Coding 101 29 (Transcript)
Shannon Morse: On this week’s episode of Coding 101, Raphael Mudge,
security expert extraordinaire and guy who programs things and stuff for
hackers.
Netcasts you love,
from people you trust. This is TWiT! Bandwidth for
Coding 101 is provided by Cachefly; at
C-A-C-H-E-F-L-Y dot com.
Fr.
Robert Ballecer, SJ: This
episode of Coding 101 is brought to you by Lynda dot com; learn what you want,
when you want, with access to over twenty seven hundred high quality online
courses, all for one low monthly price. To try it free for seven days, go to
Lynda dot com slash C one zero one; that’s L-Y-N-D-A dot com slash C one zero
one.
Welcome to Coding 101, it’s the TWiT
show where we let you into the wonderful world of the code monkey; I’m Father
Robert Ballecer.
Shannon: And I’m
Shannon Morse. And for the next thirty minutes we’re going to get you all coded
up and everything you need to know about a security expert.
Fr.
Robert: That’s right folks; this is one of our wild card episodes. You may
remember that we have done this before, where in between our eight week
modules, we take a break to actually talk to someone who programs for a living.
The idea behind this is to show you what can happen to you if you take these
lessons to heart. So without further ado, we welcome our security expert, my
security guru, Mister Raphael Mudge, the Armitage Hacker; he’s a pen tester. Raphael,
can you tell the folks where they can find you?
Raphael Mudge: Sure, yeah, Hi. I’m Raphie;
Raphael. And you can learn a little bit about the work I do, I actually develop
software to hack into systems to test their security, and you can learn about
that at www dot advanced pen test dot com.
Fr.
Robert: Okay, now we’re going to back up, we got the plug in. Now what we
actually wanted to do is talk about you, because I know the work that you do
and Snubbs knows the work that you do, because you
have worked with her on her show as well, just as well as you have worked on
mine. But your specialty is interesting. You go beyond white hat, black hat,
gray hat; you’re a guy who programs who happens to know security really,
really well. Can you tell us a little bit about your background?
Raphael: Oh sure, okay,
so, what’s the best place to start? I always say I’m a developer first, and
everything I have or do is because I like to program, and I happen to be
working in the security space, and I have my own company now, but I was active
duty Air Force, before, for four years…
Shannon: Thank you
for your service, sir.
Raphael: Thank you
very much, Snubbs, it was definitely a labor of love.
I bleed blue, as they say.
Shannon: Yea!
Raphael: And… Yeah! Very nice! So, by the way, see
this beard? This is what happens if you apply all the coding lessons. You will
grow a nice, fluffy beard.
Shannon: You, do,
you have a coding beard. I just shaved mine, so I’m very, very clean shaven.
Raphael: It looks
nice.
Shannon: Yeah. He
just shaved his too. But thank you, your beard is awesome.
Fr.
Robert: I can’t grow a beard.
Raphael: Thank you.
So, yeah, anyway, back to the question. My background: so I was active duty Air
Force, I worked as a researcher for the Air Force, in Cyber Operations, and
this is one Padre might not know about me: when I left the Air Force, I
invented a spelling and grammar checker after the deadline. And I sold it to a
guy named Matt Mullenweg, who created WordPress.
Shannon: Oh, that’s
awesome.
Raphael: Yeah, so
if you have a WordPress dot com blog, and you go check your spelling or
grammar, you’re actually using my software right now
to do that.
Fr.
Robert: There’s always a little piece of you in there. I like that.
Raphael: Oh, yeah,
after the deadlines meet.
Shannon: It’s a small
world. Cool.
Raphael: I’m a
grammar checker, a grammar teacher, to millions of people all over the world.
Those are my programming efforts.
Shannon: So when
did you actually learn programming; was it before you got into the Air force,
or was it during the Air Force?
Raphael: It was in
High School.
Shannon: Okay.
Raphael: I always
wanted to be a journalist when I grew up, because I like writing, strangely
enough; it helps.
Shannon: So how does journalism turn into programming?
Raphael: Oh man, what
is the best way to put it? So how does journalism turn into programming? Well,
when I was a teenager, I spent a lot of time on internet relay chat, and that’s
where I learned everything; hi, chat room, you’re doing a good thing for
yourself; and I was always on IRC, I was a fourteen year old kid, didn’t know
that was anything cool, and I wanted to learn C plus plus,
because that’s what you needed to know if you were going to be a hacker, and I
didn’t know that was something I wanted to be, I didn’t know that could become
a career, because at that time, nobody thought of it that way. So I always
thought that by default I would go and be a journalist. And I eventually just
got more and more into computers, and that became my career, I guess, if that’s the way to put it.
Shannon: Why were
you so interested in hacking at such a young age, though?
Raphael: What else
do you do with computers?
Shannon: So you
were a nerd at heart?
Raphael: Always.
Oh, man, if I were to meet my fourteen year old self, my fourteen year old self
I think would be like, “Nice beard, but you should shave.” No, I think my
fourteen year old self would be really happy, between all the anime art with my
product, and the hacking stuff. I just had a fascination with it, probably
from; like you know it’s computers, like, oh, it’s a computer, what do you do with it? So I started doing what every kid
does, and it’s like, you know there was no Google back then, and you know BBS
is where it starts, so downloading files, chatting with people, and meeting
other people my age and them saying, “hey come look at this; hey take a look at
this at this text file on this floppy disk,” and stuff I shouldn’t be looking
at it and it was really intriguing to me.
Fr.
Robert: Raphael, what was your first computer?
Raphael: My first
computer, my mom bought a Commodore One Twenty Eight at a garage sale, and it
had a monochrome monitor, it couldn’t do graphics, could do text, and I would
do some basic programming on that. But I didn’t see myself as a programmer, just did some stuff with BASIC. And then it was
a Packard Bell, a Four Eighty Six DX Two. Nineteen ninety
four.
Fr.
Robert: Oh yes. Woo hoo. Back in
the DX Series. So your first programming language would have been what,
on this Four Eighty Six DX Two?
Raphael: You ready
to laugh? And Shannon’s saying, “Oh I better laugh because it’s going to be
funny.” You guys ever heard of mIRC?
Fr.
Robert: Of course.
Shannon: Yeah.
Raphael: mIRC chat.
I keep forgetting, we have an IRC chat room for the
show, right there.
Fr.
Robert: Right there.
Raphael: I’m
watching the room too, so, yeah, it was mIRC scripting. mIRC has a scripting
language built into it, and I learned programming, or got really into mIRC
scripting, when I was a teenager.
Shannon: That’s
awesome.
Fr.
Robert: Well now that you have progressed past mIRC scripting…
Raphael: Oh, come
on, there is no progressing past it, that is the pinnacle… do not diss mIRC scripting.
Fr.
Robert: We know better than that. You are a programming expert; you have been
doing this for a long time. Your knowledge encompasses many languages. But beyond mIRC scripting, do you have a
favorite language? Do you have language that you default to constantly?
Raphael: I have a
very weird; yes, yes and no. I tend to believe in having three types of
languages in your (unintelligible), really four. The first one, and I know from
the chat room, cool breeze, LPS was not where I worked, that came out of Wright-Patterson,
and that was the anti-tamper folks. So, a guy asked an Air Force question
about their lightweight portable security distribution, so I had to answer for
that. Anyway, what should folks know? So for systems programming, I love
programming in C, straight up C. And I do a lot more work in C now, which I
really enjoy it, it makes me happy. I think everyone should know a scripting
language, and for me, that was Perl, back in the day. I really loved Perl. And
now, I actually have all the stuff here with me, some books, I actually program
in a language now called Sleep, which I wrote about ten years ago.
Fr.
Robert: Whoa, whoa wait, wait, wait. You wrote a
language?
Raphael: I did.
Fr.
Robert: I had college roommates like you, who were like, “You know what? I
don’t like any of these languages,”
Shannon: “I’m just going to write my own.”
Fr.
Robert: Exactly. What made you write a new language?
Raphael: I wanted
to learn. I learn by programming, actually.
Shannon: Wow.
Raphael: So, Snubbs, you’ll appreciate this: a lot of people know me for
something called Armitage, right? Which is the front end from
Metasploit that allows a team to collaborate. I wrote Armitage to learn Metasploit.
Shannon: Really?
Raphael: Really.
Shannon: Wow.
Raphael: Everything
I do, I build stuff to learn. Programming to me is a tool to explore a problem.
Shannon: And Metasploit, for anyone that doesn’t know, it’s a pen
testing program for hackers, basically.
Raphael: Yeah, it’s
a great thing, it’s a great project.
Fr.
Robert: You know, before we go any further, I’m thinking…
Shannon: Sure.
Fr.
Robert: We know what you do, because we have worked with you in the past, but
there is going to be a segment of our audience who, they don’t know anything
about security, penetration tests, they don’t know anything about Metasploit,
they don’t know anything about Cobalt Strike; tell them in the most basic terms
you can think of, to someone who is just starting to code, what is it that you
do? We know that you wrote a front end, for Metasploit…
Raphael: Right.
Fr.
Robert: And we know that you wrote your own language. But why; why do all of
that for a framework like Metasploit? Why do all of that to write something
like Cobalt Strike?
Raphael: Okay,
sure. So, for those of you who aren’t familiar with Metasploit, let me tell you
the basics of what that is. Hackers, to break into systems, one of the things
we like to do is take advantage of mistakes other programmers have made, we
call them vulnerabilities, and we use software called an exploit, which takes
advantage of that hole, gives us access. And Metasploit is an open source
collection of exploits written by many, many people. We’re talking hundred, I’d
have to say it has to be in the high hundreds of contributors, but I don’t know
the exact number, it’s a big community, in terms of people who write modules. Now,
Metasploit is great, but used by itself it’s kind of a pain to do a lot of, to
work its scale, to do a bunch of targets, or even collaborate. So, I came
along, and wrote a tool called Armitage, that’s open source, which allows a
team of hackers to collaborate using Metasploit. So if you hack into a system,
if Padre hacks into a system, Snubbs, Padre, and I,
we can use that system at the same time. And that took off, it was a very
successful project and I started my own company and I created a product called
Cobalt Strike, and to really push the edge on some ideas I had about hacking
and instead of building collaboration stuff, to focus on building new hacking
tools that work with all this stuff. And that’s what I do for a living now, for
the past couple years, actually.
Shannon: Now there is one question that I have for you
and it involves the programming side, because one of the things that we have
been teaching a lot is sanitizing your input, sanitizing your code whenever you
do things. And this is because you have hackers in the world that can do
different kinds of exploits. So what I want to know is, is there any kind of
certain code flaw that you’ve run into a lot that you’ve exploited the most?
Like, what is your favorite thing to exploit?
Raphael: Okay, so
the question is; I’m so used to conference style; the question was, so what is
my favorite exploit? So for me, philosophically, I actually prefer not to go
after flaws, I prefer to abuse the way things work. That would make sense
because I’m a programmer, right?
Shannon: Interesting. Yeah.
Raphael: I want to
do things that work, because they are reliable. So in terms of getting access
to a system, my favorite way to do it is through a way that we call “user
driven attacks,” and that’s an attack that abuses a feature, but if the user
follows through on that feature, it gives me the attacker code execution. Let
me give you an example of a very simple, almost lame, user driven attack.
Shannon: Nothing is lame here.
Raphael: No, it’s
fine. A favorite technique and we’re talking even allegedly nation state actors
do this, it’s silly, a favorite technique is to create an executable, and
change its icon with a program called a resource editor to look like a
document, okay? And send that to your target. And when the target sees that
executable it thinks that it’s a document because it might be named “document
dot PDF dot SCR;” and by the way, an SCR file is an executable, it’s just
renamed; it’s a screensaver, you can just run it and it will work like a normal
EXE. Anyway, if someone opens up that document, it runs your malware, and then
in the background, it drops the document to disk and opens it up like nothing
ever happened. And that’s an extremely common attack.
Shannon: That’s
awesome.
Fr.
Robert: That’s so weird because that’s like one of those attacks that should
have become extinct long ago.
Shannon: Yeah, I
think that’s how I got my first virus.
Fr.
Robert: How many times do we tell people, “Don’t open attachments; don’t run
documents.”
Shannon: “I thought
it was a screensaver.”
Fr.
Robert: Yeah, a screensaver. You know, when someone’s email is compromised,
and it sends out a bulk email message to all the contacts saying, “Oh, this is
a beautiful screensaver of puppies.”
Shannon: A pretty waterfall
Fr.
Robert: Yeah.
Shannon: That’s
what mine was. It was a waterfall, my dad got super mad at me, because I
downloaded what I thought was a screensaver; it never worked, but I got a
virus.
Fr.
Robert: Is that the most consistent factor, would you say, are still taking
advantage of users doing user things rather than weaknesses in the code base
itself?
Raphael: Yes, and
especially more so now. Right now I’m doing a series for my own YouTube channel,
where I’m going through these reports from different threat intelligence
companies, and those are companies that look at intrusion sets, people who are
actually stealing intellectual property and write about how they do it, and on
the most recent version of TWiET, we actually went through one of those where
we looked at (?) and how they do things, with Security Onion, JJ; there’s a guy
in the chat room, talking about how boss Security Onion is, great project, by
the way. Anyway, one of the things I’m doing is going through these reports and
reproducing those attacks. And I’m getting frustrated because so many reports
of how these people steal intellectual property start with the executable as a
fake document attack. And I’m like, “Come
on guys, do something more creative than this, please, so I can demo it.” So
I’m struggling to find other things but Java is a very common vector to try and
get execution as well, good execution. And my personal favorite is to embed a
macro into a Word document or Excel spreadsheet, because Word macros, they
sound harmless, they can do anything that a native program can do. And that
goes for Mac OS Ten too, by the way, not just Windows.
Shannon: Wow.
Fr.
Robert: We’re speaking with Raphael Mudge, the
Armitage Hacker, pen tester
extraordinaire; he’s a security expert extraordinaire, who just happens to
program. We’ll be right back, we’re going to talk to him a little about the
inspiration he finds when he looks for these exploits. But before we do that I
thought we should take a break and talk a little bit about our first sponsor:
that’s Lynda dot com.
Shannon: Lynda?
Fr.
Robert: Yeah, I love them.
Shannon: I love
Lynda.
Fr.
Robert: Now Lynda is your one stop shop for online knowledge. Anytime you
need to know something about anything you’re probably going to find it on Lynda
dot com. They’re not just about technology, they’re not just about programming,
or about computers, you’ll find a wide variety of topics on Lynda dot com
because that’s what they do. They want to be the place that you go to find your
reference, to find your training. Now Lynda dot com helps you to learn and keep
up to date with your software, to pick up brand new skills and explore new
hobbies with these easy to follow videos that you see up on screen. Whether you
want to master the fundamentals of programming, learn a new programming
language like Python or design and develop engaging websites, Lynda dot com
offers thousands of courses in a variety of topics. Lynda dot com recently
released their new iPhone and iPad app for iOS seven, and they enhanced their
Android app to provide Chromecast support, which means you have more options
to watch their content. The iOS app includes a more visual intuitive interface,
and both new apps offer off-line courses and video viewing, which makes it easy
and convenient to learn even in environments that don’t have internet access.
Lynda dot com users can move seamlessly between mobile and desktop applications, that’s one of the
things I really like because it means you can start on your desktop and move to
your tablet, then maybe drop over to your phone, and then back over to your
laptop. Now what I have seen over the last couple of weeks is that I’ve seen
Lynda really up their game, they have new course that include things like the
Android Essential Training, The Creating Mobile Games with Unity Program, the
WordPress Developer Tips, and much, much more. We’ve been using Lynda here at TWiT for a while, especially since we have been making the
move over to Premiere, our editors have all worked Final Cut Pro, so Lynda dot
com was an invaluable site for them to either remember the things that they
used to do on Premiere and they forgot when they moved to Final Cut, or to learn
it all anew, and that’s one of the things I love about Lynda which is with
their transcripts, it means that you don’t have to watch an entire lesson to
find that one nugget. For example, if you want to know, “how do I do chroma key in Premiere?” you would type chroma key and it would direct you to the exact time code, the place that will show
you the technique within Premiere, that’s just invaluable. It’s one of the tools
that Lynda dot com offers as part of the package. They have over twenty seven
hundred courses, with more added weekly. And all Lynda dot com courses are
produced at the highest quality, not like home made videos on YouTube, and
we’re not knocking those YouTube videos, you know that’s how most of us here
at TWiT started, but sometimes you want professional
video done right, with good lighting and good audio, with good angles, with
someone who knows how to work a camera, and that’s what Lynda does, it gets all
that other distraction out of the way and gives you pure knowledge in a way
that you want to learn. Lynda dot com works with software companies to provide
you updated training the same day the new versions hit the street. That means
that you will always have the very latest skills, and their instructors are
accomplished professionals at the top of their fields, and they are passionate about
teaching. It all shows through in their videos. Whether you have fifty minutes
or fifty hours, Lynda dot com has the course for you. Beginner, intermediate or
advanced, you know that they will have the knowledge you are looking for. Lynda
dot com also offers certificates of completion when you finish a course, which
you can publish to your LinkedIn profile, which is
great if you are a professional in the field that you want potential employers
to know what you have trained in. So here is what we want you to do: We want
you to try Lynda dot com for all your knowledge needs. It’s only twenty five
dollars a month for access to all of the Lynda dot com course library, or for
thirty seven fifty a month you can subscribe to the premium plan, which
includes exercise files that let you follow along with the instructor’s
project, using the exact same project that they do. You can try Lynda dot com
right now with a free seven day trial; visit Lynda dot com slash c one zero one
to access the entire library. That’s over twenty seven hundred courses free for
seven days. That’s L-Y-N-D-A dot com slash c one zero one. And we thank Lynda
for the support of Coding 101. Raphael, getting back to you, my friend, one of
the questions that I have for you is; I’m sorry, I’m getting a wave-off; I’m
getting hits, okay, you can put a bug here. Thank you, that’s going to scare Josh. Okay. I’m going to come back to my question. Raphael, one
of the questions that I have had is where do you get the inspiration for
looking for these exploits? Because I’d say it’s this weird combination. You
need to be a good programmer, because you need to know where they probably put
the flaws in their code, or you need to know where they put the flaws in their
process, which I think is what you go after, but you also need to have sort of
the trollish glee of finding something wrong, finding
something unique that only you would know about.
Shannon: Are you
calling Mudge a troll?
Fr.
Robert: In the best possible way; Mudge is a great
troll. But Raphael, how do those things come together in your mind?
Raphael: Okay,
sure. So, why is Twitter successful? This does relate to your question. Why is
it easy to write on Twitter; or to write a Tweet?
Shannon: They make
it easy for consumers. They just simplified it, it’s very simple.
Raphael: There is
one other reason, too.
Shannon: It’s
pretty?
Fr.
Robert: Yes, it’s attractive.
Raphael: One
hundred and forty four.
Fr.
Robert: Also short.
Shannon: Oh, yeah. It’s
very short.
Raphael: One
hundred and forty four characters. Okay. So, with Twitter, one of the reasons
it is so popular is because of constraint. Everybody is given this default
constraint to work with; one hundred and forty four characters; and you are
allowed to be creative within that space. And I see hacking a lot like that. Sometimes I will find folks will try
to pick something, anything, in this big universe of all possible things to do,
when what will really make you successful as a hacker is narrowing in and
focusing on something. Let me give you an example from my own experience when I
was doing production red teaming, I do a lot of exercise and support now, but I
had just done a reconnaissance shot against my target and what I did was is I
sent a web application, or sent a link to a web application, to a few people in
this organization. And those people clicked, it was a LinkedIn invitation, and it came to my server, and my web application discovered all
this information about their systems, and then sent them on to LinkedIn dot com like nothing ever happened. And what that
gave me was a constraint. It gave me: here is what my target has, these are the
things running on their system. And now, when I had to come up with an attack,
it wasn’t, okay, let me pick something cool that is random, it’s I need to sit
here in this box I’ve been put into, and come up with something that’s going to
work here. And for me, I find when I have good constraints, good assumptions,
good things that narrow what I have to do, that’s where the magic really
happens, because I can be creative within that space, and there’s not that much
room to spin out of control and end up in a lot of different directions.
Shannon: So you
like to constrain yourself when it comes to programming?
Raphael: Absolutely. I like to constrain myself when it comes to programming, and
attacking something, finding the problem and putting it to use. And constraint
is a beautiful, beautiful thing, and that’s what reconnaissance gives you, it
gives you constraints, so you know what the reality of what you’re dealing with
is.
Shannon: That’s
really interesting. You know it kind of makes me think of in a lot of
programming, you have constraints that you have to deal with; you are
restrained to the rules of different programming languages and each one is so different,
you have to stay within those rules to make your program work. So I totally get
that.
Fr.
Robert: Yeah, and I guess reconnaissance, or what Mudge does, he reconnoiters a particular system, he’s looking at the constraints that
they work with, because that’s going to necessarily affect the way that the
programmers work to both code and guide the process of data through the system.
I’ve never thought about that but, yeah, I guess…
Shannon: It totally
makes sense.
Fr.
Robert: It really makes sense; that’s how you hunt for vulnerabilities.
Shannon: That’s why
we have experts on the show. Now I have another question for you:
Raphael: Sure.
Shannon: Programming is awesome! And I get super excited whenever things work! But what
was your “aha” moment? What was the moment when you were just like, “Yes, complete!”
Raphael: Oh wow. Okay,
so, I have to tell you this: nobody believes me because I do so much
programming now.
Shannon: I’ll
believe you.
Raphael: When I was in high school, make no mistake
about it, I did not know how a program would come together, like a bigger
thing; I told you I could do the scripting, with like MIRC chat, but I could
not put together in my head what it would become, like how to build or
architect an application, I just didn’t know how to do this. Now I would
actually in a way, I remember dreaming about what that would be like, to
imagine something and create it, and I know I wanted that. And I want to say
that one of the big “aha” moments for me, this sounds funny, is when I learned Perl.
Because Perl gave me the ability to do a lot of things very quickly, and I just
started to explore variment and spread my wings, and
being able to do CGI script, so I can actually do web applications, if you
will, allowed me to go beyond with that knowledge and start doing more with it.
So I always consider Perl the first language which I became very strong with,
and I owe it a deep debt of gratitude because it really gave me so much joy.
Fr.
Robert: Raphael, I want to ask you this: it sounds as if a lot of your
programming training came out of just your passion; you found a language, you
liked it, you learned it, and you used it to do something with it. There is
another group of people who have formal training in all of the languages that
they have done, and by formal training I mean in a formal setting, either in a
university, or in some sort of educational environment, who would look at that
sort of training and they would say, “well, no, you just didn’t learn it right,
that’s not the way you’re supposed to program, that’s not the way you’re
supposed to think.” What would be your take away? I mean, both sides are valid,
but why did you go down that one path than the other?
Raphael: Okay sure.
So I kind of have, am familiar with having my foot in both worlds, I am a
computer scientist and I have a bachelor’s and a master’s in it as well so I
have gone down the formal path as well, and as you know from my research
background I have worked in a very formal, academic-ish environment, doing research. And that’s the way I look at it: research. Sorry,
I’m just laughing at myself on Skype. I have to tell you though, I don’t see
anything special about the quote unquote formal way. I think formal; and I butt
heads with colleagues over this; I see the formal thing as a way of trying to
capture the experience of very experienced people. So if you are a self-taught
person, you have a lot of experience, you are probably going to do a lot of the
things the formal way, people who believe in different kinds of methodologies
are doing it, naturally, because you have stumbled on what works and what
doesn’t, you’re going to gravitate away from what doesn’t work. So the formal
method is different, but the formal way of doing programming, all these
methodologies, it can work to help keep people on the same page and help an
effort from getting out of control, keep people from making silly mistakes. So
there is merit to that too, and one thing that I actually want to, I have it here, it’s along these lines…
Shannon: Show and
tell
Raphael: Show and
tell. If you ever get a chance, one of the people who have written best about
this kind of thing is a guy named Joel Spolsky, and I
am a really big Joel Spolsky fan, and he’s got this
great book, it’s a little bit older now, but completely relevant, all of it, it’s
called Joel on Software and in it he gives his philosophy on formal is enough
to not get in the way, but still keep a team glued together, and he’s a great
balance between those two worlds.
Fr.
Robert: Nice, nice. I do want to ask you to maybe delve into something that
you can or cannot talk about; I’ll leave it up to you. I know you have done a
lot of red on blue exercises. Can you talk about what that is, where you do it
and why you do it?
Raphael: Let’s see
here.
Shannon: What is
red on blue?
Raphael: I can talk
about the ones I talk about. Well it’s kind of a funny thing. So, I do
actually, I provide a lot of exercise support. There is one, just so you don’t
think I’m being too dodgy, the after action report for the exercise I was in
will come out in August, and it was a very big one. I was professional blue
team, military blue team.
Fr.
Robert: Before we go any further, can you tell us what a red on blue exercise
is?
Raphael: Oh sure. A
red team is, in an exercise, like a simulated cyber war, an exercise where you
have a bad guy, usually the red team, and their job is to simulate a credible
threat for people who are learning, or are training to defend networks and we
call those people blue teams. And I provide a lot of support to those kinds of
events, and one of the ones I most publicly do is the Collegiate Cyber
Defense Competition, and that’s actually with college students as blue teams
and that is done on a volunteer basis. I have been doing that since 2008.
Fr.
Robert: Does it take more experience to be on red team or blue team? Or is it
about the same?
Raphael: That’s a
good question. So usually you have, usually the training audience is the blue
team, okay, but in my opinion, it takes a lot more skill to be a really good
blue teamer than it does to be a decent red teamer. So good red teamers are
usually very highly skilled, but we can get a lot out of a junior red teamer
where on the blue team, if you’re going to be successful as a blue team, you
really need a lot of skill. It’s a very, very hard job.
Fr.
Robert: Yeah, I would be thinking as a trainee, I would hate to be on the
blue team because it seems like the blue team would always be getting its butt
kicked, especially if you have a bunch of newbies.
Raphael: Oh, they
do, always. That’s part of the fun.
Shannon: That’s
part of the training, correct?
Raphael: Of course,
training, we’ll call it training.
Shannon: The training.
Raphael: You know
what the trick is to that, though; in that kind of scenario and that even goes
into penetration testing? The trick is good client management. Like me, as an
offensive professional, I do offensive work, it’s very important to, what’s the
word, it’s very important to have good client management skills, and what I
mean by that is make sure you never come across as adversarial or disrespectful
to the people you are essentially working with.
Shannon: I
absolutely agree with you. You know there have been a lot of times I have been
to Hacker Cons, or to different clubs or whatnot, and people do, they kind of
look down on you if you don’t understand everything that they are talking
about. And I’m one to question everything so they always look down on me. Except for you, Mudge, except for you.
Raphael: Thank you,
I try. Well, it’s because I’m learning too.
Shannon: That’s how
I feel. We’re all learning, so we all have to ask the question that the person
who is too shy to ask won’t ask.
Raphael: You know
what keeps me in check, though?
Shannon: What?
Raphael: This is
going to sound funny, but to my girlfriend, all this stuff I go and do, like going
out in the hacker community, going to conferences and all that, she’s not a
technical person so all this stuff is not that cool to her, and everything I’m
doing is one step above pick your fringe, alternate interest here, because I
think anything is cool. I’m that guy, you know, so I’m all for it but to her
it’s just as cool as if I was going to Star Trek conventions or Star Wars
conventions and speaking. It’s like, okay, I used to bartend, you go do that.
And that mildly keeps me in check, I think. If I go to a dinner party with her
friends, they’re going to be like, oh, that’s interesting, what you do, but
overall it’s more curiosity than oh my god that’s so cool.
Fr.
Robert: Now, Raphael, we have to ask this, because we are Coding 101, because
we teach beginning programmers how to get into this, because we want to get
people excited about programming.
Raphael: Sure,
Sure.
Fr.
Robert: Let me ask you in two parts. The first part is, what advice would you give to a beginning programmer when he or she is just starting
out, to make their code more secure? What do you think is one of the biggest
mistakes they will make that they will regret once their code base starts
getting attacked?
Raphael: Okay so
the biggest mistake, in terms of security side that a novice programmer will
make is putting their code on the internet.
Shannon: Oh that is
so true.
Fr.
Robert: You just, okay. The gauntlet has been thrown.
Shannon: So don’t
open source your stuff before you know that it’s secure.
Fr.
Robert: But wait a minute, I thought open source was always supposed to be
good? What?
Raphael: Open
source is fine. It depends on who is looking at it.
Fr.
Robert: Okay, so you are telling your novice programmers, don’t ever let
anyone look at your stuff?
Raphael: No! What
I’m saying is…
Shannon: We’ve been
telling everyone to share it on the Google Plus Community.
Fr.
Robert: NO, no. I’m sorry.
Raphael: No, what
I’m saying is one: don’t put your new, novice code in production on an internet
server that data people care about, that’s for one. Two: I recommend getting
familiar with the best practices of something. Because let me give you an
example: PHP is a good example. PHP, years ago, there was a lot of example code
on how to do SQL queries, right? And it would just be like, hey, concatenate
this stuff together into a string and pass it to this function, and
voila! There is your SQL query. And that was the way to do it. And that
community as a whole didn’t understand the risk of SQL injection. And now,
newer material always takes that into account. So be aware of the maturity of
security practices in terms what kind of framework or project you are working
in. And along those lines, you guys just finished a Perl module, right? Eight lessons on Perl?
Fr.
Robert: Yeah, that was today. Oh, no, that was last week.
Shannon: That was
last week.
Fr.
Robert: That was last week we finished; in the time machine.
Raphael: So, Perl.
When I was doing Perl in the late nineties, I was writing web applications in
Perl, and I didn’t think about command injection, I didn’t think about all
these different ways somebody could hack my application. I guarantee, about
everything I wrote, including an e-commerce site in 2000, was Swiss cheese,
and just ripe for being broken into. Why? Because as a whole community of
programmers, we just didn’t understand best practices. And I think awareness of
that is different today, in 2014, or should I say 2015, when this airs?
Fr. Robert: Alright, Raphael, the other
side of that question is: if you were giving lessons to a novice, and trying to
encourage him or her in the field of programming, and they showed an
inclination towards security work, what advice would you give them? What should
they look at? What should they read? What should they watch?
Shannon: Our show,
obviously.
Fr.
Robert: Yes, and your talks, obviously.
Raphael: Okay, so
someone who had inclination for programming, and they’re really interested in
security, what would I steer them towards? Okay, well first, security is really
broad, so it’s going to depend on what their interests are. But let’s say they
tend towards more systems stuff. They like digging into the operating system,
digging into ways that can be abused. I would steer them towards learning a
systems language really well, and learning how to interact with the operating
system. So I would steer them towards, hey, learn C, okay? And dig as deep into
that, actually have a project, have something in mind you want to produce,
because it’s very easy to passively take in a lot of things to read on stuff,
but until, like for me, unless I go do it, I know I don’t actually pick it up,
I don’t actually internalize it. And so for anyone learning programming,
security or not, I would always steer them towards have a project.
Fr.
Robert: Be project orientated. I think that’s actually incredibly good advice
because again, that gives you the constraints, it gives you something to focus
on. That’s fantastic. Raphael Mudge, we want to thank
you for being on this episode of Coding 101, on this wild card episode. It’s
always nice to speak with people who are actually doing this for a living
because it’s a different point of view from just showing off code. You’re
someone who has actually taken this and made quite a name for himself. Once
more, can you please tell our audience where they can find you, where they can
find your work and maybe where they can find your speaking schedule? So they
can check out your next talk.
Shannon: Yeah.
Raphael: Sure.
Okay, so if you want to find my grammar checker, go to www dot after the
deadline dot com. See? I had to throw a curve ball in there. So if you want to
learn about what I’m doing in the hacker community now, go to, see, there’s
after the deadline, that’s mine. Go to www dot advanced pen test dot com,
and that’s Cobalt Strike, and you can check out my blog at blog
dot cobalt strike dot com, and that’s where I tend to write something about
what I’m doing and when I plan to give talks, I usually put a plug there as
well. So yeah, that’s pretty much what I’m up to now.
Fr.
Robert: What’s next? When will your next big conference be? I know you’ll be
at Black Hat, I know you’ll be at Def Con, but what’s after that?
Raphael: At Black
Hat, actually, I’m going to be in something called the Arsenal, which is an
area for open source developers to talk about stuff. And I’m releasing a
project next week, something brand new, designed for novice hackers to learn
how to do spear phishing and targeted attacks.
Shannon: Cool.
Raphael: It’s a
virtual machine called Morning Catch, it’s really fun, it’s like a fake fishing company.
Shannon: Is this
the first time you’ve told us?
Raphael: Yeah I
haven’t told anybody about it yet.
Fr.
Robert: Will this thing be ready to demo at Black Hat?
Raphael: Yeah, oh
yeah, it’s ready to go now.
Fr.
Robert: Can I film you at Black Hat?
Shannon: Can I film
you at Black Hat?
Raphael: Yeah,
absolutely.
Shannon: Yes!
Raphael: We’ll rent
a room and make a little studio, all that good stuff.
Shannon: Awesome,
dude, congratulations.
Raphael: Well yeah,
it’s something fun. I like to keep putting stuff out into the community I think
that’s really important to do.
Shannon: I agree.
Fr.
Robert: Fantastic. It’s always a pleasure to talk to you, Raphael, no matter
what show you’re on, be it TWiET, Hak5, or now Coding 101. We will; I’m
going to tap you on the shoulder for a future project, something we want to do
with Coding 101. We want to do something a little sinister.
Raphael: Ooh, I
like sinister.
Fr.
Robert: But legal, totally legal.
Shannon: Aww.
Raphael: Oh, well,
aww boo. We’re not doing it. I mean, yes. Be cool, follow the rules, look both
ways when you cross the street, eat your vegetables and brush your teeth.
Shannon: What?
Fr.
Robert: Thank you for joining us so late at night. I know it’s really late,
what is it, ten o’clock, eleven o’clock where you are? No, it’s midnight.
Raphael: It’s
midnight. I’m slap happy man, I haven’t slept this
week, that’s why I feel so crazy.
Fr.
Robert: I hate to tell you this but you’re not sleeping next week either.
Raphael: No, I
know.
Fr.
Robert: I’ll see you in Las Vegas, I’ll take you out to some sushi, how about
that?
Raphael: I’d love
it.
Fr.
Robert: Fantastic. Raphael Mudge, again, find him at his
website, find him on his Twitter account: Armitage Hacker, and definitely find
him At Black Hat and Def Con. Well that’s about it for this episode of Coding
101. We want to thank you for joining us for this wild card episode; we will be
back next week, in the time machine, with another wild card episode, where we talk
about another programming language.
Shannon: It’s
called a TARDIS, it’s called a TARDIS.
Fr.
Robert: It’s called a TARDIS. But Shannon, if they wanted to find out a
little more about our show, where should they go?
Shannon: If you
want to find out more about Mudge, or about the show,
or find our show notes and all of our coding, you can find that over at TWiT dot TV slash coding one zero one.
Fr.
Robert: That’s right, and also, you have to join our G Plus group.
Shannon: Yes.
Fr.
Robert: Just search for Coding 101. You’re going to find it. It’s a nice
place to go if you’re a beginner, if you’re intermediate, if you’re an expert
programmer because there’s always a need for all of you. Every time someone
asks a question in that community it spreads knowledge, and we’re all about
spreading the knowledge. Now if you don’t like Google Plus you can also find us
on Twitter, you can find me at Twitter dot com slash Padre S J, that’s at Padre S J.
Shannon: Yup. And I
am at Snubbs. That’s at Snubbs.
Fr.
Robert: At Snubbs. And don’t forget that this show
goes live, well most weeks this show goes live; you can find us two thirty PM
on Thursdays, that’s Pacific Time.
Shannon: One
thirty!
Fr.
Robert: I’m sorry, one thirty PM, it’s late. One thirty PM Pacific time on Thursdays at live dot TWiT dot TV. And as long as they’re there…
Shannon: And…yeah
we have a chat room going we read it throughout the show so if you guys have
any questions, or we accidentally skip over something while we’re showing you
guys a certain programming language, definitely ask it in the chat room, in
IRC. And that is over at IRC dot TWiT dot TV.
Fr. Robert: Absolutely. Until next
time, it’s been an absolute pleasure to spend some geek quality time with all
you out in the internets.
Shannon: I agree.
Fr.
Robert: Until next time, I’m Father Robert Ballecer.
Shannon: I’m
Shannon Morse.
Fr.
Robert: End of line!
Shannon: End of
line.