lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
caa022c4d8ae3ad9b1daad19289ee988d22bb65d
hpr-knowledge-base/hpr_transcripts/hpr0467.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

208 lines
17 KiB
Plaintext
Raw Blame History

Episode: 467
Title: HPR0467: AutoNessus News
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0467/hpr0467.mp3
Transcribed: 2025-10-07 21:11:36
---
Let's go.
Hello and welcome, podcast listeners to another Hacker Public Radio show. I'm your host
for the show, Phoenix, and I'm joined online with Frank. Hi Frank, could you introduce yourself
to the Hacker Public Radio audience? Yeah, my name is Frank Gadek. I'm, by day, a security
engineer for Schubert Phyllis, and in the other hours, I work on a project called Autonesis
and I blog for CupFighted on that. Now, those HBR listeners that have tweaked, it is Frank Autonesis
on the line, and we have spoken to him before. Frank, it's really great to have you on the
line again. Yeah, a great regular noise, always good to get a good chat with you. But
actually, you've joined us on the line today to talk a little bit about your project and
some of the plans that you've got for the future. It might be worth for some of the people
on Hacker Public Radio land that haven't heard about your project. Maybe if you tell us
a little bit about it and what it does, that'd be awesome. Yeah, Autonesis is a project
that I started. Well, basically, to fix one of my own frustrations, we're doing a vulnerability
scan of the same infrastructure more than one, basically. I was doing that for my job, and yeah,
I found that you're actually looking at the same report or nearly the same report every month.
And that's sort of like having two copies of Rembrandt's Nightwatch and trying to find the
differences in that. So humans are not really good at that. So I decided to write a program
to, first of all, schedule a NASA scan for that moment. And second of all, compare the
one NASA scan to the other to figure out what was changed. That sort of got, well, out of
hand, there's a wrong word, but the ID grew. And it's now a automated platform to fire off
NASA's and open fast scans, compare them. And yeah, by comparing, making a Delta also getting into a
workflow kind system where you can actually see which findings you have to look at, which
ones you can safely ignore and which ones you can cross off your list.
Yeah, I mean, for those that remember Bach, I've originally heard about your project from
when the HBO legend Ken Fallon spoke to you and Bach then. And at the time, you were only
supporting NASA's and I'm right in saying it's OpenVAS as well that you're supporting now. And
as well, if you've got plans for any other vulnerability scanners to be supported.
Yes, that's right. Extending Autonases to also support OpenVAS was not that hard because
the binaries are pretty much alike. There's not a great difference between OpenFast and NASA's.
There are some some small details that are different, which are easily handled.
But then it sort of struck me that I should move to a more more open structure
because looking for instance, starting NICTO through Autonases doesn't give a great result
because that NICTO finding is almost always going to be different. So you really want to break that
out. And as I started to think about okay, proof of concept, Autonases works, but there's a few
fundamental bugs in there, things that I didn't think out as well as I would have liked.
And so I need to fix them. And then in the spirit of open systems, I should really open it up so
that we can support more scanners. And the ones I really want to include, there are Native
and MAP, Native NICTO, NASA's OpenVAS. So that would be the first list.
And then my idea is also to have that plug-in architecture API
configured, documented well enough so that it's not hard to add new scanners.
Okay, I mean, like I say, in the time that I've spoken to you and I've originally heard
your great interview with Ken Fallon, I've seen from aside that your projects just moved
with incredible speed and it's really good to see, it's really good to see. But one of the reasons
that you're on the line today is to actually ask the Hacker Public Radio listeners to give you
a hand or something. Would you like to ask the Hacker Public Radio? What question do you want it to
ask them? Yeah, as I'm moving and developing the next version, it looks like a really outgrown
or the other tool has outgrown its name. Autonesis is too necessary.
Especially as we want to support OpenVAS and the other scanners as well. So yeah, really
Autonesis is looking for a new name. I've been invited to speak at Confidence in Poland
in November and I really would like to announce a new name there. So I'm looking for inspiration
because I'm not good at coming up with names. So yeah, any help is appreciated and I talked my
employer into giving me one bottle of first-click or champagne for whoever comes up with the best name.
Awesome. So basically someone from listening to HBR now could get in contact with you and make
a suggestion for what's known as Autonesis now but we'll change in November. So someone from
Hacker Public Radio listening now could get in contact with you, come up with this suggestion
and hopefully be part of naming an open source security project as well as winning an bottle of
champagne. Yeah and I'm still trying to, I'm still on this scavenger hunt to get some more prizes
in there. Awesome. So I mean, is there any requirements that the name has to meet or is there
or is there some stuff that you know, all sorts of suggestions or is this stuff that just
definitely out of the window? Well, the name is really free format. I've had suggestions
ranging from Autovass, from the open-fast guys to Frank's NSX and then spelled the web 2.0
way with all lower and capital interchange. So as the name goes, I'm open to just about any
suggestion. Obviously by participating, you give up any claims you have to the name.
Because if I want to, yeah, we're going to use it. I don't want to before
be faced with anybody's taking claim to the name. So no royal attacks on top, man. Exactly.
You have to be okay with me picking the name in a very undemocratic process.
Yes. And yeah, ideally the name should be free on things like Twitter and the domain name should be free.
So that. But so basically, yeah, it's a really good chance for the kind of like the
own source kind of community and and the security community to, you know, be a part of a
be a part of a process and name and name and an awesome tool. And what did you say that you're
going to announce this? Are you going to announce a new name for Autovass? When was that November?
November, I think it's either November 18 or November 19. They haven't said the exact
date for my talk yet. And that will be in Warsaw for the conference conference.
Awesome. Now, what's the best way for people to get in contact with you, Frank?
Well, I'm on Twitter as Autoneses. So if you send a message to me through Twitter,
I'll definitely pick that up. If you go to Autoneses.com, there's a contact form there.
Which which works well as a way to send in suggestions or just by email to suggestions at
autoneses.com. That will work as well. Okay. So either get you through Twitter,
through your suggestion or get you through the email address. Suggestions are autoneses.com.
Yeah. I presume you'll be changing your Twitter handle after the 18th line.
Yeah, that will be obviously when I announce the new name. It won't be a big bank transition.
So I have some work to to get claim the main names and Twitter accounts and stuff like that.
Also, if you want to look at the details, I've created a tiny URL. So if you go to tinyurl.com
slash Autoneses, you'll get on the blog post that describes all the details.
So you'll announce the you'll announce on the 18th or 19th November what the new name of the
project will be and how will people find out who won the Champagne? Will you blog it or I'm
presuming you'll Twitter it? I'll definitely Twitter and blog about it.
And yeah, who knows? I'll maybe do an announcement. I can public radio as well if you let me waste
some more air time. It's all right. They let me waste loads of it so they shouldn't have a problem
with you, but... So apart from a name change, what else have you got planned for autoneses?
Or what will soon to be to be announced project, I suppose, will be the new name for now?
Yeah, the project formerly known as Autoneses.
One of the things that a longer term users of Autoneses will know this is that it's
the way it handles data. It basically uses a directory, structure as in a hierarchical database.
That doesn't scale very well. I found that out through trying it and by trying it,
it... Yeah, if you really have, we have projects now at my employer where we have
what we have two years of live vulnerability scans in there and it just grind it to hold.
So obviously you need to add a database layer below it. So for now that will be my SQL.
So that's on the engine side. It will be a complete rewrite in the sense that I will be going
through every single bit of code that's currently in the air to see if it's still got value.
There's things that could have done better and then port that into the new project.
And thirdly, well, obviously support for new scanners.
One of the big scanners I forgot to mention is manual findings.
One of the lessons I also learned again just a week ago was I did some scanning and I found
cross-site scripting and I looked at the plugin and fair enough everything I put in there was being
echoed perfectly and then I got in manually and tried to exploit it and it turned out it wasn't
exploitable because it was in a string between quotes and every quote I tried to put in was nicely
escape. So really ideally you want to capture that evidence and put that in as a manual finding.
To sort of say, okay, this is not a vulnerability.
The other thing that I found hard in working with the current version of Autonases is tracking
which finding belongs to which issue. So to take a simple example, if you leave your exact
version numbers on in your HTTP header that sort of gets put into your face by NASA's on
the web server identification, the operating system identification, the NICTEL plugin,
and probably two more. And ideally you want to be able to link those three findings all to a
single issue saying we've configured the web server wrong. So really transform it more into a
platform that helps you write your vulnerability report all month. It's kind of like a framework
for RC reporting in a more unified manner almost isn't it? Yeah, well I found myself doing after
after a time is even when I did a single single open fast scan, I would actually instead of looking
at it through the native GUI, take the output and because I know the system, I know how to import
that into the database, import it into the database, and then work it as if it was the first
Autonases run for that infrastructure because it's just easier to take off what you've already had.
But yeah, once you start working with it and findings come and go, it's sort of hard to keep
track of, okay, I have this finding which issue does it belong to? Let me comment field helps,
but it's not ideal. Okay, um, when are you, what version are you sitting at at the moment
or Autonases? I'm showing you. A tricky question, but luckily I've got this laptop on mine
and my lap, I think the most current version is one three,
let's look at that download side. One three two is the current version. One three two. Yeah,
and then if you want to get daring, one three three, yes, in CVS repository, then you're absolutely
crazy. Yeah, and I'm not sure what changed there. I don't know off the top of my head,
what bugs I fixed then, but not release yet. I don't think it's many.
And with your, with your kind of rewrite and the database stuff coming into that,
will that just be a, basically a straight version change or what's your name and
what's your number convention really for the project as well as asking when you be going into
with it, with it being looked into again when you be moving to like 2.0 or will it still be
in 1.4 or all? Or originally this would be 2.0 because it's really, really a new,
really a new creature almost. It's got a different, it's got a different
trunk in the CVS repository as well. There's already actually code in there, so if people are
interested, it's no way near a runable state yet, but there's already code in there and data model.
So, have people can see what's coming? Awesome. So, just to recap on everything we said,
just there, Autonessis is looking for a new name. Anyone can send you suggestions and
we'll find out on the 19th or 18th of November, and whoever wins the name suggestion,
obviously gives you full permission to use it. It will be part of your project and so on and
so forth and win a bottle of champagne. They can send you suggestions in lots of different ways
like Twitter or going to the Autonessis site and either using your contact form or sending
an email at suggestionsatautonessis.com. Is there anything that you've got some version
changing coming on soon as well? Is there anything I've missed in those recap front?
No, not in the recap. There's one thing we have to discuss yet. I did get some IDs in already,
which are maybe nice to share here, and I'll be sharing them in that blog post as well.
Let's see how it works. What's been good so far, man?
Well, one that's a bit cheeky, but also a bit in the GNU style is
and Autonessis is not necessary. Also, the suggestion that I unfortunately can't use is
scanner, SCANNR, because the domain name is already taken by somebody. Autonessant by Christian
Riley. Avid scanner. It's a good one. Automated vulnerability identification and discovery scanner.
Okay. Our friend Ethical Hacker sent in Autosacman.
AZ, AI-SY, MI Secure app. I thought that was a great suggestion as well.
Yeah, there's quite a couple of good ones as well.
Also, there's a movie out about the rename. If you go to tinyurl.com slash rename movie or
onward, that should be nice to watch as well.
You're on the viral market in train now.
Well, I do talk to a marketing lady at the office every now and then.
Now, basically, what's parked me as I saw somebody tweeting about an extra
normal movie that was made with extranormal.com. I thought it was a nice concept, so I decided to
create my own. And where can I get it? No. Where can people find that again?
tinyurl.com slash rename movie. Awesome. And Frank, just touching off this, I know myself that people,
you're happy for people to follow you on Twitter and they can find you on Autonessis with twitter.com
forward slash Autonessis. You blog quite a bit as well. You blog, you've got a blog at Autonessis
70 and you've got a blog at copfire. Am I right?
Yeah, there's Autonessis news get blogged via Autonessis.com. There's also details about
what's still known now as Autonessis 2. And then, many of my colleagues at work,
we blog for copfire.net as well. Awesome. Frank, is there anything else that you'd like to
talk about while I've got you on the line? No, I think this is about wraps it up.
Really looking forward to doing presentations on confidence and security tube comp
about Autonessis and announcing the name at confidence in wash out.
And so you've seen, I've blended something every time I speak to you, Frank. Are you doing stuff
to secure the cyber security con through security tube as well, are you?
Yeah, I've also submitted, we'll be doing an Autonessis presentation there as well.
Awesome. You can count me on, you can count me for watching that and being part of that definitely.
For people that may have not heard of this before, there's a very good say that I've constantly
mentioned on the show called securitytube.net. They're having their first, I think it is the first
security conference being held in cyberspace. So open to everyone and kind of with the tagline,
you know, if you can't travel, it's fine as long as you've got an internet connection.
And I didn't realise that you were doing some Autonessis stuff there. So awesome, brilliant.
All that's really left for me to do is to thank my guest, Frank, and especially for letting me
Yes, again, monopolise some of its time, but I thought that the HBR would love the opportunity
to find out more about your project, plus the chance to maybe get involved in the renaming process.
So, Frank, as I said, thank you very much for joining us.
Pleasure to all mine.
And also, thank you very much at home for listening to Hacker Public Radio.
If you want to get involved in Hacker Public Radio, one of the best ways that you can help
is to help produce shows. You can produce shows on lots of different stuff. You can speak to
your friends who do open source projects or all sorts of projects. Talk about a TV series that you
may have seen or a technical how-to guide. There's lots of things that you can do episodes on
and Hacker Public Radio is all about the community getting involved and making their own episodes.
So, if you want to do an episode, you can do all sorts of stuff.
If you produce a show, if you contact either Enigma or Klaatu, and they can be found at Hacker
Public Radio.org, there's some contact details up there, and they can help you get your show out.
So, once again, I would like to thank Frank, and I would like to thank the HBR listeners,
and I'll catch you the next time on Hacker Public Radio.
Thank you for listening to Hacker Public Radio. HBR is sponsored by caro.net,
so head on over to C-A-R-O dot N-T for all of us here.
Reference in New Issue View Git Blame Copy Permalink