solve it.
|
|
We, we're not coming right, we're still getting our users phished six-love.
|
|
So can't you help us solve this?
|
|
And, and I'm hoping that, that you can then throw the same kind of thinking
|
|
and the same determination, and maybe write a little tool,
|
|
and maybe stick two tools together, and come up with a solution that works for that customer.
|
|
Isn't, isn't the big problem that people don't really know what they want?
|
|
Yeah, so it's, they don't know what they want, and like I say,
|
|
it's, it's a lot easier for them to say, well, why don't you just give me a pen test,
|
|
and then I can say that I've done my security bit for the year.
|
|
And in truth, it's, it's the gamble I'm taking with things,
|
|
but also to be, like to be honest, I've got a lot of customers who, for some reason,
|
|
kind of trust me over the last few years.
|
|
And so for the most part right now, it's then coming to me,
|
|
I've solved some trust because basically they've got to say,
|
|
hey listen, we're not getting this problem right, let's solve it.
|
|
But, but for sure, I think the question needs to be asked more,
|
|
like I think if, if someone's done a web app assessment on your web app more than three times,
|
|
and broken you more than three times, then a pen test on your web app is not the answer.
|
|
You need to ask the question, why can't we write secure web apps?
|
|
And it's a different problem that needs solving.
|
|
Every time you do a pen test, guys break in through networks that you don't know are connected to you,
|
|
then having another pen test next year is not going to make you more secure.
|
|
And so for now, I'm mainly getting work from customers who are more experienced,
|
|
customers who bang their head against getting owned on pen tests for the past 10 years.
|
|
And I'm hoping that in time that stuff will spread.
|
|
But for me, it gives me a chance to work on more interesting problems.
|
|
And my bet is, or where I could lose is I'm actually hoping that I can solve the problem.
|
|
So this is the ultimate post exploitation, isn't it?
|
|
Absolutely.
|
|
That's pretty much it.
|
|
But yeah, that's the hope.
|
|
I'm hoping, or that's what I'm buzzing my time with at the moment.
|
|
So I'm saying, if people have interesting problems, I'll work on them.
|
|
It's kind of interesting that most companies spend a lot of time doing penetration testing,
|
|
as you say, which tends to be futile.
|
|
And I think one of the reasons why some companies don't really reap the benefits of penetration testing
|
|
is that they're willing to spend $20,000 on their penetration test and get someone to come in
|
|
and tell you how they broke into your network and where all the flaws are
|
|
and maybe hint to how you can make that better.
|
|
They'll then look at that report and throw out half of the stuff that you suggest
|
|
when you're saying things like this vulnerability didn't allow us to gain access,
|
|
but it was an information disclosure that allowed us to
|
|
easily research how to gain access to your system.
|
|
And it's those kind of small little bugs that can really add up after an amount of time.
|
|
If you've found five or six small bugs, it's amazing how you can chain them together to gain access to systems.
|
|
But companies don't seem to be willing to fix those kind of bugs.
|
|
And I think that's one of the serious issues.
|
|
If you don't write it in red pen and say, this alone is a critical vulnerability
|
|
and through this one flaw, we can gain access to your system.
|
|
Then it tends to get red-pinned as an expenditure that they're not willing to fix
|
|
because it's marked as a medium or a low.
|
|
I agree with it.
|
|
And for a long time, I felt very strongly that guys need to be fixing all the little
|
|
pivot points that we use that took us to the big ownership of the network.
|
|
And recently, I've started to change that thinking a little bit to say,
|
|
well, maybe we need to do it differently.
|
|
Maybe we need to say, all the stuff is going to happen on a network.
|
|
How can we make sure that's what's important still stays secure?
|
|
And again, it's so pretty fortunate that I've literally had a customer say,
|
|
can you fix phishing for us?
|
|
And I've had one saying, can you sort out so that we can transact even when both parties
|
|
in the transaction may be owned?
|
|
And one of the customers I'm working with right now is saying,
|
|
we know our network is Swiss cheese.
|
|
But can you make sure that whatever these 10 guys do doesn't make it out
|
|
onto the internet ever?
|
|
And it becomes an interesting problem.
|
|
It becomes a fightable fight.
|
|
And maybe that's where we'll go in the end.
|
|
This really gets us close to Chris Hoff.
|
|
And he always bangs on his blog.
|
|
He's titled this way about survivability,
|
|
and I think is what security is about in a business context
|
|
and probably in a government context as well, really.
|
|
It's about being able to continue operations even if it's degraded.
|
|
But knowing in advance what's important to you, what you need to protect.
|
|
So even though you may be half your ass has been owned,
|
|
you can still get done what you need to get done.
|
|
And you're aware when you can't see your degradation levels.
|
|
You're aware of that.
|
|
Absolutely.
|
|
The problem is it's a hard pitch.
|
|
Again, if you're competing with, sure, I'll give you a pen test.
|
|
It'll be two weeks and so many thousand dollars.
|
|
First, let me look at you, what you're doing,
|
|
and let's figure out what's important,
|
|
and let's figure out how we can secure that stuff
|
|
while allowing other stuff to get owned.
|
|
It requires some measure of client maturity first,
|
|
and then some measure of client trust,
|
|
because they basically ping you for a bit to sit and think about stuff.
|
|
But maybe sometimes I think the company thinks they know what they need to protect,
|
|
but really they're not protecting the right thing.
|
|
So we have a responsibility to help the company understand
|
|
really what they need to protect.
|
|
Absolutely.
|
|
Absolutely.
|
|
So part of it has to be figuring out with the customer
|
|
actually what's important, because they can't make a call sometimes
|
|
on how important their border router is, for example.
|
|
And I think that's where you add to the equation
|
|
where you say, listen, if that goes, this is what's going to go wrong.
|
|
This is why we need to protect that stuff.
|
|
And I kind of see it as the next generation
|
|
of consulting for lots of those guys.
|
|
But yeah, so to go back to the question,
|
|
so that's right now the pitch that Thinkst makes is
|
|
if you've got a hard problem, then I'd like to work on it.
|
|
Sorry, Karia.
|
|
No, no, and right now I'm pretty open on what that problem is.
|
|
So like I said, it's been pretty diverse so far from playing with guys
|
|
on phishing, to playing with guys with one time tokens
|
|
to trying to get a reasonable, say, even though it's going to get slaughtered,
|
|
a reasonable web application firewall going.
|
|
And again, my reasoning is you can't necessarily write some tools
|
|
to protect everyone, but you can write some stuff
|
|
to protect very specific people in very specific situations.
|
|
And so for now, I'm just having fun working on that stuff.
|
|
So talking to some things, you spoke already a little bit about
|
|
you spoke of some conferences, but also you've made the comment
|
|
about how there are so many conferences,
|
|
and maybe think you're trying to do about that.
|
|
Yeah, so a little while back.
|
|
So actually a customer, a customer of mine,
|
|
who basically just pays me, and this guy basically just pays me
|
|
to occasionally talk technical strategy and stuff to his company.
|
|
And he was asking me a while back,
|
|
well, which conferences should he attend?
|
|
And a little while after that, it was, well, he attended this conference,
|
|
but there were 120 talks, and he met some people,
|
|
but actually didn't get great value from it.
|
|
And I started thinking about it a little bit,
|
|
and you'll see the, if you go to my blog,
|
|
the cheesy infographic that I put together.
|
|
But one of the things is that conferences have gotten slightly
|
|
out of hand.
|
|
I mean, we've got a conference going on almost every day
|
|
of the year, just in InfoSec.
|
|
And when I mentioned it on Twitter, I know some guys,
|
|
some guys remarked like Charlie Miller said that,
|
|
yeah, the answer is less conferences.
|
|
But I also think that that's wrong.
|
|
I think we need conferences because we need young guys to come up
|
|
and we need new researchers to stretch their legs in the field.
|
|
But the problem is that it generates so much of noise
|
|
that we lose the signal.
|
|
And so one of the things that that customer, in fact,
|
|
asked me for is, if I could basically tell him, listen,
|
|
this stuff was interesting, but this stuff is super important.
|
|
And this stuff you really need to be thinking about
|
|
for the coming year.
|
|
And if you take a look at, just take the past year's conferences.
|
|
And pick a topic, pick a topic like memory corruption bugs.
|
|
I mean, across the literally hundred conferences
|
|
that happened last year, there were lots of guys
|
|
talking about new memory corruption techniques.
|
|
And the question is, which ones were fixed on the next patch cycle
|
|
versus which ones have moved the bore forward
|
|
and actually are going to be the new dominant bug class?
|
|
Which are the ones that you should get your developers on right now?
|
|
And I think some of that stuff, like I say, is just lost in the noise.
|
|
And so what I've got is ThinkstScapes,
|
|
which is basically just a quarterly document that goes out
|
|
that says, this is what was interesting in the last four months.
|
|
And this stuff was marginally interesting,
|
|
but this stuff really bears watching.
|
|
And this guy did this talk and it's building on his work
|
|
that he did two years ago.
|
|
But you should watch it because it's on a trajectory
|
|
that's going to influence lots of stuff.
|
|
So basically, it's like having me whispering,
|
|
you're at a conference without the annoying South African accent.
|
|
That's the charming bit, right?
|
|
That's what my mother says.
|
|
That is the count.
|
|
Yeah, so that's a bit of a fool too, right?
|
|
Yeah, that was tough.
|
|
So where is your blog, if you want to?
|
|
Oh, sorry.
|
|
So if you go to blog.thinkst.com,
|
|
that's a pretty low volume.
|
|
I don't blog nearly as much as I used to when I was back at SensePost.
|
|
But yeah, blog.thinkst.com and you should find it on there.
|
|
And the service is called ThinkstScapes,
|
|
just because I'm notoriously bad at naming stuff.
|
|
But yeah, that's pretty much what it is.
|
|
And it's priced at something like,
|
|
it's priced at $8,000 a year.
|
|
And in part, the pricing is just aimed at less than what you'd pay for good pen tests.
|
|
So if you consider you get four,
|
|
four of those reports and a whole bunch of ad hoc reports.
|
|
So for example, the HBGary stuff would have gone out in an ad hoc report saying,
|
|
hey, listen, this is what went down.
|
|
This is who Anonymous is.
|
|
This is who HBGary is.
|
|
Interesting.
|
|
And here's what you can expect to happen in the next bit.
|
|
But the ad hoc reports are, like I say, pretty ad hoc.
|
|
Hopefully the joy comes just in figuring out the signal from the noise with all the conferences.
|
|
What's interesting is that obviously there's a lot of traditional IT analyst companies out there
|
|
who, you know, various IT leaders will be subscribed to,
|
|
listening to or just kind of like reading and maybe laughing.
|
|
But what struck me was that ThinkstScapes really seems like a very specialized,
|
|
you know, version of the traditional IT analyst,
|
|
but with someone that actually knows what they're doing.
|
|
So someone that's hands on, that's got experience.
|
|
And as kind of seen enough to be able to judge stuff
|
|
from an offence point of view, is that how it is or?
|
|
Yeah, that's pretty much what I'm hoping for.
|
|
So I can tell you, in the past few years,
|
|
it's one of the things that I did, even at the previous company,
|
|
which is after a conference with fit with the guys and we'd go through,
|
|
hey, this is important and this area is worth looking into.
|
|
And so fortunately, it's one of the things that having done this for 10 years
|
|
kind of falls into kind of what I do.
|
|
And I'm sure that lots of the guys, lots of the guys here on the podcast
|
|
have some of the skill sets.
|
|
But I'm kind of lucky that I kind of have played in most of the areas,
|
|
even of InfoSec, to some extent.
|
|
So I've got a reasonable, reasonable amount of experience
|
|
in web app haxering and in network pen testing and in memory corruption attacks.
|
|
At least enough to be able to give a fairly nuanced view of,
|
|
hey, this was really cool.
|
|
But actually, this is going to be taken out by the next big bug fix.
|
|
And this stuff's cool and it's not going to be fixed for a while
|
|
because it has these implications.
|
|
And not being a full-time memory corruption guy also means that I don't
|
|
dis-everything web app and don't dis-everything network pen testing.
|
|
So it, yeah, it kind of allows me to play across the field
|
|
and allows me to give almost fair comment across the field.
|
|
So kind of, yes, this is really easy to do but it's going to mean that
|
|
you're going to have lots of kids using this attack class against you.
|
|
So you need to watch out for it even though it's not particularly sexy?
|
|
So does that mean you're going to be going to more conferences than Chris does?
|
|
Because Chris holds directly but being at so many conferences.
|
|
And so in order to compile these ThinkstScapes,
|
|
yeah, with the kind of intel on the latest talks.
|
|
And is it just you or do you have anybody else working?
|
|
So I've got one guy who's recently just joined me, God help him.
|
|
But for now, ThinkstScapes is mainly all me,
|
|
except he's currently putting together a database that will release shortly,
|
|
that will kind of allow people to browse.
|
|
So you should be able to click on a speaker like Craig Balding
|
|
and it should tell you he gave these three individual talks
|
|
and those two were actually repeated at the following end conferences
|
|
and in past years.
|
|
I don't reveal my secrets around.
|
|
And these are the three blog posts that Chris wrote about it
|
|
while he was walking across the field.
|
|
Yeah, exactly.
|
|
He's talking.
|
|
That was a scary part.
|
|
He's so efficient.
|
|
I guess one of my questions is that,
|
|
if you're not so much a Chris because now you're not doing it to get paid
|
|
but you're doing it to spread the word sort of thing
|
|
but if you're attending conferences and having to have so much focus on
|
|
taking guest notes or feeding this information in to store it somewhere
|
|
and process it,
|
|
so you're not focusing on the networking stuff with individuals so much.
|
|
Does that take the enjoyment of the conferences?
|
|
So, in truth, I'm pretty anti-social.
|
|
So I've got a bit of a bad reputation for doing my talk
|
|
and then hiding in my room for the rest of the conference in general.
|
|
I think over the years I've run out of excuses.
|
|
So now people don't even ask me for excuses.
|
|
In truth, I don't necessarily plan to attend all of these conferences.
|
|
Like I said, it's pretty much what I've been doing till now.
|
|
So in terms of getting conference material, reading up on it,
|
|
speaking to people or close friends who I know who have attended,
|
|
basically it involves reading lots of the papers.
|
|
So where the papers are put out,
|
|
actually making sure that you go through them reasonably
|
|
where it's reasonable working through some of the stuff.
|
|
So going, hey, this looks interesting,
|
|
actually trying it out and figuring that the guy's research was good demoware
|
|
but never going to hold up on a real network.
|
|
So I end up doing lots of that anyway,
|
|
whether I attend the conference or not.
|
|
And in part, it's kind of an addiction.
|
|
It's something that I thought I'd be over once I left,
|
|
once I started the new company,
|
|
and I find that I'd do it anyway.
|
|
So yeah, it's something that I end up doing by default almost.
|
|
Well, doesn't that cause problems with more private and by only kind of conferences
|
|
where you tend to see,
|
|
I'm going to say better talks and different talks,
|
|
where people feel slightly freer to talk about their latest zero-days
|
|
or the latest attack vectors,
|
|
because they know they're not going to be publishing the paper
|
|
and they're not going to be publishing.
|
|
For sure.
|
|
And in cases like that, I won't talk about stuff
|
|
unless the guy gives me permission to.
|
|
So for any of the private con stuff,
|
|
if the stuff's going to come out,
|
|
it'll only be after speaking to the author
|
|
and finding out that he's okay with what I plan to say on it.
|
|
But for the most part, I think there's enough noise
|
|
that needs clearing up just in the public conferences.
|
|
In large part, the aim of this is to clear up the noise.
|
|
It's to say, hey, all the stuff was out there.
|
|
Here's the stuff that you need to pay attention to.
|
|
So it's very much kind of like a...
|
|
I've taken all 20 tracks at the latest Black Hat
|
|
and brought it down to two talks that were actually interesting.
|
|
Yeah, pretty much.
|
|
So probably a little more than that,
|
|
but it'll probably be something like...
|
|
I don't know.
|
|
But it'll make me...
|
|
It basically will be that.
|
|
It'll be like 120 talks just happened.
|
|
These two talks really pushed this new concept forward
|
|
and this stuff really bears watching
|
|
and this stuff looks interesting.
|
|
We should probably look at it.
|
|
Cloud security.
|
|
That is interesting, Matt.
|
|
Yeah, no, no, one is, I know this.
|
|
So, Haroon, question for you.
|
|
Yes.
|
|
In fact, this is the Zarkon.
|
|
How do you fancy this?
|
|
Is it Zarkon's Acon?
|
|
Z-Acon.
|
|
Sorry, okay.
|
|
So Z-Acon.
|
|
Oh, like an Acon.
|
|
Z-Acon.
|
|
Z-Acon.
|
|
Yeah.
|
|
Z-Acon.
|
|
Yes.
|
|
So, the functions without a tag length.
|
|
Yeah, that's unusual.
|
|
And riffle.
|
|
So what's the deal in terms of the...
|
|
When we get guests on, we often like to ask
|
|
what the InfoSec scene is like in their country
|
|
and interpret InfoSec however you want.
|
|
But what's it like in South Africa
|
|
and the sense I get from watching the videos
|
|
and I really did enjoy many of the videos
|
|
and from the last couple of years
|
|
was that you're really trying to develop
|
|
or get a voice to people
|
|
that maybe are doing the research at home,
|
|
maybe they're not even in a full-time security job
|
|
but they're kind of doing this stuff
|
|
and you kind of want to get their voice out there
|
|
and get them into somewhat into the circuit
|
|
because there's certain visibility benefits
|
|
and financial benefits that
|
|
do you want to just talk a bit about that
|
|
and how ZaCon came about?
|
|
Yeah, sure.
|
|
So first of all, you smack on right.
|
|
So a big point of ZaCon is just to get guys
|
|
fiddling with stuff and researching
|
|
and seeing the coolness.
|
|
And there's multiple reasons
|
|
why we thought we needed it.
|
|
But probably the big one
|
|
wasn't me.
|
|
That was my start.
|
|
And probably the big one is it's...
|
|
So Dave Aitel, who's always excellent
|
|
for biting quotes,
|
|
said something about how if somebody
|
|
had to start hacksering today
|
|
with all of the OS-level protections that exist,
|
|
he'd probably never reach the level of proficiency needed
|
|
because it's too hard today.
|
|
Now, of course, young guys come along
|
|
all the time to prove that they're completely wrong
|
|
but the point is sound
|
|
that the field is really intimidating
|
|
for young guys to get into today.
|
|
And in South Africa,
|
|
a part of the problem is
|
|
that you've got lots of guys
|
|
who kind of are maybe interested
|
|
but it's really a bridge too far for them.
|
|
So they're doing their corporate job
|
|
and they may be hearing about Black Hat
|
|
and they maybe know someone who attended.
|
|
But actually, contributing
|
|
is really far away from their mind.
|
|
And so a few years ago,
|
|
Marco from SensePost,
|
|
Marco and I were talking about
|
|
putting together a conference
|
|
and basically the point of it being
|
|
a non-sponsored,
|
|
non-corporate driven event.
|
|
So both of us were at SensePost at the time
|
|
and the plan was for it to be
|
|
non-SensePost-driven.
|
|
And basically what we wanted was
|
|
a way to start getting people interested
|
|
and I know I mentioned it before,
|
|
but it's almost to lower the bar.
|
|
So I know it sounds counter-intuitive
|
|
because normally you want to go in there
|
|
and raise the bar and get synergy
|
|
and all of that stuff.
|
|
But in this case,
|
|
what we wanted was to show guys
|
|
that actually it's okay to come in
|
|
and talk about how you configured
|
|
SELinux on your box
|
|
because maybe he'll do it
|
|
and maybe he'll get the experience
|
|
and maybe he'll start someone
|
|
in the crowd thinking about how
|
|
SELinux is doing this stuff
|
|
and we should be doing something else.
|
|
But basically it's to start getting people
|
|
used to actually fiddling,
|
|
actually researching
|
|
and actually generating stuff.
|
|
Almost the central theme is
|
|
to make people produce instead of consume
|
|
because part of the problem now
|
|
and it's again tied to the fact
|
|
that there's such a wealth of information out there
|
|
is that people are consuming more and more
|
|
and they seem to think
|
|
that they're doing something useful
|
|
just by consuming.
|
|
So you start to listen
|
|
to excellent podcasts like this one
|
|
and you can basically
|
|
have a guess.
|
|
You say that slower than we can extract it
|
|
from the audio.
|
|
This is your trash, right?
|
|
You remember what podcast you are.
|
|
But seriously,
|
|
you can kind of fill up your
|
|
iPod or your
|
|
and you can have a full-on podcast
|
|
so that you're not thinking about doing stuff anymore.
|
|
You're just listening to stuff
|
|
that other people are saying they did
|
|
and you think you had a productive day
|
|
and actually what we're trying to say to guys is,
|
|
no, come on, do stuff.
|
|
Like stop watching other people do it.
|
|
Do it yourself.
|
|
So a little bit, we have to
|
|
deliberately lower the bar
|
|
because we want to encourage people.
|
|
So there's some talks, for example,
|
|
that we look at and go like,
|
|
this guy's actually got it
|
|
fair but wrong.
|
|
But what you want is for him to get it right
|
|
and so you want to accept the talk
|
|
and talk him through it
|
|
and see if we can get it to a good state.
|
|
Yeah, so I'll tell you guys
|
|
a really, really long time ago
|
|
and again, it's going to show my age
|
|
and Ping from Black Hat was telling me
|
|
that they had this reverse engineer give a talk
|
|
and he was so nervous that his talk
|
|
went really badly
|
|
and basically couldn't string words together
|
|
without looking at the floor.
|
|
Except that Jeff from Black Hat felt
|
|
that the guy was worth betting on
|
|
and so they gave him another chance
|
|
and that guy was Halvar
|
|
and Halvar became Halvar
|
|
and now is much larger than life
|
|
in InfoSec reversing.
|
|
And so kind of what we're hoping for
|
|
is some of that
|
|
that young guys will try out
|
|
and may not be awesome the first time
|
|
but it's awesome that they try
|
|
and we'll get awesomer as they go.
|
|
If you want bad presentations
|
|
then just give them a shout.
|
|
So do you think Haroon?
|
|
I mean, just to take it on their cultural
|
|
side for a second.
|
|
Don't you think, I mean,
|
|
me sort of coming from England
|
|
I think it's got a lot to do with the way
|
|
that different nationalities
|
|
are kind of brought up and the way
|
|
that we feel comfortable expressing ourselves.
|
|
So if I think about,
|
|
so I've worked for a U.S. company for many, many years
|
|
and through that, you know,
|
|
I've met some really...
|
|
I know some people think,
|
|
oh, a U.S. company is going to be loaded
|
|
stupid course.
|
|
Yeah, elevate music.
|
|
I'm boring.
|
|
I've only been talking for 20 seconds.
|
|
20 seconds.
|
|
It's not really crazy.
|
|
10 minutes when I talk.
|
|
I do know this.
|
|
But I think the
|
|
kind of makes the guys
|
|
I'm really in trouble.
|
|
Is that, for example,
|
|
the U.S. much more comfortable
|
|
with show and tell.
|
|
So, you know, in the classroom
|
|
standing at the front
|
|
of the very young child
|
|
talking about something they did,
|
|
something they're proud of.
|
|
And, you know, certainly from,
|
|
hey, if you're in England,
|
|
you never did that.
|
|
That was just...
|
|
That was like the antithesis.
|
|
It was the opposite of anything
|
|
you would ever want to do.
|
|
And so, like, for example,
|
|
the first talk I gave,
|
|
which happened to, like,
|
|
in terms of InfoSec,
|
|
was Black Hat.
|
|
I was cracking myself.
|
|
You know, I was really like,
|
|
why am I doing this?
|
|
This is, like, suicide.
|
|
You know?
|
|
And I thought,
|
|
well, I'll do just...
|
|
Yeah, I'll just do death
|
|
by bullet point.
|
|
And that's why I did
|
|
nice slides.
|
|
The slides got really good
|
|
reaction.
|
|
But, you know,
|
|
I was really scared.
|
|
I was fearing for my sanity.
|
|
And my future income.
|
|
But, you know,
|
|
I think it's that different.
|
|
So, I think what I see
|
|
with ZaCon is that,
|
|
you know, I get the feeling that
|
|
it's not so different in South Africa
|
|
in terms of the way you guys
|
|
are brought up, just as a sense,
|
|
you know,
|
|
the way that you express yourself
|
|
and carry things out,
|
|
is the same deal,
|
|
is that, if I think about
|
|
our American cousins,
|
|
they're really, you know,
|
|
very comfortable standing up,
|
|
talking about what they did.
|
|
They could be talking about
|
|
running an Nmap scan.
|
|
And they would talk about it,
|
|
like, it was,
|
|
brilliant.
|
|
And that's how they felt.
|
|
And they can encapsulate that.
|
|
They can feel good with that.
|
|
But...
|
|
Yeah, absolutely.
|
|
My perspective, you know,
|
|
is like,
|
|
oh, it's just that.
|
|
You know,
|
|
and that's the problem is that
|
|
there's some kind of middle ground
|
|
that we need to figure out,
|
|
where it's like,
|
|
you've got to get out,
|
|
you've got to better say this stuff.
|
|
And then, once you get out,
|
|
your system,
|
|
you'll move on to the next stuff.
|
|
Yeah, absolutely.
|
|
And look, for the most part,
|
|
what I'm really trying,
|
|
or what we're really trying to get right,
|
|
is having guys do stuff.
|
|
So, I think there's the,
|
|
there's the talking about it,
|
|
which I think you smack on right.
|
|
I think there's a cultural hesitancy,
|
|
a kind of a cultural,
|
|
we're not good enough,
|
|
that creeps in,
|
|
that needs to be beaten out of people.
|
|
But I think that's like,
|
|
an easier fight to fight.
|
|
What the thing that really worries me,
|
|
is that I'm afraid that we,
|
|
that the guys get so used to just consuming,
|
|
that they don't think
|
|
that producing is possible.
|
|
So, so the guys kind of end up
|
|
in a rut where you,
|
|
you kind of think that it's your place
|
|
to run other people's tools
|
|
and learn other people's presentations,
|
|
without ever saying,
|
|
let's do the stuff.
|
|
And one of the things that you guys will know,
|
|
is that presenting isn't easy.
|
|
I mean, standing up on stage
|
|
and talking is not particularly difficult,
|
|
especially if you're semi-narcissistic,
|
|
like we are.
|
|
I find it can finish quite easy.
|
|
Yeah, exactly.
|
|
I've been taking it for a long time,
|
|
and it comes naturally.
|
|
But, but I mean,
|
|
the difference between thinking you know Nmap
|
|
and saying,
|
|
I'm now going to teach you Nmap.
|
|
And then you stand up to teach someone,
|
|
you suddenly realize,
|
|
hold on a Christmas scan,
|
|
actually sounds the same as an X scan
|
|
that I had in my head.
|
|
So, clearly I don't understand this properly.
|
|
And if sequential ideas are predictable,
|
|
then why isn't spoofing possible?
|
|
For example,
|
|
and some of that stuff is hard.
|
|
It's it's the same,
|
|
so I heard you guys
|
|
prove that I actually listen to you guys.
|
|
A while back,
|
|
you guys were talking about how difficult
|
|
putting out a quality blog post is.
|
|
And it's one of those things
|
|
where I want guys to say,
|
|
let's take the trouble to create something.
|
|
Because actually creating something decent is hard.
|
|
And the danger that I'm worried about is where there's this little
|
|
dip that the guys have to go through
|
|
where it's difficult and maybe doesn't come naturally.
|
|
And at the same time,
|
|
they could use the time
|
|
listening to a high quality podcast like this one.
|
|
And so the guys end up thinking
|
|
that they don't have to do that blog post.
|
|
And yet I think that if they do,
|
|
they're going to be so much better for it.
|
|
Because the stuff's going to roll on
|
|
and other people are going to learn from it
|
|
and they're going to learn from having done it.
|
|
And it just works out better all around.
|
|
Yeah, totally. You should listen to, when we were at BruCON last year, we did a podcasters meetup. And the same thing came up, and it was about, yeah, there was a bunch of things in there. But one of them was about that create versus consume. And I totally agree with you. I mean, it is harder to create. And every time I write a blog post, which unfortunately isn't as frequent as it should be, yeah, it's really hard. It's hard to write. It's hard to put down your thoughts. It's easy to think you know your thoughts. And then once you start trying to figure out who, you know, who are you writing for? That's one of the hardest decisions ever. Because if you start switching that persona that you're writing for, and you know, then your blog post takes three hours to write rather than maybe the half hour that it should. But yeah, it's, and that's the thing, because I think back to when I started out, and I was, Unix just had been and then kind of got the calling after reading a book, and kind of discovering, wow, there's all these security issues on the systems I look after that I thought were all right. Then you go into, you know, consume mode, but back then it was pretty easy. You know, it was like, you could read an awful lot, but you would never be drowned. Whereas now, there's so many, there's so much, even in the, if you just look at all the stuff that's out there, there's so much quality signal, once you can differentiate that, that, you know, you could really just consume for the rest of your life, and never take the initiative, and get up and do something.
And the thing with the, I mean, that's, so just tying it back to South Africans. The thing that I found with the SA guys I know is that actually they're very much get up and do it. You know, they're kind of, they're not the consumers sitting back on the sofa and just taking it. And now I know that that may be generational, but.

Thank you.

Also, probably seeing a selection bias.

Oh, I totally am. I'm seeing the guys that have percolated up, so.

Yeah.

Yeah. So, yeah. So, a whole bunch of guys then got behind it.
So, Matt Erasmus, you guys mentioned Roelof and Dominic. So, Dominic, singe on Twitter. And basically, it's been pretty great. So, we ran the first one and the crowd was good. And last year's was even better. We had quality speakers. We had Ollie Whitehouse Skype in from, Skype in from the UK.

Nice.

Yeah. Last year, we tried something new, so we introduced a concept that said, if you want to do a talk, but actually don't know where to start. Like, you kind of think you want to talk about a subject, but that's about as far as you go in your head. Then, speak to us and we'll tag someone on to you and he'll basically walk you through the talk, push you in the right direction. And obviously, that guy gets no credit as the tutor. He's just going to be on your shoulder and help make it happen. And it was interesting to see how that stuff worked out. Like, initially, there were maybe ten people who signed up saying, I'd love to do that, always wanted to do a talk. And after initial meetings with the guys about half of them dropped out. And once it got down to actual serious work, another half of that dropped out. And in the end, there were just two guys who presented that came up through that assisted presentation technique. And I hired one of them. So, so yeah.
Now we understand what it's about.

A rising tide lifts all ships. That's what I say. No, but you're right. I mean, the thing is, I remember going to some really early CanSecWest talks. I was really lucky to be, you know, my employer was willing to spend the money to fly me out there. And I remember talking to Dragos and just saying, you know, one of the things he was working on was trying to get some of the speakers who had, you know, they had massive amounts of talent. But as you mentioned about, you know, maybe Halvar's first talk, you know, just didn't have the confidence. And whereas now, if you listen to Halvar, like you would never believe it, you know. And that's the thing is about, there's all these people that have this talent. And people have to coach them. And so, there's probably a segue for InfoSec Mentors here, isn't there, Wim? But there is a lot to be said about, you know, supporting people and you're not going to get any credit for it. But that's cool. You know, it's kind of like, just putting something back in, isn't it?

Yeah, absolutely. And look, less altruistically, it always helps to have more smart people at home. Whether they end up at a customer or whether they end up working with you, it never hurts to increase the smarts.
But that's why I invite Ben on the podcast, WikiClown, because we're hoping that his negative IQ acts as like a multiplier for us.

That's absolutely good.

Did I miss something in maths?

You're a treasure for charity, no? You're a treasure.

Of course, a special case.

Thank you, guys.

You are, you're really special. You get an extra 10 meters per hour. You're all special, we. Gold star, gold star.

Nice.

Cool. So, Haroon, so I think we've been running for one, so we probably have to wrap it up, don't we, Dale? How long have we got?

Oh, I guess we've got a, unless Haroon's got anything else he wants to mention, he's working on or upcoming conferences he's talking at or anything like that.

Nope, so I've got a few things that I'm working on, but they'll pop up sooner or later. So I'm actually good. Thanks for having me on, guys.
Okay, so if people want to follow you, obviously you've mentioned your blog already. So a website or Twitter, anything that you want people to hook you up on.

So my Twitter is haroonmeer, but I'm probably one of the worst tweeters there is, like I frequently type something in the text box, ask myself if it needs saying and decide that it probably doesn't need saying.

You apply, you apply quality control to your tweets. You just don't get Twitter, do you? I think you're something up.

Yeah, I've spoken to a few people to try to teach me how not to be so anal about it. But I can't. So yeah, so anyway, on Twitter, haroonmeer, I've managed a total of 265 tweets.

All right.

I was just trying to throw a remote shake.

What did you do?

Sorry.

Yes, absolutely. I'm going to... Yeah.

So that's me on Twitter. And blog.thinkst.com is infrequently updated, but is updated when stuff comes out. And yeah, that's me. So you can mail me, haroon@thinkst.com. If you've got hard problems there, do you want a guy with a bad accent? Think about it.
And we're just... We're probably like you. Yeah, we got wind for that. We were like, there was the fig leaf talk, and I didn't want to miss out on it, because personally, I got a lot from it and thought there were a lot of themes that totally knocked my head there. I'll just give like the... I'm putting you on the spot there, I apologize. The one minute version of the fig leaf talk, like, and where people can watch it, because I think it was a linear recording of it.

Oh, yeah. So if you go to the ZaCon site, there should be a link to the video there. Actually, there should be a link on my blog too. But the crux of the talk was basically a, hey guys, let's stop hiding behind statements. And I think in InfoSec we've got a whole bunch of them that we hide behind. And in part there's just a, come on, let's stop talking about the stuff and start doing it. And it applies to where we stand with InfoSec, and in part where we stand with research. So all of the... I didn't do it because of the following n good reasons, or we didn't, we're not secure because of the following n reasons. I'm saying, come, let's put that stuff behind us, let's just put our head down and start doing stuff. So that's about it in a minute. I promise that the video actually includes more ums and ahs. It's badly lit and badly shot.

Excellent. So yes, somebody should definitely check that out.

Somebody.
So um, before we wrap up, we'll just go around the table, see if there's any questions. Ben, do you have anything?

No, I'm okay, thank you.

Chris?

No, I'm good. I think we've covered a lot of ground, and I think there's a lot of interesting information that we can take away from the discussions.

Okay. Wim?

Well, since the BruCON CFP launched this week, would you consider submitting to the BruCON CFP?

Um, I shall indeed. Um, so I shall means I shall ponder submitting. So I've got something that I'm working on on OS X. That's not quite ready yet. And, um, right now talk ready, I've got my, uh, the talk that I gave at Black Hat last year, but I kind of hate repeating talks. So mostly, mostly only ever give talks, uh, once or twice. So, uh, I'll mail you offline and, and see, see if there's anything that I can do that you guys won't hate too much.

Cool.

And it'll be cool to be there, yeah.

Cool. Craig?

We're good. It's a good conference. I've heard good stuff about it. Matt tells me you'd go there almost for free. So he paid to completely pay just to go out there, so you guys did something right.

Craig, anything more for you?

Yeah, just one thing.

As a prize.

Yeah.

Big shock.

So if you had, like, one message for somebody that was, like, just getting started in, uh, IT security, maybe they were just at me, or whatever, and they're kind of conversing over. What would you, uh, what would you say to him?
Um, almost more than anything else. And, uh, I'd say, do stuff. So, so it sounds, uh, it sounds really trite, but I think people really underestimate the value of actually, uh, doing stuff. Um, and, uh, what I mean by that is if he's a sysadmin and he's just started out and has configured, uh, SSH, uh, authentication on his box, write it up and put it out there. Uh, tell people why SSH authentication works that way. And, uh, right now, I think I'd advise almost anyone to make sure that they're developing. Uh, so even if they're just scripting, but I think right now, if they're not, if they're not putting together some code, it's going to hurt them in the long run. And other than that, I think, uh, yeah. So, it's, it's going to turn into a long story. But there was a, there was a paper a long time ago called You and Your Research by Richard Hamming, uh, the guy who, uh, the guy who put together, uh, the Hamming number and all of that. And if, if you read that paper, so go look for You and Your Research by Richard Hamming. And it's absolutely everything that you'd want to say to anyone, uh, starting off in this field. All of the stuff's in there. It's going to say it's going to cost you, uh, don't fool yourself into thinking life balance works out perfectly with achieving truly spectacular results. But if you want it, it's worth it, uh, make it happen.

Well, I hate, and I'm terrible at coding. So I guess I got a world of pain coming my way. So on that bombshell. Thank you very much, Haroon.

Thank you guys.

Coming on the podcast.

Yeah, much appreciated.

You know, thanks.

Thanks much, you guys. Chat soon.

Great. Catch you guys next time.

Thanks for listening.

Cheers, those sounds.

Bye.

Bye.
It's all the grass sometimes.
It's something to tell you.
Your life is about to be all good.
And everything changes.
It's crazy, right?
This one goes out to everyone.
It's taking something unexpected and turning it around.
Life's the world.
The greatest minds of our time.
Begin a new flight.
Consider them as geniuses in their own way.
It's intelligent, innovative, running up the score.
The best co-workers in anyone can ask for.
Walking with desks boards.
Leaving the office.
Farms holding cardboard.
Lives in those boxes.
We wind up few hours.
Ain't no pushing code to test.
A few minutes back.
They were cleaning out the desk.
Tony was furious and ripping out the fixtures.
Pushed him out the door.
Didn't let him get his fixtures.
Nick was in shock.
The news just fitted.
Highs in the days as he turned off the system.
Justin was calm because he knew they'd find work.
And this was the bottom.
So we wouldn't get worse.
Let's hide aside.
Thoughts on his mind.
Let's see lock himself out.
For the very last time.
Here we go.
No telling what's next.
Life's up and down.
Never know what to get.
Be prepared when you're quick to the test.
Got a step up.
You can stand above the rest.
Here we go.
No telling what's next.
Life's up and down.
Never know what to get.
Never know what to get.
Got a step up.
And you stand above the rest.
The best four with three months.
Life's no joy.
Boat Tony and Justin.
It's still a long story.