Säkerhetspodcasten ep. 94 - Dave Lewis, Steve Lord, Aaron Guzman
Contents
This is an interview episode recorded during SecurityFest 2017. The episode contains three interviews with Dave Lewis, Steve Lord and Aaron Guzman, three of the speakers at the conference. Timestamps for the interviews: 0:00 Dave Lewis, 8:20 Steve Lord, 22:45 Aaron Guzman.
Recorded: 2017-06-01. Length: 00:41:00.
AI transcription
The AI is trying to understand us… Please bear with the crazy mistranscriptions.
1 00:00:00,000 --> 00:00:09,000
Hi and welcome to Säkerhetspodcasten, which is recording today from Securityfest at Eriksbergshallen in Göteborg.
2 00:00:10,680 --> 00:00:22,080
We have listened to a number of exciting talks here, and right now I have with me one of the speakers, Dave Lewis from Akamai.
3 00:00:22,520 --> 00:00:23,160
Welcome Dave.
4 00:00:23,420 --> 00:00:24,120
Thanks for having me.
5 00:00:24,120 --> 00:00:30,400
I first want to thank you for a fantastic presentation. I think it was very good.
6 00:00:30,860 --> 00:00:40,100
You showed a couple of things that I think many people should listen to and take to heart.
7 00:00:41,240 --> 00:00:48,400
Just for our audience who aren’t here today, could you briefly say what you talked about?
8 00:00:48,520 --> 00:00:49,240
Yes, sure.
9 00:00:50,140 --> 00:00:53,820
One of the things that I have tried to do is that I have gone through and picked out data breach.
10 00:00:54,000 --> 00:00:54,040
Publicity.
11 00:00:54,120 --> 00:01:00,160
Public disclosures for 2016 and started going through them trying to look for commonalities, root causes, things like that.
12 00:01:00,880 --> 00:01:08,940
And the one overarching problem that I saw was really related back to patch management issues or the lack of patches being applied in many cases.
13 00:01:09,260 --> 00:01:14,640
So I tried to set it up where I was going to do, oh, you know, this is the percentage of this, this is the percentage of that.
14 00:01:14,940 --> 00:01:22,580
And the way the data was reported or the information was presented was such a way that it was so much heavy lifting that actually the talk turned into a narrative.
15 00:01:22,580 --> 00:01:28,320
And I discovered that when I’m extremely jet lagged, the talk goes a little faster than I anticipated.
16 00:01:29,320 --> 00:01:39,500
The problem really does boil down to very old problems, as one person mentioned during questions, that these are a lot of these problems are old problems that we’ve known about for a long time, but that’s just it.
17 00:01:39,600 --> 00:01:45,980
We tend to have this bad habit of ignoring the old problems in face of the new shiny things that pop up.
18 00:01:45,980 --> 00:01:51,260
Yes. I mean, I think this applies to all industries.
19 00:01:52,060 --> 00:01:52,220
Yes.
20 00:01:52,580 --> 00:02:05,280
And when you look at systems with cobwebs all over them, I mean, that exists in all sectors.
21 00:02:05,280 --> 00:02:18,640
And like you said, we’re as security professionals, we can work in almost any sector because we have a skill set that’s applicable basically in all industries.
22 00:02:19,060 --> 00:02:19,660
Yeah, absolutely.
23 00:02:19,860 --> 00:02:22,280
And the one thing that we have to do collectively as security professionals.
24 00:02:22,580 --> 00:02:27,340
A better job of that is, is understanding the organization you’re working for.
25 00:02:27,520 --> 00:02:27,780
Yes.
26 00:02:27,880 --> 00:02:30,920
So the risks will change from one organization to the next.
27 00:02:30,920 --> 00:02:42,740
So what would be a vulnerability on a system for this particular organization may have absolutely nothing to do with another company who has that particular system segregated off in a zone that can’t be reached.
28 00:02:42,940 --> 00:02:43,400
Yeah, yeah.
29 00:02:44,660 --> 00:02:51,920
So in your experience, when you look at these…
30 00:02:52,580 --> 00:02:58,960
...security breaches, what would you say was the common denominator?
31 00:03:00,160 --> 00:03:10,140
Is it poor management or would you say it’s lack of understanding or is it simply lack of processes?
32 00:03:10,860 --> 00:03:17,860
So the lack of processes I can’t really speak to because that would be an organizational thing that each organization will do differently.
33 00:03:18,520 --> 00:03:22,420
From an external view, it appears to be a patch management issue.
34 00:03:22,580 --> 00:03:30,320
Because a lot of the times of the breaches that were discussed really could track back to a missing patch or something as simple as a configuration issue.
35 00:03:30,920 --> 00:03:39,980
For example, there was one, a defense contractor, just in the last 24 hours, it was discovered that he had posted all sorts of intelligence data on a publicly available AMI.
36 00:03:40,740 --> 00:03:44,120
So from a process perspective, that should never happen.
37 00:03:44,180 --> 00:03:47,300
And I’m willing to bet that organization is very clear that that shouldn’t have happened.
38 00:03:47,520 --> 00:03:49,460
So I think that was an outlier.
39 00:03:50,660 --> 00:03:52,020
But that’s one of those problems.
40 00:03:52,020 --> 00:03:57,180
We have to be ever vigilant because these mistakes will happen as well as patches will get missed.
41 00:03:57,540 --> 00:03:59,200
We look at the WannaCry stuff.
42 00:03:59,940 --> 00:04:04,680
Granted, the patch came out in March, but SMB version 1 could have been turned off a long, long time ago.
43 00:04:06,160 --> 00:04:11,860
You also said something that’s important.
44 00:04:12,480 --> 00:04:19,340
And it’s an important lesson, I think, for people working within this space of security.
45 00:04:19,340 --> 00:04:21,340
And that is being able to…
46 00:04:22,020 --> 00:04:26,780
To speak in a language that management understands.
47 00:04:27,100 --> 00:04:29,140
And that is putting it down in monetary terms.
48 00:04:29,320 --> 00:04:34,300
Okay, how much should we evaluate this risk to?
49 00:04:34,560 --> 00:04:41,580
And what could be the possible implications if this was exploited?
50 00:04:42,060 --> 00:04:43,200
And that’s just it.
51 00:04:43,240 --> 00:04:45,520
We have to be able to speak to them in a language they’ll understand.
52 00:04:45,800 --> 00:04:50,340
If we go in there literally with our hair on fire saying, vulnerability to this will pop a shell on…
53 00:04:50,340 --> 00:04:51,720
They don’t understand that.
54 00:04:52,020 --> 00:04:54,140
And that’s not their job to understand that.
55 00:04:54,360 --> 00:04:55,600
They understand risk.
56 00:04:56,260 --> 00:05:01,320
And if you can put terms in such a way they can understand as to what the risk is to the environment,
57 00:05:01,420 --> 00:05:05,880
how much it’ll cost, what will be the damage if this in fact came to pass.
58 00:05:06,320 --> 00:05:07,480
That’s stuff they can understand.
59 00:05:07,640 --> 00:05:08,760
That’s stuff they can action on.
60 00:05:09,080 --> 00:05:10,800
And that’s where you end up actually getting your budget.
61 00:05:10,920 --> 00:05:15,740
Not from running with your hair on fire, but giving a clear, concise business case as to how the risk is going to be managed.
62 00:05:15,740 --> 00:05:21,860
And I think it’s probably one of those areas where we…
63 00:05:22,020 --> 00:05:25,440
We see a lot of…
64 00:05:25,440 --> 00:05:32,700
There is a gap between what security people like to do and what they are good at.
65 00:05:33,060 --> 00:05:39,540
And what security people should do in order to actually make a difference.
66 00:05:40,520 --> 00:05:47,180
And that is, I mean, personally I’m working in the management team where I am right now.
67 00:05:47,180 --> 00:05:51,720
So I mean, I need to use their language all the time.
68 00:05:52,020 --> 00:05:52,740
So it’s…
69 00:05:52,740 --> 00:06:04,620
But I think a lot of people, they like to get around and do pen tests and find the vulnerabilities in the system
70 00:06:04,620 --> 00:06:06,600
and get all carried away with that.
71 00:06:07,300 --> 00:06:11,540
But we need to get good at talking to management as well.
72 00:06:11,980 --> 00:06:15,180
Yeah, and I’m absolutely guilty of the aforementioned.
73 00:06:16,200 --> 00:06:19,340
For example, I was at the Hack in the Box conference just recently.
74 00:06:19,800 --> 00:06:22,000
I was listening to a talk and I was thinking about it.
75 00:06:22,000 --> 00:06:26,800
And then all of a sudden I spun up my laptop and I was reversing Android apps because,
76 00:06:26,800 --> 00:06:28,800
well, it seemed like the thing to do at the time.
77 00:06:28,800 --> 00:06:31,340
And it’s one of those things where we literally will go,
78 00:06:31,340 --> 00:06:33,340
ooh, shiny, and chase the rabbit down the hole.
79 00:06:33,340 --> 00:06:35,340
But you’re absolutely right.
80 00:06:35,340 --> 00:06:37,340
While it’s fun to do that sort of thing,
81 00:06:37,340 --> 00:06:42,340
like when you’re doing a pen test and you’re able to gain access to a system that really you shouldn’t have been able to gain access to,
82 00:06:42,340 --> 00:06:44,340
there is a level…
83 00:06:44,340 --> 00:06:46,340
Exactly. There’s a level of euphoria there.
84 00:06:46,340 --> 00:06:48,340
And it’s a rush.
85 00:06:48,340 --> 00:06:50,340
And you kind of get addicted to the rush.
86 00:06:50,340 --> 00:06:50,840
Yeah.
87 00:06:50,840 --> 00:06:51,840
But on the same time,
88 00:06:51,840 --> 00:06:53,840
we have to be the adults in the room
89 00:06:53,840 --> 00:06:55,840
and be able to actually clearly articulate
90 00:06:55,840 --> 00:06:57,840
what the risk is to the organization.
91 00:06:57,840 --> 00:06:59,840
And that’s, you know,
92 00:06:59,840 --> 00:07:01,840
when I worked as a consultant,
93 00:07:01,840 --> 00:07:03,840
that was the boring part,
94 00:07:03,840 --> 00:07:05,840
like trying to quantify the risk
95 00:07:05,840 --> 00:07:07,840
and, you know,
96 00:07:07,840 --> 00:07:09,840
creating a good report.
97 00:07:09,840 --> 00:07:11,840
That took probably almost
98 00:07:11,840 --> 00:07:13,840
as much time as
99 00:07:13,840 --> 00:07:15,840
the actual security review.
100 00:07:15,840 --> 00:07:17,840
But that was
101 00:07:17,840 --> 00:07:19,840
the business value
102 00:07:19,840 --> 00:07:21,840
for the customer, that was that report.
103 00:07:21,840 --> 00:07:23,840
Exactly.
104 00:07:23,840 --> 00:07:25,840
If they don’t have that report in hand,
105 00:07:25,840 --> 00:07:27,840
they can’t in turn use that to build their business case
106 00:07:27,840 --> 00:07:29,840
to improve things for themselves.
107 00:07:29,840 --> 00:07:31,840
So yeah, granted, it’s boring.
108 00:07:31,840 --> 00:07:33,840
I never enjoyed report writing.
109 00:07:33,840 --> 00:07:35,840
I’d freely admit that.
110 00:07:35,840 --> 00:07:37,840
But I also understood, later on,
111 00:07:37,840 --> 00:07:39,840
I also understood that it was an essential work product.
112 00:07:39,840 --> 00:07:41,840
Organizations do live on those essential work products.
113 00:07:41,840 --> 00:07:43,840
Great.
114 00:07:43,840 --> 00:07:45,840
So have you listened to any of the other talks
115 00:07:45,840 --> 00:07:47,840
for the conference?
116 00:07:47,840 --> 00:07:49,840
Regrettably not yet.
117 00:07:49,840 --> 00:07:51,840
Jetlag got the better of me,
118 00:07:51,840 --> 00:07:53,840
so I only showed up just at the tail end
119 00:07:53,840 --> 00:07:55,840
of Franz’s talk,
120 00:07:55,840 --> 00:07:57,840
but I will be catching the rest of them
121 00:07:57,840 --> 00:07:59,840
for the rest of the day.
122 00:07:59,840 --> 00:08:01,840
Unfortunately, when you have two crying babies
123 00:08:01,840 --> 00:08:03,840
on a transatlantic flight next to you,
124 00:08:03,840 --> 00:08:05,840
it doesn’t work out so well.
125 00:08:05,840 --> 00:08:07,840
It’s been a good conference
126 00:08:07,840 --> 00:08:09,840
and I’m very much looking forward
127 00:08:09,840 --> 00:08:11,840
to the finishing part now
128 00:08:11,840 --> 00:08:13,840
with the lightning talks.
129 00:08:13,840 --> 00:08:15,840
So thank you Dave for taking some time
130 00:08:15,840 --> 00:08:17,840
to talk to us and talk to our listeners.
131 00:08:17,840 --> 00:08:19,840
Thank you. Talk. Thanks.
132 00:08:19,840 --> 00:08:21,840
Hi and welcome to Säkerhetspodcasten
135 00:08:25,840 --> 00:08:27,840
which is recording today from Securityfest
137 00:08:29,840 --> 00:08:31,840
in Göteborg, where we are talking a little
138 00:08:31,840 --> 00:08:33,840
with some of the speakers.
139 00:08:33,840 --> 00:08:35,840
And now I have with me Steve Lord
141 00:08:37,840 --> 00:08:39,840
who gave today’s keynote.
142 00:08:39,840 --> 00:08:41,840
Welcome Steve.
143 00:08:41,840 --> 00:08:43,840
Thanks.
144 00:08:43,840 --> 00:08:45,840
Thanks for taking some time to talk to us
145 00:08:45,840 --> 00:08:47,840
and talk a little bit about
146 00:08:47,840 --> 00:08:49,840
what you were
147 00:08:49,840 --> 00:08:51,840
presenting today in your keynote.
148 00:08:51,840 --> 00:08:53,840
First of all
149 00:08:53,840 --> 00:08:55,840
to introduce you
150 00:08:55,840 --> 00:08:57,840
to our listeners. Could you tell us a little bit
151 00:08:57,840 --> 00:08:59,840
about yourself and your
152 00:08:59,840 --> 00:09:01,840
engagement
153 00:09:01,840 --> 00:09:03,840
in the community and
154 00:09:03,840 --> 00:09:05,840
around 44Con and so on.
155 00:09:05,840 --> 00:09:07,840
So I co-founded
156 00:09:07,840 --> 00:09:09,840
44Con back in 2011.
157 00:09:09,840 --> 00:09:11,840
By day I pen test
158 00:09:11,840 --> 00:09:13,840
and have been doing so for nearly 20 years
159 00:09:13,840 --> 00:09:15,840
and spend quite a lot of time breaking
160 00:09:15,840 --> 00:09:17,840
IoT devices.
161 00:09:17,840 --> 00:09:19,840
I started to know
162 00:09:19,840 --> 00:09:21,840
that I enjoyed breaking stuff
163 00:09:21,840 --> 00:09:23,840
a lot less than building things securely.
164 00:09:23,840 --> 00:09:25,840
So I started working on things to try
165 00:09:25,840 --> 00:09:27,840
and improve the state of IoT security
166 00:09:27,840 --> 00:09:29,840
and in the process failed
167 00:09:29,840 --> 00:09:31,840
spectacularly.
168 00:09:31,840 --> 00:09:33,840
There simply
169 00:09:33,840 --> 00:09:35,840
wasn’t demand for it at the time.
170 00:09:35,840 --> 00:09:37,840
So I kind of
171 00:09:37,840 --> 00:09:39,840
pen tested stuff and I
172 00:09:39,840 --> 00:09:41,840
helped run 44Con, which is a
173 00:09:41,840 --> 00:09:43,840
conference in London. We have about 500
174 00:09:43,840 --> 00:09:45,840
people a year. Unfortunately
175 00:09:45,840 --> 00:09:47,840
it clashes with a conference here in Sweden.
176 00:09:47,840 --> 00:09:49,840
But there’s not a lot we can do about that.
177 00:09:49,840 --> 00:09:51,840
No, no.
178 00:09:51,840 --> 00:09:53,840
I’ve been to 44Con and it’s
179 00:09:53,840 --> 00:09:55,840
a really, really, really good conference.
180 00:09:55,840 --> 00:09:57,840
And I like the
181 00:09:57,840 --> 00:09:59,840
concept and
182 00:09:59,840 --> 00:10:01,840
although I didn’t find the hidden track though.
183 00:10:01,840 --> 00:10:03,840
Maybe I asked the wrong
184 00:10:03,840 --> 00:10:05,840
people.
185 00:10:07,840 --> 00:10:09,840
But I enjoyed it and it was
186 00:10:09,840 --> 00:10:11,840
a good conference
187 00:10:11,840 --> 00:10:13,840
because you
188 00:10:13,840 --> 00:10:15,840
got a good community feel and you
189 00:10:15,840 --> 00:10:17,840
were close to the speakers.
190 00:10:17,840 --> 00:10:19,840
That’s good.
191 00:10:19,840 --> 00:10:21,840
And
192 00:10:21,840 --> 00:10:23,840
the same sort of thing is
193 00:10:23,840 --> 00:10:25,840
what I like about Securityfest
194 00:10:25,840 --> 00:10:27,840
and SecT and the
195 00:10:27,840 --> 00:10:29,840
smaller conferences.
196 00:10:29,840 --> 00:10:31,840
Going to
197 00:10:31,840 --> 00:10:33,840
larger cons in Vegas
198 00:10:33,840 --> 00:10:35,840
is just
199 00:10:35,840 --> 00:10:37,840
people.
200 00:10:37,840 --> 00:10:39,840
Yeah, at some point it kind of turns into an exhibition
201 00:10:39,840 --> 00:10:41,840
really, doesn’t it?
202 00:10:41,840 --> 00:10:43,840
I really would like to go to SecT one year.
203 00:10:43,840 --> 00:10:45,840
But certainly Securityfest
204 00:10:45,840 --> 00:10:47,840
has been a really amazing event so far.
205 00:10:47,840 --> 00:10:49,840
Great to hear.
206 00:10:49,840 --> 00:10:51,840
Well, you delivered today’s
207 00:10:51,840 --> 00:10:53,840
keynote and
208 00:10:53,840 --> 00:10:55,840
a lot of insights and
209 00:10:55,840 --> 00:10:57,840
observations around
210 00:10:57,840 --> 00:10:59,840
the state
211 00:10:59,840 --> 00:11:01,840
of IoT and where it’s going
212 00:11:01,840 --> 00:11:03,840
and where we are in the
213 00:11:03,840 --> 00:11:05,840
Gartner hype cycle.
214 00:11:05,840 --> 00:11:07,840
Could you give us a very, very
215 00:11:07,840 --> 00:11:09,840
short summary of what you were
216 00:11:09,840 --> 00:11:11,840
talking about today for our listeners?
217 00:11:11,840 --> 00:11:13,840
Sure, so the main
218 00:11:13,840 --> 00:11:15,840
takeaways I guess are that IoT
219 00:11:15,840 --> 00:11:17,840
is much like any other type of technology
220 00:11:17,840 --> 00:11:19,840
that comes along. From a security perspective
221 00:11:19,840 --> 00:11:21,840
we have to understand the
222 00:11:21,840 --> 00:11:23,840
problem space, understand the solution
223 00:11:23,840 --> 00:11:25,840
space. We then have
224 00:11:25,840 --> 00:11:27,840
to iterate over
225 00:11:27,840 --> 00:11:29,840
point solutions to point problems
226 00:11:29,840 --> 00:11:31,840
and then as the technology matures
227 00:11:31,840 --> 00:11:33,840
we then consolidate
228 00:11:33,840 --> 00:11:35,840
those point solutions into frameworks
229 00:11:35,840 --> 00:11:37,840
into guidances,
230 00:11:37,840 --> 00:11:39,840
guidance standards and where needed
231 00:11:39,840 --> 00:11:41,840
regulatory requirements.
232 00:11:43,840 --> 00:11:45,840
Looking at those
233 00:11:45,840 --> 00:11:47,840
graphs that you were
234 00:11:47,840 --> 00:11:49,840
showing them, the maturity level
235 00:11:49,840 --> 00:11:51,840
and the hype cycle and so on.
236 00:11:51,840 --> 00:11:53,840
I was
237 00:11:53,840 --> 00:11:55,840
doing one
238 00:11:55,840 --> 00:11:57,840
sort of observation
239 00:11:57,840 --> 00:11:59,840
or reflection that
240 00:11:59,840 --> 00:12:01,840
it doesn’t necessarily need
241 00:12:01,840 --> 00:12:03,840
to correlate because if you look at
242 00:12:03,840 --> 00:12:05,840
another
243 00:12:05,840 --> 00:12:07,840
sort of IoT related area
244 00:12:07,840 --> 00:12:09,840
and industrial
245 00:12:09,840 --> 00:12:11,840
control systems which is a very
246 00:12:11,840 --> 00:12:13,840
mature
247 00:12:13,840 --> 00:12:15,840
market but
248 00:12:15,840 --> 00:12:17,840
they haven’t been exposed to
249 00:12:17,840 --> 00:12:19,840
security scrutiny for many years
250 00:12:19,840 --> 00:12:21,840
so they’re
251 00:12:21,840 --> 00:12:23,840
very early on in their
252 00:12:23,840 --> 00:12:25,840
adoption rate when it comes to
253 00:12:25,840 --> 00:12:27,840
security features and
254 00:12:27,840 --> 00:12:29,840
building secure systems.
255 00:12:29,840 --> 00:12:31,840
I think you can actually treat
256 00:12:31,840 --> 00:12:33,840
the control system stuff as a
257 00:12:33,840 --> 00:12:35,840
separate technology in the sense that
258 00:12:35,840 --> 00:12:37,840
there is the classical control system
259 00:12:37,840 --> 00:12:39,840
where the main
260 00:12:39,840 --> 00:12:41,840
security feature was we’re not connecting
261 00:12:41,840 --> 00:12:43,840
this to the internet so it’s all good
262 00:12:43,840 --> 00:12:45,840
and then the modern control system
263 00:12:45,840 --> 00:12:47,840
which main
264 00:12:47,840 --> 00:12:49,840
product feature is that we’re
265 00:12:49,840 --> 00:12:51,840
connecting this to the internet.
266 00:12:51,840 --> 00:12:53,840
If you treat them as two separate technologies you
267 00:12:53,840 --> 00:12:55,840
identify that the connected stuff is
268 00:12:55,840 --> 00:12:57,840
very immature from a security
269 00:12:57,840 --> 00:12:59,840
perspective whereas the
270 00:12:59,840 --> 00:13:01,840
classical setup is
271 00:13:01,840 --> 00:13:03,840
mature from a security
272 00:13:03,840 --> 00:13:05,840
perspective because the security requirements
273 00:13:05,840 --> 00:13:07,840
are understood and the security issues
274 00:13:07,840 --> 00:13:09,840
are understood. What we have is a branch
275 00:13:09,840 --> 00:13:11,840
off where in the modern control
276 00:13:11,840 --> 00:13:13,840
systems environment we no longer understand
277 00:13:13,840 --> 00:13:15,840
that problem space.
278 00:13:15,840 --> 00:13:17,840
If we don’t understand the problem space we can’t develop
279 00:13:17,840 --> 00:13:19,840
solutions for the problems.
280 00:13:19,840 --> 00:13:21,840
Right, and also if you have
281 00:13:21,840 --> 00:13:23,840
a situation where
282 00:13:23,840 --> 00:13:25,840
you rely on
283 00:13:25,840 --> 00:13:27,840
communication technology
284 00:13:27,840 --> 00:13:29,840
that sort of abstracts
285 00:13:29,840 --> 00:13:31,840
the layers of
286 00:13:31,840 --> 00:13:33,840
communication
287 00:13:33,840 --> 00:13:35,840
a lot of that is lost
288 00:13:35,840 --> 00:13:37,840
on the
289 00:13:37,840 --> 00:13:39,840
consumer or the companies
290 00:13:39,840 --> 00:13:41,840
buying control systems or installing
291 00:13:41,840 --> 00:13:43,840
control systems. They don’t understand that they
292 00:13:43,840 --> 00:13:45,840
are exposing their
293 00:13:45,840 --> 00:13:47,840
systems
294 00:13:47,840 --> 00:13:49,840
to a level of risk
295 00:13:49,840 --> 00:13:51,840
because they don’t understand
296 00:13:51,840 --> 00:13:53,840
the communication protocols
297 00:13:53,840 --> 00:13:55,840
that they are introducing.
298 00:13:55,840 --> 00:13:57,840
Indeed in some cases
299 00:13:57,840 --> 00:13:59,840
if you take for example a car manufacturer
300 00:13:59,840 --> 00:14:01,840
that has a
301 00:14:01,840 --> 00:14:03,840
production line
302 00:14:03,840 --> 00:14:05,840
with machines. When it’s not connected
303 00:14:05,840 --> 00:14:07,840
to the network these machines
304 00:14:07,840 --> 00:14:09,840
individually perform individual tasks
305 00:14:09,840 --> 00:14:11,840
on the production line. But when it’s
306 00:14:11,840 --> 00:14:13,840
connected really all that happens is
307 00:14:13,840 --> 00:14:15,840
that they become joined up into a
308 00:14:15,840 --> 00:14:17,840
single mega machine.
309 00:14:17,840 --> 00:14:19,840
And if that’s not properly managed
310 00:14:19,840 --> 00:14:21,840
both at the protocol level and at the
311 00:14:21,840 --> 00:14:23,840
business logic level then things can go wrong.
312 00:14:23,840 --> 00:14:25,840
And unless somebody fully understands
313 00:14:25,840 --> 00:14:27,840
how it’s all put together, things will go wrong.
314 00:14:27,840 --> 00:14:29,840
Yeah.
315 00:14:29,840 --> 00:14:31,840
Definitely.
316 00:14:31,840 --> 00:14:33,840
Now speaking of IoT
317 00:14:33,840 --> 00:14:35,840
you’re also
318 00:14:35,840 --> 00:14:37,840
one of the persons
319 00:14:37,840 --> 00:14:39,840
behind the
320 00:14:39,840 --> 00:14:41,840
badge for
321 00:14:41,840 --> 00:14:43,840
this conference. Could you tell us a little bit
322 00:14:43,840 --> 00:14:45,840
about what we’re walking around
323 00:14:45,840 --> 00:14:47,840
wearing around our necks? Sure.
324 00:14:47,840 --> 00:14:49,840
So about a year and a half ago
325 00:14:49,840 --> 00:14:51,840
my
326 00:14:51,840 --> 00:14:53,840
so
327 00:14:53,840 --> 00:14:55,840
some time ago my grandmother
328 00:14:55,840 --> 00:14:57,840
became quite ill and
329 00:14:57,840 --> 00:14:59,840
she was getting on quite a bit
330 00:14:59,840 --> 00:15:01,840
and we found that she was
331 00:15:01,840 --> 00:15:03,840
talking about her past a lot more than the future
332 00:15:03,840 --> 00:15:05,840
and when I went to see her because she was feeling quite depressed
333 00:15:05,840 --> 00:15:07,840
about things she
334 00:15:07,840 --> 00:15:09,840
would feel very down and
335 00:15:09,840 --> 00:15:11,840
we would struggle to find things to talk about
336 00:15:11,840 --> 00:15:13,840
to bring her out of that sort of stuff.
337 00:15:13,840 --> 00:15:15,840
So I started by doing some science
338 00:15:15,840 --> 00:15:17,840
experiments with electronics and trying to get
339 00:15:17,840 --> 00:15:19,840
her involved so it would give us things to talk about.
340 00:15:19,840 --> 00:15:21,840
One of the things that I was working on at the time
341 00:15:21,840 --> 00:15:23,840
was a board to do
342 00:15:23,840 --> 00:15:25,840
to play around with the
343 00:15:25,840 --> 00:15:27,840
USB HID interface to do some research around there.
344 00:15:27,840 --> 00:15:29,840
So I started getting her involved
345 00:15:29,840 --> 00:15:31,840
in some of that
346 00:15:31,840 --> 00:15:33,840
and just having something
347 00:15:33,840 --> 00:15:35,840
to talk about with her. And then later on
348 00:15:35,840 --> 00:15:37,840
that kind of developed into what we’ve got now
349 00:15:37,840 --> 00:15:39,840
which is a thing called the HIDIOT which stands for the
350 00:15:39,840 --> 00:15:41,840
Human Interface Device Input
351 00:15:41,840 --> 00:15:43,840
Output Toolkit. So basically
352 00:15:43,840 --> 00:15:45,840
it’s a board that
353 00:15:45,840 --> 00:15:47,840
you build yourself. It’s like a scaled down
354 00:15:47,840 --> 00:15:49,840
Arduino and
355 00:15:49,840 --> 00:15:51,840
this is a little tiny
356 00:15:51,840 --> 00:15:53,840
computer that you build from the component up where
357 00:15:53,840 --> 00:15:55,840
you’re able to understand everything that it does.
358 00:15:55,840 --> 00:15:57,840
Everything at the
359 00:15:57,840 --> 00:15:59,840
hardware level, everything at the software level.
360 00:15:59,840 --> 00:16:01,840
So you program it with the Arduino IDE
361 00:16:01,840 --> 00:16:03,840
there’s a bunch of tutorials
362 00:16:03,840 --> 00:16:05,840
and projects over at
363 00:16:05,840 --> 00:16:07,840
docs.hidiot.com that
364 00:16:07,840 --> 00:16:09,840
take you from what is this electricity
365 00:16:09,840 --> 00:16:11,840
thing and how does it work through to
366 00:16:11,840 --> 00:16:13,840
let’s go and build a bunch of different projects
367 00:16:13,840 --> 00:16:15,840
that do different things and explore different
368 00:16:15,840 --> 00:16:17,840
aspects of interaction with
369 00:16:17,840 --> 00:16:19,840
humans and hardware. Cool.
370 00:16:19,840 --> 00:16:21,840
So the target audience
371 00:16:21,840 --> 00:16:23,840
is that for educational
372 00:16:23,840 --> 00:16:25,840
purposes or is it
373 00:16:25,840 --> 00:16:27,840
something else? It’s a
374 00:16:27,840 --> 00:16:29,840
combination of the educational and hobbyist
375 00:16:29,840 --> 00:16:31,840
market. So we’re
376 00:16:31,840 --> 00:16:33,840
looking at it from the point of view of 11
377 00:16:33,840 --> 00:16:35,840
to 16 year olds from
378 00:16:35,840 --> 00:16:37,840
the idea that if we pitch
379 00:16:37,840 --> 00:16:39,840
the reading
380 00:16:39,840 --> 00:16:41,840
level and the comprehension level
381 00:16:41,840 --> 00:16:43,840
at the 11 to 16 year old range
382 00:16:43,840 --> 00:16:45,840
then the rest of us who are a little bit
383 00:16:45,840 --> 00:16:47,840
older should be able to understand it.
384 00:16:47,840 --> 00:16:49,840
Hopefully.
385 00:16:49,840 --> 00:16:51,840
The idea is to make it so that we focus on the
386 00:16:51,840 --> 00:16:53,840
electronics and programming so that
387 00:16:53,840 --> 00:16:55,840
the English itself is not a barrier.
388 00:16:55,840 --> 00:16:57,840
Originally we looked at having 7 year olds
389 00:16:57,840 --> 00:16:59,840
do it but it turns out that while 7 year olds
390 00:16:59,840 --> 00:17:01,840
can solder, parents are
391 00:17:01,840 --> 00:17:03,840
incredibly uncomfortable with their 7 year old
392 00:17:03,840 --> 00:17:05,840
children holding 200 degree
393 00:17:05,840 --> 00:17:07,840
solder irons.
394 00:17:07,840 --> 00:17:09,840
I’m
395 00:17:09,840 --> 00:17:11,840
looking forward to trying this at home. I have
396 00:17:11,840 --> 00:17:13,840
a 10 year old and a 12 year old
397 00:17:13,840 --> 00:17:15,840
so I’ll have them
398 00:17:15,840 --> 00:17:17,840
assemble this and see how it goes.
399 00:17:17,840 --> 00:17:19,840
I’ll let you know.
400 00:17:19,840 --> 00:17:21,840
Alright.
401 00:17:21,840 --> 00:17:23,840
Now
402 00:17:23,840 --> 00:17:25,840
this conference has
403 00:17:25,840 --> 00:17:27,840
sort of been targeted
404 00:17:27,840 --> 00:17:29,840
towards internet of things
405 00:17:29,840 --> 00:17:31,840
and
406 00:17:35,840 --> 00:17:37,840
embedded devices and so on.
407 00:17:37,840 --> 00:17:39,840
Have you listened to
408 00:17:39,840 --> 00:17:41,840
any of the other speakers?
409 00:17:41,840 --> 00:17:43,840
Yeah, I found Aaron Guzman’s talk
410 00:17:43,840 --> 00:17:45,840
was quite enlightening.
411 00:17:45,840 --> 00:17:47,840
Especially as in my talk I referenced
412 00:17:47,840 --> 00:17:49,840
Belkin Wemo and he’d spent some time at Belkin
413 00:17:49,840 --> 00:17:51,840
working on Wemo. I think in terms
414 00:17:51,840 --> 00:17:53,840
of a product
415 00:17:53,840 --> 00:17:55,840
that’s probably the best example of a mature
416 00:17:55,840 --> 00:17:57,840
IoT device that’s been through the pain.
417 00:17:57,840 --> 00:17:59,840
Because Belkin
418 00:17:59,840 --> 00:18:01,840
bless their cotton socks,
419 00:18:01,840 --> 00:18:03,840
traditionally they make routers and they make
420 00:18:03,840 --> 00:18:05,840
switches. And it’s just like
421 00:18:05,840 --> 00:18:07,840
we mentioned with the control systems
422 00:18:07,840 --> 00:18:09,840
you connect these things to
423 00:18:09,840 --> 00:18:11,840
the internet and magical things that you never
424 00:18:11,840 --> 00:18:13,840
considered start to happen, some of which are not
425 00:18:13,840 --> 00:18:15,840
exactly good. And with
426 00:18:15,840 --> 00:18:17,840
Wemo they’ve really worked really
427 00:18:17,840 --> 00:18:19,840
hard over time and they’ve made
428 00:18:19,840 --> 00:18:21,840
mistakes which Aaron spoke
429 00:18:21,840 --> 00:18:23,840
about. And they’ve
430 00:18:23,840 --> 00:18:25,840
recovered from those mistakes as well.
431 00:18:25,840 --> 00:18:27,840
And I think that they’re a really good example
432 00:18:27,840 --> 00:18:29,840
of how you can go from
433 00:18:29,840 --> 00:18:31,840
having a product that has not
434 00:18:31,840 --> 00:18:33,840
had a security work stream embedded in the start
435 00:18:33,840 --> 00:18:35,840
and get to a point where you have
436 00:18:35,840 --> 00:18:37,840
a reasonable security
437 00:18:37,840 --> 00:18:39,840
program. There will always be flaws
438 00:18:39,840 --> 00:18:41,840
that will be found but
439 00:18:41,840 --> 00:18:43,840
they have a way of handling the issues
440 00:18:43,840 --> 00:18:45,840
that arise that’s reasonably mature.
441 00:18:45,840 --> 00:18:47,840
I think the only real thing that we could ask for more
442 00:18:47,840 --> 00:18:49,840
from Belkin and Wemo is
443 00:18:49,840 --> 00:18:51,840
that perhaps they publish more
444 00:18:51,840 --> 00:18:53,840
about their security experiences.
445 00:18:53,840 --> 00:18:55,840
Aaron was
446 00:18:55,840 --> 00:18:57,840
pointing out
447 00:18:57,840 --> 00:18:59,840
the supply chain of
448 00:18:59,840 --> 00:19:01,840
IoT as one of the major problems.
449 00:19:01,840 --> 00:19:03,840
Would you
450 00:19:03,840 --> 00:19:05,840
agree with that picture?
451 00:19:05,840 --> 00:19:07,840
Pretty much
452 00:19:07,840 --> 00:19:09,840
100%.
453 00:19:09,840 --> 00:19:11,840
It’s
454 00:19:11,840 --> 00:19:13,840
a really tough
455 00:19:13,840 --> 00:19:15,840
one because
456 00:19:15,840 --> 00:19:17,840
so many of the ODMs
457 00:19:17,840 --> 00:19:19,840
they have their own
458 00:19:19,840 --> 00:19:21,840
SDKs that are usually built on
459 00:19:21,840 --> 00:19:23,840
open source software but require you to
460 00:19:23,840 --> 00:19:25,840
sign fairly regressive NDAs
461 00:19:25,840 --> 00:19:27,840
to start working with them.
462 00:19:27,840 --> 00:19:29,840
And so
463 00:19:29,840 --> 00:19:31,840
you end up committing to spending a huge amount
464 00:19:31,840 --> 00:19:33,840
of money on a platform
465 00:19:33,840 --> 00:19:35,840
that you then open up and
466 00:19:35,840 --> 00:19:37,840
you get your SDK and you’re like this is GCC
467 00:19:37,840 --> 00:19:39,840
it’s a really old GCC
468 00:19:39,840 --> 00:19:41,840
there’s an old glibc
469 00:19:41,840 --> 00:19:43,840
I’m stuck on this particular Linux kernel
470 00:19:43,840 --> 00:19:45,840
version for the lifetime of this product.
471 00:19:45,840 --> 00:19:47,840
And there are
472 00:19:47,840 --> 00:19:49,840
things that you just can’t upgrade.
473 00:19:49,840 --> 00:19:51,840
It’s a really
474 00:19:51,840 --> 00:19:53,840
really frustrating process.
475 00:19:53,840 --> 00:19:55,840
And then at the other end of the scale you have
476 00:19:55,840 --> 00:19:57,840
things like at the moment I’m playing
477 00:19:57,840 --> 00:19:59,840
with a Mediatek
478 00:19:59,840 --> 00:20:01,840
system on chip mobile phone
479 00:20:01,840 --> 00:20:03,840
that I’m pulling apart for fun.
480 00:20:03,840 --> 00:20:05,840
And my goal is to try and
481 00:20:05,840 --> 00:20:07,840
port Linux to it.
482 00:20:07,840 --> 00:20:09,840
It’s a non-featured phone but it’s got an
483 00:20:09,840 --> 00:20:11,840
ARM chip that should be capable.
484 00:20:11,840 --> 00:20:13,840
And basically
485 00:20:13,840 --> 00:20:15,840
there’s no
486 00:20:15,840 --> 00:20:17,840
NDA because it’s
487 00:20:17,840 --> 00:20:19,840
not really, it doesn’t feel very legit
488 00:20:19,840 --> 00:20:21,840
when you look at this thing.
489 00:20:21,840 --> 00:20:23,840
And I can imagine
490 00:20:23,840 --> 00:20:25,840
that for people looking
491 00:20:25,840 --> 00:20:27,840
to build IoT when you’re engaging at that level
492 00:20:27,840 --> 00:20:29,840
it’s really annoying. But that’s why things like
493 00:20:29,840 --> 00:20:31,840
Electric Imp and Particle
494 00:20:31,840 --> 00:20:33,840
and to some extent SAP’s
495 00:20:33,840 --> 00:20:35,840
Internet of Things cloud and Bluemix
496 00:20:35,840 --> 00:20:37,840
stuff like that starts to come into play
497 00:20:37,840 --> 00:20:39,840
and it makes things so much easier by
498 00:20:39,840 --> 00:20:41,840
having patterns that you know work
499 00:20:41,840 --> 00:20:43,840
and taking some of that and abstracting it away
500 00:20:43,840 --> 00:20:45,840
from you.
501 00:20:45,840 --> 00:20:47,840
Cool.
502 00:20:47,840 --> 00:20:49,840
So before we end
503 00:20:49,840 --> 00:20:51,840
the interview I’d like to thank you for
504 00:20:51,840 --> 00:20:53,840
a good keynote today
505 00:20:53,840 --> 00:20:55,840
and thank you for taking
506 00:20:55,840 --> 00:20:57,840
some time with us and
507 00:20:57,840 --> 00:20:59,840
sharing with our listeners.
508 00:20:59,840 --> 00:21:01,840
And I’d like
509 00:21:01,840 --> 00:21:03,840
to give you a few
510 00:21:03,840 --> 00:21:05,840
minutes to pitch why
511 00:21:05,840 --> 00:21:07,840
our listeners should go to
512 00:21:07,840 --> 00:21:09,840
London and
513 00:21:09,840 --> 00:21:11,840
44Con.
514 00:21:11,840 --> 00:21:13,840
Aside from the wondrous climate?
515 00:21:13,840 --> 00:21:15,840
Yes, aside from the climate.
516 00:21:15,840 --> 00:21:17,840
So
517 00:21:17,840 --> 00:21:19,840
realistically probably the best reason to go to 44Con
518 00:21:19,840 --> 00:21:21,840
is because of the talks.
519 00:21:21,840 --> 00:21:23,840
So you get all the fun of
520 00:21:23,840 --> 00:21:25,840
Vegas without the airfare cost
521 00:21:25,840 --> 00:21:27,840
the hotel cost, without
522 00:21:27,840 --> 00:21:29,840
being in a room with 10,000 people
523 00:21:29,840 --> 00:21:31,840
or in the same casino
524 00:21:31,840 --> 00:21:33,840
with 10,000 people.
525 00:21:33,840 --> 00:21:35,840
It’s kind of
526 00:21:35,840 --> 00:21:37,840
a medium sized event
527 00:21:37,840 --> 00:21:39,840
so it’s got a community feel but it’s still
528 00:21:39,840 --> 00:21:41,840
quite large in areas.
529 00:21:41,840 --> 00:21:43,840
I think
530 00:21:43,840 --> 00:21:45,840
also one of the main things as well
531 00:21:45,840 --> 00:21:47,840
is the workshops. We’ve really pushed
532 00:21:47,840 --> 00:21:49,840
hard on workshops this year
533 00:21:49,840 --> 00:21:51,840
and the workshops that we are going to get are
534 00:21:51,840 --> 00:21:53,840
absolutely off the chart. They’re two hour
535 00:21:53,840 --> 00:21:55,840
long sessions and
536 00:21:55,840 --> 00:21:57,840
we’ve really pushed some of the speakers
537 00:21:57,840 --> 00:21:59,840
who you would never ordinarily see do a workshop
538 00:21:59,840 --> 00:22:01,840
towards the workshops.
539 00:22:01,840 --> 00:22:03,840
So our CFP closed
540 00:22:03,840 --> 00:22:05,840
yesterday so I’ve still got to go through everything
541 00:22:05,840 --> 00:22:07,840
and meet with the
542 00:22:07,840 --> 00:22:09,840
CFP team and
543 00:22:09,840 --> 00:22:11,840
we’ll work out who’s speaking but some of the
544 00:22:11,840 --> 00:22:13,840
stuff we’ve seen is just amazing. It’s really incredible.
545 00:22:13,840 --> 00:22:15,840
Awesome.
546 00:22:15,840 --> 00:22:17,840
Cool. And also there’s Gin O’clock.
547 00:22:17,840 --> 00:22:19,840
There is indeed.
548 00:22:19,840 --> 00:22:21,840
Every afternoon we stop for gin.
549 00:22:21,840 --> 00:22:23,840
It would be rude not to.
550 00:22:23,840 --> 00:22:25,840
Well thank you Steve.
551 00:22:25,840 --> 00:22:27,840
It was a pleasure having you on our podcast.
552 00:22:27,840 --> 00:22:29,840
Thanks for having me.
553 00:22:29,840 --> 00:22:31,840
Have a good
554 00:22:31,840 --> 00:22:33,840
continuation of
555 00:22:33,840 --> 00:22:35,840
this conference. Thanks.
556 00:22:37,840 --> 00:22:39,840
Hi and welcome to
557 00:22:39,840 --> 00:22:41,840
Säkerhetspodcasten.
558 00:22:41,840 --> 00:22:43,840
Today we are recording from
559 00:22:43,840 --> 00:22:45,840
Securityfest
560 00:22:45,840 --> 00:22:47,840
in Gothenburg
561 00:22:47,840 --> 00:22:49,840
and
562 00:22:49,840 --> 00:22:51,840
are doing some interview sessions
563 00:22:51,840 --> 00:22:53,840
here with some of the speakers
564 00:22:53,840 --> 00:22:55,840
and
565 00:22:55,840 --> 00:22:57,840
right now I have with me
566 00:22:57,840 --> 00:22:59,840
Aaron Guzman. Welcome Aaron.
567 00:22:59,840 --> 00:23:01,840
Thanks.
568 00:23:01,840 --> 00:23:03,840
We’ve just listened
569 00:23:03,840 --> 00:23:05,840
to three
570 00:23:05,840 --> 00:23:07,840
good talks all about IoT
571 00:23:07,840 --> 00:23:09,840
and you delivered
572 00:23:09,840 --> 00:23:11,840
an excellent one.
573 00:23:11,840 --> 00:23:13,840
Tell me a little bit
574 00:23:13,840 --> 00:23:15,840
about yourself
575 00:23:15,840 --> 00:23:17,840
and bring
576 00:23:17,840 --> 00:23:19,840
in briefly about what your talk was about.
577 00:23:19,840 --> 00:23:21,840
Sure. So I’m based
578 00:23:21,840 --> 00:23:23,840
in Los Angeles.
579 00:23:23,840 --> 00:23:25,840
I’m also involved in the community in Los Angeles.
580 00:23:25,840 --> 00:23:27,840
So as a board member for
581 00:23:27,840 --> 00:23:29,840
OWASP Los Angeles as well as
582 00:23:29,840 --> 00:23:31,840
Cloud Security Alliance Southern California
583 00:23:31,840 --> 00:23:33,840
last four years now.
584 00:23:33,840 --> 00:23:35,840
I help co-organize
585 00:23:35,840 --> 00:23:37,840
our conference, our OWASP
586 00:23:37,840 --> 00:23:39,840
conference called AppSec California.
587 00:23:39,840 --> 00:23:41,840
So that’s held every January.
588 00:23:41,840 --> 00:23:43,840
And we get everybody from around the world
589 00:23:43,840 --> 00:23:45,840
as well.
590 00:23:45,840 --> 00:23:47,840
But aside from that I do a lot of research within
591 00:23:47,840 --> 00:23:49,840
embedded and IoT space,
592 00:23:49,840 --> 00:23:51,840
contribute to many
593 00:23:51,840 --> 00:23:53,840
white papers and guidance documents
594 00:23:53,840 --> 00:23:55,840
with Cloud Security Alliance,
595 00:23:55,840 --> 00:23:57,840
PRPL, OWASP as well,
596 00:23:57,840 --> 00:23:59,840
as well as lead a project
597 00:23:59,840 --> 00:24:01,840
embedded application security project
598 00:24:01,840 --> 00:24:03,840
that my talk
599 00:24:03,840 --> 00:24:05,840
was based upon today.
600 00:24:05,840 --> 00:24:07,840
Just to interrupt
601 00:24:07,840 --> 00:24:09,840
you there, I mean some of our listeners
602 00:24:09,840 --> 00:24:11,840
probably know you by your Twitter handle
603 00:24:11,840 --> 00:24:13,840
ScriptingXSS.
604 00:24:13,840 --> 00:24:15,840
Yes, ScriptingXSS is my Twitter handle.
605 00:24:15,840 --> 00:24:17,840
So other research I do is
606 00:24:17,840 --> 00:24:19,840
car hacking research
607 00:24:19,840 --> 00:24:21,840
and then just general
608 00:24:21,840 --> 00:24:23,840
IoT research and consumer space
609 00:24:23,840 --> 00:24:25,840
with like
610 00:24:25,840 --> 00:24:27,840
doorbells and like I said
611 00:24:27,840 --> 00:24:29,840
connected vehicles is one.
612 00:24:29,840 --> 00:24:31,840
And the guidance with that as well
613 00:24:31,840 --> 00:24:33,840
is how I kind of balance it out.
614 00:24:33,840 --> 00:24:35,840
I guess aside from that
615 00:24:35,840 --> 00:24:37,840
let’s see, what do I do?
616 00:24:37,840 --> 00:24:39,840
I guess I just love to teach
617 00:24:39,840 --> 00:24:41,840
and give back, help out
618 00:24:41,840 --> 00:24:43,840
and learn. And everywhere I go
619 00:24:43,840 --> 00:24:45,840
I always meet some crazy interesting
620 00:24:45,840 --> 00:24:47,840
smart people.
621 00:24:47,840 --> 00:24:49,840
Like last night, I mean totally
622 00:24:49,840 --> 00:24:51,840
at the speaker dinner, I learned some cool new things
623 00:24:51,840 --> 00:24:53,840
I can utilize in my research.
624 00:24:53,840 --> 00:24:55,840
That’s the scary part about going to
625 00:24:55,840 --> 00:24:57,840
conferences. You realize that you’re
626 00:24:57,840 --> 00:24:59,840
like a noob
627 00:24:59,840 --> 00:25:01,840
in a crowd of experts.
628 00:25:01,840 --> 00:25:03,840
Because everyone is an expert
629 00:25:03,840 --> 00:25:05,840
in their particular area.
630 00:25:05,840 --> 00:25:07,840
That’s what’s rewarding about going to
631 00:25:07,840 --> 00:25:09,840
conferences. Definitely, yeah.
632 00:25:09,840 --> 00:25:11,840
It’s totally a great experience. But it’s funny at the same
633 00:25:11,840 --> 00:25:13,840
time how our culture
634 00:25:13,840 --> 00:25:15,840
is so tightly knit. I mean,
635 00:25:15,840 --> 00:25:17,840
just hanging out with the guys here, the organizers
636 00:25:17,840 --> 00:25:19,840
I feel like, you know, I don’t feel
637 00:25:19,840 --> 00:25:21,840
like an outsider
638 00:25:21,840 --> 00:25:23,840
at all. I mean, we can talk and
639 00:25:23,840 --> 00:25:25,840
converse about various subjects
640 00:25:25,840 --> 00:25:27,840
and just go one subject to another
641 00:25:27,840 --> 00:25:29,840
and then talk about different
642 00:25:29,840 --> 00:25:31,840
techniques and then learn off each other.
643 00:25:31,840 --> 00:25:33,840
Literally, like just meeting
644 00:25:33,840 --> 00:25:35,840
the guys all last night.
645 00:25:35,840 --> 00:25:37,840
That’s great. And I mean, I think here
646 00:25:37,840 --> 00:25:39,840
in Sweden, Gothenburg, has a great
647 00:25:39,840 --> 00:25:41,840
community. It seems like they’re very tightly
648 00:25:41,840 --> 00:25:43,840
knit from what I understand.
649 00:25:43,840 --> 00:25:45,840
Yeah, pretty strong OWASP community as well.
650 00:25:45,840 --> 00:25:47,840
Awesome.
651 00:25:47,840 --> 00:25:49,840
You were talking about
652 00:25:49,840 --> 00:25:51,840
the sort of
653 00:25:51,840 --> 00:25:53,840
supply chain of IoT stuff
654 00:25:53,840 --> 00:25:55,840
and a little bit
655 00:25:55,840 --> 00:25:57,840
you showed some demos.
656 00:25:57,840 --> 00:25:59,840
Could you tell us about
657 00:25:59,840 --> 00:26:01,840
some of the problem areas that you
658 00:26:01,840 --> 00:26:03,840
see in the IoT field?
659 00:26:03,840 --> 00:26:05,840
Sure, yeah. So I discussed
660 00:26:05,840 --> 00:26:07,840
the supply chain, how the
661 00:26:07,840 --> 00:26:09,840
embedded devices are created. And that relates to
662 00:26:09,840 --> 00:26:11,840
IoT devices because
663 00:26:11,840 --> 00:26:13,840
in essence, you know, IoT devices
664 00:26:13,840 --> 00:26:15,840
are embedded devices at its core.
665 00:26:15,840 --> 00:26:17,840
So what I noted
666 00:26:17,840 --> 00:26:19,840
as far as or emphasized on is
667 00:26:19,840 --> 00:26:21,840
the ODM supply chain aspect
668 00:26:21,840 --> 00:26:23,840
as well as the margins and
669 00:26:23,840 --> 00:26:25,840
regulatory
670 00:26:25,840 --> 00:26:27,840
incentives that maybe developers may not
671 00:26:27,840 --> 00:26:29,840
have or certain
672 00:26:29,840 --> 00:26:31,840
industry verticals as well.
673 00:26:31,840 --> 00:26:33,840
Now I noted
674 00:26:33,840 --> 00:26:35,840
that the ODMs
675 00:26:35,840 --> 00:26:37,840
are the
676 00:26:37,840 --> 00:26:39,840
basically small development firms in China, Taiwan
677 00:26:39,840 --> 00:26:41,840
who…
678 00:26:41,840 --> 00:26:43,840
Could you just briefly explain ODM
679 00:26:43,840 --> 00:26:45,840
for our listeners? Sure. Original device
680 00:26:45,840 --> 00:26:47,840
manufacturers, what ODM stands for.
681 00:26:47,840 --> 00:26:49,840
So they are the companies
682 00:26:49,840 --> 00:26:51,840
that make the hardware
683 00:26:51,840 --> 00:26:53,840
for…
684 00:26:53,840 --> 00:26:55,840
Not necessarily the hardware
685 00:26:55,840 --> 00:26:57,840
but they may…
686 00:26:57,840 --> 00:26:59,840
Modules. Sure.
687 00:26:59,840 --> 00:27:01,840
They may create
688 00:27:01,840 --> 00:27:03,840
let’s say a specification
689 00:27:03,840 --> 00:27:05,840
or a product or a baseline of a product
690 00:27:05,840 --> 00:27:07,840
the hardware and the peripherals
691 00:27:07,840 --> 00:27:09,840
and they’ll work
692 00:27:09,840 --> 00:27:11,840
with… So they have a PCB
693 00:27:11,840 --> 00:27:13,840
and they work with the board support package
694 00:27:13,840 --> 00:27:15,840
whichever vendor, Broadcom
695 00:27:15,840 --> 00:27:17,840
Marvell, a number of other ones who
696 00:27:17,840 --> 00:27:19,840
can support the hardware
697 00:27:19,840 --> 00:27:21,840
and the ODM builds their stack
698 00:27:21,840 --> 00:27:23,840
their software stack on top of that
699 00:27:23,840 --> 00:27:25,840
and that could be the root file
700 00:27:25,840 --> 00:27:27,840
system and let’s say
701 00:27:27,840 --> 00:27:29,840
the HTTP configuration for example
702 00:27:29,840 --> 00:27:31,840
and then after that you have
703 00:27:31,840 --> 00:27:33,840
cloud service providers
704 00:27:33,840 --> 00:27:35,840
and OEMs and the OEMs are
705 00:27:35,840 --> 00:27:37,840
supporting
706 00:27:37,840 --> 00:27:39,840
the ODMs code base
707 00:27:39,840 --> 00:27:41,840
as far as
708 00:27:41,840 --> 00:27:43,840
in production and support tickets
709 00:27:43,840 --> 00:27:45,840
and security flaws
710 00:27:45,840 --> 00:27:47,840
and now
711 00:27:47,840 --> 00:27:49,840
one of the aspects of ODMs and introducing
712 00:27:49,840 --> 00:27:51,840
their SDKs
713 00:27:51,840 --> 00:27:53,840
and their APIs to OEMs
714 00:27:53,840 --> 00:27:55,840
is sometimes their
715 00:27:55,840 --> 00:27:57,840
black box binaries that
716 00:27:57,840 --> 00:27:59,840
they give to the OEMs
717 00:27:59,840 --> 00:28:01,840
so there’s no way for the OEM to review the code
718 00:28:01,840 --> 00:28:03,840
and not only that
719 00:28:03,840 --> 00:28:05,840
the ODMs also introduce
720 00:28:05,840 --> 00:28:07,840
either back doors, what they call
721 00:28:07,840 --> 00:28:09,840
or their excuses is more like…
722 00:28:09,840 --> 00:28:11,840
Service ports. Yeah.
723 00:28:11,840 --> 00:28:13,840
Or debugging or for support for
724 00:28:13,840 --> 00:28:15,840
production support
725 00:28:15,840 --> 00:28:17,840
and so they’re hard coded
726 00:28:17,840 --> 00:28:19,840
in the firmware image and now
727 00:28:19,840 --> 00:28:21,840
even, you know, it has nothing to do
728 00:28:21,840 --> 00:28:23,840
with the application side
729 00:28:23,840 --> 00:28:25,840
it’s more of the platform, let’s say embedded Linux
730 00:28:25,840 --> 00:28:27,840
for example, where they have
731 00:28:27,840 --> 00:28:29,840
a root user
732 00:28:29,840 --> 00:28:31,840
and a hard coded password that’s just a hash
733 00:28:31,840 --> 00:28:33,840
so you have to crack the hash there
734 00:28:33,840 --> 00:28:35,840
to get the plain text
735 00:28:35,840 --> 00:28:37,840
password, but that
736 00:28:37,840 --> 00:28:39,840
is kind of where a lot of the threats
737 00:28:39,840 --> 00:28:41,840
like Mirai or vulnerabilities
738 00:28:41,840 --> 00:28:43,840
and exploits come out, like Mirai
739 00:28:43,840 --> 00:28:45,840
is the ODM space, XiongMai is
740 00:28:45,840 --> 00:28:47,840
held responsible for
741 00:28:47,840 --> 00:28:49,840
basically Mirai
742 00:28:49,840 --> 00:28:51,840
and then you have other
743 00:28:51,840 --> 00:28:53,840
ODM vendors as well who are affected
744 00:28:53,840 --> 00:28:55,840
so if you go to, let’s say
745 00:28:55,840 --> 00:28:57,840
like a cert site
746 00:28:57,840 --> 00:28:59,840
for any cert in the world
747 00:28:59,840 --> 00:29:01,840
then you’ll see a vulnerability
748 00:29:01,840 --> 00:29:03,840
that affects, let’s say
749 00:29:03,840 --> 00:29:05,840
D-Link and Netgear, let’s say
750 00:29:05,840 --> 00:29:07,840
it’s easy to pick on
751 00:29:07,840 --> 00:29:09,840
but they’re all
752 00:29:09,840 --> 00:29:11,840
all the bugs relate to their products
753 00:29:11,840 --> 00:29:13,840
because they use the same ODM
754 00:29:13,840 --> 00:29:15,840
and the ODM has a right to repackage and sell it
755 00:29:15,840 --> 00:29:17,840
to different OEMs
756 00:29:17,840 --> 00:29:19,840
as they please, or resellers
757 00:29:19,840 --> 00:29:21,840
as well.
758 00:29:21,840 --> 00:29:23,840
You also talked a little bit about
759 00:29:23,840 --> 00:29:25,840
tools that you can use to
760 00:29:25,840 --> 00:29:27,840
reverse or
761 00:29:27,840 --> 00:29:29,840
look at firmware images
762 00:29:29,840 --> 00:29:31,840
and so on, and also
763 00:29:31,840 --> 00:29:33,840
you referenced your
764 00:29:33,840 --> 00:29:35,840
GitHub
765 00:29:35,840 --> 00:29:37,840
literature
766 00:29:37,840 --> 00:29:39,840
so could you just tell us
767 00:29:39,840 --> 00:29:41,840
where should we go to find
768 00:29:41,840 --> 00:29:43,840
these goodies?
769 00:29:43,840 --> 00:29:45,840
No problem, I actually created a bit.ly
770 00:29:45,840 --> 00:29:47,840
link, it’s bit.ly and it’s
771 00:29:47,840 --> 00:29:49,840
firmware analysis tools, or
772 00:29:49,840 --> 00:29:51,840
alternatively you can google
773 00:29:51,840 --> 00:29:53,840
OWASP embedded appsec project
774 00:29:53,840 --> 00:29:55,840
and there’s a tab on firmware analysis tools
775 00:29:55,840 --> 00:29:57,840
and the main tools I have there that are
776 00:29:57,840 --> 00:29:59,840
common in any firmware
777 00:29:59,840 --> 00:30:01,840
reverse engineering is Binwalk
778 00:30:01,840 --> 00:30:03,840
and there’s another one
779 00:30:03,840 --> 00:30:05,840
called Firmadyne and Firmwalker
780 00:30:05,840 --> 00:30:07,840
and Firmadyne, it helps or
781 00:30:07,840 --> 00:30:09,840
assists with emulating a binary
782 00:30:09,840 --> 00:30:11,840
so you don’t have to have the hardware device in hand
783 00:30:11,840 --> 00:30:13,840
you could stand up
784 00:30:13,840 --> 00:30:15,840
a virtual network interface
785 00:30:15,840 --> 00:30:17,840
and you can access the
786 00:30:17,840 --> 00:30:19,840
web UI for example
787 00:30:19,840 --> 00:30:21,840
and also get access to the
788 00:30:21,840 --> 00:30:23,840
file system console
789 00:30:23,840 --> 00:30:25,840
and provide research
790 00:30:25,840 --> 00:30:27,840
as if you had the product in hand
791 00:30:27,840 --> 00:30:29,840
there’s some tweaks and modifications but again
792 00:30:29,840 --> 00:30:31,840
the point is to emulate
793 00:30:31,840 --> 00:30:33,840
a device without buying it
794 00:30:33,840 --> 00:30:35,840
or purchasing it and just having the firmware
795 00:30:35,840 --> 00:30:37,840
Right, and Binwalk
796 00:30:37,840 --> 00:30:39,840
for looking at
797 00:30:39,840 --> 00:30:41,840
the files with the firmware
798 00:30:41,840 --> 00:30:43,840
Yeah, the firmware itself, it extracts
799 00:30:43,840 --> 00:30:45,840
the firmware
800 00:30:45,840 --> 00:30:47,840
it basically decompresses
801 00:30:47,840 --> 00:30:49,840
and
802 00:30:49,840 --> 00:30:51,840
for example there’s
803 00:30:51,840 --> 00:30:53,840
SquashFS, the file system
804 00:30:53,840 --> 00:30:55,840
it has what’s called
805 00:30:55,840 --> 00:30:57,840
unsquashfs
806 00:30:57,840 --> 00:30:59,840
I forgot what it’s called at the moment right now
807 00:30:59,840 --> 00:31:01,840
but there’s another one called Sasquatch
808 00:31:01,840 --> 00:31:03,840
for modified SquashFS
809 00:31:03,840 --> 00:31:05,840
file systems as well
810 00:31:05,840 --> 00:31:07,840
so it basically extracts the file system
811 00:31:07,840 --> 00:31:09,840
so you can navigate
812 00:31:09,840 --> 00:31:11,840
the configuration files
813 00:31:11,840 --> 00:31:13,840
or the code statically
814 00:31:13,840 --> 00:31:15,840
and view
815 00:31:15,840 --> 00:31:17,840
again let’s say hard-coded credentials
816 00:31:17,840 --> 00:31:19,840
is one example I gave
817 00:31:19,840 --> 00:31:21,840
today in my talk
818 00:31:21,840 --> 00:31:23,840
Excellent, what do you
819 00:31:23,840 --> 00:31:25,840
think, I mean if you look
820 00:31:25,840 --> 00:31:27,840
at the
821 00:31:27,840 --> 00:31:29,840
area of
822 00:31:29,840 --> 00:31:31,840
IoT or embedded devices right now
823 00:31:31,840 --> 00:31:33,840
and what do you see
824 00:31:33,840 --> 00:31:35,840
in the future, will we see
825 00:31:35,840 --> 00:31:37,840
an end to the problems that relate
826 00:31:37,840 --> 00:31:39,840
to
827 00:31:39,840 --> 00:31:41,840
vulnerable
828 00:31:41,840 --> 00:31:43,840
ODM products
829 00:31:43,840 --> 00:31:45,840
that get
830 00:31:45,840 --> 00:31:47,840
proliferated into
831 00:31:47,840 --> 00:31:49,840
IoT products
832 00:31:49,840 --> 00:31:51,840
and consumer products
833 00:31:51,840 --> 00:31:53,840
because
834 00:31:53,840 --> 00:31:55,840
the way I think, it’s sort of like
835 00:31:55,840 --> 00:31:57,840
if
836 00:31:57,840 --> 00:31:59,840
the basic platform is vulnerable
837 00:31:59,840 --> 00:32:01,840
and has a lot of back doors
838 00:32:01,840 --> 00:32:03,840
that
839 00:32:03,840 --> 00:32:05,840
the OEMs can’t
840 00:32:05,840 --> 00:32:07,840
do anything about, they’re gonna
841 00:32:07,840 --> 00:32:09,840
continue feeding the market
842 00:32:09,840 --> 00:32:11,840
with vulnerable devices that’s
843 00:32:11,840 --> 00:32:13,840
a shitstorm
844 00:32:13,840 --> 00:32:15,840
waiting to happen. Yeah, that’s
845 00:32:15,840 --> 00:32:17,840
what’s happening, unfortunately
846 00:32:17,840 --> 00:32:19,840
and again I think I discussed during my talk as well
847 00:32:19,840 --> 00:32:21,840
back porting
848 00:32:21,840 --> 00:32:23,840
these vulnerabilities, so say the OEMs
849 00:32:23,840 --> 00:32:25,840
are recreated and built on top
850 00:32:25,840 --> 00:32:27,840
of the ODM’s original code base
851 00:32:27,840 --> 00:32:29,840
and they’ve built a number of different iterations
852 00:32:29,840 --> 00:32:31,840
and updates and now back porting
853 00:32:31,840 --> 00:32:33,840
let’s say it’s a driver that’s
854 00:32:33,840 --> 00:32:35,840
affected or a piece of software
855 00:32:35,840 --> 00:32:37,840
and other dependency issues
856 00:32:37,840 --> 00:32:39,840
with that is a pain
857 00:32:39,840 --> 00:32:41,840
and not only that, the communication
858 00:32:41,840 --> 00:32:43,840
between the OEM
859 00:32:43,840 --> 00:32:45,840
who is supporting the product over to
860 00:32:45,840 --> 00:32:47,840
let’s say Broadcom for example
861 00:32:47,840 --> 00:32:49,840
there is no communication there
862 00:32:49,840 --> 00:32:51,840
and an update
863 00:32:51,840 --> 00:32:53,840
path, it’s very much
864 00:32:53,840 --> 00:32:55,840
a manual process and again
865 00:32:55,840 --> 00:32:57,840
as far as if an ODM’s involved
866 00:32:57,840 --> 00:32:59,840
you have a
867 00:32:59,840 --> 00:33:01,840
black box binary that
868 00:33:01,840 --> 00:33:03,840
you don’t know the code that’s inside
869 00:33:03,840 --> 00:33:05,840
and you can’t change the code, you don’t have the source
870 00:33:05,840 --> 00:33:07,840
code, it’s literally compiled
871 00:33:07,840 --> 00:33:09,840
and again there’s also
872 00:33:09,840 --> 00:33:11,840
from another aspect there’s also
873 00:33:11,840 --> 00:33:13,840
the ODM’s or even the OEM
874 00:33:13,840 --> 00:33:15,840
can branch out, they want a certain feature
875 00:33:15,840 --> 00:33:17,840
that you can have access to
876 00:33:17,840 --> 00:33:19,840
for USB, like
877 00:33:19,840 --> 00:33:21,840
NetUSB is an example I gave and that’s also
878 00:33:21,840 --> 00:33:23,840
contracted out
879 00:33:23,840 --> 00:33:25,840
to another third party
880 00:33:25,840 --> 00:33:27,840
who supports
881 00:33:27,840 --> 00:33:29,840
that driver, so even like Twonky
882 00:33:29,840 --> 00:33:31,840
media server that’s on most of
883 00:33:31,840 --> 00:33:33,840
routers, that’s the third party creating that piece of
884 00:33:33,840 --> 00:33:35,840
software and it’s a
885 00:33:35,840 --> 00:33:37,840
binary that they build in
886 00:33:37,840 --> 00:33:39,840
into their end firmware image
887 00:33:39,840 --> 00:33:41,840
and then distribute it out
888 00:33:41,840 --> 00:33:43,840
so there’s a lot of different hands, a lot of different
889 00:33:43,840 --> 00:33:45,840
black box code
890 00:33:45,840 --> 00:33:47,840
that is not
891 00:33:47,840 --> 00:33:49,840
there isn’t a source
892 00:33:49,840 --> 00:33:51,840
code that they can modify and change themselves
893 00:33:51,840 --> 00:33:53,840
it’s holding the
894 00:33:53,840 --> 00:33:55,840
ODM’s in a way
895 00:33:55,840 --> 00:33:57,840
accountable if they’re creating
896 00:33:57,840 --> 00:33:59,840
new products, for old products
897 00:33:59,840 --> 00:34:01,840
it’s hard to even
898 00:34:01,840 --> 00:34:03,840
gain those discussions and gain
899 00:34:03,840 --> 00:34:05,840
traction to get them to fix
900 00:34:05,840 --> 00:34:07,840
and spend time, because time is money
901 00:34:07,840 --> 00:34:09,840
to fix these security issues
902 00:34:09,840 --> 00:34:11,840
that’s also one thing that I was
903 00:34:11,840 --> 00:34:13,840
thinking about because we’re
904 00:34:13,840 --> 00:34:15,840
talking about very very low
905 00:34:15,840 --> 00:34:17,840
margin products
906 00:34:17,840 --> 00:34:19,840
so how
907 00:34:19,840 --> 00:34:21,840
could you persuade
908 00:34:21,840 --> 00:34:23,840
a market that’s
909 00:34:23,840 --> 00:34:25,840
basically counting cents
910 00:34:25,840 --> 00:34:27,840
and counting
911 00:34:27,840 --> 00:34:29,840
clock cycles on their
912 00:34:29,840 --> 00:34:31,840
small processors and weighing
913 00:34:31,840 --> 00:34:33,840
memory bytes
914 00:34:33,840 --> 00:34:35,840
on golden scales
915 00:34:35,840 --> 00:34:37,840
because the
916 00:34:37,840 --> 00:34:39,840
space is so cramped
917 00:34:39,840 --> 00:34:41,840
how could you convince them that they need to do
918 00:34:41,840 --> 00:34:43,840
security right
919 00:34:43,840 --> 00:34:45,840
from the start, I mean
920 00:34:45,840 --> 00:34:47,840
that’s going to cost a lot of money
921 00:34:47,840 --> 00:34:49,840
and unless you have that as a
922 00:34:49,840 --> 00:34:51,840
selling point, I think those
923 00:34:51,840 --> 00:34:53,840
businesses going that path
924 00:34:53,840 --> 00:34:55,840
will be out of business because
925 00:34:55,840 --> 00:34:57,840
they’re going to one, not be
926 00:34:57,840 --> 00:34:59,840
first to market and two
927 00:34:59,840 --> 00:35:01,840
their product is going to be
928 00:35:01,840 --> 00:35:03,840
you know, two dollars more expensive
929 00:35:03,840 --> 00:35:05,840
than
930 00:35:05,840 --> 00:35:07,840
the next guy and he’s selling
931 00:35:07,840 --> 00:35:09,840
his product for like two cents or
932 00:35:09,840 --> 00:35:11,840
five cents, you know
933 00:35:11,840 --> 00:35:13,840
Sure, yeah definitely
934 00:35:13,840 --> 00:35:15,840
I mean consumer space wise, that’s a problem
935 00:35:15,840 --> 00:35:17,840
even in the industrial control system
936 00:35:17,840 --> 00:35:19,840
space where they’re relying on
937 00:35:19,840 --> 00:35:21,840
these embedded XP devices
938 00:35:21,840 --> 00:35:23,840
or even servers who are controlling
939 00:35:23,840 --> 00:35:25,840
these legacy medical devices
940 00:35:25,840 --> 00:35:27,840
these are millions of dollars
941 00:35:27,840 --> 00:35:29,840
and heavily dependent
942 00:35:29,840 --> 00:35:31,840
on devices
943 00:35:31,840 --> 00:35:33,840
and infrastructure and to update it’s like
944 00:35:33,840 --> 00:35:35,840
do I want to spend another three thousand because they’re vulnerable
945 00:35:35,840 --> 00:35:37,840
to this, let’s just segment, you know
946 00:35:37,840 --> 00:35:39,840
and that’s another problem because
947 00:35:39,840 --> 00:35:41,840
their vendor, let’s say like Siemens for example
948 00:35:41,840 --> 00:35:43,840
they don’t provide an update
949 00:35:43,840 --> 00:35:45,840
that is no longer supported and now
950 00:35:45,840 --> 00:35:47,840
you know, they’re stuck with it
951 00:35:47,840 --> 00:35:49,840
in 2017
952 00:35:49,840 --> 00:35:51,840
I work a lot with
953 00:35:51,840 --> 00:35:53,840
SCADA and industrial control systems
954 00:35:53,840 --> 00:35:55,840
so I know of that
955 00:35:55,840 --> 00:35:57,840
and that’s definitely not
956 00:35:57,840 --> 00:35:59,840
a low margin market
957 00:35:59,840 --> 00:36:01,840
because you have huge markups
958 00:36:01,840 --> 00:36:03,840
on
959 00:36:03,840 --> 00:36:05,840
very
960 00:36:05,840 --> 00:36:07,840
very small
961 00:36:07,840 --> 00:36:09,840
and simple devices
962 00:36:09,840 --> 00:36:11,840
that they charge you an arm and a leg
963 00:36:11,840 --> 00:36:13,840
for, so
964 00:36:13,840 --> 00:36:15,840
It’s like the other end of the spectrum really when you think about
965 00:36:15,840 --> 00:36:17,840
a regulated space where it’s really really expensive
966 00:36:17,840 --> 00:36:19,840
and then they’re heavily dependent on to update
967 00:36:19,840 --> 00:36:21,840
and then there’s no updates and you have
968 00:36:21,840 --> 00:36:23,840
the consumer side where
969 00:36:23,840 --> 00:36:25,840
there’s no incentive and regulation
970 00:36:25,840 --> 00:36:27,840
to influence
971 00:36:27,840 --> 00:36:29,840
secure software
972 00:36:29,840 --> 00:36:31,840
or secure devices
973 00:36:31,840 --> 00:36:33,840
or secure by design or implementing that
974 00:36:33,840 --> 00:36:35,840
in a life cycle of building
975 00:36:35,840 --> 00:36:37,840
of building IoT. I like that you
976 00:36:37,840 --> 00:36:39,840
also talked about what
977 00:36:39,840 --> 00:36:41,840
to do and how you should go about
978 00:36:41,840 --> 00:36:43,840
creating
979 00:36:43,840 --> 00:36:45,840
secure products or
980 00:36:45,840 --> 00:36:47,840
secure software and I guess that’s
981 00:36:47,840 --> 00:36:49,840
from your OWASP engagement
982 00:36:51,840 --> 00:36:53,840
One thing I really liked
983 00:36:53,840 --> 00:36:55,840
was that you talked about doing
984 00:36:55,840 --> 00:36:57,840
threat models and I think that’s
985 00:36:57,840 --> 00:36:59,840
probably one of the
986 00:36:59,840 --> 00:37:01,840
best tools you can
987 00:37:01,840 --> 00:37:03,840
use to find
988 00:37:03,840 --> 00:37:05,840
design
989 00:37:05,840 --> 00:37:07,840
flaws early on in a project
990 00:37:07,840 --> 00:37:09,840
and I’m amazed that
991 00:37:09,840 --> 00:37:11,840
not a lot of companies do that
992 00:37:11,840 --> 00:37:13,840
because it doesn’t cost much
993 00:37:13,840 --> 00:37:15,840
and you could find so
994 00:37:15,840 --> 00:37:17,840
many things early on in a project
995 00:37:17,840 --> 00:37:19,840
And it’s a learning exercise
996 00:37:19,840 --> 00:37:21,840
you’d often find that different teams
997 00:37:21,840 --> 00:37:23,840
they’re stuck in their silo
998 00:37:23,840 --> 00:37:25,840
and they’re stuck only
999 00:37:25,840 --> 00:37:27,840
developing this one feature
1000 00:37:27,840 --> 00:37:29,840
they don’t know how the whole ecosystem
1001 00:37:29,840 --> 00:37:31,840
say they’re an embedded developer
1002 00:37:31,840 --> 00:37:33,840
they don’t know how the cloud side works
1003 00:37:33,840 --> 00:37:35,840
the infrastructure team and then the big data side
1004 00:37:35,840 --> 00:37:37,840
but getting each team
1005 00:37:37,840 --> 00:37:39,840
in a room for
1006 00:37:39,840 --> 00:37:41,840
either a day or span it out
1007 00:37:41,840 --> 00:37:43,840
it’s a good learning exercise for all
1008 00:37:43,840 --> 00:37:45,840
and they can definitely
1009 00:37:45,840 --> 00:37:47,840
match the low-hanging fruit
1010 00:37:47,840 --> 00:37:49,840
and be like yeah
1011 00:37:49,840 --> 00:37:51,840
obviously now that we have it drawn out
1012 00:37:51,840 --> 00:37:53,840
it looks like a major problem
1013 00:37:53,840 --> 00:37:55,840
and it could affect not only us
1014 00:37:55,840 --> 00:37:57,840
our customers but also our infrastructure
1015 00:37:57,840 --> 00:37:59,840
and our name so let’s see how we can rework this
1016 00:37:59,840 --> 00:38:01,840
those are fun
1017 00:38:01,840 --> 00:38:03,840
then they start getting on the same page
1018 00:38:03,840 --> 00:38:05,840
like oh we’re on the same team
1019 00:38:05,840 --> 00:38:07,840
we’re not here as far as security is concerned
1020 00:38:07,840 --> 00:38:09,840
blame game
1021 00:38:09,840 --> 00:38:11,840
so it’s about the culture
1022 00:38:11,840 --> 00:38:13,840
but yeah threat modeling
1023 00:38:13,840 --> 00:38:15,840
huge huge huge as far as the impact it can cause
1024 00:38:15,840 --> 00:38:17,840
I think it’s
1025 00:38:17,840 --> 00:38:19,840
important in any piece of software
1026 00:38:19,840 --> 00:38:21,840
any device
1027 00:38:21,840 --> 00:38:23,840
you don’t see that a lot
1028 00:38:23,840 --> 00:38:25,840
I know Microsoft
1029 00:38:25,840 --> 00:38:27,840
has been a champion organization
1030 00:38:27,840 --> 00:38:29,840
for doing that
1031 00:38:29,840 --> 00:38:31,840
with their SDL
1032 00:38:31,840 --> 00:38:33,840
program but
1033 00:38:33,840 --> 00:38:35,840
you don’t see a lot of software companies
1034 00:38:35,840 --> 00:38:37,840
doing
1035 00:38:37,840 --> 00:38:39,840
that today either
1036 00:38:39,840 --> 00:38:41,840
so at least not
1037 00:38:41,840 --> 00:38:43,840
if you’re looking at startups
1038 00:38:43,840 --> 00:38:45,840
because in a startup you’re just trying to
1039 00:38:45,840 --> 00:38:47,840
make time to market
1040 00:38:47,840 --> 00:38:49,840
that’s key
1041 00:38:49,840 --> 00:38:51,840
and you want to throw out a product
1042 00:38:51,840 --> 00:38:53,840
sort of like what Steve was talking about
1043 00:38:53,840 --> 00:38:55,840
in his keynote
1044 00:38:55,840 --> 00:38:57,840
so that’s the thing
1045 00:38:57,840 --> 00:38:59,840
also the other side
1046 00:38:59,840 --> 00:39:01,840
we hope that the OEMs
1047 00:39:01,840 --> 00:39:03,840
will push
1048 00:39:03,840 --> 00:39:05,840
the ODMs to
1049 00:39:05,840 --> 00:39:07,840
build more secure software
1050 00:39:07,840 --> 00:39:09,840
the more mature OEMs would
1051 00:39:09,840 --> 00:39:11,840
but this is the part of IoT
1052 00:39:11,840 --> 00:39:13,840
these new products
1053 00:39:13,840 --> 00:39:15,840
that are being rapidly developed
1054 00:39:15,840 --> 00:39:17,840
and starter development kits
1055 00:39:17,840 --> 00:39:19,840
that make
1056 00:39:19,840 --> 00:39:21,840
creating and deploying
1057 00:39:21,840 --> 00:39:23,840
and selling these devices
1058 00:39:23,840 --> 00:39:25,840
super super simple
1059 00:39:25,840 --> 00:39:27,840
it’s common
1060 00:39:27,840 --> 00:39:29,840
if you were to build something or write software
1061 00:39:29,840 --> 00:39:31,840
you want it to work first
1062 00:39:31,840 --> 00:39:33,840
and then bolt everything else afterwards
1063 00:39:33,840 --> 00:39:35,840
and you don’t even think
1064 00:39:35,840 --> 00:39:37,840
it’s so far gone
1065 00:39:37,840 --> 00:39:39,840
interdependencies and things like that
1066 00:39:39,840 --> 00:39:41,840
but the rapid development of IoT
1067 00:39:41,840 --> 00:39:43,840
I don’t know if it’s a problem
1068 00:39:43,840 --> 00:39:45,840
but it’s just a matter of
1069 00:39:45,840 --> 00:39:47,840
we can make security easier
1070 00:39:47,840 --> 00:39:49,840
and faster for them to implement in their life cycle
1071 00:39:49,840 --> 00:39:51,840
otherwise it’s not going to happen
1072 00:39:51,840 --> 00:39:53,840
it’s not going to work
1073 00:39:53,840 --> 00:39:55,840
if we can’t implement something
1074 00:39:55,840 --> 00:39:57,840
that’s within their IDE
1075 00:39:57,840 --> 00:39:59,840
as a plugin for static
1076 00:39:59,840 --> 00:40:01,840
and then for dynamic with their builds
1077 00:40:01,840 --> 00:40:03,840
and their tools
1078 00:40:03,840 --> 00:40:05,840
as far as integrate with their tools
1079 00:40:05,840 --> 00:40:07,840
I think that’s the best way to go
1080 00:40:07,840 --> 00:40:09,840
otherwise statically
1081 00:40:09,840 --> 00:40:11,840
having a security team and pen test
1082 00:40:11,840 --> 00:40:13,840
and researchers
1083 00:40:13,840 --> 00:40:15,840
it doesn’t scale
1084 00:40:15,840 --> 00:40:17,840
Awesome, Aaron
1085 00:40:17,840 --> 00:40:19,840
Thanks for a great talk today
1086 00:40:19,840 --> 00:40:21,840
and thanks for taking time to talk to us
1087 00:40:21,840 --> 00:40:23,840
and bring some wisdom to our listeners
1088 00:40:23,840 --> 00:40:25,840
Awesome, thank you so much
1089 00:40:25,840 --> 00:40:27,840
Thank you for having me
1090 00:40:27,840 --> 00:40:29,840
Have a great day
1091 00:40:29,840 --> 00:40:31,840
So, that was all for this interview
1092 00:40:31,840 --> 00:40:33,840
and hopefully we will come up with
1093 00:40:33,840 --> 00:40:35,840
more of this
1094 00:40:35,840 --> 00:40:37,840
You can listen to the security podcast
1095 00:40:45,840 --> 00:40:47,840
in the next episode
1096 00:40:47,840 --> 00:40:49,840
Thank you for watching
1097 00:40:49,840 --> 00:40:51,840
and see you next time
1098 00:40:51,840 --> 00:40:53,840
Bye