Mai Tais with Tom Cross
Tom Cross · October 12, 2023 · 57:00
Okay, so Adam, or is this Adam or Ken?
What have I got on this shirt? Come on. That's, that's very hip. You know, that's, that's cool. I'm a Barbie girl in a Barbie world. Okay, there it is.
There you go. Very, very impressive. So Adam, we got a, we got a fun show today. We once again, have a great guest on, um, who's got quite a history in the business. Um, Tom Cross, how you doing, Tom?
Awesome. Thanks for having me on the podcast. This is fun.
So thanks for. Thanks for coming on. Why don't you tell us a little bit about, you've had a, I think your resume is actually longer than mine, even though you're probably younger, but you've done a lot.
So, you know, I guess, I guess I'll start with, I worked at Internet Security Systems, both before and after it was acquired by IBM. And so I was a researcher on X-Force research for a while. And then ended up, I was the X-Force research manager for a while, editor of the trend report and stuff like that. Eventually left IBM and went to Lancope where I ran research there. So we made a product called Stealthwatch. So lots of people knew the Stealthwatch brand and didn't know the Lancope brand. In any event, that company got bought by Cisco. So now it's Cisco Stealthwatch. And some of the stuff we made is still being used. I went on and I co-founded a micro-segmentation startup called Drawbridge Networks. We were a really small team and we built some micro-segmentation technology. We sold it to a company called OPAQ. So I was at OPAQ for a while. These days, I'm doing a few things. I'm doing some independent contracting. So I have a few clients that I'm helping out with their security programs. One of them is in the finance industry, and the other is a cybersecurity vendor. And, you know, I've also been doing some of my own projects. I got this thing called Feedseer, which is a, it's currently, it's gone through a couple of different permutations because the social media world is something that's changing a lot. But right now, it's a newsreader for Mastodon. And if you use Mastodon, there's lots of infosec people on Mastodon. It will keep track of what links they post on their feeds every day, the people that you follow. And it gives you sort of an aggregate view of, you know, what people are talking about. And that kind of helps me keep abreast of what's going on. And I have a few people that use it as well. So I don't know, that's the kind of stuff that I'm up to these days.
That's cool. Mastodon, how hip. I guess all the cool people have left Twitter or X or whatever the hell they call it these days.
Well, there's been this diaspora, right? And there's people that are still on Twitter and then there are people who've gone to Threads and there's people who are on Mastodon and there's people who are on BlueSky. I'd like to take a look at BlueSky because it's got, so I mean, to me, the fun thing about Mastodon is that there are APIs and I can build software on top of it. I was, so previously FeedSeer was a thing for Twitter. And what it did when I built it for Twitter is that it analyzed your social network, and it would find clusters within the graph, which if you've got multiple interests, it was good at identifying like, if you're, you know, say you're in the infosec and you're into policy, it would differentiate those two groups of people and you could push them back as lists. So you could use the list feature in Twitter to read those people specifically. And it worked really well as a way of sort of like cleaning your feed up and focusing you on what you wanted to read today. But it doesn't, I can't do that anymore because the API price rates on Twitter are so high at this point. So I had to mothball that thing. So I read, and like I said, a lot of, specifically InfoSec, a lot of InfoSec people moved to Mastodon. And so it is for people that do what we do, I think it's worth being over there. Because there's a lot of conversation going on over there that used to be on Twitter in our space in particular.
Okay. I'll have to check it out. I'm not a, I'm also kind of a privacy aficionado. So I just, I usually use LinkedIn grudgingly, but I'm just not a social media guy.
There's a lot of professional conversation on LinkedIn and, you know, you can get a lot of it, uh, you know, that way. Um, it's, I think there's probably more discussion going on on LinkedIn now than there was a year ago as a consequence of, you know, just like some of the things moving away from Twitter as well.
I agree with that. It's funny, right? The last time I was at Defcon Black Hat, Joe sent me with the company I work for. And while I'm there, somebody sent me this message, some woman allegedly saying, I know who you are and I know where you are and I know you're at Black Hat and Defcon. I'm like, okay. I didn't even post anything. And I know where I can find you. I'm like, I'm sitting on the third chair at the Luxor next to this. You don't have to guess where I am. So the point I'm making is after that, even though I still kept LinkedIn, I was like, I'm destroying all my social media. I don't want social media.
I thought your point was you like, look forward to having a stalker.
Like you were, no, I'm usually the stalker, not the stalker. That's right. I'm usually not, I'm usually not being stalked. I'm stalking. That's what it is. It's a Staten Island thing.
Yeah, of course, everyone does it. So today we have, this is the cocktail hour and it's actually pretty close to cocktail hour as we're recording. So we have Mai Tais today, which was your choice and an excellent choice, I thought.
So let me talk about my Mai Tai. Can I do that? Absolutely. This, first of all, is a Trader Vic's Mai Tai glass. And Trader Vic's is a restaurant that I like the idea of more than the reality. Um, I've had some nice nights there. Uh, and, uh, um, I've got a couple of things. One of them is, so this stir stick is from Frankie's Tiki bar, which is a legit Tiki place in Las Vegas. Um, so if you're at Blackhat or Defcon next year and you want to do something interesting, uh, to have your cab take you to Frankie's. It's off strip. It is very old school, if you remember how Vegas used to be in that there's a lot of video poker and smoking, but a very excellent jukebox, very excellent tiki beverages. And you have a tendency to leave the place in a blur. In addition, there is a wood carving of Jack Daniel of B-Sides fame on the wall in the place. Um, so there's, there's sort of like a scene of, uh, people would.
A wood carving, like someone would carve it like a statue.
I mean, he's an interesting guy with the beard and everything. There's a, there's a sort of like a wood carving of him on the wall. I'm pretty sure.
You know what, when you say there's a wood carving of someone in a, in a bar in Las Vegas, so they can, you're thinking there's going to be like Dean Martin or something, not an info set guy. That's awesome.
Tom, in case you want to know the last time I went out drinking with Joe. He did leave in a blur and he lost his credit card.
I did not lose it. They had it. They confirmed. And we actually went out actually lost just slightly misplaced.
We have, we went out with another guest that happened to be in New York city at the time. So I, I, he was in a blur. I mean, like he was talking to like, uh, the, uh, one of the columns holding up a wall or something.
That was a column.
Well, I will say that the trips home from Frankie's that I remember are often a little, you know, the camera's moving around a lot.
Um, the, uh, it is a great place.
Um, and, uh, and so let me talk about, so, so I, you know, I've gotten these like cheers in any case. Um, in the past, I've gotten these, um, books full of, In fact, Frankie's has a book full of their recipes if you want, but it's so complicated to make at home. So I'm lazy and I just get Mai Tai mix.
Oh good. Now I don't feel bad because I looked it up on YouTube and I saw Trader Vic's original recipe and I'm like, this is too complicated for me. I bailed out and got the mix, you know? So, okay.
You know, yeah, I'm using mix, but it's, and then I, I'm gonna, I'm gonna also admit to, so this is not good. But what's important about it is that it has coconut in it. And I don't use a lot of it. It just gives the Mai Tai a little bit of coconut flavor. It's Captain Morgan's coconut rum. And then I use this Sailor Jerry spiced rum as the primary rum in the beverage. And it's a little nicer than Captain Morgan. So, you know, the coconut gives it a little bit of a personality, I think. So that's my Mai Tai mix. I've got a couple of nicer rums here. So I've got this stolen smoked rum, which as you can see, I apparently like.
You do apparently like it, yeah.
But that is a rum that I would not put in a cocktail. That is a rum that I would put in a little sifter like this one that has a sailboat on it and just make sure you smell it and just kind of sip it. That's the proper way to consume that kind of thing.
What I'm noticing in the 19 podcasts that we have done, and I, yes, I know where the security cocktail hour, but a lot of the infosec people tend to enjoy their drinks and we put out a poll. Not that it was a big poll and 60% of the people wanted us to drink online during our podcast. So I get it. Thank you to the audience for letting us know. We'll continue. Maybe we'll do a separate after hours with you, Tom, just going over recipes for drinks. Cause that seems to be what people want, but we definitely, we definitely know our listeners.
One of the most brilliant talks I ever saw at, so SummerCon is a storied hacker convention that's been going on since the eighties. And this guy, John Lynn showed up one year and he did SMTP and scotch and the talk. So he would, he would pull out a scotch. He would talk about the scotch. He would pour little tiny cups and like sort of circulate. So everyone in the audience could taste the scotch just enough to taste and smell it. Then he would spend a few minutes talking about these he was building these like sand traps for spammers. And so he'd set up a bunch of servers that would sort of look at like attractive places to relay mail, and then it would sort of suck them in. And so he talked about the project and, you know, he would maybe spend five minutes on the project that he would pull out another bottle, talk about the bottle, distribute the shots, and then go back to talking about his project and, you know, different things that he had learned. And so it was very entertaining. I enjoyed that immensely.
I don't know him. Is he still around? We got to have him on.
We got to have him on. I've seen him a few years ago. I think he's still around.
That's how I met Chris Roberts. He was doing the same thing, except he was passing around a flask at Sky Talks and some other things at DEF CON. And I'm like, holy crap, this guy's drinking and passing a flask around the audience.
These days, I don't want to share a flask with everyone else at DEF CON.
But yeah, I wouldn't quite share the same one. Yeah, I mean, but I know what you mean. Well, it's funny, too, talking about drinking. I'm pretty sure that everyone I know in InfoSec, with the exception of two guys who do not drink for religious reasons, they all drink. Everyone drinks. This is just stress and just everything, you know?
Yes, there is, there is stress. You know, I mean, it's like, I'm going to, I'm going to talk about that. Let's talk about that for a minute. So, um, sure. I will say that, that personally in my life, I'm seeking, um, a, a, a condition where, um, you know, I, I enjoy alcohol and I have like a glass of wine with dinner or whatever, but I'm not, um, I used to drink a lot and I'm trying to reel that in, um, and still have alcohol as part of my life, but not have it. be sort of as much of a thing as it once was. But I think that... So I'm going to relate a thing that you guys have maybe heard before. So I call it Rumsfeld's quadrants, because it comes from a talk that Donald Rumsfeld gave while he was the Secretary of Defense. And you might hate Donald Rumsfeld. Lots of people hate him. It doesn't matter. You can hate him and like his quadrants at the same time. It really doesn't matter what your opinion of him is. He's a guy who had a lot of weird little sayings and things that you keep notes about. Uh, he said in one of the talks, he said, he said, there are, there are known knowns. Uh, there are known unknowns and there are unknown. Um, and, uh, I use that all the time. I think about that like a lot in our practice. Um, because I'm constantly, in fact, there was one time when I had a job, I actually just drew a cross up on the wall in my office just to remind me of that quadrant. Cause I constantly wanted to ask myself, what is my unknown unknown? What is the thing that I think works and is going to tell me if something goes wrong, that's actually broken and it's not going to go off. Right. And, you know, I think we, we, in our, you know, what we do, we're constantly sort of like worried about what is it that we don't know that's just going to ruin Saturday because we're on this podcast and, you know, my phone's going to light up because something's gone sideways. You know what I'm saying? Yeah. You know,
Yeah, I use that too a lot. Actually, believe it or not, I use it a lot in interviews. People ask me, they go, what keeps you up at night? Or what do you worry about as a director or a CISO? And I go, well, you know what? There's the stuff where we know we have weaknesses, where we know there's a threat. And hopefully we've done our risk management so we know. something may happen, something happened, whatever, you know, we're prepared for we can deal with it. It's a bad day. But you know, still, I go, the stuff that really worries me is the unknown unknowns is the stuff totally from left field that we're not prepared for, that we're not set up for, that we're going to be scratching our heads and freaking out over. So yeah, I know what you mean with that.
So it's a common, it's a common practice in project management. And it's also, I think, a common practice in more firms. And what I mean by that is, is that they, they, they budget for known unknowns, you know, whether it might be something environmental or, or, or political, something that's going to happen somewhere. And they, they're involved in something and they need that contingency money. And then the known unknowns is they put a war chest together and say, we don't know if we're ever going to use this, but we're going to have it in case we don't even think about this happening. and they keep that money there. So project management does that. And like, oh my God, we never expected a typhoon, you know, and that money gets used or something like that for the projects. So yeah, definitely something that people have to think of. You can sit there and brainstorm all day long. Oh, this project might incur an issue because something political is going to happen during that time. Might be the elections in the United States. It might be, you know, a remembrance of something else, but, The unknown unknowns doesn't even come to mind.
So this is going to segue right into a conversation that I wanted to have with you guys. So while I was out at Black Hat, I had the privilege of getting to co-teach a class that a friend of mine wrote called Hacking Bureaucracy. And hacking bureaucracy is a, so my friend is named Greg Conti. And if you go back through the history of Black Hat, there's Greg and I and other colleagues of his, like Dave Raymond have given a number of talks together. Greg and Dave are both West Point professors. And they sort of come at things from a, they understand like US Army doctrine. And so for hundreds of years, the military has been thinking about conflict. They have all this like organized, structured thinking about conflict. And what we do in information security is in part conflict. And, you know, we can, so I'm the sort of like hacker guy that kind of adds the hacker perspective to the things that we're doing together. But we can, you know, it's interesting to apply some of the military's thinking to the kinds of things that we do, find ways to apply it. And so we've done a number of things around that. Hacking bureaucracy. is an application of some of those ideas to running an organization within a, like basically operating within a large organization and dealing with politics and navigating that successfully. And it's a really interesting set of material. I kind of think of it as like, it's like a leadership class for people in cybersecurity. And you can go to Blackhat and learn, you can spend two days reverse engineering malware or learning how to do machine learning on your video card. But as technical people, we kind of already know a lot of that stuff. Some leadership training is sort of like a useful tangent that can broaden our ability to do what we do. And so I think it's a great class and I'm really glad I got to help teach it. The regular guy that is the secondary instructor had a personal situation this month where he was getting a new job and moving. 
And so I got the opportunity to teach it. And this topic that Uh, you know, that, that we're, um, that we were just talking about is one of the things that comes up in the class. Um, and so like as InfoSec people, so one of the things that, you know, I'm talking about this in the context of InfoSec, we're probably way more cognizant of Rumsfeld's quadrant than most people. Right. We're thinking how, what, what is it that could happen to this organization? How is this organization going to get owned? Right. I've got that list in my mind. I'm trying to prioritize our security effort around the things that I think are most likely to happen. But in hacking bureaucracy, we talk about it in terms of like, irrespective of whether or not you have an InfoSec role, if you're running a team within an organization, what could go wrong in that team? What is somebody going to fat finger, screw up? Who are they going to piss off? Like, you could sit down for an hour and ask yourself, with my team that I'm responsible for leading, like, what are the things that are most likely to go wrong? And then what is my incident response process for each one of those scenarios? Right. And, and like, no one does this, you know, you, you like, you just kind of, you kind of coach your people not to do dumb things. And you kind of hope that that's not going to happen. And it absolutely does. Like inevitably it's going to happen. And so sitting down and like going through the, The incident preparation process with respect to your team within the bureaucracy that you're in is a totally healthy thing to do. That was a recommendation that came up in that class that I think is something that you have to think to do it. And a lot of people don't. They just stumble into those those situations where inevitably, as particularly as you get more and more people working for you, like there's somebody who's going to do something wrong and it's going to get sideways with somebody else in the organization. 
You know what I mean?
Yeah. Yeah. We know about that, Adam, right?
I was going to say, you know, and you bring up a perfect point. I love like reinforcing a lot of these things, but the perfect point here is not so much a technical aspect or issue as much as it is more of a social or a layer eight issue. What I mean by that is, I could be working for somebody, or I could be a leader, and we have to provide some delicate information to, let's say, one of our CISOs or C-level people or whatever it is. And the way that information gets managed and transferred, even though the same message could be said in different ways, will change the response of the recipient. So those are one of the things I try to be very cognizant or very aware of. How do I wanna deliver that message? Now, it doesn't have to be a breach. It doesn't have to be, oh, I think somebody pwned us. It could be something like, oh, I think some intellectual property got emailed out and we're investigating it. It could be something smaller. And these are the things that we have to be aware of. How do I manage that communication to the individual? And sometimes saying the wrong thing can highly escalate and cause major issues. So that's even harder to prepare for.
Yeah, it's like Adam puts it in such, such lofty language and everything, you know, that the Jersey Staten Island version is someone said something stupid. And how do we deal with this? You know, that's true.
Could be the smartest. These podcasts are going to get me another job making eight figures. So I got to look like I'm intelligent or something, or we need to get a sponsor so we can go to Black Hat and DEF CON next year and broadcast from there. Live.
That's our little goal. But yeah, Tom, that's a really interesting way of looking at things. And I was sitting there going like, wow, that makes sense. Because I think about it as being a security manager for a long time. And I guess this applies to a lot of people. I suppose I'm almost as a manager back in the security thinking 15, 20 years ago. It's like, you know what? Just like we got to get the best technology to try to prevent everything and avoid it. I always think I got to hire the best team. And I spent a lot of time, you know, getting the right team, get not just the right technical skills, but the right mix, the right people, the right attitude, people who can live together and everything. And, you know, come to think of it, I have spent a lot of my career, especially depending on the organization, going out and dealing with situations, you know, and I, and I have to admit, I do do it, you know, very often you do it on an ad hoc. Uh, you know, the level someone complains about someone, so you have to talk with them, you figure out what's going on, and then, you know, and you go, you, you know, depending on what the situation is, you apologize, you schmooze them, you threaten them, you know, whatever, you deal with it. But the, the, the idea of having a, a plan for that, and actually a bit of a process, like an IR process, is, is really interesting. I never considered something like that.
You know who it's going to be and you know what's going to happen. You just hope that it's not going to happen. Like in the back of your mind, you kind of know, but you haven't taken, you know what I'm saying? But you, you know, systematically sitting down and saying, okay, I'm going to, I'm going to flip the coin over and accept that that's going to go sideways and ask myself, What do I want to have ready on that day? And how am I going to deal with it? You know what I'm saying? Like, you know, that can be that can be useful. Although, you know, the reality is that you're hoping it's not going to happen. It's just, you know what I'm saying? It's like, just as you know, I mean, we hope our organization is not going to get breached, but we're going to flip that coin over and And we're going to war game that scenario and make sure that we're prepared and have a tabletop exercise. It's the same thing with respect to just people. You know who's going to forget about something during a production change and cause something to crash or who's going to make HR mad by not doing their paperwork. You know what I'm saying? You can predict it.
Um, yeah, it's it sounds like it's like what's the threat model for for this person? I was like, okay, he's got a big mouth.
He's careless on Friday afternoon. We never did a tabletop on how we would interact with the other, um, middle management, lower, you know, or a higher management. And by the way, just so you know, Tom, when I worked for Joe, Joe didn't get the opportunity to hire me; inherited.
Indeed, that happens. And he got lucky. But, you know, sometimes you inherit complicated situations. And, and there's, you know, you're trying to coach people, but, you know, you also recognize risk.
Basically, yeah.
So, alright, so I'm gonna, we talked a little bit about business. I'm going to pour some of this smoked rum and see what it smells like. It's actually been a while since I've opened these. Like I said, I'm trying to reduce my, it's ironic, right, but I'm trying to reduce my alcohol. I'm trying to get to like, just kind of drink a little on the weekend and not during the week. And unless I'm like, out on business, like definitely you saw me drinking at Black Hat. But it's black. Yeah.
Well, Tom, it's like, it's like, I think it was Joe Wall, she used to say, now that I quit drinking, I can enjoy coffee. Exactly.
I'm afraid to drink. I become very unfiltered.
Why do you think we have this show?
No, I'm just kidding. It's nice. Yeah. It's been a while since I've, uh, since I've actually had that. It's, it's been, uh, mostly empty in my closet for some period of time, but, uh, yeah, it's got a nice, uh, sort of carameliness to it and a smokiness.
Rum drinkers, especially not, especially not neat. I'm like, okay, I'm going to have to try some of this stuff.
All right. So Tom, I have a question for you. You know, I know, I know we spoke a little bit about, um, DEF CON or Black Hat, what do you think about next year's show? Any surprises, anything to look forward to, you think? For next year's show?
Yeah, either one. Oh, for this year's show. So, I mean, let me just talk about my, the thing that I had the most fun with this year. I mean, so I would say if I turn the clock back to the 90s, when I would go out there, I was always sort of seeking you know, some kind of new thing to sink my teeth into that I wanted to get excited about intellectually, like some kind of new technology or capability or possibility that, you know, was something that I could really come back and play around with. Maybe it's a new protocol or a tool, you know, so that's what I got jazzed about going out there. I would always like just get exposed to things excuse me, that I hadn't seen before that were really interesting and exciting and changed my perspective. Over time, you get to a point where you feel like you've seen it all and you've done it all. We've all been in this industry for a very long time. And so that sort of sense of of novelty and possibility, I guess, wanes in time, right? And so, there's always groundbreaking research that's happening, but is it like a thing? But I've seen somebody find a heap overflow in a thing 20 times before, you know what I mean? It's a heap overflow in another thing, or they fuzz something else, or Uh, you know what I'm saying? Eventually, um, you, you know, you've, you've kind of gotten to a point where, where you've seen a lot of it. Uh, you know, I think, um, something that's happened recently that I find to be very interesting is the aerospace village. Um, uh, you know, I think at Defcon, I think that they, it's really interesting, the level of engagement that they have from Boeing and other folks in the aerospace industry. Um, they have a real flight simulators. Um, I got a selfie taken with the autopilot from airplane.
Uh, Dave, um, wait, wait, wait, wait, did he wait, did he have a cigarette in his mouth? Oh, the, uh.
But they've got real satellites, and they've been having, for the past four years, a capture the flag around hacking into satellites. And they had a satellite, the firmware image, last year that they were hacking into. And so there was a lot of content this year about hacking satellites. And this year, so a few months before Black Hat, the Air Force launched a CubeSat. So a CubeSat is, it's this sort of standardized format for launching these very small satellites into low Earth orbit that can kind of fit into the empty space that the larger satellites fill in the spacecrafts that they're launching. So it kind of optimized the space and these CubeSats maybe cost, you know, like a few hundred thousand dollars to put up there. So more money than I've got, but within the budget of the Air Force, that's, you know, yeah, the Air Force, that's coffee money. And so. They put up a 3U CubeSat that was specifically designed for information security research. And the Capture the Flag that they were operating at DEF CON involved literally hacking into that satellite and doing things with it while it was in space. And so I just like found this to be tremendously interesting and like, was excited to learn a bunch about it. And so I kind of felt like, you know, it was something I brought back from, from DEF CON and Black Hat, where I was like, you know, this is cool. I want to read more about it. I want to learn about this. Like, I'm actually excited about this, you know. Did it get pwned? Yeah, well, I mean, so it's obviously a bit of a sandbox environment, and I can talk about some of the things that they did. There is a wealth of information online about it, but I feel like the way that the information is organized, some of it can be hard to get to. They had a setup where they weren't directly transmitting to the satellite, the company that launched the satellite was transmitting to it. 
And they could issue, there was an API that they could use to issue messages to the satellite. So assume they're able to transmit. Uh, and, um, the, uh, uh, there are certain challenges that they had to complete with respect to the satellite. So, um, for example, um, they had the ability to, um, like, uh, you know, they could basically, they could run Lua scripts, I think, on the satellite that would cause, um, it to operate different functions. And so there's this, uh, gyroscopic thing that can cause them to manipulate its physical, um, positioning. Uh, and there's a camera. And so one of the things that they had to do, so a simple thing they had to do is like manipulate the position of the satellite and take a picture. And there weren't any, I don't think there were any like sort of security rails that they had to violate in order to make that happen. But there were also parts of the Earth that were sort of blacklisted that they were not allowed to take pictures of. And so one of the things they had to do is figure out how to take a picture of part of the Earth they weren't supposed to take a picture of. And so the way that they had to do that is there was, I think, a vulnerability in the GPS module in the satellite. And so they had to exploit that in order to send bad GPS coordinates to the satellite to make it think it was pointing at a different part of the Earth than it was pointing to. And that allowed them to take pictures of the Earth that they were prohibited from taking. Right. And they, they, they really did this. They really manipulated the satellite in space and took the photographs. There's a few photographs up on the Hack-A-Sat website that they took. Um, and so like all these things are, are, you know, sort of like as close to being real, but they didn't, you know, obviously they didn't give them like free rein to do whatever they wanted with this thing that was actually in space. 
Um, but, uh, these were all challenges or sandbox kind of things that they set up that they intended them to be able to do.
So I'll tell you what I've been wondering about that. Cause I obviously heard about it, read about it. I mean, great clickbait news coming out, you know, it's like hackers, let's hackers take over satellite, whatever. And, you know, understand they had some satellite things to do and everything. But like from the, I'm actually going to ask a technical thing, which I usually don't do, but from a technical perspective, I mean, it's a device. It's a device that's in a particular place up in space or whatever. You've got some sort of access to it, some sort of radio link, whether it's async or someone relaying commands or whatever. From the hacking perspective, how different was it from hacking any other device that might have been in another room or a car or something like that? Was it really that different or is it just kind of a cool factor? So the satellite's an IoT device?
Yeah.
Yeah. Is that like an IoT device, basically?
Absolutely. So, well, let me talk about a slightly more real thing. So there was a presentation at Black Hat by a European university professor, and he was able to get the ESA to share with him firmware images for satellites that are really in space, that are not a sandbox. He talked about two different satellites that he got firmware images for. Um, and, uh, basically, um, you know, and it's, it's, if you, if you made all the cynical assumptions that InfoSec people make about how things get built, like they're all true. Okay. So, um, the first one, um, there's no authentication. So if, if you, if you, if you build an appropriate radio with an appropriate antenna that can send data to the thing, there's no authentication. And so you can send it messages and then there's an API that you can access because there are digital messages. There's an API that you can access. You can send messages of different types. There's a protocol. And one of the message types that you can send is an arbitrary mem copy. And so consequently, you can overwrite the recorded memory. And so, and you just arbitrarily. So there's no, you can laugh about whether or not this isn't even hacking. So he modified the firmware image to add authentication, therefore locking out the legitimate satellite owner. He did this through the firmware image that he had in the lab and not to the actual satellite. But, um, you know, it is a, it is a scenario that, that is, um, you know, real with, it's a real image that is really running.
That's almost like 1986, 80, and then writing stuff back with assembly into the memory, changing the, um, the actual assembly language in memory. That's what it reminds me of.
The second one, there was... Well, I got to tell you, Tom, before you go to that, that's just appalling to me because I got a background in security architecture too, but it's like they put no authentication on it because they assumed that no one would have the radio and be able to talk to it. So we don't need authentication that I'll tell everyone, that's not a good assumption, ever, especially today, maybe 30 years ago, people used to do stuff like that.
It's just nuts and move laterally into the radio that you don't even own, you can do that too.
Yeah, if you get ahold of it, it's crazy.
Anyway, this is what happens.
You guys know, like, the people build things so that they work; any added complexity, particularly in this environment, it means added cost, added energy requirements, and also technical risk, right? If there's a key and you lose the key, you lose the satellite, you break it, right?
Yeah, I've encountered that too with, and I actually, as I go way back in my past, a little bit of satellite stuff I've had to expose to, been exposed to, it's like, yes, I remember with that and with things that could be like very distributed geographically that are hard to get to, authentication does always breed terror. There's just terror that they won't be able to get into it because it's either difficult or physically impossible to get to. That is true, but we've got to be able to get past that stuff.
How to build systems properly. And God knows how long that thing's been up there, right? I mean, I don't know off the top of my head how old this thing was, but there are things that stay up there for a very long time. Um, and so the, um, and so the, I can really scare you, but we'll get to that in a minute. So the second satellite, um, that he looked at the protocol, they were using a standard, there's kind of an industry standard protocol. He described it as being sort of the TCP/IP for satellites, but, um, and that protocol does have an authentication mechanism that is built into the protocol, but in this particular image, they turned it off. So although the feature was present, they weren't using it. So again, there's no authentication. There wasn't a really, really simple API call that just gave them arbitrary memcpy, but he found a stack overflow vulnerability in one of the API calls that was available and therefore was able to obtain arbitrary memory writing from the stack overflow vulnerability. And so to your point, he was, the joke at that point was like, look, I got a Black Hat talk accepted from a vanilla stack overflow. Right. You know, I mean, yeah, it's, it's, it's, it isn't different from a typical, a typical IoT, they're computers, they work the same as other computers do. And all of the pathologies that we have in our computer design are applicable to them. It's really the reality of the situation and the context that makes it interesting. And it produces a different set of things that you need to do sort of operationally in order to protect these things. So there was a speaker at DEF CON who had something called SPARTA, which was like an ATT&CK style framework for thinking about attacks on space systems. And there's a different set of considerations. Obviously, if you think about what I just described, the security of the firmware image itself is really important in this context.
Because if I have the firmware image that I can run it in the lab, I can find vulnerabilities, I can make sure my exploit works. It's a little bit more difficult to do this stuff just by like interacting with the thing in space and like sending it random things and hoping that you can like reverse the protocol. And so, you know, if you're building space systems, the security of developers, laptops, development environments, you know, images that are being deployed, your supply chain to get those things into production, all of that stuff is really, really important. And you might want to take it to a higher level of care than a normal software engineering organization would, because that's a critical problem if you lose control of those images. So it does lead to, like analyzing the problem does lead to particular observations and considerations that I think are relevant to organizations that are dealing with this stuff beyond please put cryptographic authentication in the things you're launching. And for sure, like the current modern, you know, expensive stuff that's getting put up there typically has better security features, but the little CubeSats often do not, right? And so there are things up there, and certainly there are old things up there that don't have good authentication. So that I said I'd scare you that the really scary scenario that people talk about with satellites is that, you know, so let's say, you know, somebody gets telemetry on one of these things and is able to get it off course and crash it into another one right. There's this sort of catastrophic scenario that can happen where these things start crashing into each other and they create debris field and everything just gets destroyed there, right? And you've got this huge debris field and human civilization doesn't have satellite capabilities or space capabilities for like 20 years as all this stuff slowly, you know, deteriorates and eventually it burns up and it's okay. 
But it's like, you know what I'm saying? That's the like worst case scenario associated with this stuff.
I have three responses to that. One, I think what you're telling me is you don't want to remotely brick a satellite. Number two, what I think you're saying is that there's no remote hands should you cause some kind of overflow and then things not responsive. I thought maybe you can call maybe a data center and then get somebody on the phone and do remote hands. I guess not. You got to get Elon, say.
From a QA and sysadmin perspective, like it's a, it's a, it's interesting to think about like the reality of admitting something that where no, it turns out you can't, you can't just like get console access to it at all, regardless. So if you, if you fat finger it, you, you got a different level of problem. Right.
Oh my God. Well, you know, you remind, I say this, you remind me back in 2005, I was, um, I was upgrading one of those old stackable UPSs from APC where you had like these chunks. And then I couldn't get remote access correctly to it. I mean, I was there, but I needed remote access to even though it's physically there. And the guy goes, I want you to telnet. Yes. Don't say anything. Don't telnet. I want you to tell him that hit the letter V. Oh, gee, boom. I bricked the whole entire UPS because I hit one letter key. And that, that UPS was no longer viable anymore. I had to buy a new one. So that kind of makes me think about telnetting to a satellite through our API or whatever, and sending the command. Oh, I hit the wrong letter. It's like almost saying lunch or launch. Go ahead. I'm sorry.
Yeah. But the crazy thing with that is that, you know, we, we know how to I don't want to say solve, but we know how to mitigate those risks. You know, you have, we do, you need to have better QA. You need to have better testing. You need to have great procedures. You need to make sure your, your password management is dead on. So it doesn't die.
But you need to design so that hitting that won't.
be so catastrophic.
I agree that we need them designed so that, that you can't act catastrophically break it. So that's, that's, you know, non, I don't know what the term for that is. Cause we talked about secure by design, but like, like, like safe use by design is a, is a different concept that we don't talk about as much. Right. Yeah. Adam proof. You want to, you want to have the firmware running in your lab, any procedure that you run against production, you want to have done against staging. Um, and, and it needs to have worked in staging. And we, we don't often do that in it, where we actually like, we actually like the entire procedure gets running at staging before you ever touch production. Um, but I mean, they did that. Yes, we did.
Yeah. Well, you know what? We used to do that in IT in the earlier days of the web, in the earlier days of e-commerce, I remember. And it was expensive. We had like a dev environment, a QA environment, a staging environment where we would push before, you know, just to make sure that even that the push was okay. And then there was production. But you know what? Now in the whole DevOps thing and the rolling upgrades and all of that, that whole method of thinking is gone. Like that's so old school. Why would you do that? We got to move fast. We got, we got to do rolling upgrades, you know, and SANS 540, which is what I'm doing now.
I'm trying to finish that. If anybody wants to take the test, let me know for me. Um, but what they talk about is that we went from back in the day to like 40 changes in three months to like 400,000 changes in 24 hours on some of these SaaS environments, whether it's, and I don't want to, I'm not giving the exact numbers, I don't know, but like a Netflix or an Amazon or any of those, the amount of changes per day are ridiculously insane. And that's why they call it no ops, right? You're going directly from the dev, regular, directly into production. They don't even test anything anymore. From what I understand. Is that, is that true?
Not like they used to.
Places I work, I have, you know, staging environments. My clients, my current clients all have staging environments or UAT environments. But they, they, you know, but they're testing software in those environments. They're not testing like sysadmin procedures in those environments. And in fact, like the admins, the ops people are not necessarily sort of like in lockstep with the software developers as far as that's concerned. So, you know, I think that's the operational, the procedure testing is an even higher level of care, but it.
Well, you also mentioned. that you're working in financial services, that they still do it because they don't want stuff breaking.
The new philosophy is no ops, no. They'll invest the money.
You want anything you're doing to production in the cloud to be infrastructure as code. You don't actually ever want to be logging in hands-on keyboard into AWS and doing stuff. If you're doing that, I don't think your operations are yet at the level of maturity that some organizations are at, right? I think that, what do you guys think?
But even if you're doing it, well, I think even if you're doing infrastructure as code, which is a good thing to do, you still, you know, can be pushing that code out and implementing it in separate environments and doing, for sure, a reasonable amount of testing on it, depending on what your needs are. You know, I mean, it's not, it's not all, I'm going to give you some of the cowboys like us say, yeah, do you know Facebook, you know, I have some junior guy who just pushes it out to like, you know, 10 million machines or whatever before he goes to lunch. It's not quite like, yeah, but
Yeah. No, I mean, I, I do, I do think that, that though, um, few organizations reached the sort of ideal where, um, where everything, as I said, is, is, is, uh, is, is infrastructure as code and everything is, is, you know, pretested before it's done in production. They, they're, they're getting, everybody's got people who are getting in there from time to time and pushing buttons. Uh, and, uh, and, um, it's a, I'm good at pushing buttons. So. Yeah, I just felt like the space stuff was interesting. So the other thing to talk about with respect to the space stuff is SatNOGS. So SatNOGS is a, is an amateur satellite base station network. And so there's a whole, so lots of like ham radio guys build or 3D print parts for antennas that have tracking capability that they have in their backyard that they're using. And most of them are just receiving satellite transmissions, but some of them are actually transmitting as well. Um, and, uh, and so, you know, the, the level of like ham radio clue that you need in order to successfully do this is high. Some of these are very difficult builds of, of difficult pieces of machinery to do the tracking. But, um, and they're hand building antennas, but, uh, there's a network out there and you can, um, you can schedule receptions on the network based on when a particular spacecraft will pass over a particular physical location. And you can also listen to different transmissions up there. So you can, you can go up there in their database and pretty quickly find, say, you know, people using, so the International Space Station, for example, has a repeater. It's not very exciting, but you can, you can listen in to the ISS. It'll go over somebody's SatNOGS station and they'll have recorded the traffic on the repeater. And you can listen to the traffic and you can see the.
One interesting thing is you can stay have visual histograms and you can kind of see the Doppler shift of the frequency in the histogram because the vehicles are moving so quickly that the actual frequency has to be adjusted as they pass over you in the sky. Um, and so it's just neat. Um, and, and if you have abundant free time, you can get like, uh, very, very deep into this stuff and build your own satellite, uh, you know, transceiver center in your backyard and, and link up with other hobbyists that are trying to do this. And they're talking to these, uh, universities, uh, CubeSats and stuff like that. Uh, and, uh, it's just, there's, there's, uh, it's a, there's a lot of depth to this. If you desire, uh, a really interesting nerdy hobby. And so I've been trying, I've got my, I have to pull it through all the alcoholic beverages, but I got my little scanner out. I want to listen to ISS when it comes over. And I haven't successfully done that yet. I think their normal transmission frequency is only used when they're doing educational programs for schools. And so it's come over ahead a few times, but I don't think it was transmitting. So I'm trying to figure out if I can time it and then know, like, you know, I'll be at work and it'll be like, oh, it's two in the afternoon. Okay. I got a 10 minute window and see if I can pick it up. I haven't successfully done it yet, but that's something that I'm trying to do. So a couple of things.
My ham radio call sign is KC2MGX. Number two, the ISS call sign is NA, as in North America, 1SS, for those who care, and the frequency is 145.800 megahertz.
So I- Wait, you're a ham radio operator too?
Over 20 years. Oh my God.
The thing with Adam is he's a ham radio operator and an EMT. Have you listened to the ISS?
I mean, you know the frequency off the top of your head, so I expect that you have.
No, I didn't look it up. I didn't know off the top of my head. I actually Googled it, because I knew that people do it. I belong to several radio clubs. I don't have the time to do it. I don't want to give up the perception that I'm some incredible ham radio operator. I've had, you know, different ham radios over the years. I played with them. I've had, I actually carried ham radios to transmit on the EMS frequency when I was doing EMS stuff. But I like, I like radios. I've always liked radios. But I do know that some people do have to listen. They either use one or one quarter inch, one quarter antenna, or they also download an application that gives you the ability to have a ham radio on your computer as an application. I think it's called Echonet.
Like a software-defined radio?
Yeah, it's like, yes, you can do a software-defined radio also at CR. And I know at one point people were using 9600 baud, believe it or not, to see pictures and use it as a modem.
Oh, yeah.
I know people have done faster things now. I am not that good. I never claimed to be that good. But there was one gentleman I know in New York City who was that good. I think it's N2NOV. That's his call sign. He's in Staten Island. Not because I live in Staten Island, he's just well known. Of course. And his name is Charlie and I know he does that stuff. That's cool.
Yeah, so with that frequency, what they say is that because of that Doppler shift I was talking about, early in the window, if it's coming overhead, you actually wanna be at, it's 145.805, and then you go to 145.800 when it's directly overhead, and then you shift it down to 145.795 as it passes by, and that increases the window of time that you can hear it, because you're testing to compensate for the Doppler shift. Um, so, uh, like I, I want to do this, but that frequency, that's the one that they, they, they, it usually is dead unless they're talking to students. And so I got to look at their schedule when they're doing schools back in, my kids are in school. So now that school's back there, they've got programs. And so I'm going to see if I can get it all lined up and listen to it.
So we've had a little technical scare here, but we're kind of close to the end of the road anyway. So I think that means it's time for last call, which we usually turn it over to our guests. So Tom, any, well, any final thoughts and including on that, that fine rum you're drinking out of like a mini snifter. It's nice, you know?
Yeah. Usually when they say last call, I gotta, I gotta finish up. So, um, You know, last thoughts.
Well, some of us might possibly keep going after the show. We call that the after party.
Right. I got a lot of room here. I got to drink. I think that, you know, We don't all get to work on space systems, but thinking about it operationally speaking is interesting because it presents like a really challenging environment. And if you can figure out processes that work for that environment, there might be lessons that you can bring back to what you're doing that improves their reliability. You know what I mean? So I think it's interesting in that respect. And that's something I was observing as we were talking. Um, and so I guess that's my final thought. So, uh, you know, thanks for having me on the podcast guys. This was a fun conversation and, uh, we should do it again sometime.
Yeah, absolutely. I mean, I had a blast. I have not had a Mai Tai for a long time and I can tell you, we come in a big box, so you have to, you know, exactly.
My recommendation would be is that we do an after party for maybe about 10 minutes and we talk about different drinks and recipes and just sample drinks left and right. That would also help our audience because they love 60% of them want us to drink.
Well, if we do black hat, I mean, you know, we're going to have to not just. podcast where we're going to need a full bar and everything, you know. Oh, man.
So we need two sponsors. One sponsor. Get us there and put us up. And the other sponsor will have to be some kind of a company that distributes alcohol.
Awesome. All right. Okay. Well, Tom, thanks again for joining us. We have had a blast. This has been a lot of fun. Definitely interesting, fun stuff.
Great. Thank you, sir.
All right. Bye, everyone. Thanks for listening.