Coding 101 29
Shannon Morse: On this week’s episode of Coding 101, Raphael Mudge, security expert extraordinaire and guy who programs things and stuff for hackers.
Netcasts you love, from people you trust. This is TWiT! Bandwidth for Coding 101 is provided by Cachefly; at C-A-C-H-E-F-L-Y dot com.
Fr. Robert Ballecer, SJ: This episode of Coding 101 is brought to you by Lynda dot com; learn what you want, when you want, with access to over twenty seven hundred high quality online courses, all for one low monthly price. To try it free for seven days, go to Lynda dot com slash C one zero one; that’s L-Y-N-D-A dot com slash C one zero one.
Welcome to Coding 101, it’s the TWiT show where we let you in on the wonderful world of the code monkey; I’m Father Robert Ballecer.
Shannon: And I’m Shannon Morse. And for the next thirty minutes we’re going to get you all coded up and everything you need to know about a security expert.
Fr. Robert: That’s right folks; this is one of our wild card episodes. You may remember that we have done this before, where in between our eight week modules, we take a break to actually talk to someone who programs for a living. The idea behind this is to show you what can happen to you if you take these lessons to heart. So without further ado, we welcome our security expert, my security guru, Mister Raphael Mudge, the Armitage Hacker; he’s a pen tester. Raphael, can you tell the folks where they can find you?
Raphael Mudge: Sure, yeah, hi. I’m Raphie; Raphael. And you can learn a little bit about the work I do, I actually develop software to hack into systems to test their security, and you can learn about that at www dot advanced pen test dot com.
Fr. Robert: Okay, now we’re going to back up, we got the plug in. Now what we actually wanted to do is talk about you, because I know the work that you do and Snubbs knows the work that you do, because you have worked with her on her show as well, just as well as you have worked on mine. But your specialty is interesting. You go beyond white hat, black hat, gray hat; you’re a guy who programs who happens to know security really, really well. Can you tell us a little bit about your background?
Raphael: Oh sure, okay, so, what’s the best place to start? I always say I’m a developer first, and everything I have or do is because I like to program, and I happen to be working in the security space, and I have my own company now, but I was active duty Air Force, before, for four years…
Shannon: Thank you for your service, sir.
Raphael: Thank you very much, Snubbs, it was definitely a labor of love. I bleed blue, as they say.
Raphael: And… Yeah! Very nice! So, by the way, see this beard? This is what happens if you apply all the coding lessons. You will grow a nice, fluffy beard.
Shannon: You do, you have a coding beard. I just shaved mine, so I’m very, very clean shaven.
Raphael: It looks nice.
Shannon: Yeah. He just shaved his too. But thank you, your beard is awesome.
Fr. Robert: I can’t grow a beard.
Raphael: Thank you. So, yeah, anyway, back to the question. My background: so I was active duty Air Force, I worked as a researcher for the Air Force, in Cyber Operations, and this is one Padre might not know about me: when I left the Air Force, I invented a spelling and grammar checker, After the Deadline. And I sold it to a guy named Matt Mullenweg, who created WordPress.
Shannon: Oh, that’s awesome.
Raphael: Yeah, so if you have a WordPress dot com blog, and you go check your spelling or grammar, you’re actually using my software right now to do that.
Fr. Robert: There’s always a little piece of you in there. I like that.
Raphael: Oh, yeah, After the Deadline’s me.
Shannon: It’s a small world. Cool.
Raphael: I’m a grammar checker, a grammar teacher, to millions of people all over the world. Those are my programming efforts.
Shannon: So when did you actually learn programming; was it before you got into the Air Force, or was it during the Air Force?
Raphael: It was in High School.
Raphael: I always wanted to be a journalist when I grew up, because I like writing, strangely enough; it helps.
Shannon: So how does journalism turn into programming?
Raphael: Oh man, what is the best way to put it? So how does journalism turn into programming? Well, when I was a teenager, I spent a lot of time on internet relay chat, and that’s where I learned everything; hi, chat room, you’re doing a good thing for yourself; and I was always on IRC, I was a fourteen year old kid, didn’t know that was anything cool, and I wanted to learn C plus plus, because that’s what you needed to know if you were going to be a hacker, and I didn’t know that was something I wanted to be, I didn’t know that could become a career, because at that time, nobody thought of it that way. So I always thought that by default I would go and be a journalist. And I eventually just got more and more into computers, and that became my career, I guess, if that’s the way to put it.
Shannon: Why were you so interested in hacking at such a young age, though?
Raphael: What else do you do with computers?
Shannon: So you were a nerd at heart?
Raphael: Always. Oh, man, if I were to meet my fourteen year old self, my fourteen year old self I think would be like, “Nice beard, but you should shave.” No, I think my fourteen year old self would be really happy, between all the anime art with my product, and the hacking stuff. I just had a fascination with it, probably from; like you know it’s computers, like, oh, it’s a computer, what do you do with it? So I started doing what every kid does, and it’s like, you know there was no Google back then, and you know BBS is where it starts, so downloading files, chatting with people, and meeting other people my age and them saying, “hey, come look at this; hey, take a look at this text file on this floppy disk,” and stuff I shouldn’t be looking at, and it was really intriguing to me.
Fr. Robert: Raphael, what was your first computer?
Raphael: My first computer, my mom bought a Commodore One Twenty Eight at a garage sale, and it had a monochrome monitor, it couldn’t do graphics, could do text, and I would do some basic programming on that. But I didn’t see myself as a programmer, just did some stuff with BASIC. And then it was a Packard Bell, a Four Eighty Six DX Two. Nineteen ninety four.
Fr. Robert: Oh yes. Woo hoo. Back in the DX Series. So your first programming language would have been what, on this Four Eighty Six DX Two?
Raphael: You ready to laugh? And Shannon’s saying, “Oh I better laugh because it’s going to be funny.” You guys ever heard of mIRC?
Fr. Robert: Of course.
Raphael: mIRC chat. I keep forgetting, we have an IRC chat room for the show, right there.
Fr. Robert: Right there.
Raphael: I’m watching the room too, so, yeah, it was mIRC scripting. mIRC has a scripting language built into it, and I learned programming, or got really into mIRC scripting, when I was a teenager.
Shannon: That’s awesome.
Fr. Robert: Well now that you have progressed past mIRC scripting…
Raphael: Oh, come on, there is no progressing past it, that is the pinnacle…do not diss on mIRC scripting.
Fr. Robert: We know better than that. You are a programming expert; you have been doing this for a long time. Your knowledge encompasses many languages. But beyond mIRC scripting, do you have a favorite language? Do you have a language that you default to constantly?
Raphael: I have a very weird; yes, yes and no. I tend to believe in having three types of languages in your (unintelligible), really four. The first one, and I know from the chat room, Cool Breeze, LPS was not where I worked, that came out of Wright-Patterson, and that was the anti-tamper folks. So, a guy asked an Air Force question about their Lightweight Portable Security distribution, so I had to answer for that. Anyway, what should folks know? So for systems programming, I love programming in C, straight up C. And I do a lot more work in C now, which I really enjoy, it makes me happy. I think everyone should know a scripting language, and for me, that was Perl, back in the day. I really loved Perl. And now, I actually have all the stuff here with me, some books, I actually program in a language now called Sleep, which I wrote about ten years ago.
Fr. Robert: Whoa, whoa wait, wait, wait. You wrote a language?
Raphael: I did.
Fr. Robert: I had college roommates like you, who were like, “You know what? I don’t like any of these languages,”
Shannon: “I’m just going to write my own.”
Fr. Robert: Exactly. What made you write a new language?
Raphael: I wanted to learn. I learn by programming, actually.
Raphael: So, Snubbs, you’ll appreciate this: a lot of people know me for something called Armitage, right? Which is the front end for Metasploit that allows a team to collaborate. I wrote Armitage to learn Metasploit.
Raphael: Everything I do, I build stuff to learn. Programming to me is a tool to explore a problem.
Shannon: And Metasploit, for anyone that doesn’t know, it’s a pen testing program for hackers, basically.
Raphael: Yeah, it’s a great thing, it’s a great project.
Fr. Robert: You know, before we go any further, I’m thinking…
Fr. Robert: We know what you do, because we have worked with you in the past, but there is going to be a segment of our audience who, they don’t know anything about security, penetration tests, they don’t know anything about Metasploit, they don’t know anything about Cobalt Strike; tell them in the most basic terms you can think of, to someone who is just starting to code, what is it that you do? We know that you wrote a front end, for Metasploit…
Fr. Robert: And we know that you wrote your own language. But why; why do all of that for a framework like Metasploit? Why do all of that to write something like Cobalt Strike?
Raphael: Okay, sure. So, for those of you who aren’t familiar with Metasploit, let me tell you the basics of what that is. Hackers, to break into systems, one of the things we like to do is take advantage of mistakes other programmers have made, we call them vulnerabilities, and we use software called an exploit, which takes advantage of that hole, gives us access. And Metasploit is an open source collection of exploits written by many, many people. We’re talking hundreds, I’d have to say it has to be in the high hundreds of contributors, but I don’t know the exact number, it’s a big community, in terms of people who write modules. Now, Metasploit is great, but used by itself it’s kind of a pain to do a lot of, to work at scale, to do a bunch of targets, or even collaborate. So, I came along, and wrote a tool called Armitage, that’s open source, which allows a team of hackers to collaborate using Metasploit. So if you hack into a system, if Padre hacks into a system, Snubbs, Padre, and I, we can use that system at the same time. And that took off, it was a very successful project and I started my own company and I created a product called Cobalt Strike, and to really push the edge on some ideas I had about hacking and instead of building collaboration stuff, to focus on building new hacking tools that work with all this stuff. And that’s what I do for a living now, for the past couple years, actually.
Shannon: Now there is one question that I have for you and it involves the programming side, because one of the things that we have been teaching a lot is sanitizing your input, sanitizing your code whenever you do things. And this is because you have hackers in the world that can do different kinds of exploits. So what I want to know is, is there any kind of certain code flaw that you’ve run into a lot that you’ve exploited the most? Like, what is your favorite thing to exploit?
Raphael: Okay, so the question is; I’m so used to conference style; the question was, so what is my favorite exploit? So for me, philosophically, I actually prefer not to go after flaws, I prefer to abuse the way things work. That would make sense because I’m a programmer, right?
Shannon: Interesting. Yeah.
Raphael: I want to do things that work, because they are reliable. So in terms of getting access to a system, my favorite way to do it is through a way that we call “user driven attacks,” and that’s an attack that abuses a feature, but if the user follows through on that feature, it gives me the attacker code execution. Let me give you an example of a very simple, almost lame, user driven attack.
Shannon: Nothing is lame here.
Raphael: No, it’s fine. A favorite technique, and we’re talking even allegedly nation state actors do this, it’s silly, a favorite technique is to create an executable, and change its icon with a program called a resource editor to look like a document, okay? And send that to your target. And when the target sees that executable it thinks that it’s a document because it might be named “document dot PDF dot SCR;” and by the way, an SCR file is an executable, it’s just renamed; it’s a screensaver, you can just run it and it will work like a normal EXE. Anyway, if someone opens up that document, it runs your malware, and then in the background, it drops the document to disk and opens it up like nothing ever happened. And that’s an extremely common attack.
Shannon: That’s awesome.
Fr. Robert: That’s so weird because that’s like one of those attacks that should have become extinct long ago.
Shannon: Yeah, I think that’s how I got my first virus.
Fr. Robert: How many times do we tell people, “Don’t open attachments; don’t run documents.”
Shannon: “I thought it was a screensaver.”
Fr. Robert: Yeah, a screensaver. You know, when someone’s email is compromised, and it sends out a bulk email message to all the contacts saying, “Oh, this is a beautiful screensaver of puppies.”
Shannon: A pretty waterfall
Fr. Robert: Yeah.
Shannon: That’s what mine was. It was a waterfall, my dad got super mad at me, because I downloaded what I thought was a screensaver; it never worked, but I got a virus.
Fr. Robert: Is that the most consistent factor, would you say, still taking advantage of users doing user things rather than weaknesses in the code base itself?
Raphael: Yes, and especially more so now. Right now I’m doing a series for my own YouTube channel, where I’m going through these reports from different threat intelligence companies, and those are companies that look at intrusion sets, people who are actually stealing intellectual property, and write about how they do it, and on the most recent version of TWiET, we actually went through one of those where we looked at (?) and how they do things, with Security Onion, JJ; there’s a guy in the chat room, talking about how boss Security Onion is, great project, by the way. Anyway, one of the things I’m doing is going through these reports and reproducing those attacks. And I’m getting frustrated because so many reports of how these people steal intellectual property start with the executable as a fake document attack. And I’m like, “Come on guys, do something more creative than this, please, so I can demo it.” So I’m struggling to find other things but Java is a very common vector to try and get execution as well, good execution. And my personal favorite is to embed a macro into a Word document or Excel spreadsheet, because Word macros, they sound harmless, they can do anything that a native program can do. And that goes for Mac OS Ten too, by the way, not just Windows.
Fr. Robert: We’re speaking with Raphael Mudge, the Armitage Hacker, pen tester extraordinaire; he’s a security expert extraordinaire, who just happens to program. We’ll be right back, we’re going to talk to him a little about the inspiration he finds when he looks for these exploits. But before we do that I thought we should take a break and talk a little bit about our first sponsor: that’s Lynda dot com.
Fr. Robert: Yeah, I love them.
Shannon: I love Lynda.
Fr. Robert: Now Lynda is your one stop shop for online knowledge. Anytime you need to know something about anything you’re probably going to find it on Lynda dot com. They’re not just about technology, they’re not just about programming, or about computers, you’ll find a wide variety of topics on Lynda dot com because that’s what they do. They want to be the place that you go to find your reference, to find your training. Now Lynda dot com helps you to learn and keep up to date with your software, to pick up brand new skills and explore new hobbies with these easy to follow videos that you see up on screen. Whether you want to master the fundamentals of programming, learn a new programming language like Python or design and develop engaging websites, Lynda dot com offers thousands of courses in a variety of topics. Lynda dot com recently released their new iPhone and iPad app for iOS seven, and they enhanced their Android app to provide Chromecast support, which means you have more options to watch their content. The iOS app includes a more visual intuitive interface, and both new apps offer off-line courses and video viewing, which makes it easy and convenient to learn even in environments that don’t have internet access. Lynda dot com users can move seamlessly between mobile and desktop applications, that’s one of the things I really like because it means you can start on your desktop and move to your tablet, then maybe drop over to your phone, and then back over to your laptop. Now what I have seen over the last couple of weeks is that I’ve seen Lynda really up their game, they have new courses that include things like the Android Essential Training, The Creating Mobile Games with Unity Program, the WordPress Developer Tips, and much, much more.
We’ve been using Lynda here at TWiT for a while, especially since we have been making the move over to Premiere, our editors have all worked Final Cut Pro, so Lynda dot com was an invaluable site for them to either remember the things that they used to do on Premiere and they forgot when they moved to Final Cut, or to learn it all anew, and that’s one of the things I love about Lynda which is with their transcripts, it means that you don’t have to watch an entire lesson to find that one nugget. For example, if you want to know, “how do I do chroma key in Premiere?” you would type chroma key and it would direct you to the exact time code, the place that will show you the technique within Premiere, that’s just invaluable. It’s one of the tools that Lynda dot com offers as part of the package. They have over twenty seven hundred courses, with more added weekly. And all Lynda dot com courses are produced at the highest quality, not like homemade videos on YouTube, and we’re not knocking those YouTube videos, you know that’s how most of us here at TWiT started, but sometimes you want professional video done right, with good lighting and good audio, with good angles, with someone who knows how to work a camera, and that’s what Lynda does, it gets all that other distraction out of the way and gives you pure knowledge in a way that you want to learn. Lynda dot com works with software companies to provide you updated training the same day the new versions hit the street. That means that you will always have the very latest skills, and their instructors are accomplished professionals at the top of their fields, and they are passionate about teaching. It all shows through in their videos. Whether you have fifty minutes or fifty hours, Lynda dot com has the course for you. Beginner, intermediate or advanced, you know that they will have the knowledge you are looking for.
Lynda dot com also offers certificates of completion when you finish a course, which you can publish to your LinkedIn profile, which is great if you are a professional in the field and you want potential employers to know what you have trained in. So here is what we want you to do: We want you to try Lynda dot com for all your knowledge needs. It’s only twenty five dollars a month for access to all of the Lynda dot com course library, or for thirty seven fifty a month you can subscribe to the premium plan, which includes exercise files that let you follow along with the instructor’s project, using the exact same project that they do. You can try Lynda dot com right now with a free seven day trial; visit Lynda dot com slash c one zero one to access the entire library. That’s over twenty seven hundred courses free for seven days. That’s L-Y-N-D-A dot com slash c one zero one. And we thank Lynda for the support of Coding 101. Raphael, getting back to you, my friend, one of the questions that I have for you is; I’m sorry, I’m getting a wave-off; I’m getting hits, okay, you can put a bug here. Thank you, that’s going to scare Josh. Okay. I’m going to come back to my question. Raphael, one of the questions that I have had is where do you get the inspiration for looking for these exploits? Because I’d say it’s this weird combination. You need to be a good programmer, because you need to know where they probably put the flaws in their code, or you need to know where they put the flaws in their process, which I think is what you go after, but you also need to have sort of the trollish glee of finding something wrong, finding something unique that only you would know about.
Shannon: Are you calling Mudge a troll?
Fr. Robert: In the best possible way; Mudge is a great troll. But Raphael, how do those things come together in your mind?
Raphael: Okay, sure. So, why is Twitter successful? This does relate to your question. Why is it easy to write on Twitter; or to write a Tweet?
Shannon: They make it easy for consumers. They just simplified it, it’s very simple.
Raphael: There is one other reason, too.
Shannon: It’s pretty?
Fr. Robert: Yes, it’s attractive.
Raphael: One hundred and forty four.
Fr. Robert: Also short.
Shannon: Oh, yeah. It’s very short.
Raphael: One hundred and forty four characters. Okay. So, with Twitter, one of the reasons it is so popular is because of constraint. Everybody is given this default constraint to work with; one hundred and forty four characters; and you are allowed to be creative within that space. And I see hacking a lot like that. Sometimes I will find folks will try to pick something, anything, in this big universe of all possible things to do, when what will really make you successful as a hacker is narrowing in and focusing on something. Let me give you an example from my own experience when I was doing production red teaming, I do a lot of exercise and support now, but I had just done a reconnaissance shot against my target and what I did was, I sent a web application, or sent a link to a web application, to a few people in this organization. And those people clicked, it was a LinkedIn invitation, and it came to my server, and my web application discovered all this information about their systems, and then sent them on to LinkedIn dot com like nothing ever happened. And what that gave me was a constraint. It gave me: here is what my target has, these are the things running on their system. And now, when I had to come up with an attack, it wasn’t, okay, let me pick something cool that is random, it’s I need to sit here in this box I’ve been put into, and come up with something that’s going to work here. And for me, I find when I have good constraints, good assumptions, good things that narrow what I have to do, that’s where the magic really happens, because I can be creative within that space, and there’s not that much room to spin out of control and end up in a lot of different directions.
Shannon: So you like to constrain yourself when it comes to programming?
Raphael: Absolutely. I like to constrain myself when it comes to programming, and attacking something, finding the problem and putting it to use. And constraint is a beautiful, beautiful thing, and that’s what reconnaissance gives you, it gives you constraints, so you know what the reality of what you’re dealing with is.
Shannon: That’s really interesting. You know it kind of makes me think of, in a lot of programming, you have constraints that you have to deal with; you are restrained to the rules of different programming languages and each one is so different, you have to stay within those rules to make your program work. So I totally get that.
Fr. Robert: Yeah, and I guess reconnaissance, or what Mudge does, he reconnoiters a particular system, he’s looking at the constraints that they work with, because that’s going to necessarily affect the way that the programmers work to both code and guide the process of data through the system. I’ve never thought about that but, yeah, I guess…
Shannon: It totally makes sense.
Fr. Robert: It really makes sense; that’s how you hunt for vulnerabilities.
Shannon: That’s why we have experts on the show. Now I have another question for you:
Shannon: Programming is awesome! And I get super excited whenever things work! But what was your “aha” moment? What was the moment when you were just like, “Yes, complete!”
Raphael: Oh wow. Okay, so, I have to tell you this: nobody believes me because I do so much programming now.
Shannon: I’ll believe you.
Raphael: When I was in high school, make no mistake about it, I did not know how a program would come together, like a bigger thing; I told you I could do the scripting, with like mIRC chat, but I could not put together in my head what it would become, like how to build or architect an application, I just didn’t know how to do this. Now I would actually in a way, I remember dreaming about what that would be like, to imagine something and create it, and I know I wanted that. And I want to say that one of the big “aha” moments for me, this sounds funny, is when I learned Perl. Because Perl gave me the ability to do a lot of things very quickly, and I just started to explore and spread my wings, and being able to do CGI scripts, so I can actually do web applications, if you will, allowed me to go beyond with that knowledge and start doing more with it. So I always consider Perl the first language which I became very strong with, and I owe it a deep debt of gratitude because it really gave me so much joy.
Fr. Robert: Raphael, I want to ask you this: it sounds as if a lot of your programming training came out of just your passion; you found a language, you liked it, you learned it, and you used it to do something with it. There is another group of people who have formal training in all of the languages that they have done, and by formal training I mean in a formal setting, either in a university, or in some sort of educational environment, who would look at that sort of training and they would say, “well, no, you just didn’t learn it right, that’s not the way you’re supposed to program, that’s not the way you’re supposed to think.” What would be your take away? I mean, both sides are valid, but why did you go down that one path rather than the other?
Raphael: Okay sure. So I kind of have, am familiar with having my foot in both worlds, I am a computer scientist and I have a bachelor’s and a master’s in it as well, so I have gone down the formal path as well, and as you know from my research background I have worked in a very formal, academic-ish environment, doing research. And that’s the way I look at it: research. Sorry, I’m just laughing at myself on Skype. I have to tell you though, I don’t see anything special about the quote unquote formal way. I think formal; and I butt heads with colleagues over this; I see the formal thing as a way of trying to capture the experience of very experienced people. So if you are a self-taught person, you have a lot of experience, you are probably going to do a lot of the things the formal way, the way people who believe in different kinds of methodologies are doing it, naturally, because you have stumbled on what works and what doesn’t, you’re going to gravitate away from what doesn’t work. So the formal method is different, but the formal way of doing programming, all these methodologies, it can work to help keep people on the same page and help an effort from getting out of control, keep people from making silly mistakes. So there is merit to that too, and one thing that I actually want to, I have it here, it’s along these lines…
Shannon: Show and tell
Raphael: Show and tell. If you ever get a chance, one of the people who have written best about this kind of thing is a guy named Joel Spolsky, and I am a really big Joel Spolsky fan, and he’s got this great book, it’s a little bit older now, but completely relevant, all of it, it’s called Joel on Software and in it he gives his philosophy: be formal enough to not get in the way, but still keep a team glued together, and he’s a great balance between those two worlds.
Fr. Robert: Nice, nice. I do want to ask you to maybe delve into something that you can or cannot talk about; I’ll leave it up to you. I know you have done a lot of red on blue exercises. Can you talk about what that is, where you do it and why you do it?
Raphael: Let’s see here.
Shannon: What is red on blue?
Raphael: I can talk about the ones I talk about. Well it’s kind of a funny thing. So, I do actually, I provide a lot of exercise support. There is one, just so you don’t think I’m being too dodgy, the after action report for the exercise I was in will come out in August, and it was a very big one. I was professional blue team, military blue team.
Fr. Robert: Before we go any further, can you tell us what a red on blue exercise is?
Raphael: Oh sure. A red team is, in an exercise, like a simulated cyber war, an exercise where you have a bad guy, usually the red team, and their job is to simulate a credible threat for people who are learning, or are training to defend networks, and we call those people blue teams. And I provide a lot of support to those kinds of events, and one of the ones I most publicly do is the Collegiate Cyber Defense Competition, and that’s actually with college students as blue teams and that is done on a volunteer basis. I have been doing that since 2008.
Fr. Robert: Does it take more experience to be on red team or blue team? Or is it about the same?
Raphael: That’s a good question. So usually you have, usually the training audience is the blue team, okay, but in my opinion, it takes a lot more skill to be a really good blue teamer than it does to be a decent red teamer. So good red teamers are usually very highly skilled, but we can get a lot out of a junior red teamer, where on the blue team, if you’re going to be successful as a blue team, you really need a lot of skill. It’s a very, very hard job.
Fr. Robert: Yeah, I would be thinking as a trainee, I would hate to be on the blue team because it seems like the blue team would always be getting its butt kicked, especially if you have a bunch of newbies.
Raphael: Oh, they do, always. That’s part of the fun.
Shannon: That’s part of the training, correct?
Raphael: Of course, training, we’ll call it training.
Shannon: The training.
Raphael: You know what the trick is to that, though; in that kind of scenario and that even goes into penetration testing? The trick is good client management. Like me, as an offensive professional, I do offensive work, it’s very important to, what’s the word, it’s very important to have good client management skills, and what I mean by that is make sure you never come across as adversarial or disrespectful to the people you are essentially working with.
Shannon: I absolutely agree with you. You know there have been a lot of times I have been to Hacker Cons, or to different clubs or whatnot, and people do, they kind of look down on you if you don’t understand everything that they are talking about. And I’m one to question everything so they always look down on me. Except for you, Mudge, except for you.
Raphael: Thank you, I try. Well, it’s because I’m learning too.
Shannon: That’s how I feel. We’re all learning, so we all have to ask the question that the person who is too shy to ask won’t ask.
Raphael: You know what keeps me in check, though?
Raphael: This is going to sound funny, but to my girlfriend, all this stuff I go and do, like going out in the hacker community, going to conferences and all that, she’s not a technical person so all this stuff is not that cool to her, and everything I’m doing is one step above pick your fringe, alternate interest here, because I think anything is cool. I’m that guy, you know, so I’m all for it but to her it’s just as cool as if I was going to Star Trek conventions or Star Wars conventions and speaking. It’s like, okay, I used to bartend, you go do that. And that mildly keeps me in check, I think. If I go to a dinner party with her friends, they’re going to be like, oh, that’s interesting, what you do, but overall it’s more curiosity than oh my god that’s so cool.
Fr. Robert: Now, Raphael, we have to ask this, because we are Coding 101, because we teach beginning programmers how to get into this, because we want to get people excited about programming.
Raphael: Sure, Sure.
Fr. Robert: Let me ask you in two parts. The first part is, what advice would you give to a beginning programmer when he or she is just starting out, to make their code more secure? What do you think is one of the biggest mistakes they will make that they will regret once their code base starts getting attacked?
Raphael: Okay so the biggest mistake, in terms of security side that a novice programmer will make is putting their code on the internet.
Shannon: Oh that is so true.
Fr. Robert: You just, okay. The gauntlet has been thrown.
Shannon: So don’t open source your stuff before you know that it’s secure.
Fr. Robert: But wait a minute, I thought open source was always supposed to be good? What?
Raphael: Open source is fine. It depends on who is looking at it.
Fr. Robert: Okay, so you are telling your novice programmers, don’t ever let anyone look at your stuff?
Raphael: No! What I’m saying is…
Shannon: We’ve been telling everyone to share it on the Google Plus Community.
Fr. Robert: NO, no. I’m sorry.
Raphael: No, what I’m saying is one: don’t put your new, novice code in production on an internet server that has data people care about, that’s for one. Two: I recommend getting familiar with the best practices of something. Because let me give you an example: PHP is a good example. PHP, years ago, there was a lot of example code on how to do a SQL query, right? And it would just be like, Hey, concatenate this stuff together into a string and pass it to this function, and voila! There is your SQL query. And that was the way to do it. And that community as a whole didn’t understand the risk of SQL injection. And now, newer material always takes that into account. So be aware of the maturity of security practices in terms of what kind of framework or project you are working in. And along those lines, you guys just finished a Perl module, right? Eight lessons on Perl?
Fr. Robert: Yeah, that was today. Oh, no, that was last week.
Shannon: That was last week.
Fr. Robert: That was last week we finished; in the time machine.
Raphael: So, Perl. When I was doing Perl in the late nineties, I was writing web applications in Perl, and I didn’t think about command injection, I didn’t think about all these different ways somebody could hack my application. I guarantee, just about everything I wrote, including an e-commerce site in 2000, was Swiss cheese, and just ripe for being broken into. Why? Because as a whole community of programmers, we just didn’t understand best practices. And I think awareness of that is different today, in 2014, or should I say 2015, when this airs?
Fr. Robert: Alright, Raphael, the other side of that question is: if you were giving lessons to a novice, and trying to encourage him or her in the field of programming, and they showed an inclination towards security work, what advice would you give them? What should they look at? What should they read? What should they watch?
Shannon: Our show, obviously.
Fr. Robert: Yes, and your talks, obviously.
Raphael: Okay, so someone who had inclination for programming, and they’re really interested in security, what would I steer them towards? Okay, well first, security is really broad, so it’s going to depend on what their interests are. But let’s say they tend towards more systems stuff. They like digging into the operating system, digging into ways that can be abused. I would steer them towards learning a systems language really well, and learning how to interact with the operating system. So I would steer them towards, hey, learn C, okay? And dig as deep into that, actually have a project, have something in mind you want to produce, because it’s very easy to passively take in a lot of things to read on stuff, but until, like for me, unless I go do it, I know I don’t actually pick it up, I don’t actually internalize it. And so for anyone learning programming, security or not, I would always steer them towards have a project.
Fr. Robert: Be project orientated. I think that’s actually incredibly good advice because again, that gives you the constraints, it gives you something to focus on. That’s fantastic. Raphael Mudge, we want to thank you for being on this episode of Coding 101, on this wild card episode. It’s always nice to speak with people who are actually doing this for a living because it’s a different point of view from just showing off code. You’re someone who has actually taken this and made quite a name for himself. Once more, can you please tell our audience where they can find you, where they can find your work and maybe where they can find your speaking schedule? So they can check out your next talk.
Raphael: Sure. Okay, so if you want to find my grammar checker, go to www dot after the deadline dot com. See? I had to throw a curve ball in there. So if you want to learn about what I’m doing in the hacker community now, go to, see, there’s After the Deadline, that’s mine. Go to www dot advanced pen test dot com, and that’s Cobalt Strike, and you can check out my blog at blog dot cobalt strike dot com, and that’s where I tend to write something about what I’m doing and when I plan to give talks, I usually put a plug there as well. So yeah, that’s pretty much what I’m up to now.
Fr. Robert: What’s next? When will your next big conference be? I know you’ll be at Black Hat, I know you’ll be at Def Con, but what’s after that?
Raphael: At Black Hat, actually, I’m going to be in something called the Arsenal, which is an area for open source developers to talk about stuff. And I’m releasing a project next week, something brand new, designed for novice hackers to learn how to do spear phishing and targeted attacks.
Raphael: It’s a virtual machine called Morning Catch, it’s really fun, it’s like a fake fishing company.
Shannon: Is this the first time you’ve told us?
Raphael: Yeah I haven’t told anybody about it yet.
Fr. Robert: Will this thing be ready to demo at Black Hat?
Raphael: Yeah, oh yeah, it’s ready to go now.
Fr. Robert: Can I film you at Black Hat?
Shannon: Can I film you at Black Hat?
Raphael: Yeah, absolutely.
Raphael: We’ll rent a room and make a little studio, all that good stuff.
Shannon: Awesome, dude, congratulations.
Raphael: Well yeah, it’s something fun. I like to keep putting stuff out into the community I think that’s really important to do.
Shannon: I agree.
Fr. Robert: Fantastic. It’s always a pleasure to talk to you, Raphael, no matter what show you’re on, be it TWiET, Hak5, or now Coding 101. We will; I’m going to tap you on the shoulder for a future project, something we want to do with Coding 101. We want to do something a little sinister.
Raphael: Ooh, I like sinister.
Fr. Robert: But legal, totally legal.
Raphael: Oh, well, aww boo. We’re not doing it. I mean, yes. Be cool, follow the rules, look both ways when you cross the street, eat your vegetables and brush your teeth.
Fr. Robert: Thank you for joining us so late at night. I know it’s really late, what is it, ten o’clock, eleven o’clock where you are? No, it’s midnight.
Raphael: It’s midnight. I’m slap happy man, I haven’t slept this week, that’s why I feel so crazy.
Fr. Robert: I hate to tell you this but you’re not sleeping next week either.
Raphael: No, I know.
Fr. Robert: I’ll see you in Las Vegas, I’ll take you out to some sushi, how about that?
Raphael: I’d love it.
Fr. Robert: Fantastic. Raphael Mudge, again, find him at his website, find him on his Twitter account: Armitage Hacker, and definitely find him at Black Hat and Def Con. Well that’s about it for this episode of Coding 101. We want to thank you for joining us for this wild card episode; we will be back next week, in the time machine, with another wild card episode, where we talk about another programming language.
Shannon: It’s called a TARDIS, it’s called a TARDIS.
Fr. Robert: It’s called a TARDIS. But Shannon, if they wanted to find out a little more about our show, where should they go?
Shannon: If you want to find out more about Mudge, or about the show, or find our show notes and all of our coding, you can find that over at TWiT dot TV slash coding one zero one.
Fr. Robert: That’s right, and also, you have to join our G Plus group.
Fr. Robert: Just search for Coding 101. You’re going to find it. It’s a nice place to go if you’re a beginner, if you’re intermediate, if you’re an expert programmer because there’s always a need for all of you. Every time someone asks a question in that community it spreads knowledge, and we’re all about spreading the knowledge. Now if you don’t like Google Plus you can also find us on Twitter, you can find me at Twitter dot com slash Padre SJ, that’s at Padre SJ.
Shannon: Yup. And I am at Snubbs. That’s at Snubbs.
Fr. Robert: At Snubbs. And don’t forget that this show goes live, well most weeks this show goes live; you can find us two thirty PM on Thursdays, that’s Pacific Time.
Shannon: One thirty!
Fr. Robert: I’m sorry, one thirty PM, it’s late. One thirty PM Pacific time on Thursdays at live dot TWiT dot TV. And as long as they’re there…
Shannon: And…yeah we have a chat room going, we read it throughout the show, so if you guys have any questions, or we accidentally skip over something while we’re showing you guys a certain programming language, definitely ask it in the chat room, in IRC. And that is over at IRC dot TWiT dot TV.
Fr. Robert: Absolutely. Until next time, it’s been an absolute pleasure to spend some geek quality time with all you out in the internets.
Shannon: I agree.
Fr. Robert: Until next time, I’m Father Robert Ballecer.
Shannon: I’m Shannon Morse.
Fr. Robert: End of line!
Shannon: End of line.