WEBVTT 1 00:00:01.080 --> 00:00:03.000 How'd you like to listen to dot net rocks with 2 00:00:03.040 --> 00:00:07.879 no ads? Easy? Become a patron for just five dollars 3 00:00:07.919 --> 00:00:10.800 a month. You get access to a private RSS feed 4 00:00:10.839 --> 00:00:14.279 where all the shows have no ads. Twenty dollars a month. 5 00:00:14.279 --> 00:00:16.879 We'll get you that and a special dot net Rocks 6 00:00:16.960 --> 00:00:21.000 patron mug. Sign up now at Patreon dot dot NetRocks 7 00:00:21.120 --> 00:00:37.079 dot com. Hey, it's dot net rocks. I'm Carl Franklin 8 00:00:37.159 --> 00:00:41.280 and Amirchard Campbell. We're here again for the nineteen hundredth 9 00:00:41.320 --> 00:00:42.840 and sixty third time. 10 00:00:44.039 --> 00:00:46.439 It's almost like an addiction or a pattern or something. 11 00:00:46.479 --> 00:00:46.880 I don't know. 12 00:00:47.159 --> 00:00:49.000 You think one of these days we'll figure it out. 13 00:00:49.119 --> 00:00:50.960 I don't know. If we're going out, we would have 14 00:00:50.960 --> 00:00:51.520 buy now right. 15 00:00:51.640 --> 00:00:54.679 Maybe we will talk about what happened in the year 16 00:00:54.759 --> 00:00:58.000 nineteen sixty three in just a minute. But first let's 17 00:00:58.119 --> 00:00:59.840 roll the music for better no framework. 18 00:01:07.480 --> 00:01:08.799 All right, dude, what do you got? 19 00:01:08.840 --> 00:01:09.000 Well? 20 00:01:09.040 --> 00:01:12.480 This came from Simon Cropp, who is a font of 21 00:01:12.640 --> 00:01:14.840 all good things, especially in the. 22 00:01:14.840 --> 00:01:16.519 Area of tests at Bexter. 23 00:01:16.840 --> 00:01:21.799 Yeah. He found this tool called xUnit dot Combinatorial Oh, 24 00:01:21.840 --> 00:01:24.439 which is a project from Andrew Arnott on the Visual 25 00:01:24.480 --> 00:01:28.239 Studio Platform team but instead of pointing you to the docks, 26 00:01:28.280 --> 00:01:32.239 which he said are okay, But this particular blog post 27 00:01:32.280 --> 00:01:39.120 by Andrew Locke really talks about it in detail. So basically, 28 00:01:39.319 --> 00:01:45.719 it's a the combinatorial is a weird name but fancy word, 29 00:01:45.719 --> 00:01:47.719 but it's a bunch of features that can make it 30 00:01:47.760 --> 00:01:50.519 easier to generate the test data you need with x 31 00:01:50.640 --> 00:01:54.680 unit nice right, So you can also auto generate parameters, 32 00:01:54.799 --> 00:01:59.560 generate all parameter combinations, or randomly generate values and it's 33 00:01:59.560 --> 00:02:04.400 all with you know, just a simple code you know 34 00:02:04.640 --> 00:02:10.400 theory tests right, and you can use more more attributes 35 00:02:11.000 --> 00:02:20.840 from the combination combinator combinatorial data nice x unit combinatorial. Anyway, 36 00:02:20.840 --> 00:02:22.719 it's really good and there's a lot of examples on 37 00:02:22.719 --> 00:02:27.199 this blog post, so you know, like I said, it's 38 00:02:27.319 --> 00:02:32.240 very easy. Just audit, auto generate permutations and parameters and 39 00:02:32.439 --> 00:02:38.280 custom defined values. Generating values for a single parameter, you 40 00:02:38.319 --> 00:02:42.360 can reduce the number of combinations. So there you go, 41 00:02:42.680 --> 00:02:45.479 know it, learn it, love it. Who's talking to us? Yeah? 42 00:02:45.520 --> 00:02:46.919 I like about that. Do you know what I think 43 00:02:46.960 --> 00:02:49.319 about that particular situation. It's like it's one guy to 44 00:02:49.360 --> 00:02:51.719 write it, but another person to explain it. 45 00:02:51.759 --> 00:02:53.240 Well, enough that you know, how do we want to 46 00:02:53.319 --> 00:02:56.599 use it? Yeah, yeah, yeah, it happens. The two talents 47 00:02:56.759 --> 00:02:58.039 don't necessarily go together. 48 00:02:58.159 --> 00:03:01.120 They don't necessarily go together. Absolutely true. So who's talking 49 00:03:01.120 --> 00:03:03.000 to us today? Richard Graud to comment heal for show 50 00:03:03.039 --> 00:03:05.840 eighteen seventy six, which is back in December twenty three, 51 00:03:05.879 --> 00:03:08.319 when we talk to our friend Laura Belle Maine, who 52 00:03:08.560 --> 00:03:12.599 is a regular conversationalist about security and runs a security 53 00:03:12.599 --> 00:03:16.680 related company. And this was about agile application security, the 54 00:03:16.680 --> 00:03:21.599 idea that you can incorporate security into your workflow, sprint 55 00:03:21.599 --> 00:03:24.120 to sprint, it's not crazy. Don't just try and retrofit it. 56 00:03:24.120 --> 00:03:26.319 At the end, and Rob had this great comedy, says 57 00:03:26.360 --> 00:03:29.759 great show. I especially appreciated discussion centered around making security 58 00:03:29.759 --> 00:03:32.680 easier for the average person and for that matter, the 59 00:03:32.680 --> 00:03:36.159 average developer to implement. So often it has taken that 60 00:03:36.199 --> 00:03:39.479 the cost of security is inconvenience, but I think that 61 00:03:39.560 --> 00:03:42.159 turning this idea on its head and is actually what 62 00:03:42.319 --> 00:03:44.879 needs to happen. In order to get people to do things. 63 00:03:44.879 --> 00:03:48.039 Security must make secure solutions to be the convenience solution. Convenances, 64 00:03:48.199 --> 00:03:52.319 the behavior modification tool need to dimploment better security. I mean, 65 00:03:52.319 --> 00:03:54.360 it's not that convenient about a lock, but you don't 66 00:03:54.360 --> 00:03:56.960 want to give them up. What you would like is 67 00:03:56.960 --> 00:04:00.599 a lock that you can unlock reliably when you want to. 68 00:04:00.919 --> 00:04:05.680 So there's some balance there, I agree, Rob, But it's 69 00:04:05.719 --> 00:04:08.000 good to have the tooling in place. But also, and 70 00:04:08.080 --> 00:04:09.319 I think this is one of the things we talked 71 00:04:09.360 --> 00:04:11.439 about a lot with Laura, was just getting it into 72 00:04:11.479 --> 00:04:13.800 the workflow so that security is never the after. 73 00:04:13.960 --> 00:04:14.199 Yeah. 74 00:04:14.240 --> 00:04:15.919 So Rob, thank you so much for your commented. A 75 00:04:15.960 --> 00:04:17.399 copy of music Coby is on its way to you, 76 00:04:17.439 --> 00:04:19.040 And if you'd like a copy of music go by, 77 00:04:19.240 --> 00:04:21.040 write a comment on the website at dot m Rocks 78 00:04:21.079 --> 00:04:23.319 dot com or on the facebooks publish every show there 79 00:04:23.360 --> 00:04:24.800 and if you comment there and I reading the show, 80 00:04:24.959 --> 00:04:26.120 we'll send you copy of music. O. 81 00:04:26.199 --> 00:04:29.720 All right, shall we talk about the year nineteen sixty three? Sure, 82 00:04:29.879 --> 00:04:33.199 it's a few. Yeah, things that happened in sixty three. 83 00:04:34.759 --> 00:04:40.600 Kennedy assassination, yikes, Vietnam War, it's getting worse. Beatlemania, yeah, 84 00:04:40.680 --> 00:04:43.160 the antidote to the Vietnam War. I guess I remember 85 00:04:43.160 --> 00:04:46.959 Paul McCartney says, yeah, you know, when they were telling 86 00:04:47.079 --> 00:04:49.160 us how to behave in the press, and somebody says, 87 00:04:49.160 --> 00:04:51.560 bring up the Vietnam War. We'd just say, oh, bad woo, 88 00:04:51.839 --> 00:04:52.360 bed war. 89 00:04:52.879 --> 00:04:59.360 That's it. Bet there's any good wars. Yeah, right, bad woo. 90 00:05:01.079 --> 00:05:05.199 Some civil rights things were going on. In sixty three 91 00:05:05.480 --> 00:05:09.480 March on Washington, Martin Luther King delivered his famous I 92 00:05:09.600 --> 00:05:10.839 Have a Dreams speech. 93 00:05:11.199 --> 00:05:15.279 Good speech and then bad war, good speech, good speech. 94 00:05:16.079 --> 00:05:20.079 On the bad side of civil rights. The Sixteenth Street 95 00:05:20.240 --> 00:05:24.639 Baptist Church bombing on September fifteenth, Birmingham, Alabama, killed four 96 00:05:24.720 --> 00:05:29.560 young girls absolutely intensified national outrage and support for the 97 00:05:29.600 --> 00:05:36.199 civil rights movement. Push button telephones, the touchdown, and some 98 00:05:36.279 --> 00:05:40.759 things happened in the nuclear front, right, the Nuclear Test 99 00:05:40.759 --> 00:05:44.000 Band Treaty on October twenty fourth, and the first commercial 100 00:05:44.079 --> 00:05:47.720 nuclear reactor began operation in the US. Anything you want 101 00:05:47.759 --> 00:05:48.279 to say about that. 102 00:05:48.319 --> 00:05:51.639 Richard, Oh, there were so many reactors at that time. 103 00:05:52.160 --> 00:05:54.319 They go back to the fifties, so it depends on 104 00:05:54.360 --> 00:05:59.199 which one we're talking about. But yeah, no, they were 105 00:06:00.079 --> 00:06:02.959 a lot of military related reactors, but then you had 106 00:06:02.959 --> 00:06:08.000 the Westinghouses and the General Electrics building the commercial editions 107 00:06:08.079 --> 00:06:12.480 just to make them reliable. That those were two Gen 108 00:06:12.600 --> 00:06:15.600 one reactors and they were tricky to operate, and they 109 00:06:15.639 --> 00:06:18.040 had very skilled people to operate them, and most part 110 00:06:18.079 --> 00:06:20.439 went well. It's when it grows out over the next 111 00:06:20.480 --> 00:06:22.040 decade that we started to have more problems with. 112 00:06:22.120 --> 00:06:24.600 And was it last week we talked about the integrated circuits. 113 00:06:24.800 --> 00:06:25.720 That was sixty two. 114 00:06:26.040 --> 00:06:28.639 Yeah, we talked a bit about integrated circuits there because 115 00:06:28.680 --> 00:06:31.199 they were struggling still struggling to make them. Then too, 116 00:06:31.680 --> 00:06:36.439 they were part of the equation on the computer front there. 117 00:06:36.519 --> 00:06:39.360 So there's a couple of interesting things. Last week we 118 00:06:39.399 --> 00:06:42.399 talked about the Link computer are really the first personal computer, 119 00:06:42.720 --> 00:06:44.360 but just because you could take one home even though 120 00:06:44.360 --> 00:06:48.079 it was six foot tall. But the following year at DAK, 121 00:06:48.600 --> 00:06:52.480 inspired by that machine, they made the PDP five, which 122 00:06:52.560 --> 00:06:55.040 arguably is the first mass produced mini computer. There were 123 00:06:55.079 --> 00:06:58.000 only over fifty links made, so these were twelve bit 124 00:06:58.079 --> 00:07:00.680 words and you could get between one and up to 125 00:07:00.759 --> 00:07:04.319 thirty two K words of core memory. This is before 126 00:07:05.079 --> 00:07:08.000 you know integrated circuit memory, so you literally have the 127 00:07:08.040 --> 00:07:13.959 little wound fires cores in wound in copper to store stuff. 128 00:07:14.399 --> 00:07:16.439 Came with an editor, assembler or four track compiler and 129 00:07:16.480 --> 00:07:19.720 a debugger for about twenty seven thousand US dollars and 130 00:07:19.759 --> 00:07:22.879 it was a less expensive computer than the PDP four, 131 00:07:23.639 --> 00:07:26.279 which was also a less expensive computer than the PDP one. 132 00:07:26.360 --> 00:07:29.160 So the original machine made by Deck was very expensive, 133 00:07:29.160 --> 00:07:30.680 and so they made a cheaper one, and this was 134 00:07:30.720 --> 00:07:33.759 even cheaper than that, and this machine, the more advanced 135 00:07:33.800 --> 00:07:35.879 version of the PDB five, will become the very famous 136 00:07:35.920 --> 00:07:42.160 PDP eight. One piece of software from nineteen sixty three 137 00:07:42.240 --> 00:07:45.120 is sketch Pad. So this is Ivan Sutherland who was 138 00:07:45.360 --> 00:07:49.120 writing his PhD thesis, and he was really the ancestor 139 00:07:49.160 --> 00:07:52.680 of CAD software of computer aided design and arguably the 140 00:07:52.759 --> 00:07:56.279 very first guy. It ran on the TX two, which 141 00:07:56.360 --> 00:07:58.759 is a completely unique, one of a kind machine from 142 00:07:58.839 --> 00:08:01.439 nineteen fifty eight built in it only lasted about twenty 143 00:08:01.519 --> 00:08:05.480 years or fifteen years, which had sixty four k of 144 00:08:05.560 --> 00:08:08.000 thirty six bit words and you were able to draw 145 00:08:08.040 --> 00:08:10.879 directly on the screen with a light pen. Yeah there 146 00:08:10.920 --> 00:08:13.360 was no mouse yet Nope, that was Xerox part The 147 00:08:13.399 --> 00:08:17.560 mouse is still coming. Yeah yeah, but you know, these 148 00:08:17.560 --> 00:08:19.600 are all the beginning efforts with these early machines, but 149 00:08:19.839 --> 00:08:23.720 also totally bespoke. This was software that ran on exactly 150 00:08:23.759 --> 00:08:26.079 one computer in the world at the time. 151 00:08:26.399 --> 00:08:28.680 Right, Wow, Yeah. Well, I can't wait to go through 152 00:08:28.720 --> 00:08:33.159 the years here leading up to the computer revolution, because 153 00:08:33.200 --> 00:08:35.799 this is this is where it gets exciting, you know. 154 00:08:36.039 --> 00:08:39.679 Yeah, And it's we're pulling these bits and pieces together 155 00:08:39.720 --> 00:08:43.440 and just seeing like that PDP five it's all transistors. 156 00:08:43.440 --> 00:08:47.080 There's not a single I see in it. It's before that. Right, Wow, 157 00:08:47.720 --> 00:08:48.320 good stuff. 158 00:08:48.679 --> 00:08:51.240 All right, stay tuned for more history lessons from Richard 159 00:08:51.240 --> 00:08:56.080 Campbell and myself. But I suppose it's time to talk 160 00:08:56.159 --> 00:09:01.000 to our guest, Michael Howard. So. Michael is a senior 161 00:09:01.039 --> 00:09:04.399 director in the Microsoft Red Team. If you don't know 162 00:09:04.399 --> 00:09:05.960 what a Red Team is, they're the ones that go 163 00:09:06.080 --> 00:09:09.000 and hack. You'll tell you all about it, and the 164 00:09:09.039 --> 00:09:13.519 hackers focused on improving security design and development across Microsoft. 165 00:09:13.639 --> 00:09:17.519 Based on RT findings. He has been at Microsoft for 166 00:09:17.559 --> 00:09:20.600 thirty three years, almost always in security except for at 167 00:09:20.600 --> 00:09:24.120 the start. We're at Microsoft in New Zealand. He supported 168 00:09:24.159 --> 00:09:28.320 Windows three point x, the Windows SDK, and the Microsoft 169 00:09:28.399 --> 00:09:32.799 C compiler. Currently lives in Austin, Texas. Is an avid 170 00:09:32.960 --> 00:09:36.679 scuba diver and life is now much better because his 171 00:09:36.799 --> 00:09:42.799 wife dives now too fantastic, so she didn't scuba dive 172 00:09:42.879 --> 00:09:45.440 FORR The early years of your relationship, is that it? 173 00:09:45.480 --> 00:09:49.519 Well, I've been diving since ELA's seven. Oh well, okay, 174 00:09:49.720 --> 00:09:54.200 so no, she was absolutely terrified of diving. She felt 175 00:09:54.240 --> 00:09:58.480 very claustrophobic and also like, I live in Austin, so 176 00:09:58.519 --> 00:10:00.960 the closest lake to us for die thing is Lake Travis. 177 00:10:00.960 --> 00:10:02.879 And honestly, the only nice thing about Lake Travis is 178 00:10:02.919 --> 00:10:05.679 it makes every single diving destination looks so much better. 179 00:10:08.559 --> 00:10:09.039 It's just a light. 180 00:10:09.159 --> 00:10:11.799 Not that much diving in Texas really, No. 181 00:10:11.840 --> 00:10:14.919 Actually, there actually is. Actually there's a yeah Travis. Some 182 00:10:14.919 --> 00:10:18.200 of the lakes are really commonly dived. And there's also 183 00:10:18.279 --> 00:10:25.639 abandoned nuclear rocket silo in West Texas called Valhalla, which 184 00:10:25.720 --> 00:10:27.519 I plan on diving this year as well. Its about 185 00:10:27.519 --> 00:10:31.600 one hundred and twenty feet down. How many rads hopefully zero? 186 00:10:33.559 --> 00:10:35.440 There's not a game of fallout, you know, you should 187 00:10:35.519 --> 00:10:37.559 check that out first, take it out. 188 00:10:37.440 --> 00:10:37.960 That's right. 189 00:10:39.159 --> 00:10:42.320 But yeah, it's funny. When my wife got her her certification, 190 00:10:42.519 --> 00:10:44.360 she refused to do it in Lake Travis. So she 191 00:10:44.399 --> 00:10:47.639 flew with a girlfriend to the Virgin Islands. Oh nice, 192 00:10:47.840 --> 00:10:49.639 did a certification there instead? 193 00:10:49.799 --> 00:10:53.039 You find some warm water to swim around in, right, Yeah. 194 00:10:52.759 --> 00:10:54.799 Absolutely, she's a blue water princess. 195 00:10:54.960 --> 00:10:55.200 Yeah. 196 00:10:55.360 --> 00:11:00.360 There so a couple of things RTI Red Team. So 197 00:11:00.480 --> 00:11:02.600 tell me about the Microsoft Red Team. I know what 198 00:11:02.639 --> 00:11:04.919 red teams are because I do a podcast with two 199 00:11:04.960 --> 00:11:08.159 guys on our Red Team about security security this week. 200 00:11:08.519 --> 00:11:11.559 But tell us what the Microsoft Red Team does. Yeah. 201 00:11:11.600 --> 00:11:14.200 We you know, we're basically treated as a real threat 202 00:11:14.240 --> 00:11:19.399 actor in every possible way you could consider that. Nothing's 203 00:11:19.399 --> 00:11:22.279 else on the table except JA. That's good. That's actually 204 00:11:22.279 --> 00:11:25.240 a very good point. There's a story. There's a story 205 00:11:25.279 --> 00:11:27.919 I can probably tell you there about I don't want 206 00:11:27.960 --> 00:11:30.039 to get it, only very careful what I say here, 207 00:11:30.039 --> 00:11:32.919 But I remember showing something on a on a on 208 00:11:32.960 --> 00:11:35.440 a session and someone said, oh you could you know 209 00:11:35.480 --> 00:11:38.320 you can get fired because of that. And then this 210 00:11:38.440 --> 00:11:40.879 friend of mine who's also on the Red Team, colleague 211 00:11:40.919 --> 00:11:42.799 of mine, chimed up and said, well, actually know he's 212 00:11:42.799 --> 00:11:44.519 on the Red team. He can get out of get 213 00:11:44.519 --> 00:11:50.039 a raise. Yeah, the Red Team is really kind of interesting, right. 214 00:11:50.080 --> 00:11:53.120 So our job is ultimately we start off with an objective, 215 00:11:53.360 --> 00:11:57.240 whatever that objective is, and we go for it. And 216 00:11:57.279 --> 00:11:58.799 that's a I mean whatever it takes to get to 217 00:11:58.799 --> 00:12:02.279 that objective. And a big part that I'm involved with 218 00:12:03.200 --> 00:12:07.879 is the readouts as I look at what actually happened, 219 00:12:07.919 --> 00:12:10.360 what was actually done, all the steps along the way, 220 00:12:11.360 --> 00:12:14.120 and so okay, so what was the for example, the beachhead, 221 00:12:14.240 --> 00:12:16.440 you know, what got the Red team into the environment 222 00:12:16.480 --> 00:12:18.120 and where did they go from there? And how did 223 00:12:18.120 --> 00:12:21.080 they get there? Was it a security vulnerability? Was it, 224 00:12:21.600 --> 00:12:23.919 you know, like from a code level perspective, or was 225 00:12:23.960 --> 00:12:27.440 it a week commission on something? Was it insecure this 226 00:12:27.559 --> 00:12:29.200 that and the other? Was it a combination of things? 227 00:12:29.240 --> 00:12:31.240 The whole point is for me to learn those things 228 00:12:31.679 --> 00:12:35.720 and then turn that into appropriate material for inside of Microsoft, 229 00:12:35.919 --> 00:12:38.200 and eventually we'll make a lot of that available outside 230 00:12:38.240 --> 00:12:40.559 Microsoft as well. But we're starting internally obviously. 231 00:12:40.840 --> 00:12:43.360 Are you primarily focused on Azure because I know that 232 00:12:43.360 --> 00:12:45.919 that's kind of where you where you live, But what 233 00:12:46.039 --> 00:12:49.080 about internal offices and things like that? 234 00:12:49.320 --> 00:12:49.559 Yes? 235 00:12:50.000 --> 00:12:51.960 Both, Yes, I'll just leave it at that. 236 00:12:52.240 --> 00:12:54.440 Nothing's off the table, nothing's on the table at all. 237 00:12:55.120 --> 00:12:58.679 What's that's kind of interesting is the Red Team. Now. 238 00:12:58.720 --> 00:13:01.240 The Microsoft Red Team is really a sort of conglomeration 239 00:13:01.399 --> 00:13:05.679 of multiple Red teams that existed across Microsoft, now reporting 240 00:13:05.759 --> 00:13:10.000 under one essentially management chain, essentially on the Scott gu three. 241 00:13:10.080 --> 00:13:13.519 Ultimately if those cuts you know, primarily Asia, I mean 242 00:13:13.519 --> 00:13:15.200 he obviously Windows rolls up there as well. 243 00:13:15.559 --> 00:13:18.759 Right, Penetration tests are kind of expensive. Do you do 244 00:13:18.799 --> 00:13:19.799 them around the clock? 245 00:13:20.039 --> 00:13:22.440 We do so. So pen testing is not red teaming, right, 246 00:13:22.480 --> 00:13:25.720 I mean pent testing is you almost say, hey, I 247 00:13:25.799 --> 00:13:27.679 want you to go and you know, kick the you 248 00:13:27.759 --> 00:13:30.840 know what out of this product, right. Red Team starts 249 00:13:30.840 --> 00:13:35.279 from an objective and objective yeah, oh yeah, we don't 250 00:13:35.279 --> 00:13:38.759 tell anybody. We don't tell anybody. You know, we want 251 00:13:38.799 --> 00:13:42.720 to create tokens or we want to air quotes, steal 252 00:13:42.799 --> 00:13:46.559 money from something whatever. Right, that's the objective. And whoever 253 00:13:46.600 --> 00:13:49.960 we trample along the way get strampled along the way. 254 00:13:50.559 --> 00:13:53.279 Whereas pen testing is quite different. It's like, you know, hey, 255 00:13:53.440 --> 00:13:56.759 find bugs and share point online, find bugs in I 256 00:13:57.120 --> 00:13:58.039 S or find bugs and. 257 00:13:58.120 --> 00:14:00.000 Dot it find vulnerabildings. 258 00:14:00.480 --> 00:14:01.679 Yeah, quite different. 259 00:14:01.720 --> 00:14:04.080 So the difference is a pentest they ask you to 260 00:14:04.159 --> 00:14:06.759 do X. In Red Team, they don't even know what 261 00:14:06.799 --> 00:14:09.159 you're up to. You're just hack hack hack hack. 262 00:14:09.200 --> 00:14:13.840 Yeah, and you know we'll leaven, not just like attackers. Right, 263 00:14:13.919 --> 00:14:18.279 So if we are detected, we will you know, change 264 00:14:18.360 --> 00:14:21.279 course and we will try to will try to obfuscate, 265 00:14:21.679 --> 00:14:24.039 if me deleting logs or whatever, We'll do it whatever 266 00:14:24.120 --> 00:14:27.159 needs to be done right, and you know, it's a 267 00:14:27.200 --> 00:14:27.840 beautiful thing. 268 00:14:27.919 --> 00:14:28.159 Really. 269 00:14:28.320 --> 00:14:32.080 I asked Twayne Laflatte, who's the head of the Red 270 00:14:32.120 --> 00:14:35.320 Team at Pulsar Security, where then I do the podcast with? 271 00:14:36.639 --> 00:14:38.919 I asked every once in a while, like, do you 272 00:14:38.960 --> 00:14:41.840 ever get asked, why aren't you a criminal? You know, 273 00:14:42.000 --> 00:14:44.240 you know all this stuff you can get, you know 274 00:14:44.240 --> 00:14:47.559 how to get it. He's always giving away criminal career advice, 275 00:14:48.159 --> 00:14:54.039 you know, and he says, because I'm a good human. Duh. 276 00:14:54.120 --> 00:14:55.879 Yes, it's interesting. I mean, you know a lot of 277 00:14:55.919 --> 00:14:58.320 people that I work with, I mean it's the same thing. 278 00:14:58.440 --> 00:15:01.399 I mean, they're incredibly nice people, like truly nice people, 279 00:15:02.720 --> 00:15:07.039 but they just have this way of thinking about things 280 00:15:08.039 --> 00:15:11.759 that a lot of people don't. There's an analogy I 281 00:15:11.879 --> 00:15:14.120 like to give. You. Even heard the story right where 282 00:15:14.120 --> 00:15:15.960 people said, you know, we'll only make things more secure 283 00:15:16.000 --> 00:15:18.639 when we get more people thinking like attackers. Well, my 284 00:15:18.759 --> 00:15:21.080 argument is you can't do that unless you are one. 285 00:15:22.240 --> 00:15:24.480 And the example I gave because I mentioned this to 286 00:15:24.519 --> 00:15:26.799 my wife, this is years ago. We were some word 287 00:15:26.799 --> 00:15:28.720 I don't know where it was, I mean camera to 288 00:15:28.799 --> 00:15:32.360 this ATM machine and it said hey on the screen, 289 00:15:32.399 --> 00:15:34.360 it said, hey, hey, if this temper evident tape is 290 00:15:34.399 --> 00:15:37.480 tampered with, don't use the device. And I said to 291 00:15:37.519 --> 00:15:38.759 my wife, said, do you think that's a good thing? 292 00:15:38.799 --> 00:15:40.879 So well, I don't know what it's even protecting against. 293 00:15:41.279 --> 00:15:42.919 And I said, well, so you know, quick, give her 294 00:15:42.879 --> 00:15:47.279 a quick skimming one oh one, and it's a magnificent difference. 295 00:15:47.320 --> 00:15:49.639 And that's stupid. She said, what do you mean, Well, 296 00:15:49.720 --> 00:15:51.279 don't you think the criminals can make their own temper 297 00:15:51.360 --> 00:15:54.960 evident tape number one number two? It's actually worse than that. 298 00:15:55.120 --> 00:15:57.919 I can knock out every single ATM in town. So 299 00:15:58.039 --> 00:15:59.279 what do you mean, I still just take my pocket 300 00:15:59.360 --> 00:16:01.120 knifeound just every single piece of. 301 00:16:01.039 --> 00:16:02.240 Type, start cutting the tape. 302 00:16:02.279 --> 00:16:04.679 Yeah, so I'm using the defense against yourself. It's like, 303 00:16:04.919 --> 00:16:06.399 how did you even think of that? 304 00:16:06.720 --> 00:16:08.399 Because ease e. 305 00:16:09.759 --> 00:16:13.000 But you have to have an evil mind. 306 00:16:13.120 --> 00:16:15.440 You have to think, oh I would I would consider 307 00:16:15.480 --> 00:16:19.480 myself I don't know, probably chaotic good, Okay, Yeah. 308 00:16:19.919 --> 00:16:22.559 It's a contrarian mind, just to think of the opposites 309 00:16:22.600 --> 00:16:24.600 of things too. I did a show on run As 310 00:16:25.440 --> 00:16:27.080 not that long ago, maybe I'll just go back in 311 00:16:27.120 --> 00:16:29.919 May with your ideogenous who did a book on how 312 00:16:29.919 --> 00:16:32.200 to get a career in cybersecurity, excellent book and the 313 00:16:32.240 --> 00:16:34.000 thing and he talked about the fact that, you know, 314 00:16:34.080 --> 00:16:37.159 most things insecurity are teachable. The thing that isn't teachable 315 00:16:37.360 --> 00:16:41.639 is this sort of insatiable curiosity to just keep wanting 316 00:16:41.639 --> 00:16:44.799 to pay poke away things, try a different way, keep 317 00:16:44.840 --> 00:16:47.799 on pressing. If you don't have that, this isn't the 318 00:16:47.919 --> 00:16:48.480 job for you. 319 00:16:50.159 --> 00:16:52.000 Whenever I'm interviewing people, one of the things I do 320 00:16:52.080 --> 00:16:55.080 look for is that fire in the belly. Right, It's 321 00:16:55.120 --> 00:16:59.279 that passion to learn, that passion to dig deeper. I 322 00:16:59.320 --> 00:17:01.000 don't know you. I'm you guys probably the same as me. 323 00:17:01.039 --> 00:17:02.080 Right when I was a little kid, I was the 324 00:17:02.080 --> 00:17:05.680 guy in the corner of reading encyclopedias, you know I was. 325 00:17:05.799 --> 00:17:07.880 I was taking apart my tape recorders and trying to 326 00:17:07.880 --> 00:17:09.680 put them back together unsuccessfully. 327 00:17:10.039 --> 00:17:12.359 Right, But you learned a lot right getting. 328 00:17:12.039 --> 00:17:14.279 Whacked by my mother. M Yeah, I learned that I 329 00:17:14.279 --> 00:17:19.720 probably shouldn't take my taper. Yeah, can I have another one? 330 00:17:22.519 --> 00:17:25.799 I might have made my tape recorder explode. Actually that's 331 00:17:25.839 --> 00:17:26.359 probably worse. 332 00:17:27.240 --> 00:17:31.359 Oh, the stuff I the thermite substitute for batteries. 333 00:17:32.359 --> 00:17:34.319 So I got to actually got an explosion story there. 334 00:17:34.319 --> 00:17:35.400 When I was a kid, I went to that, this 335 00:17:35.480 --> 00:17:37.160 is New Zealand. I went to the local chemist and 336 00:17:37.240 --> 00:17:39.559 of course I went, hey, can I get some you know, 337 00:17:40.160 --> 00:17:45.519 carbon potassium? I said, saltpeter and sulfur. The guy's like, come. 338 00:17:45.400 --> 00:17:47.000 On making gunpowder? 339 00:17:47.119 --> 00:17:49.400 It is like but you know what he said though, 340 00:17:49.480 --> 00:17:51.359 He said, I've got two options. I can send you 341 00:17:51.400 --> 00:17:53.519 on your on your way, but you're gonna. 342 00:17:53.240 --> 00:17:54.799 Do it anyway. 343 00:17:54.960 --> 00:17:57.240 Or I can show you how to do it safely. 344 00:17:58.039 --> 00:17:59.440 And he showed me how to do it safely. 345 00:17:59.680 --> 00:17:59.960 Nice. 346 00:18:00.079 --> 00:18:04.119 Wow, that's good. Yeah, don't ask about explosion stories your fingers. 347 00:18:04.920 --> 00:18:08.599 You know. I told the thermiting the old server so 348 00:18:08.640 --> 00:18:10.720 that we ended up with funky jewelry and a memory 349 00:18:11.400 --> 00:18:16.160 story the other day. Yes, and it was a bad 350 00:18:16.240 --> 00:18:19.880 child that it was a practical end for a server 351 00:18:19.960 --> 00:18:22.920 that everyone hated. Well, I was talking about your teenager 352 00:18:23.039 --> 00:18:25.680 or the other the many other expos in this day 353 00:18:25.720 --> 00:18:28.480 and age. I just be labeled as a terrorist, probably 354 00:18:29.200 --> 00:18:35.400 Canadian polite tarress. What I was was under supervised, clearly, all. 355 00:18:35.359 --> 00:18:38.400 Right, So what did you come here and talk about? 356 00:18:38.599 --> 00:18:40.960 Because we could. We could talk about this stuff all day. 357 00:18:41.079 --> 00:18:43.319 Mm hmm, yeah, I mean, I mean it's in my background. 358 00:18:44.359 --> 00:18:46.599 That's you know, sort of mentioned in the brief bio 359 00:18:46.680 --> 00:18:53.440 at the beginning. IS is essentially security however, is an 360 00:18:53.440 --> 00:18:56.839 interesting topic, right because I originally started when I moved 361 00:18:56.839 --> 00:19:01.279 to Redmond from from New Zealand. I got a job 362 00:19:01.279 --> 00:19:04.720 in IIS and the web server intet Information Internet's information 363 00:19:04.799 --> 00:19:07.960 server as it was then now at Services, but same difference, 364 00:19:10.640 --> 00:19:13.160 and I eventually took on the role as the security 365 00:19:13.160 --> 00:19:17.240 PM in IS. Three. I know, you guys are going 366 00:19:17.319 --> 00:19:19.200 to start giggling to yourself, and I sort of mentioned 367 00:19:19.240 --> 00:19:19.680 this stuff. 368 00:19:19.680 --> 00:19:22.240 Now that made a lot of money off the challenge 369 00:19:22.880 --> 00:19:23.279 in there. 370 00:19:23.400 --> 00:19:25.039 There's a challenge to keep that secure. 371 00:19:26.640 --> 00:19:28.599 There's so many stories. When I retire, I think I'll 372 00:19:28.599 --> 00:19:29.400 write a book on it. 373 00:19:30.119 --> 00:19:33.279 But three four you've already written a bunch of books there, 374 00:19:33.400 --> 00:19:33.799 I have. 375 00:19:33.880 --> 00:19:37.160 I have, that's right, yeah. But I three four, five 376 00:19:37.240 --> 00:19:39.720 were interesting, right because they were full of security features, 377 00:19:39.799 --> 00:19:42.920 especially five five was full of security features. We had 378 00:19:42.960 --> 00:19:45.960 Cerbros integration, we had certificate services. I think it may 379 00:19:46.000 --> 00:19:49.160 have been actually the first web server that did serve 380 00:19:49.160 --> 00:19:53.759 aside certificate revocation of client certificates. I think it was 381 00:19:53.799 --> 00:19:57.680 the first one. We're really hardcore actually about that if 382 00:19:57.720 --> 00:19:59.960 we couldn't reach the crill distribution point. But that's all 383 00:20:00.000 --> 00:20:03.720 whole nother discussion. But you know, did they have security features? Yeah, 384 00:20:03.720 --> 00:20:07.119 had a ton of security features, But were they secure features, right, 385 00:20:07.200 --> 00:20:09.160 ann answers potentially No. 386 00:20:09.480 --> 00:20:11.839 I remember path traversal was a problem. 387 00:20:13.000 --> 00:20:17.599 Yeah, a canonicalization, right, Colonicalization was was a huge problem 388 00:20:17.759 --> 00:20:21.599 and we even saw it in in dartn Air, right, 389 00:20:21.599 --> 00:20:25.079 there was an anti cross site scripting library, right, and 390 00:20:25.319 --> 00:20:28.359 up being so many ways around it that we just thought, 391 00:20:28.519 --> 00:20:32.680 we just can't maintain this, right, And so yeah, I could. 392 00:20:32.759 --> 00:20:37.559 I could talk forever about colonicalization problems. I'm a big, big, 393 00:20:37.599 --> 00:20:42.079 big fan of canonicalization. In fact, canonicalization or two tokens 394 00:20:42.160 --> 00:20:44.400 kind of worry me. But that's a whole nother discussion 395 00:20:44.400 --> 00:20:47.440 where you basically doing string comparisons to make access decisions. 396 00:20:48.079 --> 00:20:50.160 Is there a more than one way of representing something 397 00:20:50.200 --> 00:20:54.799 that's valid that you're not looking for? But so, yeah, 398 00:20:54.839 --> 00:20:57.519 I mean so I S three, four, five, especially five. 399 00:20:57.599 --> 00:21:00.599 Lots of security features, but not particularly secure features, said Carl. 400 00:21:00.960 --> 00:21:06.599 Canonicalization pas traversal were big ones, and so I ended 401 00:21:06.680 --> 00:21:08.519