FLOSS Weekly 703, Transcript
Please be advised this transcript is AI-generated and may not be word for word.
Time codes refer to the approximate times in the ad-supported version of the show.
Doc Searls (00:00:00):
This is FLOSS Weekly. I'm Doc Searls. This week Katherine Druckman and I talk with Marcus Sailor about the Hacker's ethical dilemma. He works in cyber security, has a huge background on that. He's an extremely responsible position and he has to actually play, in some cases the actor thinking of what bad things somebody might do. It's a really rich and interesting conversation we had. And that is coming up Next.
ANNCR (00:00:28):
Podcasts you love from people you trust. This is TWiT
Doc Searls (00:00:37):
FLOSS Weekly, episode 703. Recorded Wednesday, October 19th, 2022. Hacker's Ethical Dilemma. This episode of FLOSS Weekly is brought to you by Bit Warden that the password manager that offers a robust and cost effective solution that can drastically increase your chances of staying safe online, yet started with a free trial of a teams or enterprise plan, or get started for free across all devices as an individual user@fitwardand.com slash TWiT And by Collide, that's Collide with a K Collide is an end point security solution that gives IT teams a single dashboard for all devices regardless of their operating system. Visit collide.com/FLOSS to learn more and activate a free 14 day trial today. No credit card required. Hey there everybody, everywhere on Earth and elsewhere. I am Doc Searles. This is FLOSS Weekly and this week I'm joined by Catherine Druckman herself. Now about to appear on screen for those who have them. Hello. Hey Catherine. Hey. Do
Katherine Druckman (00:01:47):
You're, Hey, how are you?
Doc Searls (00:01:48):
You're still in Houston?
Katherine Druckman (00:01:50):
Of course. Assume
Doc Searls (00:01:51):
Yes, of course. Yeah. And yeah, I have a great picture of the airport flying into it and out of it. <laugh> a few days ago. That's
Katherine Druckman (00:01:58):
There. Not about airport, all things consider
Doc Searls (00:02:01):
A, I would call it that. I'd say it's not bad what little I saw rushing between I'm a Lifer United and I have a lifelong SAM Club membership, so I could go to the club there, which is cool. It's a club airport for that. So I guess today is Marcus Sailor and I think I did, He's a hard guy to find online. But you found him, I think, right? Do you think you did?
Katherine Druckman (00:02:30):
Yeah, I'm clever <laugh>. I have my ways
Doc Searls (00:02:34):
You're gonna ask the good questions <laugh>. Well, I'm still in Bloomington, Indiana. No,
Katherine Druckman (00:02:40):
I've scared him to death and he's running up.
Doc Searls (00:02:42):
No, I hope he's still there.
Katherine Druckman (00:02:44):
Shut down the Zoom <laugh>. Yeah,
Doc Searls (00:02:46):
Well well bring him on. I to wanna rush into, we got a tiny bit of a late start and let you know. Marcus Sailor is the head of offensive security at a large financial services company as 22 years of IT cybersecurity experience. Started his career in the US Army as an information systems operation analyst for the third US Infantry of regimen and parenthesis as the old guard might ask about that. Served as a Unix Windows administrator for the Defense Information Systems Agency Pacific. That's D I s apac, deak, maybe. I am not a military guy, so I have to take this stuff. And was the head of the S six communications department for the 228th combat support hospital held in cleared contract positions of various D O D DIA support agencies. And his current role is head of offensive security. He is responsible for executing threat in adversary simulation, which sounds like fun penetration testing and security research and development in its information security department. So Marcus, welcome to the show. There he is. Hi.
Marcus Sailler (00:03:55):
How's it going? Yeah,
Doc Searls (00:03:56):
Still here.
Marcus Sailler (00:03:56):
Didn't run away,
Doc Searls (00:03:58):
<laugh> good. So tell me about offensive security and what about security is offensive <laugh>, I find myself wondering
Marcus Sailler (00:04:11):
It. Yeah, I think it's kind of the higher level term for the origin story of red teaming. And so red teaming is a traditional military tactic in which a faction is kind of charged with testing defenses. So offensive security is kind of the broader term that could include red teaming, penetration testing threat and adversary simulation. So it's kind of the catch off for those subjects.
Doc Searls (00:04:45):
So a whole lot of things in your bio there. What do you spend most of your time doing? Do you come to work, Do you worry? It's an interesting question. Do you work at home or does this require onsite for you to do what you do? I can't guess. Well, so I think usually guess what people are doing, but with you I can't,
Marcus Sailler (00:05:04):
Yeah, I do work in a hybrid environment. Sometimes I'm in the office, sometimes I'm at home. I think for this particular role, you typically see a lot of remote work especially when you work for an internal team because the people that you're testing day to day could be literally sitting in the cubes couple of aisles over. And if you don't have a good poker face, you know, could blow your operational security pretty quick. So I'm a favor of working at home, obvious for obvious reasons, but when you really try to emulate and simulate the threat actor you really need to think of it from a external perspective and instead of an insider. But yeah, I am not intentionally elusive but there is some paranoia that's inherent with being a hacker and being with someone in this space. Just we try to eat our own dog food in terms of the threat profile and the attack profile we have out there so that folks don't try to use information about us against us, which is what we try to preach in the community.
Katherine Druckman (00:06:18):
I'm wonder, I, I'm sure you get this question a lot, but do you also engage in physical security penetration testing, get all mission impossible? I assume that people ask you that all the time, but it seems like a good story if it's true.
Marcus Sailler (00:06:32):
Yeah, it's definitely part of it. I think when you guys interviewed Maxie Reynolds, who's the founder of Subsea Cloud, she has much cooler stories than I do about mm-hmm <affirmative> jumping in dumpsters and running from security guards. We do some lightweight physical security. It's mostly about the door jing, right? So using tools under the door tool where you can actually jiggle the handle from the outside. One of the cool tricks is taking compressed can air, which I've got some here at my desk, and you turn it upside down, you turn it upside down and you spray it. And that actually creates a little bit of a mist that will typically set off the door sensors on the other side, unlocking the door. So stuff like that is kind of cool. They're a little bit more like parlor tricks but physical security can be tricky especially when there's guards and armed guards and stuff like that. So you definitely have to scope that pretty well. Or you might end up in some hot water. Some ethical hackers did I think it might've been in Houston where they broke into the courthouse and they didn't quite have all the permission that they needed and they got into a little bit of trouble. But yeah, it tends to happen. It's a tricky thing, but it is cool. It's very fascinating to me, especially lock picking and stuff like that. <affirmative>.
Katherine Druckman (00:07:59):
Yeah, I've never gotten really all that good at that, sadly. I feel it's in, that might be an important life skill, but yeah,
Marcus Sailler (00:08:08):
Especially when you lose your mailbox key and you can check your mail. So
Katherine Druckman (00:08:13):
<laugh> true, actually have a lot of questions because I think this is a really interesting field. I personally feel like it's something I wish I knew more about and I'm definitely learning all the time. So security's about mitigating risk and exercise and caution, generally speaking, I wonder, do you have any advice for creating a balance of a culture of innovation which would frequently require risk taking that also fits in with your goals of improving security? I I always wonder this, how do you maintain that balance of caution and risk?
Marcus Sailler (00:09:02):
Yeah, so my earlier career especially what I know about how hackers operate and the tools and the capabilities, I was very risk-adverse. So with the extreme of trying to mitigate all risk, and that's just not possible really what information security professionals should be striving for is to drive the business, to make the business operate safely, not stop it from operating. So we often get a bad name in terms of being the no police or being the obstructionist to progress and innovation. And what really resonated to me was one of my mentors his name is Mike Catlin said something that was really fascinating to me about the role of security and it's a metaphor that he said that security doesn't exist for us to stop. It exists for us to go faster. And so when you think about it from that perspective of driving the business and enabling folks to move faster, security is the brakes, right? It's the caution, but it's not necessarily there so that you can stop. It's there so that if you need to or if you need that protection or safeguard, it's there. And so that's kind of the philosophy that I've been taking into account now, knowing that you can't always mitigate all risk. It's a balance, like you said, that you have to strike with being able to function as a company or as an organization and making make money, staying in business <laugh>.
Katherine Druckman (00:10:43):
So yeah, not getting shot by a security guard probably a good idea too. That's a risk you wanna mitigate
Marcus Sailler (00:10:51):
Very much. Not in my threat profile of wanting to do so. Yeah.
Katherine Druckman (00:10:57):
Yeah. Awesome. Since this is FLOSS weekly, I wondered if we could start the open source conversation. I'm very curious about many things, but we could start with why do you prefer open source or do you prefer open source? What I'd like to know a little bit about your toolbox. I think our listeners would too.
Marcus Sailler (00:11:16):
Yeah, I think it's open source and offensive security tools in the open source community is a little of a, I would say touchy subject for some. From my perspective, I'm a fan of it because as I lead a team or even when I was behind the keyboard, which was a dangerous time for me using offensive security tooling that was open sourced was particularly useful in terms of not having to always create my own tools and being able to collaborate with peers, which is, in my opinion that collaboration, participation and transparency is a really kind of the open source principles.
(00:12:01):
But what kind of it enables you to do is to not have to be a programmer necessarily, not necessarily know and understand code. And a lot of the tool sets were driven towards highlighting security problems. And so if I'm having a problem from a collaboration perspective, there's a chance that other organizations also have that problem. And so off offense and security tooling was kind of a way to baseline and highlight some of those security flaws that we see in technology and help address or at least highlight what those flaws are. But in terms of tooling, gosh, it's almost like there, there's a friend of mine named Andrew Robbins who also writes really cool offensive security tooling that said, if you can dream it or think of it, it's probably already happened or somebody's already built it. And I think that's pretty true when it comes to offensive security tooling.
(00:13:02):
Every time I think about something like, Oh, this would be really cool to have this capability and one Google search away, you find it. So in terms of what's in my toolbox, it's probably a lot of customization or repurposing of other people's work but it ranges depending on what I need it for. So if I need to test, can something get out of some of the security tools, like proxies on firewalls, you would get a egress tool. The other one is pretty popular is the remote access tools. So something that allows me to have command and control outside of the environment. Enumeration tools are also very powerful in the offensive security tool space because looking at a lot of data and collecting a lot of data all at once is as a challenges an operator to have to manually do that. So the more tooling the better. But definitely knowing and understanding the fun fundamentals of how those tool work tools work is what I would say is distinguishes somebody as an operator versus somebody that's like a script kitty.
Speaker 4 (00:14:10):
Okay,
Doc Searls (00:14:12):
So I assume questions queued up, but first I have to let everybody know that this episode of FLOSS Weekly is brought to you by Bit Warden. Bit Warden is the only open source cross platform password manager that can be used at home, at work, or on the go and is trusted by millions. With Bit Warden, you can securely store credentials across personal and business worlds. October Seber Security Awareness month. And Bit Warden would like to remind everyone about Key Actions. You should take one, use Strong Passwords, Bit Warden can generate and store strong passwords for you. Two is enable multifactor authentication on all your accounts, including your password manager. Multifactor authentication is the easiest way to add extra security to your accounts. Enabling two-step login on Bit Warden improves the security of your password vault with options like verifications through email or Authenticator app available for all accounts and 5 0 2 or UBI key OTP available for premium subscriptions bit more than just rolled out a bunch of things.
(00:15:17):
First is password protected encrypted export. Export your vault in an encrypted format using the password of your Choice mobile username generator. It's finally here. It also includes support for three of the five aliases that Bid Warden supports Duck Duck Go email Alias support for their service has been integrated bringing the number of supported alias services up to five Duck Duck Go Mac OS browser integration. Bid Warden partnered with Duck Dot Go to create an integration with their forthcoming MAC OS browser. Stay tuned for when they'll launch this feature. Bit Warden is also a must need for your business that's fully customizable and adapts to your business needs. Use Bit Warden send a fully encrypted method to transmit sensitive information. Whether text or files generate unique and secure passwords for every site with enterprise grade security, that's gdpr, ccpa, HIPAA and SOC two compliant. Their team's organization option is $3 a month per user and their enterprise organization plan is $5 a month per user.
(00:16:23):
Share private data securely with coworkers across departments or the entire company. Individuals can use their basic free account forever for an unlimited number of passwords or upgrade any time to their premium account for less than $1 a month. The Family Organization option gives up to six users premium features for only $3 and 33 cents a month. At twit, we are fans of Password Manager Bit Warden is the only open source cross platform password manager that can be used at home on the go or to work and is trusted by millions of individuals, teams, and organizations worldwide. Get started with a free trial of a teams or enterprise plan or get started for free across all devices as an individual user@bitwarden.com slash TWiT. That's bit warden.com/TWiT.
(00:17:18):
So Marcus the theme of this podcast is ethical hacking and what is an ethical hacker? I'm wondering, and I'm asking that in part because Hacker is used in two completely different ways. I mean I think most people muggles out there think the hacker's a bad guy and within it, I mean we've got the hacker's dictionary, it's an honorific almost. If you're good at programming or whatever, you're good at making things work. You're a hacker. So what is the ethical thing? And it sounds like it's your job, so obviously you have an ethical not sure what the right word is, but go ahead and fill one in <laugh>.
Marcus Sailler (00:18:12):
Yeah, so I think the ethical component was that title is sort of to, I don't know, alleviate concerns with the ideology that, like you said, hacker is a bad guy. So to me, I'm a hacker that practices ethical practices. And so I think what distinguishes a good hacker from a bad hacker is intent. So as a hacker, my intent is to help identify vulnerabilities and use my intellectual curiosity as well as skill sets to highlight those vulnerabilities so that they can get picks and that we can prevent breaches before bad guys get there. So the ethical component, I really don't hear anybody saying an unethical hacker, right? It's either hacker or ethical hacker. So it's kind of interesting that that's a common theme that oftentimes people think hacker synonymous with bad guy but it really is about intent. So the ethics component is driven by the intent and the unethical component is driven by mall intent. So to me that's kind of the distinguishing factor in terms of being a hacker or an ethical hacker. Does that make sense?
Doc Searls (00:19:33):
Yeah, it does. I'm wondering, you know, mentioned intense, what are the profiles of kinds of intentions? I imagine there are ones that are just like, we wanna mess with you. There are others where maybe there's a political intent, there may be misdirection in it where it looks like one kind of thing, but is really another kind of thing. There may be almost always I think not, or at least often there are financial incentives. So I what are the profiles that you're looking for that you see in the world and how is that changing?
Marcus Sailler (00:20:08):
Yeah, I think it's very much you would think about any criminal organization. So some are hacktivists, right? That's where they have a political motivation. You see I'm almost scared to say their name cuz it's quite ominous, the stuff that they do. But you see anonymous out there that they find a political target of someone that they feel is not playing morally, is not a good moral person. So they go after them reputationally. So activism is one. Then you see the cyber criminals that are kind of what I would consider like cyber mafia kind of things where they have a financial intent they run it like a business, they ran some hospitals for money. The ideas is to, it's literally a business for them. They develop products and have customers. The customers are not people that signed up for it with consent. So there's the cyber criminals and then you have nation states.
(00:21:10):
So nation states are the scarier ones because their motives are a little bit kind of dual. Both of those, it's a little bit of a political reason as well as a financial potential financial incentive to would benefit the nation that they represent. So the nation state threat actors are typically well funded, have quite a bit cause they have an entire GDP behind them and they have literally armies of hackers that are designed to take out targets or accomplish a particular mode, politically motivated goal. So I think that those are probably not all of them, but that is a pretty broad stroke for the three of the major ones. And then there's I guess the enthusiasts or hobbyists that are just belligerently playing in the gray and not necessarily more personally motivated than they are at fitting in any of the three other categories.
Doc Searls (00:22:17):
Which ones, I mean are you wrestling with the most? I mean from the way you describe it, it sounds like nation state actors are maybe the most powerful or the most well equipped or maybe the most experienced, I'm not sure but I'm not sure you're being can about who you work for. But I imagine let's say in the retail world gets one kind of hacker and a financial world gets the health actors I the health a healthcare place for example, a hospital, maybe a target of a ransomware. I think I've read about that one or a school or something like that. But I'm kind of wondering where, what the routing is with some of this stuff and who's best at it. And
Marcus Sailler (00:23:08):
It's pretty interesting. I don't know that you can necessarily put a finger on one being better than the other in terms of skill sets. It's more about capabilities and funding. So obviously the nation state, you know, look at the People's Republic of China, They have probably somewhat of nine to 10,000. I mean it's not even known to us how many hackers that they employ as part of their cyber attack force. But it really just depends on the industry. So when you think about the nation state folks, they are typically targeting other nations. It's cyber warfare for them. But that there's a lot of collateral damage that goes into that. So when you look at rsa, when they got breached about a decade ago, it actually wasn't about rsa, it was about trying to get access into D O D systems through RSA as kind of a proxy because of the multifactor capabilities that they had that the DOD heavily operated.
(00:24:09):
And then the example you gave hospitals, the cyber criminals typically go after them because patient data and health services are important to people, especially if you're on life support. So they use that motive of fear and in fear to propagate or to get the money that they want out of it. So in financial services it's a mix. So anytime there's a lot of money attributed to a particular country, going after that company could be a nation state focus. But for the most part it's the cyber criminals, the ransomware folks that do have some reputational damage that they want to occur or they use that as their motive to get the ransom forward. Large companies also, data's pretty important to them. So the attacks tend to be data centric, whether it's disclosure or disrupting operations or IT functions that a lot of these hackers go after for financial services companies.
Katherine Druckman (00:25:26):
So speaking of going after the targeted attacks I wondered if we could shift focus. Cause I know you wanted to talk a little bit about commercial software using open source and potential security vulnerability vulnerabilities. You mentioned Log for Shell I actually wanted to ask you what you think about things like the securing open source software act the recent executive order on improving cyber security. I wonder if you think is that going in the right direction for addressing issues? What do you think the issues are? How do you feel generally about commercial software using so much open source? I mean it's ubiquitous certainly but as we all know, security vulnerabilities are increasing, the time to fix them is increasing dependencies or number of dependencies is increasing. So I wondered if you could speak to all of that.
Marcus Sailler (00:26:29):
Yeah, I'm two minds on the open source being used in commercial software to me and you guys are the open source experts. I just kind of play in this space. To me it doesn't feel like it quite embodies the principles of open source. When a company takes open source capabilities or libraries or software and then packages it and resells it it certainly doesn't lend itself to that collaboration and participation. And I know a lot of companies do give back in terms of contributing to those communities and contributing to that code source to improve it and make it better. But to me it always felt you're stealing somebody else's work for a financial gain. But on the other side of things, and this is where my second mind on this kind of kicks in as there's a lot of great products that have come out that are built off this open source community and platform that have made organizations like that are dealing with cyber attacks better.
(00:27:38):
Whether it's using a logging facility that was we saw in Log for Jay or Spring for show or using other capabilities that the open source committee is really great about creating and collaborating and putting forward. I think the challenge is these companies just can't move with the agility that open source can. So oftentimes they get caught with these vulnerabilities that come out through responsible disclosure from a security researcher or through a threat actor that's found them and they just can't pivot and adapt implementing those fixes or those code changes because there's so many other downstream dependencies that call that library rely on that library and you can't just hot swap them out. So it's a challenge I think, and I kind of go back and forth with it and struggle with the idea, especially when things like Log for, Shell come up and you know, see the whole world and the whole IT community having to react to it.
(00:28:36):
Big scary ones like that come out hopefully not every year, but it seems to be more frequently, like you said in terms of legislation. I think it's always interesting to see legislation in this space and how it gets interpreted, how it gets enforced and how it gets implemented. And you look at things like HIPAA and SOC and GDPR now in Europe and even in the us the California Privacy Act and stuff like that are starting to pick up on this in the states. It's always interesting to see how organizations react to that because sometimes it starts to become a check the box fix or implementation it, it's not really in true spirit of the problem or fixing the problem. So I'll be interested to see how those particular forms of legislation get implemented or rolled out. I'm hoping, I'm optimistic that it'll put some tangible positive, productive security practices in place for companies in the us but at the same time thinking about it and navigating for small businesses. I mean this could potentially cripple startups or cripple organizations that can afford to have fully staffed security staff or can't afford to maybe have to check the box with some of the governance or the legislation that was put forward.
Katherine Druckman (00:30:11):
Interesting. I appreciate you answering because I, I'm obviously personally heavily biased toward open source. These aren't I wouldn't ask the question of why obviously there are ways to do corporate open source correctly and maybe incorrectly. And I'm very lucky that I've only really experienced a former, I've been paid by companies to contribute to open source, which is a great place to be. But I understand that there is this weird skepticism, Again, I'm so biased, I've only really ever been in the open source technology world. I know very little about proprietary technology, but I wonder if you think the focus on open source when we talk about vulnerabilities is maybe unfair. I know that there, why is it the securing open source software act? Why not just securing software? So proprietary software certainly has vulnerabilities. I wondered if you could had any thoughts about that.
Marcus Sailler (00:31:11):
Yeah, I think to me it's a little bit about when you think about proprietary software, there's that security theater, right? Because the source code is not as collaboratively known. Maybe there's a perception that it's not as easy to find vulnerabilities or I really don't understand it either because we've seen vulnerabilities come out in mass, I mean literally hundreds, not thousands every year across the commercial proprietary space. So I think what makes it uniquely challenging for open source is through the sheer nature of being open security researchers or bad guys can actually more quickly and more easily find those vulnerabilities. And so from my perspective, those are more bugs or defects. We've just kind of called them vulnerabilities because of the security implement implications to them. But yeah, it does feel a little bit challenging and unfair to target the open source community. But the unfortunate side of it is that because of the nature of the collaboration and openness, it kind of puts a target on their back versus proprietaries a little more closed.
Doc Searls (00:32:22):
I had a couple thoughts. One was going back to regulation and policy. You mentioned the gdpr ccpa, Those for the most part, those are addressing unwelcome behaviors by companies themselves. They mainly, it's about tracking. We don't want people tracking us all over the place. We're marked animals and it's easy to do and so companies can get away with it. And there really is theater going on around that because every one of those completely insincere consent notices you see in the front of a website are basically say, we're gonna obey the letter of the law while completely screwing its spirit. But I'm not sure, and I'm bringing this up because this is something I am expert on. I'm not a developer myself, so I'm been writing about opensource for a long time. That doesn't mean I develop any, but I don't think my theory, and it just occurs to me now, there is when you're dealing with people and you're dealing with actors who are by their nature criminals, <laugh>, they don't wanna obey any laws, they always almost doesn't matter to them. What can you do to it? What can you say to an honest company that's gonna make it easier for them to deal with people who are inherently dishonest to begin with? So I'm not sure there is a policy answer to that. Is that, do you think there is one? I'm not sure.
Marcus Sailler (00:33:50):
Well, I think it's interesting because obviously bad guys don't obey the laws, otherwise they wouldn't be bad guys. So it's always difficult to see the attempt to legislate out of that. So I think privacy is something that I'm particularly passionate about for as you may have been able to tell when trying to find information on me <laugh>. But yeah, it, it'll be interesting to see how effective it is. But I certainly think privacy is something that we can do better at. And I think it's a shared responsibility. So individuals need to demand that privacy. But it's almost like we're, our hand is forced, right? Cause you get that consent or you get that. Do you agree to the terms and what are you gonna do? Click? No. I mean, very few people do that. Very few people read them either. So I'm not a legal counsel, I can't read the legal ease and understand the implications outright as to what they're doing or what they would do with my data. But you know, always try to challenge organizations and understanding where that data lives and what they're doing with it.
Doc Searls (00:35:00):
It's an interesting thing to me that there many interesting things here. But one of them is that you know, just said, well you don't read the legalese any of these things, it's not even worth reading because it's meaningless. And inherently they hold all the cards, they can change the cards time they want. <laugh>, a privacy policy is meaningless. Any company can change it any time it wants. There's nothing obligating them to tell you anything about them. There's just sort of a promise to have good behavior in almost every case, at least with the commercial companies and the publishers, they're busy selling or harvesting and sharing information about you or meta information about you to thousands of actors on the back end. And the question I have about that is, has anybody looked at the security vulnerabilities at that end? I mean, it's not like you have them at the, I mean, we all know that we're vulnerable, but mostly we're vulnerable too is we may get an irrelevant ad, you know, may get a creepy ad that is too relevant perhaps.
(00:36:01):
But what happens that, I mean there's such a gigantic market, trillion dollar market really in personal information that is largely unknown to the individuals who are giving up this data that not intentionally is just being harvested and it fans out to companies you never heard of. Not just Google and Facebook, which is what most of the regulators are after because they're kind of an easy target and maybe a legitimate target in some ways. But lots of other parties have people in your profession looked at that area and said, this is a show back here, <laugh> trying to avoid profanity here, but <laugh> or is or is it it no interest because it's just a mess, but it's not our mess, it's some other mess out there. Let Google and Facebook deal with it and we don't care. I'm just curious.
Marcus Sailler (00:37:05):
Yeah, I think so. I think it's interesting going to and seeing how, when you think about it from a commercial financial motive, we tend to give those companies or organizations have passed, but we also, there's a large market in the underground market in the dark web for data brokers and commod treating that like a commodity. But that's perceived to be very negative and we go after those folks and putting your social out on the dark web and that's perceived to be malicious and criminal. But when you talk about data brokers that do it for a business, legitimate business and air quotes it's common and acceptable practice. So yeah, I see, especially when you think about the motives of threat actors or bad threat actors. These are the companies that those guys will go after because they have all that data, they've collected all that data and there's a gambit of things that they can do with it.
(00:38:11):
They can use that to launch future attack set individuals or identity theft, which is also potentially financially emotive, motivated social engineering of many types, whether it's trying to get as something simple and silly as getting your Instagram account or getting into your bank by knowing your personal questions. So yeah, it's privacy is something that I feel like we need to come a long way on. I think Europe is starting to focus on that and getting that temp predominantly. I know a couple times I've had to do some investigations or some hunting of individuals in Europe and it was just so much harder to find that information because that data brokerage kind of market doesn't exist there. They don't sell that data or that information doesn't regularly get correct collected. But finding anybody in the us I mean you're got so many information sources to choose from and it's like if you're trying to secure that and get that removed because they all proliferate, they all talk to each other, they all sell and resell. And it's a almost impossible thing to do here in the US
Doc Searls (00:39:28):
That I have not heard that before, that that is harder to find somebody or to track down an individual in Europe because the, there's not that market for personal information operating there or at least not operating like it is here. Whereas here it's this weird kind of free for all, it's this. So it's a public bizarre almost, except it's a kind of big private bizarre that the public doesn't go to, but information about them is being bandied about there. I was thinking in Germany for example, when I've gone there, so I thought, okay, let's see what this place looks like at Google Street View is not there. <laugh>, they get kick street view out, they don't want anybody looking at your house. So you can't see exactly what this house looks like that you're gonna go after. And frankly, in here in the US in Santa Barbara where I normally live, there's often fog in the mornings up in the hills. And for several rounds with Google Street View our house was obscured <laugh> and we thought that's cool. Oh wow, you can't see it. Just by chance the Google Street view thing was rolling through at times, but right now actually it is pretty visible. But are you often tracking down individuals or is it just as a way to get to a larger actor or, I'm just kind of curious how you go about locating a source of a bad action. It's probably hard to typical it, I suppose
Marcus Sailler (00:40:54):
It depends. So I used to also do a lot of volunteering and community work for agencies that look for particular things that bad guys might do. And so helping them reproduce and track that to help law enforcement was part of that. But also in my day to day thinking a bad guy is a big part of what we do. And so when you think about where a bad guy might start, he's not just gonna pick an organization and just, if he wants to be successful, at least they're not just gonna pick an organization and just splatter it with emails or phone calls. They're going to want to have an informed opinion on how to attack that organization. So yeah, sometimes that's part of that is looking at employees or executives or looking at folks in their roles and what they do and what they predominantly information about them that you can use as almost like a dossier to profile them. And that's what threat actors do. They think of ways creatively that's believable that's motivated by potentially emotion as a tactic of influence. So yeah, that's something that I'm imbued in. So Maxi Reynolds, the other first person that you interviewed were both open source intelligence kind of experts. And so that's just part of it is just knowing it's a passive or connaissance portion of being a hacker is knowing and understanding the demographics and dosier of people.
Doc Searls (00:42:33):
Yeah. I wanna remind listeners and viewers that Maxi was on and she's given us several guests including you, <laugh>, great contact on a podcast we had about underwater data centers, which I just thought was a terribly interesting topic. So Catherine I know has at least one question queued up at first, I have to say this episode of FLOSS Weekly is brought to you by Collide. That's collide with a K. The challenge with device security has always been that it's difficult to scale. The bigger you are, the more edge cases you introduce and the easier it is for significant issues to escape. Your notice when remote work took over, that challenge got exponentially harder. Whether you're a fast growing startup that needs to graduate from managing device inventory and Google Sheets or an enterprise trying to speed up service desk issues, you need visibility into your fleet of devices in order to meet security goals and keep everything running smoothly.
(00:43:29):
But how do you achieve that visibility when your design team uses Max accounting is on Windows, your most talented developers are on Linux. Well, you get Collide. Collide is an endpoint security solution that gives IT teams a single dashboard for all devices regardless of their operating system. Collide can answer questions, MDMs can't. Questions like do you have production data being stored on devices? Are all your developers SSH keys encrypted, and a host of other data points that you'd have to write a custom she script in order to learn about? Think about it. If a Linux vulnerability is exposed tomorrow, how will you figure out how many machines are at risk? File a ticket with the team that manages your MDM and weight days to get a report back, send a mass email and hope the Linux users open it with collide. You have real time access to your fleet's data and instead of installing intrusive agents or locking down devices, collide takes a user-friendly approach that communicates security recommendations to your employees directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit coli.com/FLOSS to find out how. If you follow that link, they'll hook you up with a goodie bag including a t-shirt just for activating a free trial. That's k l ID e.com/floss.
Katherine Druckman (00:44:58):
Cool.
Marcus Sailler (00:44:58):
So you guys have some really great security
Doc Searls (00:45:01):
<laugh>. I know
Marcus Sailler (00:45:02):
Some really great security like sponsors.
Doc Searls (00:45:05):
I know that that's why they're here. They know you're on. Yeah, there's That's true. I mean before it did, Catherine has a question. I just wanna mention not everybody hears the ads because we have some premium subscribers that don't hear the ads, but they're so relevant sometimes that are, it's just sort of weird cuz I'm reading the ad and I'm thinking, Hey, we need to talk about this <laugh> Anyway, go ahead Catherine. So
Katherine Druckman (00:45:30):
Bonus. Yeah, yeah. So just for background, I come from a position that everyone, everyone should have some basic security competence. So to that end, and also to our aspiring security experts out there, I wondered if you could tell us a little bit about threat modeling, what it is, how you approach it how does your approach change depending on what you're doing, different industries are working in different circumstances, locations, all of that.
Marcus Sailler (00:46:00):
Yeah, I guess the easiest way I could describe be modeling is it's like whenever you walk into a room and you size things up and some folks, Oh sorry, I'm having some technical difficulties with my, Can you guys still hear me?
Doc Searls (00:46:18):
Yeah, I know you said fine.
Marcus Sailler (00:46:20):
Okay, sorry about that. So threat modeling, the ideology is like, I take it from a hacker's perspective, I think that makes for the best threat modeling, but really threat modeling is looking at your weaknesses. And so thinking about a specific technology or process some subject that you want, a threat model and identifying using different models like Stride or Dread which are just kind of scaled mechanisms that kind of help your profile risk and likelihood. But essentially when you threat model, you think of you have to put your bad guy, your hacker hat on, and think of how would a bad guy enact a threat against this particular subject or product? And you basically just put everything on the table. It's very collaborative in nature. You need to have folks that are technology SMEs that are experts, and they don't have to be security individuals. In fact, they should be the product managers or operators.
(00:47:26):
They work best in terms of threat modeling. And you pair 'em up with some security professionals and you just kind of hash it out, what are the threats that are relevant to this? And so once you've kind of documented all those out, you start thinking about compensating controls because not every threat is uncompensated for. So you may have some things like, Oh, we have multifactor. Oh, we're securing our passwords using Bit Warden. So there's some compensating controls that tend to mitigate some of those threats right out the gate. And there may be things you're already doing but then there may be some things that you've missed. And so that's when you start thinking about residual risk. So residual risk is basically what's left after you've tried to compensate for those threats. And really when you think about the outcomes of threat modelings, it's that residual risk that you really wanna focus on because that's gonna tell you where the bad guys are actually gonna try and go or what they're going to try to exploit. So as an organization, you kind of have a choice, either you address the risk or you accept it. But mitigating, like I said earlier, mitigating risk completely is never really always an option. It's not really an option cuz there's always some residual risk.
Katherine Druckman (00:48:39):
So I think personally, again everyone creates better threat models when you can see different angles, see things from different perspectives, from different lived experiences, different cultural backgrounds, all of those things. And I think for that reason it's important to recruit people into the security field with a variety of experiences and different backgrounds multidisciplinary backgrounds, for example. And I just wondered what advice you might have for career changers or people who may have a different technical background, but not security in particular, but who would like to build up their security skills in particular, or offensive security skills in particular.
Marcus Sailler (00:49:26):
So I actually, I hit up the offensive security program at my company and I think you hit something that's super important and I'm passionate about, and it's that diversity of thought <affirmative>. So the demographics of my team are just wild. I have someone that didn't even come from tech she came from international relations and political science. Oh wow. What does that have to do with hacking? Well, it's
Katherine Druckman (00:49:53):
People, everything. I think so.
Marcus Sailler (00:49:54):
Everything, yeah, everything. Yeah. And it's not something that you would see as a traditional background for a hacker, but it makes sense. So I think you're spot on in thinking about that. And so what I would say is if you're on the new career side of things, think about your angle, think about this particular person. She thought, well I know, know political science, I know international relations in how other countries think. So I can put my spell, if there's a threat actor that I can think about, I can put myself in their mind frame and their mindset. So I guess just likening whatever, what I would say your superpower is or what your current back background is and using that as a force of good insecurity. So for me, I come from assisted administrative background, so I know how admins think. I know the corners that we cut that no composer create security flaws. I had somebody that used to work on a help desk. So this person is hugely operationally driven. They're other person that I can count on that's gonna grind through the operational work of keeping the lights on and keeping things going. So it's really just about, and if you have no background at all, to me, sometimes the best person because they're multiple, they're malleable. But really because it's such a large space, it really is about finding what your passion is and finding what interests you and trying to get good at that.
Katherine Druckman (00:51:26):
I love it. Not to get on a soapbox, but I personally obviously feel like there aren't enough women working in cybersecurity. And at the same time, I think it's important to fix it because men and women think differently. A woman has a different lived experience. The experience of walking down a city street as a man or a woman or depending on your appearance or many other factors is completely different. And your approach to danger and safety and security is affected by that. And I think it's important to have those voices. So I appreciate you saying that.
Marcus Sailler (00:52:04):
Yeah, it's unfortunate to say this, but women make the best threat modelers, They can look into a room and size up all the danger immediately. Not to generalize or stereotype, but it's been my experience. And I think in terms of that demographics, you're absolutely right. I think the thing wanna see, the last statistic I read was something like 18% of women in information security, which is abysmal to me. And then I think it's even lower for hackers. I think it's something around the 8% for hackers that are women. So certainly creating those heroes and those people that look like you is, and representation is really what matters in terms of trying to change that. So I definitely have a fair, fairly diverse team. And I think it's just, it's leaders, right? Leaders have to be part of that change too.
Katherine Druckman (00:53:03):
Yeah, I agree for sure. I think it sounds like you have something you would like to ask. No,
Doc Searls (00:53:09):
I was just thinking that <laugh>, well, I like the term actor because this is theater in a way. I, you're on a stage, you're performing you're performing a role, you're looking at playing a hacker hacker as part of your threat modeling. How would a hacker think? Where would a bad hacker think? How would a good hacker deal with a bad hack, a bad hacker? What vulnerabilities would you wanna expose? I mean, you have any idea of exposing things and catching other people at stuff, and there's theater to it in the sense that you want things to move forward and move towards some kind of conclusion where you draw the curtains on that one <laugh> and you put another play on. I dunno if that ever occurs to you or not, but I have two young relatives who are actors and I'm thinking, Hey, maybe they should get into cybersecurity <laugh>.
Marcus Sailler (00:54:10):
Yeah, no, think that's a great correlation because we use the term threat actor and from my perspective, we're emulating or simulating a threat actor. And so we have to have that internal monologue, just like you said, I may know something about an organization that would reveal a vulnerability, but I need to do attribution in terms of what would a threat actor do to get from point A to point Z, me knowing that Z exists. So that internal monologue, that improv, we have to think on our feet. We have to react to defenders. So defenses can sometimes squash us and catch us and we have to pivot and move and think about it from a different perspective or a different angle to try to get around defenses. So I a hundred percent, especially in the social engineering space, really think it is acting. I, I think some of the best social engineers that I know have taken improv classes or even done standup comedy to try to help hone that skill to be able to think on your feet and think critically in a potentially stressful environment. So a hundred percent actors. Yes.
Doc Searls (00:55:26):
Smart. Yeah, that is smart. I <laugh> was thinking, yeah, improv would be great for this, but you're already doing it so you're thinking ahead of me for sure. And I'm wondering, do you have enough people and are you looking to hire more, I mean mean this in a more general sense, not just your company, but I'm thinking for example, the curb weight of every open source code base gets bigger and bigger. There are now 4 million code bases that are active on or at least projects that are active on GitHub alone. There's a lot out there. I would think that you kind of need a bigger and bigger team and not just better tools to deal with all.
Marcus Sailler (00:56:11):
Yeah, I think information security has it's really, I call it Schrodinger's candidate because everybody needs information security professionals, but everybody's also trying to get into information security. It's very hard as an individual to break into the industry. And so nobody I think really gets it right in terms of how do we inject that workforce into a shortage and maintain it and keep it, and folks do leave the industry because it can be sometimes frustrating being understaffed and being under underequipped tool wise. So definitely there's always a need but there's always a need for seniors for experience and season people. And so I think for me, this is why I like early career pipelines because you know make seniors, you don't get them, right. So if I'm a particular unicorn that I want, it's much easier for me to start with a junior person and help grow them to be a unicorn. So yeah, it's definitely something that's a problem in our community. We always need more, always need funding growing. It's evolving. Just the sheer number of commercial products out there that are security related. It's staggering. I think they've started to come run outta names to call it. And so they're just calling it weird fancy names that I've never heard of <laugh>. But yeah, <laugh> certainly a big problem. And I think in the community is just resources. It's finding people to sit in the chairs, to be honest.
Doc Searls (00:57:55):
I almost wonder if there's an end point where it gets too difficult. I mean where <laugh> all the code gets too big, too complex I don't know. I mean almost feel I've felt for way too long a time. There's some kind of paradigm shift that's gonna come and we're gonna do everything differently. We'll still have networks, but the way we've gotta process stuff is gonna be different. Is there a sense of that maybe everything we're working on now gets thrown out? Kind of like what happened with mainframes? Mainframes ever went away. We've had a guest on recently who talked about that the mainframe business is alive and well. But PCs came in and they were ignored at first, then all of a sudden everybody had 'em. And I'm wondering if you think that, wait a minute, some big thing may happen here is not gonna be web three or the metaverse is gonna be some other thing.
Marcus Sailler (00:58:40):
Well I'm still waiting for the singularity. So when AI, and I'll take over. So I see a AI and ML being a drive for force and change in a lot of other industries. I tend to look at it in the security space is not quite there yet cuz there's a lot of critical thinking and interpretation that goes into risk management. So I wanna see a tipping point where it gets better and actually helps reduce the load on the individuals because a lot of it is just manual analysis, knowing what you're looking at and knowing if it's good or bad when it's in sea, sea or an ocean or universe of normal. So base lining is difficult and often takes a human eye, but that's the hope that progresses and maybe it puts me out of a job, but I don't think anytime. So not in my career.
Doc Searls (00:59:38):
Well we've down pretty much at the end of the show at this point and this is where we often ask what's one final question that we haven't asked, but one I haven't asked and is we made the title of the show before we started The Hacker's Ethical Dilemma. What is the dilemma? Could you summarize by saying what that exactly is?
Marcus Sailler (01:00:01):
Yeah, I think this goes, yeah, it go back to the open source element of creating tool sets, the open office and security tool set. And the dilemma is like, do I shine light on a problem and collaborate an open way using open source? Or do I hope knowing that threat actors with intent could pick up on them and use them. And we've seen it happen. I mean we've seen Breach as a result of them using ethical hackers tools. So the dilemma is like what do you do about it? You not do that security research and hope that the threat actors don't get there first or is there a way that you can still do that and protect the community or protect organizations from threat actors using your tools for bad? And I think it's a dilemma that I've seen a lot of security researchers kind of struggle with and oftentimes really feel bad about in terms of what their tools were used for after they release them. But it also has advanced the security space and security products in my opinion, infinitely. So we've seen a lot of good things get fixed the threat actors have used maybe because of these tools, but me, maybe not because some of the open source offset tooling. So I think the dilemma that I wanted to highlight in terms of that title
Doc Searls (01:01:25):
That That's great. I also liked what you said earlier, I didn't think it was you were quoting somebody that the key ist to stop, it's actually to move faster. That's a <laugh> That kind of goes with what you were just saying about there are a lot of improvements coming along at, it's all moving well with more things coming into the world. And I may be putting that wrong, but we don't have time to make me write yet <laugh>, unless you insist
Marcus Sailler (01:01:51):
You got it. No, that's right. You got
Doc Searls (01:01:52):
It. That's close enough. Okay, that'll do that. That's a patch. It'll work. We always close that. These two questions, what are your favorite text editor and scripting language?
Marcus Sailler (01:02:04):
So I'm probably gonna get popcorn thrown at me no matter how many languages I pick up or play with, whether it's Python or C Sharp or whatever, I still really enjoy Unix, command line corn, shell and Bash. I still write tools using those. So scripting language, whatever. And so I'm also very old school on the editor. I'm a VI guy. It was just how I was taught. Yeah, people always joke about not being able to exit vi. I have problems with Nano. I can't save or get outta nano to save my life but I can do some fancy crazy stuff or them, which I use more these days.
Doc Searls (01:02:45):
I don't think either. Approve of your answers, Gordon. Yeah, no those are,
Katherine Druckman (01:02:49):
Yeah, totally approve. Those would probably be my answers too. That's
Marcus Sailler (01:02:52):
All good.
Doc Searls (01:02:55):
Well there's been great heavy on the show and I'd love to have you back some time to talk about whatever has changed <laugh> and hopefully you haven't stayed ahead of everything along the way.
Marcus Sailler (01:03:10):
Yeah, would love to come back. Thank you for having me.
Doc Searls (01:03:14):
Thanks again. So Catherine, how was F for you? That Yeah,
Katherine Druckman (01:03:18):
It was great. This is a topic question. Well, I enjoy this topic. It's something that I do in the day job and I do evangelize open source at Intel. I should mention that as a, I guess that's a disclaimer or my opinions.
Doc Searls (01:03:33):
It could also be a plug. I mean you're you.
Katherine Druckman (01:03:36):
Yeah. Or a disclaimer. Both of those. I do and I talk to security people and I talk about security and I research and it's a lot of fun. So this is a great topic for me and I really enjoyed it and I enjoy hearing other people's perspectives. I am so entrenched in open source thinking and open source ethos and everything that I really, really enjoy hearing perspectives from people who maybe see things slightly differently from me. And I think that's incredibly valuable. So yeah, it was great.
Doc Searls (01:04:13):
Yeah, this is solid. And I, a big takeaway for me is that I like to tell my young actor friends that are, don't like their jobs cuz no actor, most actors are doing something else anyway. <laugh> not acting for a living. There's not much of a living in that. But there might be something in this area cuz you're actually doing some good in the world and or you're keeping bad things from happening, you're helping. Yeah.
Katherine Druckman (01:04:42):
I
Doc Searls (01:04:42):
Mean hopefully companies, the military public institutions safe and I think there's adventure to it because it changes all the time. It's not staying in one place. So anything
Katherine Druckman (01:05:01):
Else? I think that's probably, Yeah,
Doc Searls (01:05:02):
Yeah.
Katherine Druckman (01:05:04):
<laugh>. Oh, I was just saying, yeah, that kind of attracts me to it for too. Always changing. You will never get bored talking about security.
Doc Searls (01:05:14):
Yeah, I think the security shows are among the most popular here on the TWiT network as well. For good reason. Well, anything else you'd like to plug before we move on? I'll have to look at
Katherine Druckman (01:05:26):
Who's next. I think so follow me on Twitter and then I'll think of something to plug. I'll plug it there. <laugh>,
Doc Searls (01:05:33):
And I'm looking here. It'ss coming up next week. I never keep up with this. Okay, I got it. Heart Montgomery he's with the Hyperledger Foundation is part of the Linux Foundation but that's changed a lot over time. That's sort of the blockchain identity says stuff that's going on there. We had Brian Bellor fund earlier. He was there, he's moved on and now heart's there. So he's coming up next week and until then, it's been great having you. I'm Doc Searles. This is FLOSS Weekly. See you next week.
Speaker 5 (01:06:13):
Hey folks, I'm Ant Pruitt and what do you get Your favorite tech? Tick Eat that has everything. A club TWiT gift subscription. Of course, TWIT podcasts keep them informed and entertained with the most relevant tech news podcasts available. With the Club TWiT subscription. They get access to all of our podcasts ad free. They also get access to our members only Discord, access to exclusive outtakes behind the scenes in special content such as AMAs, which I just love hosting. Plus exclusive shows such as Hands on Mac, End Zone Windows, and The Untitled Linux Show. Purchase Your Geeks gift at twit.tv/club twit and it will. Thank you every day.
