Säkerhetspodcasten #170 - Trammell Hudson, Dani Goland & Mohsan Farid
Contents
In today's episode we offer a couple of interviews recorded during Sec-T 2019!
Recorded: 2019-09-19. Length: 00:36:26.
AI transcription
The AI is trying to understand us… Bear with the crazy mistranscriptions.
1 00:00:00,000 --> 00:00:04,880
Welcome back to SEK, Jesper Karlsson live from SEC-T, almost live.
2 00:00:05,220 --> 00:00:06,540
Almost live, broadcast.
3 00:00:06,620 --> 00:00:09,940
Exactly, broadcasting, not streaming. That was an important point I made yesterday.
4 00:00:10,440 --> 00:00:13,120
I'm sitting here with Jesper Larsson and Hudson Trammell.
5 00:00:13,360 --> 00:00:14,420
No, Trammell Hudson.
6 00:00:14,680 --> 00:00:15,580
Yes, I've improved it.
7 00:00:16,020 --> 00:00:17,300
It works both ways.
8 00:00:17,440 --> 00:00:20,320
So we've just listened to a really fantastic talk. What was it about?
9 00:00:21,420 --> 00:00:26,480
This talk was about my research on building hardware implants for
10 00:00:26,480 --> 00:00:28,560
board management controllers, VMCs.
11 00:00:28,940 --> 00:00:33,640
It was inspired by the Bloomberg story, the big hack from last year.
12 00:00:34,440 --> 00:00:37,440
I was trying to explore what the technical availability
13 00:00:37,440 --> 00:00:44,560
of these implants is, without trying to admit that we don't know
14 00:00:44,560 --> 00:00:50,760
whether the story happened or not, but technically they are fully available.
15 00:00:50,760 --> 00:00:53,800
Yes, correct. I think your research was very good,
16 00:00:53,880 --> 00:00:55,760
because you visited the whole…
17 00:00:56,480 --> 00:01:03,440
What was that about? Was it on your holiday, or was it just that you were going to China to have a look at it?
18 00:01:03,440 --> 00:01:04,440
Why did you do it?
19 00:01:04,440 --> 00:01:12,780
I had a fantastic opportunity to tour a bunch of PCB manufacturing, as a friend of mine
20 00:01:12,780 --> 00:01:18,660
had done a tour through these factories for a few start-ups in Silicon Valley
21 00:01:18,660 --> 00:01:21,700
so that they could see what was involved in making a physical product.
22 00:01:22,640 --> 00:01:25,440
I was invited to tag along and really…
23 00:01:26,480 --> 00:01:28,480
I took an opportunity.
24 00:01:28,480 --> 00:01:30,480
Yes, of course. A nice friend to have, right?
25 00:01:30,480 --> 00:01:32,480
It looked really fun.
26 00:01:32,480 --> 00:01:34,480
That was actually a very exciting part of your story, I think,
27 00:01:34,480 --> 00:01:37,480
because it gave me an insight I never had before,
28 00:01:37,480 --> 00:01:40,480
into how the manufacturing actually happens.
29 00:01:40,480 --> 00:01:42,480
It's very exciting.
30 00:01:42,480 --> 00:01:48,480
Yes, and it's interesting how much is concentrated in the Shenzhen area.
31 00:01:48,480 --> 00:01:50,480
Yes.
32 00:01:50,480 --> 00:01:54,480
So the ones I was able to photograph were some of the small manufacturers.
33 00:01:54,480 --> 00:01:58,480
I had the opportunity to tour some much bigger ones, but they had…
34 00:01:58,480 --> 00:02:00,480
No photographers.
35 00:02:00,480 --> 00:02:05,480
But one of them had moved to 100% X-ray
36 00:02:05,480 --> 00:02:09,480
of the boards coming out for certain high management costs.
37 00:02:09,480 --> 00:02:10,480
Yes.
38 00:02:10,480 --> 00:02:12,480
And they also had…
39 00:02:12,480 --> 00:02:15,480
As an effect of this article, or just as quality management?
40 00:02:15,480 --> 00:02:19,480
They went from sampling to 100%, I think.
41 00:02:19,480 --> 00:02:21,480
Okay, of course.
42 00:02:21,480 --> 00:02:23,480
And especially around implants.
43 00:02:23,480 --> 00:02:26,480
Yes, for implants in this case.
44 00:02:26,480 --> 00:02:31,480
Instead of just checking for the conditions that exist and such.
45 00:02:31,480 --> 00:02:36,480
Yes, it was quite common for high management costs,
46 00:02:36,480 --> 00:02:39,480
if you're building aviation or air force costs, to X-ray them all.
47 00:02:39,480 --> 00:02:45,480
But doing it for computer products was only to verify
48 00:02:45,480 --> 00:02:48,480
that the manufacturing processes were…
49 00:02:48,480 --> 00:02:49,480
Up to par.
50 00:02:49,480 --> 00:02:51,480
Up to par, that the colors looked good and so on.
51 00:02:51,480 --> 00:02:52,480
Yes.
52 00:02:52,480 --> 00:02:55,480
But in the aviation industry and in the oil industry
53 00:02:55,480 --> 00:02:58,480
you X-ray a lot of your welds to see that you don't have demands on anything,
54 00:02:58,480 --> 00:03:00,480
since it's very high pressure and so on.
55 00:03:00,480 --> 00:03:04,480
But here it's rather about seeing that you get what you get.
56 00:03:04,480 --> 00:03:08,480
You showed a really nice picture of a fake RSU-3-2 chip.
57 00:03:08,480 --> 00:03:10,480
It was quite fun when they X-rayed…
58 00:03:10,480 --> 00:03:12,480
When they… What's it called?
59 00:03:12,480 --> 00:03:13,480
Decapsulated.
60 00:03:13,480 --> 00:03:14,480
Decapsulated, yes.
61 00:03:14,480 --> 00:03:15,480
It's completely different.
62 00:03:15,480 --> 00:03:16,480
Yes.
63 00:03:16,480 --> 00:03:18,480
But it looks exactly the same on the surface.
64 00:03:18,480 --> 00:03:20,480
So there are…
65 00:03:20,480 --> 00:03:22,480
I didn't go into it in the talk, but there are…
66 00:03:22,480 --> 00:03:25,480
There are several different types of contracts that people are worried about.
67 00:03:25,480 --> 00:03:30,480
There are the ones I mentioned, with the salvaged parts.
68 00:03:30,480 --> 00:03:35,480
There are the ones where certain parts are made on what's called a ghost shift.
69 00:03:35,480 --> 00:03:36,480
Where…
70 00:03:36,480 --> 00:03:39,480
We're going home now, but let's make 1000 more.
71 00:03:39,480 --> 00:03:40,480
Exactly.
72 00:03:40,480 --> 00:03:41,480
It's exactly the same product.
73 00:03:41,480 --> 00:03:42,480
Yes.
74 00:03:42,480 --> 00:03:44,480
And then there are the others that are…
75 00:03:44,480 --> 00:03:45,480
At the same time.
76 00:03:45,480 --> 00:03:46,480
Where…
77 00:03:46,480 --> 00:03:50,480
And then they have them packaged to look like the same chip,
78 00:03:50,480 --> 00:03:52,480
but inside it's a completely different process.
79 00:03:52,480 --> 00:03:54,480
And from a security perspective…
80 00:03:54,480 --> 00:03:56,480
That's actually the scariest one.
81 00:03:56,480 --> 00:03:57,480
Yes.
82 00:03:57,480 --> 00:03:59,480
Because who knows what other functionality…
83 00:03:59,480 --> 00:04:00,480
Could be found.
84 00:04:00,480 --> 00:04:01,480
Yes.
85 00:04:01,480 --> 00:04:02,480
That's really crazy.
86 00:04:02,480 --> 00:04:07,480
We had an episode about this where we discussed it in detail.
87 00:04:07,480 --> 00:04:09,480
And the only…
88 00:04:09,480 --> 00:04:11,480
It…
89 00:04:11,480 --> 00:04:16,480
You have made it absolutely clear to everyone in the audience
90 00:04:16,480 --> 00:04:19,480
and to everyone on the internet now that this is possible.
91 00:04:19,480 --> 00:04:20,480
This can actually be done.
92 00:04:20,480 --> 00:04:21,480
But…
93 00:04:21,480 --> 00:04:26,480
There is so much work put into doing this.
94 00:04:26,480 --> 00:04:27,480
It's so big.
95 00:04:27,480 --> 00:04:28,480
You have to intercept.
96 00:04:28,480 --> 00:04:30,480
If it can be done at scale.
97 00:04:30,480 --> 00:04:34,480
You have to get into the production and everything.
98 00:04:34,480 --> 00:04:36,480
But since everyone is denying it…
99 00:04:36,480 --> 00:04:38,480
Why was it there?
100 00:04:38,480 --> 00:04:39,480
What was the article?
101 00:04:39,480 --> 00:04:40,480
Why did it come out?
102 00:04:40,480 --> 00:04:41,480
What do you think?
103 00:04:41,480 --> 00:04:44,480
Why was the article in Bloomberg?
104 00:04:44,480 --> 00:04:47,480
I'm not sure that any intelligence agent
105 00:04:47,480 --> 00:04:49,480
would want to do that at scale.
106 00:04:49,480 --> 00:04:50,480
Yes, you want a target.
107 00:04:50,480 --> 00:04:54,160
I think they would want to target
108 00:04:54,160 --> 00:04:56,840
a very small number of customers.
109 00:04:57,820 --> 00:04:59,540
It helps a whole lot for containment
110 00:04:59,540 --> 00:05:03,260
if you’re only going after one.
111 00:05:03,680 --> 00:05:05,720
Otherwise anyone who buys a Supermicro board
112 00:05:05,720 --> 00:05:08,860
could potentially find this sort of thing.
113 00:05:08,860 --> 00:05:10,380
You’re exposing yourself way too much.
114 00:05:11,180 --> 00:05:14,580
As I pointed out, the targeted access operations
115 00:05:14,580 --> 00:05:18,460
lets them tailor it to a single customer.
116 00:05:18,460 --> 00:05:23,100
That makes a lot more sense, as you mentioned as well.
117 00:05:24,260 --> 00:05:26,660
Intercepting something that’s going to a specific customer.
118 00:05:27,360 --> 00:05:29,300
Then it’s not a supply chain attack though.
119 00:05:29,380 --> 00:05:31,940
Then you just short ship it and put your implant in.
120 00:05:32,280 --> 00:05:33,580
That’s more feasible.
121 00:05:35,440 --> 00:05:38,020
It’s supply chain from the perspective of the customer.
122 00:05:39,280 --> 00:05:41,260
It’s just not in the manufacturing process.
123 00:05:42,260 --> 00:05:46,680
As I pointed out, Supermicro was very clear in their letter
124 00:05:46,680 --> 00:05:48,440
that all of their protections
125 00:05:48,440 --> 00:05:51,120
are on the manufacturing process.
126 00:05:51,500 --> 00:05:54,840
Once it leaves their factory, it’s hard for them to control.
127 00:05:54,840 --> 00:05:56,180
It makes sense.
128 00:05:56,880 --> 00:05:58,760
Do we think that this actually occurred?
129 00:05:59,000 --> 00:06:00,900
Or do we think, as my opinion,
130 00:06:01,100 --> 00:06:04,360
was this a short in the stock market for Supermicro?
131 00:06:05,520 --> 00:06:08,760
I really tried to avoid speculating
132 00:06:08,760 --> 00:06:11,920
about any of the motivations
133 00:06:11,920 --> 00:06:14,600
for why the story appeared,
134 00:06:15,060 --> 00:06:16,960
when it appeared, and so on.
135 00:06:18,440 --> 00:06:22,640
It seems to me that they had been working on it
136 00:06:22,640 --> 00:06:23,620
for a really long time.
137 00:06:23,620 --> 00:06:27,660
In the article, Bloomberg mentions that they had been talking to sources
138 00:06:27,660 --> 00:06:34,580
going back almost to the 2015-2016 time frame.
139 00:06:35,100 --> 00:06:37,020
It had been a multi-year story.
140 00:06:37,900 --> 00:06:40,100
I don’t know what was involved
141 00:06:40,100 --> 00:06:41,960
in their timing decision.
142 00:06:44,120 --> 00:06:47,200
Because everyone that was named in the story
143 00:06:47,200 --> 00:06:48,980
has denied it.
144 00:06:50,160 --> 00:06:51,660
Oh, there’s one guy, right?
145 00:06:51,660 --> 00:06:52,020
Apple and Amazon.
146 00:06:52,020 --> 00:06:53,300
Oh yeah, yeah.
147 00:06:55,300 --> 00:06:57,700
Don’t you find it strange that they haven’t
148 00:06:57,700 --> 00:06:58,940
retracted the story?
149 00:06:59,140 --> 00:07:02,100
I find it very strange that they haven’t retracted
150 00:07:02,100 --> 00:07:03,320
or provided more detail.
151 00:07:04,080 --> 00:07:06,020
It seems that if…
152 00:07:06,900 --> 00:07:08,780
They have made statements
153 00:07:08,780 --> 00:07:10,740
that they’re confident in their sourcing
154 00:07:10,740 --> 00:07:14,000
and that the editors are confident
155 00:07:14,000 --> 00:07:15,140
in the anonymous sources.
156 00:07:15,720 --> 00:07:16,160
And typically,
157 00:07:17,200 --> 00:07:18,960
a news organization,
158 00:07:19,440 --> 00:07:21,460
the editors will meet with
159 00:07:21,460 --> 00:07:23,380
or know who the anonymous sources are.
160 00:07:23,800 --> 00:07:25,580
It’s not that the reporters can’t just say,
161 00:07:26,020 --> 00:07:28,320
oh, I talked to some guy and he told me this.
162 00:07:28,760 --> 00:07:29,620
The editors will say…
163 00:07:29,620 --> 00:07:31,560
And it has to be fact-checked
164 00:07:31,560 --> 00:07:32,600
and reference-checked.
165 00:07:32,740 --> 00:07:34,020
Who knows how
166 00:07:34,020 --> 00:07:37,660
what it’s called, the SPI looks like.
167 00:07:37,660 --> 00:07:39,940
If you get a schematics of something,
168 00:07:40,320 --> 00:07:41,480
how could you as a journalist
169 00:07:41,480 --> 00:07:44,160
source the truth out of that?
170 00:07:44,300 --> 00:07:44,580
I don’t know.
171 00:07:44,740 --> 00:07:45,520
You need to have references.
172 00:07:45,520 --> 00:07:46,660
Maybe in a…
173 00:07:47,200 --> 00:07:47,960
In a certain way,
174 00:07:48,040 --> 00:07:50,180
maybe Bloomberg is trying to save face
175 00:07:50,180 --> 00:07:51,920
by not retracting
176 00:07:51,920 --> 00:07:53,240
and standing by their claims.
177 00:07:53,420 --> 00:07:54,080
And like, well…
178 00:07:54,080 --> 00:07:54,780
All could be one case.
179 00:07:54,780 --> 00:07:55,880
We can’t tell you our sources.
180 00:07:56,460 --> 00:07:58,660
So you’re just going to have to take our word for it.
181 00:07:58,660 --> 00:08:00,720
But the argument is solid, I think.
182 00:08:00,780 --> 00:08:01,940
It’s really sound that
183 00:08:01,940 --> 00:08:04,440
since this is an ongoing…
184 00:08:04,440 --> 00:08:06,140
You can actually see
185 00:08:06,140 --> 00:08:07,660
that it’s a lot of work behind it.
186 00:08:08,160 --> 00:08:09,700
And then it sort of makes sense
187 00:08:09,700 --> 00:08:11,040
that there is actually…
188 00:08:11,040 --> 00:08:12,580
They’ve been working on it for a long time.
189 00:08:12,880 --> 00:08:14,020
So, yeah.
190 00:08:14,220 --> 00:08:14,400
Yeah.
191 00:08:14,720 --> 00:08:15,120
Yeah.
192 00:08:15,380 --> 00:08:16,660
I don’t think that legitimizes…
193 00:08:17,200 --> 00:08:19,540
Not just legitimize the whole thing in itself,
194 00:08:19,660 --> 00:08:21,540
but still it’s like, yeah.
195 00:08:22,160 --> 00:08:23,360
There is something there.
196 00:08:24,500 --> 00:08:25,520
I’m getting scared.
197 00:08:25,740 --> 00:08:27,560
There must be…
198 00:08:27,560 --> 00:08:29,360
I mean, obviously we don’t know the full story
199 00:08:29,360 --> 00:08:29,980
as you mentioned,
200 00:08:30,280 --> 00:08:32,460
but it’s certainly feasible.
201 00:08:33,000 --> 00:08:35,000
And there’s probably a grain of truth
202 00:08:35,000 --> 00:08:36,640
or a grain of rice.
203 00:08:36,840 --> 00:08:40,160
Yes, I think there’s a rice grain sized…
204 00:08:40,160 --> 00:08:40,620
Exactly.
205 00:08:40,960 --> 00:08:41,460
Yeah, implant.
206 00:08:41,460 --> 00:08:43,460
And the…
207 00:08:44,020 --> 00:08:46,460
My feeling is that…
208 00:08:47,200 --> 00:08:49,880
It very well might have been a TAO type thing.
209 00:08:51,200 --> 00:08:52,360
I would not be surprised
210 00:08:52,360 --> 00:08:57,460
if there are lots of these sort of TAO implants out there.
211 00:08:57,900 --> 00:09:00,660
And they’re going to get harder and harder to find.
212 00:09:01,400 --> 00:09:02,200
That the…
213 00:09:03,240 --> 00:09:08,060
Again, with a zero budget sort of capability,
214 00:09:08,760 --> 00:09:14,640
you can still produce quite a bit of interesting implants.
215 00:09:15,360 --> 00:09:16,200
And the…
216 00:09:17,200 --> 00:09:21,240
The NSA Playset group
217 00:09:21,240 --> 00:09:24,900
has been making a lot of recreations of things
218 00:09:24,900 --> 00:09:26,100
out of the Ant Catalog
219 00:09:26,100 --> 00:09:28,820
with basically hobbyist budget.
220 00:09:29,960 --> 00:09:32,220
And people are now bundling all sorts of electronics
221 00:09:32,220 --> 00:09:35,080
into USB cables
222 00:09:35,080 --> 00:09:38,720
that are, again, being done by hobbyists
223 00:09:38,720 --> 00:09:40,820
with equipment at home.
224 00:09:41,720 --> 00:09:42,000
It’s…
225 00:09:42,000 --> 00:09:44,880
Yeah, the latest one was the Apple…
226 00:09:44,880 --> 00:09:45,920
Thunderbolt charger.
227 00:09:46,040 --> 00:09:47,140
Thunderbolt charger, yeah.
228 00:09:47,200 --> 00:09:47,460
Yeah.
229 00:09:47,740 --> 00:09:50,720
And if you tear apart a Thunderbolt cable,
230 00:09:51,720 --> 00:09:54,500
did you know that there are CPUs in the cables
231 00:09:54,500 --> 00:09:55,160
in both ends?
232 00:09:55,200 --> 00:09:55,660
I had no idea.
233 00:09:55,880 --> 00:09:56,200
That they…
234 00:09:56,800 --> 00:09:57,840
And they have firmware.
235 00:09:59,180 --> 00:10:02,260
And in fact, if you plug a cable in,
236 00:10:02,440 --> 00:10:03,200
sometimes it’ll tell you…
237 00:10:03,860 --> 00:10:05,640
Your device will ask you to please…
238 00:10:05,640 --> 00:10:07,360
Yeah, unlock to use the…
239 00:10:07,360 --> 00:10:08,820
Well, with the…
240 00:10:08,820 --> 00:10:10,560
It wants to update the firmware in the cable,
241 00:10:10,920 --> 00:10:12,720
but it can only update the local end.
242 00:10:13,200 --> 00:10:16,020
But they can negotiate with the other end and say,
243 00:10:16,020 --> 00:10:17,020
oh, this end…
244 00:10:17,200 --> 00:10:18,980
This end is running a different version from the other end.
245 00:10:19,020 --> 00:10:19,800
Oh, my God.
246 00:10:19,800 --> 00:10:21,360
Please turn the cable around.
247 00:10:21,500 --> 00:10:22,240
I didn’t know about this.
248 00:10:22,240 --> 00:10:23,880
So that it can update the other end as well.
249 00:10:23,900 --> 00:10:24,680
Oh, that’s crazy.
250 00:10:25,080 --> 00:10:25,700
That’s insane.
251 00:10:25,940 --> 00:10:26,860
Yeah, and…
252 00:10:26,860 --> 00:10:32,260
You know, Moore’s Law has given us just microscopic CPUs.
253 00:10:32,660 --> 00:10:34,500
Yeah, you showed it in your slide as well.
254 00:10:34,640 --> 00:10:36,600
This Cortex…
255 00:10:36,600 --> 00:10:40,320
The ARM Cortex processor is like really, really, really…
256 00:10:40,320 --> 00:10:43,380
The size of two transistors in a 65-bit deal.
257 00:10:43,900 --> 00:10:46,200
It’s incredible how much Moore’s Law…
258 00:10:46,200 --> 00:10:47,080
You know…
259 00:10:47,080 --> 00:10:49,920
Has meant in terms of transistor density.
260 00:10:50,100 --> 00:10:50,220
Yeah.
261 00:10:50,940 --> 00:10:51,960
Yeah, and that means, obviously,
262 00:10:52,460 --> 00:10:54,720
it’s going to be almost impossible to detect.
263 00:10:54,860 --> 00:10:55,080
Yeah.
264 00:10:55,620 --> 00:11:00,060
And, like, you guys said, like, this will be feasible,
265 00:11:00,400 --> 00:11:01,220
because it’s…
266 00:11:01,220 --> 00:11:01,360
Yeah.
267 00:11:01,800 --> 00:11:02,480
Why not, right?
268 00:11:02,640 --> 00:11:05,020
Yeah, but just going back to the Bloomberg story,
269 00:11:05,080 --> 00:11:06,380
because I can’t quite remember,
270 00:11:06,480 --> 00:11:10,080
but they mentioned that the implant was laminated
271 00:11:10,080 --> 00:11:11,560
between the PCBs in that story.
272 00:11:11,840 --> 00:11:14,620
So in the story, they mentioned that their sources
273 00:11:14,620 --> 00:11:16,760
had found a number of implants,
274 00:11:17,080 --> 00:11:18,280
I don’t remember the specific number,
275 00:11:18,980 --> 00:11:21,700
one of which was the signal coupling capacitor,
276 00:11:21,700 --> 00:11:23,960
or signal coupling…
277 00:11:23,960 --> 00:11:25,240
Sorry.
278 00:11:25,920 --> 00:11:27,480
Signal conditioning coupler.
279 00:11:27,660 --> 00:11:27,900
Right.
280 00:11:28,120 --> 00:11:29,480
The size of a grain of rice.
281 00:11:30,040 --> 00:11:34,000
And then an additional implant was the one laminated inside the PCB.
282 00:11:34,580 --> 00:11:37,700
And it is relatively…
283 00:11:38,300 --> 00:11:41,960
I wouldn’t say common, but it’s…
284 00:11:41,960 --> 00:11:46,560
Occasionally you will find embedded passives in PCBs.
285 00:11:46,600 --> 00:11:46,740
Mm.
286 00:11:46,740 --> 00:11:51,160
It’s a very expensive process to have it manufactured that way.
287 00:11:51,460 --> 00:11:53,280
But it is, if you go to a PCB house,
288 00:11:53,460 --> 00:11:55,400
that is something that they will offer to do for you.
289 00:11:55,520 --> 00:11:55,660
Yeah.
290 00:11:56,200 --> 00:11:59,240
But that also means that, in that case,
291 00:11:59,400 --> 00:12:01,720
it would have to be part of the manufacturing process
292 00:12:01,720 --> 00:12:03,800
where the implants take place.
293 00:12:03,800 --> 00:12:06,540
This is where the cover story completely breaks down,
294 00:12:06,660 --> 00:12:09,120
because it’s obvious when it happened.
295 00:12:10,740 --> 00:12:14,820
Now, I’ve also, for the hack-in-the-box talk
296 00:12:14,820 --> 00:12:15,800
where I was bypassing…
297 00:12:16,740 --> 00:12:19,200
I did build a small proof of concept
298 00:12:19,200 --> 00:12:22,880
that was 0.6 millimeters thick
299 00:12:22,880 --> 00:12:24,780
and would fit underneath the flash chip.
300 00:12:25,520 --> 00:12:27,340
So you could desolder the flash chip…
301 00:12:27,340 --> 00:12:28,040
Yeah, and put it…
302 00:12:28,040 --> 00:12:29,440
Oh, that’s nice.
303 00:12:29,860 --> 00:12:31,020
And that was…
304 00:12:31,020 --> 00:12:32,620
Unless you were really looking for it…
305 00:12:32,620 --> 00:12:34,280
Yeah, you wouldn’t be able to see it.
306 00:12:34,300 --> 00:12:37,760
And this would fit in a laptop with the cover closed.
307 00:12:38,620 --> 00:12:40,020
This is really cool stuff.
308 00:12:40,080 --> 00:12:42,900
So that, again, zero-budget sort of attack.
309 00:12:43,000 --> 00:12:43,200
Yeah.
310 00:12:43,200 --> 00:12:46,200
But the fact that we can fit an FPGA
311 00:12:46,740 --> 00:12:49,380
and a small flash memory and a voltage regulator
312 00:12:49,380 --> 00:12:52,560
in this microscopic size…
313 00:12:52,560 --> 00:12:53,640
That’s crazy.
314 00:12:53,860 --> 00:12:57,800
And going back to what Joe FitzPatrick pointed out,
315 00:12:58,220 --> 00:13:00,600
no one knows what’s supposed to be in their hardware anyway.
316 00:13:00,800 --> 00:13:02,220
So if you open your laptop
317 00:13:02,220 --> 00:13:05,220
and there’s a riser card underneath your flash chip…
318 00:13:06,280 --> 00:13:07,800
Well, maybe it should be there, right?
319 00:13:08,620 --> 00:13:09,860
Oh, this is scary stuff.
320 00:13:10,280 --> 00:13:11,060
But, so, yeah.
321 00:13:11,180 --> 00:13:15,160
I mean, this is only going to get worse, I suppose you could say.
322 00:13:15,180 --> 00:13:16,280
So we need open hardware for everyone.
323 00:13:16,740 --> 00:13:16,940
Period.
324 00:13:17,620 --> 00:13:18,680
It helps.
325 00:13:19,380 --> 00:13:23,720
It does mean that motivated customers
326 00:13:23,720 --> 00:13:26,180
could validate what they have.
327 00:13:27,720 --> 00:13:30,640
But again, in a TAO sort of thing,
328 00:13:31,080 --> 00:13:32,660
it would be very hard to tell
329 00:13:32,660 --> 00:13:36,440
how many do you need to sample
330 00:13:36,440 --> 00:13:39,200
to determine if you’re being targeted.
331 00:13:39,200 --> 00:13:41,540
Right, and obviously you only need one
332 00:13:41,540 --> 00:13:43,200
from an attacker’s point of view.
333 00:13:43,620 --> 00:13:46,340
One wonderful thing from an attacker’s point of view
334 00:13:46,340 --> 00:13:50,580
on the BMC is once you have code execution on one,
335 00:13:51,360 --> 00:13:53,840
they typically share a common VLAN
336 00:13:53,840 --> 00:13:56,100
or a common network segment between all the BMCs.
337 00:13:56,100 --> 00:13:59,800
So horizontal movement becomes very easy.
338 00:14:01,220 --> 00:14:03,060
So everyone listening to this,
339 00:14:03,220 --> 00:14:04,780
you should throw out your computer,
340 00:14:04,960 --> 00:14:05,700
buy a RISC-V,
341 00:14:06,400 --> 00:14:08,160
and open hardware for the win.
342 00:14:09,380 --> 00:14:12,300
Yeah, open hardware and then the capability
343 00:14:12,300 --> 00:14:15,640
of analyzing all your hardware on a microscopic level.
344 00:14:16,340 --> 00:14:18,160
I’m imagining changing computers every other year.
345 00:14:18,240 --> 00:14:19,020
That would be terrible.
346 00:14:19,640 --> 00:14:20,760
So not again!
347 00:14:21,460 --> 00:14:25,320
Yeah, I mean, just being able to actually verify,
348 00:14:25,580 --> 00:14:26,860
even if you have the specs,
349 00:14:27,080 --> 00:14:29,320
this is exactly how it’s supposed to be.
350 00:14:31,140 --> 00:14:33,060
Actually looking through it and verifying
351 00:14:33,060 --> 00:14:34,900
that nothing is added or removed.
352 00:14:36,260 --> 00:14:38,740
Right, and doing that on the hardware level is difficult.
353 00:14:39,300 --> 00:14:40,260
On the software level,
354 00:14:40,420 --> 00:14:43,180
we perhaps have some ability to do it.
355 00:14:43,660 --> 00:14:46,260
I’m a big fan of hardware research,
356 00:14:46,340 --> 00:14:46,960
roots of trust,
357 00:14:47,300 --> 00:14:48,940
and what’s called remote attestation,
358 00:14:49,080 --> 00:14:51,720
where the system is able to cryptographically
359 00:14:51,720 --> 00:14:53,660
sign something saying,
360 00:14:53,660 --> 00:14:57,060
this is the firmware and the kernel
361 00:14:57,060 --> 00:14:58,860
and the initrd and the configuration
362 00:14:58,860 --> 00:15:01,320
that is actually running on the machine,
363 00:15:02,040 --> 00:15:05,600
which potentially gives you the ability
364 00:15:05,600 --> 00:15:08,860
to detect if something has been modified along the way.
365 00:15:09,900 --> 00:15:12,260
If not, it’s incorporated in the CPU
366 00:15:12,260 --> 00:15:13,660
or somewhere where it’s…
367 00:15:13,660 --> 00:15:14,100
Exactly.
368 00:15:14,440 --> 00:15:16,220
So then it sort of fails.
369 00:15:16,340 --> 00:15:16,820
Right, right.
370 00:15:16,820 --> 00:15:17,580
But I know what you mean.
371 00:15:17,800 --> 00:15:22,020
Like with, what is this called, TPM and…
372 00:15:22,020 --> 00:15:23,300
What’s the…
373 00:15:23,300 --> 00:15:24,600
Now my brain is fried.
374 00:15:25,560 --> 00:15:25,840
Already?
375 00:15:26,660 --> 00:15:27,420
It doesn’t matter.
376 00:15:27,540 --> 00:15:28,560
Oh yeah, carry on.
377 00:15:28,860 --> 00:15:32,480
Yeah, I mean, but this is a very, very hard problem to solve,
378 00:15:32,520 --> 00:15:35,960
I think, because you can usually go one step further
379 00:15:35,960 --> 00:15:37,860
or put your implant somewhere else
380 00:15:37,860 --> 00:15:40,980
or move to software or firmware.
381 00:15:41,880 --> 00:15:43,080
Both or all of them.
382 00:15:43,080 --> 00:15:46,080
Right, although if the root of trust is…
383 00:15:46,340 --> 00:15:50,520
is well designed and well secured,
384 00:15:51,160 --> 00:15:54,140
an attacker who modifies the firmware
385 00:15:54,140 --> 00:15:57,360
would be detected in the attestation phase.
386 00:15:57,720 --> 00:16:00,060
But the idea is that you don’t necessarily care
387 00:16:00,060 --> 00:16:02,100
what has been run afterwards
388 00:16:02,100 --> 00:16:05,560
as long as you can prove which,
389 00:16:06,080 --> 00:16:07,540
the hash of…
390 00:16:07,540 --> 00:16:09,160
Yeah, what part was manipulated
391 00:16:09,160 --> 00:16:12,220
and sort of directly get a reference or a warning
392 00:16:12,220 --> 00:16:14,660
that, hey, this is not how it’s supposed to be.
393 00:16:14,660 --> 00:16:15,500
Right, right.
394 00:16:16,340 --> 00:16:20,200
So there are a few examples of this in use.
395 00:16:20,740 --> 00:16:23,540
For instance, Chromebooks will attest to Google
396 00:16:23,540 --> 00:16:26,500
the version of Coreboot
397 00:16:26,500 --> 00:16:29,200
and the Linux kernel that they have loaded
398 00:16:29,200 --> 00:16:31,500
before you log in to Google.
399 00:16:32,260 --> 00:16:33,980
And Google can say,
400 00:16:34,340 --> 00:16:36,260
this is a modified Chromebook,
401 00:16:36,440 --> 00:16:37,660
maybe you shouldn’t trust it
402 00:16:37,660 --> 00:16:39,760
through that remote attestation.
403 00:16:39,840 --> 00:16:40,900
That’s cool, that’s cool.
404 00:16:40,900 --> 00:16:43,420
I think we need to have this sort of capability
405 00:16:43,420 --> 00:16:44,820
across all of the systems.
406 00:16:45,220 --> 00:16:45,260
Yeah.
407 00:16:45,720 --> 00:16:46,180
There’s a need…
408 00:16:46,180 --> 00:16:46,220
There’s a need…
409 00:16:46,220 --> 00:16:46,320
There’s a need…
410 00:16:46,320 --> 00:16:48,160
There’s a neat project from Mullvad
411 00:16:48,160 --> 00:16:49,660
called System Transparency
412 00:16:49,660 --> 00:16:51,700
where they want their servers
413 00:16:51,700 --> 00:16:54,440
to be able to attest to you, the user,
414 00:16:54,900 --> 00:16:57,000
that it has not been tampered with.
415 00:16:57,300 --> 00:17:00,160
And I think this sort of mutual remote attestation
416 00:17:00,160 --> 00:17:02,260
gives us a potential future.
417 00:17:03,280 --> 00:17:05,920
Yeah, I mean, that’s a good way to go.
418 00:17:06,120 --> 00:17:08,320
I mean, if we can get there.
419 00:17:09,320 --> 00:17:11,900
But then again, there’s firmware everywhere.
420 00:17:12,320 --> 00:17:13,300
There really is.
421 00:17:14,160 --> 00:17:15,500
So it’s not going to be easy.
422 00:17:15,500 --> 00:17:16,200
But hopefully…
423 00:17:16,200 --> 00:17:18,400
Hopefully we can get closer anyway.
424 00:17:18,660 --> 00:17:19,040
Hopefully.
425 00:17:19,360 --> 00:17:20,940
Yeah, with talks like this,
426 00:17:21,160 --> 00:17:21,900
shedding light on it,
427 00:17:21,940 --> 00:17:24,720
I think it’s a really good step in the right direction.
428 00:17:24,960 --> 00:17:25,940
And Mullvad as well,
429 00:17:26,140 --> 00:17:28,040
presenting this system transparency stuff
430 00:17:28,040 --> 00:17:28,580
is really good.
431 00:17:28,700 --> 00:17:29,140
Yeah, definitely.
432 00:17:29,640 --> 00:17:31,200
It’s going to be interesting to see
433 00:17:31,200 --> 00:17:33,120
if anything else comes to the Bloomberg article.
434 00:17:33,120 --> 00:17:35,860
I would like a follow-up at some point.
435 00:17:36,200 --> 00:17:37,700
That would be really awesome to read.
436 00:17:37,840 --> 00:17:39,080
Perhaps next year at SEC-T
437 00:17:39,080 --> 00:17:40,420
we’ll have two years on.
438 00:17:40,940 --> 00:17:41,800
What do we know?
439 00:17:41,940 --> 00:17:44,980
We’ll keep going until someone says something.
440 00:17:45,780 --> 00:17:45,920
Yeah.
441 00:17:46,200 --> 00:17:46,400
All right.
442 00:17:46,740 --> 00:17:47,860
Do you have anything else to ask?
443 00:17:47,860 --> 00:17:48,420
I think we’re good.
444 00:17:48,540 --> 00:17:49,920
I think it was really nice meeting you
445 00:17:49,920 --> 00:17:51,520
and really nice listening to you talk.
446 00:17:51,620 --> 00:17:52,080
Really good.
447 00:17:52,360 --> 00:17:53,740
Thank you for having me on the podcast.
448 00:17:53,960 --> 00:17:54,460
Thank you very much.
449 00:17:54,640 --> 00:17:56,040
And we’ll see you guys again
450 00:17:56,040 --> 00:17:57,500
just in a little bit.
451 00:17:57,860 --> 00:17:58,500
Have a good time.
452 00:18:05,900 --> 00:18:08,700
So hello and welcome to this special
453 00:18:08,700 --> 00:18:10,680
with Säkerhetspodcasten and SEC-T.
454 00:18:10,880 --> 00:18:13,320
We are interviewing some of the speakers
455 00:18:13,320 --> 00:18:14,800
on the conference.
456 00:18:14,800 --> 00:18:17,460
And now we’re having
457 00:18:17,460 --> 00:18:18,820
Dani Goland back
458 00:18:18,820 --> 00:18:19,960
for the second time today.
459 00:18:20,560 --> 00:18:22,120
And Mohsan Farid.
460 00:18:22,240 --> 00:18:23,360
Mohsan Farid, yes.
461 00:18:23,580 --> 00:18:24,280
Very welcome.
462 00:18:24,700 --> 00:18:26,020
Thank you for having us.
463 00:18:26,380 --> 00:18:27,500
Yeah, really nice having you here.
464 00:18:27,640 --> 00:18:28,740
It was a cool talk.
465 00:18:28,800 --> 00:18:30,300
It was a little bit about everything.
466 00:18:30,900 --> 00:18:32,800
It was some exploitation
467 00:18:32,800 --> 00:18:34,020
and some post-exploitation
468 00:18:34,020 --> 00:18:36,460
and then some hardening
469 00:18:36,460 --> 00:18:39,180
and takeaways on how you should
470 00:18:39,180 --> 00:18:40,980
manage your resources in the cloud.
471 00:18:40,980 --> 00:18:42,180
And how you should manage.
472 00:18:42,260 --> 00:18:44,760
Mostly how you should manage your resources in the cloud.
473 00:18:44,800 --> 00:18:47,140
And I think most of our…
474 00:18:47,140 --> 00:18:49,700
So we actually got to this talk.
475 00:18:49,840 --> 00:18:51,100
He’s an internal pen tester.
476 00:18:51,480 --> 00:18:52,100
I’m not.
477 00:18:52,200 --> 00:18:53,700
I’ve never worked like AD.
478 00:18:54,320 --> 00:18:55,920
I did web pen testing.
479 00:18:56,300 --> 00:18:57,240
I did app pen testing.
480 00:18:57,800 --> 00:18:59,840
Cloud because as a CTO
481 00:18:59,840 --> 00:19:01,940
I work in our infrastructure.
482 00:19:02,160 --> 00:19:03,200
DevOps, DevSecOps.
483 00:19:03,740 --> 00:19:06,020
And I enjoy having my nights
484 00:19:06,020 --> 00:19:07,840
and trying to break our own cloud.
485 00:19:08,400 --> 00:19:09,900
So that’s how I found a bunch of vulnerabilities
486 00:19:09,900 --> 00:19:12,500
or right tools to mitigate that.
487 00:19:12,840 --> 00:19:14,460
And then we spoke about it.
488 00:19:14,800 --> 00:19:15,640
And we’re like,
489 00:19:16,240 --> 00:19:18,420
companies are moving these days to the cloud.
490 00:19:19,160 --> 00:19:20,960
But then the move is not…
491 00:19:20,960 --> 00:19:22,540
It was actually a question from Defcon.
492 00:19:22,600 --> 00:19:23,980
We were speaking in Defcon Cloud Village.
493 00:19:24,440 --> 00:19:25,240
And someone asked me,
494 00:19:25,500 --> 00:19:28,020
why is there a connection between them?
495 00:19:28,500 --> 00:19:29,320
And then you think about it.
496 00:19:29,360 --> 00:19:32,020
A company cannot go cloud native in a day.
497 00:19:32,680 --> 00:19:33,920
Take a big company.
498 00:19:34,240 --> 00:19:35,120
All it is is a progression.
499 00:19:35,600 --> 00:19:37,060
So while the progression,
500 00:19:37,060 --> 00:19:38,640
they’ll have some kind of tunnel
501 00:19:38,640 --> 00:19:39,660
between.
502 00:19:40,280 --> 00:19:41,720
So we were talking about,
503 00:19:42,180 --> 00:19:43,420
let’s go through a tunnel.
504 00:19:43,840 --> 00:19:44,600
Let’s try to…
505 00:19:44,600 --> 00:19:45,600
See what we can do.
506 00:19:45,600 --> 00:19:47,900
The cloud is, I feel it’s like less mature
507 00:19:47,900 --> 00:19:48,660
in terms of protection
508 00:19:48,660 --> 00:19:50,340
than internal systems.
509 00:19:50,460 --> 00:19:51,020
I mean, you’ve had…
510 00:19:51,020 --> 00:19:51,820
Both yes and no.
511 00:19:51,960 --> 00:19:54,240
Like if you really want to protect your stuff
512 00:19:54,240 --> 00:19:55,420
in AWS, you can.
513 00:19:55,560 --> 00:19:56,360
But it’s a lot of work.
514 00:19:56,420 --> 00:19:58,620
So people tend not to maybe implement all of it.
515 00:19:58,740 --> 00:19:58,960
True.
516 00:19:59,220 --> 00:20:00,800
But in terms of products as well.
517 00:20:01,000 --> 00:20:02,260
Think about how many products you have
518 00:20:02,260 --> 00:20:03,240
for on-premises.
519 00:20:03,280 --> 00:20:04,480
Well, yeah, that’s true.
520 00:20:04,640 --> 00:20:07,760
Like for an internal active directory topology,
521 00:20:07,880 --> 00:20:08,740
there is a lot of stuff.
522 00:20:08,800 --> 00:20:10,620
And there’s a lot of mitigations in place as well.
523 00:20:10,960 --> 00:20:13,920
But the funny part with Windows applications
524 00:20:13,920 --> 00:20:13,960
or the Microsoft applications,
525 00:20:13,960 --> 00:20:15,260
you know, the Microsoft realm
526 00:20:15,260 --> 00:20:17,940
of managing assets in an enterprise, right?
527 00:20:18,300 --> 00:20:19,120
It’s pretty hard
528 00:20:19,120 --> 00:20:20,600
because they need to be backwards compatible.
529 00:20:21,040 --> 00:20:23,060
Yeah, that’s one of their Achilles heels.
530 00:20:23,440 --> 00:20:26,100
Yeah, you sort of showed a lot of broadcasting protocols
531 00:20:26,100 --> 00:20:27,400
that are easily exploited.
532 00:20:28,100 --> 00:20:29,460
And I think the twist
533 00:20:29,460 --> 00:20:31,320
where you’re talking about having a VPC
534 00:20:31,320 --> 00:20:32,560
or a site-to-site VPN
535 00:20:32,560 --> 00:20:34,840
to your cloud-native environment,
536 00:20:35,020 --> 00:20:37,120
that sort of is a really good vector
537 00:20:37,120 --> 00:20:38,000
because it’s really valuable.
538 00:20:38,240 --> 00:20:39,140
It could happen.
539 00:20:39,140 --> 00:20:42,220
And also, the thing I noticed about cloud, right?
540 00:20:42,220 --> 00:20:44,360
Like, you get new services
541 00:20:44,360 --> 00:20:47,100
and new API calls every day.
542 00:20:47,560 --> 00:20:50,260
And like, of course they test it,
543 00:20:50,400 --> 00:20:52,940
but we don’t have enough people,
544 00:20:53,400 --> 00:20:54,200
like security people,
545 00:20:54,740 --> 00:20:56,780
like going at all these new services
546 00:20:56,780 --> 00:20:57,980
because every day I wake up,
547 00:20:58,020 --> 00:20:59,180
I go to the AWS console,
548 00:20:59,540 --> 00:21:00,860
something new thing pops up.
549 00:21:01,080 --> 00:21:03,200
I see a version 2.3.2
550 00:21:03,200 --> 00:21:04,980
of a new API call for something
551 00:21:04,980 --> 00:21:07,380
with another, like another field, you know?
552 00:21:07,620 --> 00:21:09,380
What happens if you fuzz that field?
553 00:21:09,680 --> 00:21:10,860
Does anyone test it?
554 00:21:10,860 --> 00:21:11,160
Nope.
555 00:21:12,220 --> 00:21:12,600
Why not?
556 00:21:12,940 --> 00:21:13,980
It takes time, exactly.
557 00:21:14,200 --> 00:21:16,600
So I feel that getting to the cloud,
558 00:21:16,760 --> 00:21:19,120
and we showed you like three ways of doing that
559 00:21:19,120 --> 00:21:19,920
and the easiest way,
560 00:21:20,080 --> 00:21:21,580
like a deserialization attack,
561 00:21:21,660 --> 00:21:23,840
which has been available for years.
562 00:21:24,120 --> 00:21:25,360
But once I got into the cloud
563 00:21:25,360 --> 00:21:28,540
and then he started attacking the ADFS proxy
564 00:21:28,540 --> 00:21:30,260
and we tunneled into the internal,
565 00:21:30,780 --> 00:21:31,560
I mean, that is something
566 00:21:31,560 --> 00:21:33,060
that I don’t think anyone’s prepared for.
567 00:21:33,280 --> 00:21:34,680
I don’t think anyone’s prepared
568 00:21:34,680 --> 00:21:36,440
for someone coming from their cloud
569 00:21:36,440 --> 00:21:37,260
into the internal.
570 00:21:38,100 --> 00:21:39,700
It’s sort of a thing now, isn’t it?
571 00:21:39,700 --> 00:21:41,280
Like, in the before times,
572 00:21:41,440 --> 00:21:42,200
we talked,
573 00:21:42,220 --> 00:21:43,040
we talked about an inside
574 00:21:43,040 --> 00:21:44,700
and an outside of the corporate network.
575 00:21:44,820 --> 00:21:45,820
And then we sort of evolved
576 00:21:45,820 --> 00:21:48,200
deploying zone concepts, right?
577 00:21:48,240 --> 00:21:49,260
We have different zones,
578 00:21:49,500 --> 00:21:51,240
like DMZs and whatnot.
579 00:21:51,460 --> 00:21:52,700
And then we invented the cloud.
580 00:21:52,900 --> 00:21:54,460
And then we sort of reinvented
581 00:21:54,460 --> 00:21:55,840
the inside-outside again.
582 00:21:56,260 --> 00:21:59,140
But with the same problematic image
583 00:21:59,140 --> 00:22:02,340
with corporates and networks
584 00:22:02,340 --> 00:22:03,880
that needs to be interconnected in a way.
585 00:22:03,940 --> 00:22:05,540
So we sort of created
586 00:22:05,540 --> 00:22:06,960
a more complex environment,
587 00:22:07,140 --> 00:22:07,800
one could say, right?
588 00:22:08,420 --> 00:22:10,260
And that’s, I think your talk
589 00:22:10,260 --> 00:22:12,200
sort of sums that up pretty nicely.
590 00:22:12,200 --> 00:22:14,200
Like, we have internal stuff,
591 00:22:14,860 --> 00:22:16,240
but it’s more or less reachable
592 00:22:16,240 --> 00:22:17,840
from public clouds.
593 00:22:18,100 --> 00:22:18,220
Yeah.
594 00:22:18,640 --> 00:22:20,980
There’s a false impression
595 00:22:20,980 --> 00:22:23,460
of security with the cloud
596 00:22:23,460 --> 00:22:25,200
where people think that
597 00:22:25,200 --> 00:22:27,220
their assets in the cloud
598 00:22:27,220 --> 00:22:28,200
are completely isolated
599 00:22:28,740 --> 00:22:29,600
from the internal,
600 00:22:30,640 --> 00:22:32,420
which we just demonstrated.
601 00:22:32,620 --> 00:22:33,840
No, it’s not.
602 00:22:34,260 --> 00:22:35,100
And they also think
603 00:22:35,100 --> 00:22:36,300
when they run an EC2 instance
604 00:22:36,300 --> 00:22:37,400
that it’s protected.
605 00:22:37,980 --> 00:22:39,180
But once there’s a patch out,
606 00:22:39,300 --> 00:22:40,260
there’s like a vulnerability.
607 00:22:41,220 --> 00:22:42,000
It’s your responsibility
608 00:22:42,000 --> 00:22:42,600
to patch it
609 00:22:42,600 --> 00:22:43,740
if you don’t use a managed service.
610 00:22:44,000 --> 00:22:44,780
In the shared model,
611 00:22:44,940 --> 00:22:46,060
you’re responsible for this.
612 00:22:46,120 --> 00:22:47,560
And I was emphasizing
613 00:22:47,560 --> 00:22:49,240
how, I mean,
614 00:22:49,300 --> 00:22:50,640
AWS lets you do patching
615 00:22:50,640 --> 00:22:51,460
in like one click,
616 00:22:51,580 --> 00:22:52,220
patching everything.
617 00:22:52,740 --> 00:22:53,320
But I was emphasizing
618 00:22:53,320 --> 00:22:54,280
how I think patching
619 00:22:54,280 --> 00:22:55,500
is the wrong way to do this.
620 00:22:55,500 --> 00:22:55,700
Yeah.
621 00:22:55,920 --> 00:22:57,780
Because we’re running in VMs.
622 00:22:58,020 --> 00:23:00,200
Like, getting a new image
623 00:23:00,200 --> 00:23:01,300
on a VM is fast.
624 00:23:01,480 --> 00:23:02,520
It’s not like restarting
625 00:23:02,520 --> 00:23:04,120
100 computers, right?
626 00:23:04,480 --> 00:23:05,200
VMs are fast.
627 00:23:05,280 --> 00:23:06,260
If you’re using like Docker,
628 00:23:06,720 --> 00:23:07,360
it’s even faster.
629 00:23:07,500 --> 00:23:08,240
You get like 30 minutes
630 00:23:08,240 --> 00:23:08,760
startup time.
631 00:23:08,960 --> 00:23:11,200
So just get a new base image,
632 00:23:11,200 --> 00:23:12,400
put a patch in there
633 00:23:12,400 --> 00:23:14,020
and then replace everything
634 00:23:14,020 --> 00:23:14,700
so you know that
635 00:23:14,700 --> 00:23:15,920
everything is running on your own.
636 00:23:15,920 --> 00:23:16,860
But it depends on
637 00:23:16,860 --> 00:23:17,860
what service you’re running.
638 00:23:17,960 --> 00:23:18,640
If you are like this
639 00:23:18,640 --> 00:23:19,500
hip young company
640 00:23:19,500 --> 00:23:20,100
or like a,
641 00:23:20,160 --> 00:23:20,980
not young,
642 00:23:21,100 --> 00:23:22,040
like you developed
643 00:23:22,040 --> 00:23:23,640
DevOps pipeline.
644 00:23:23,760 --> 00:23:24,700
So you have everything.
645 00:23:24,860 --> 00:23:26,220
You have scriptable infrastructure.
646 00:23:26,620 --> 00:23:28,480
You have a build service.
647 00:23:28,660 --> 00:23:29,620
Like you have CircleCI.
648 00:23:29,840 --> 00:23:30,420
You have something
649 00:23:30,420 --> 00:23:31,220
that deploys code.
650 00:23:31,520 --> 00:23:32,640
Then I think it will make sense.
651 00:23:32,720 --> 00:23:33,720
But you have a lot
652 00:23:33,720 --> 00:23:34,900
of big enterprises there
653 00:23:34,900 --> 00:23:36,880
running like fat and thick
654 00:23:36,880 --> 00:23:38,000
client-driven Java.
655 00:23:38,480 --> 00:23:39,280
Yeah, running bespoke.
656 00:23:39,340 --> 00:23:40,420
Yeah, they can run them.
657 00:23:40,420 --> 00:23:41,180
Yeah, all right.
658 00:23:41,220 --> 00:23:42,280
Let’s say they’re running
659 00:23:42,280 --> 00:23:43,060
a monolith, right?
660 00:23:43,380 --> 00:23:44,080
But then they’re running
661 00:23:44,080 --> 00:23:44,620
on a machine.
662 00:23:44,840 --> 00:23:45,520
That machine has
663 00:23:45,520 --> 00:23:47,300
an Amazon machine image
664 00:23:47,300 --> 00:23:48,280
that it’s running on, right?
665 00:23:48,280 --> 00:23:48,760
Yeah, sure.
666 00:23:49,240 --> 00:23:50,760
But then it will be harder
667 00:23:50,760 --> 00:23:51,980
to define a Docker image
668 00:23:51,980 --> 00:23:52,920
and be harder to…
669 00:23:52,920 --> 00:23:53,800
No, I’m not talking about Docker.
670 00:23:53,900 --> 00:23:54,480
I’m talking about
671 00:23:54,480 --> 00:23:55,500
operating system.
672 00:23:55,620 --> 00:23:56,300
You get the Linux.
673 00:23:56,900 --> 00:23:57,980
You harden it
674 00:23:57,980 --> 00:23:58,840
with one of those.
675 00:23:58,920 --> 00:23:59,460
There’s a bunch of
676 00:23:59,460 --> 00:24:00,260
Ansible scripts that harden it.
677 00:24:00,260 --> 00:24:01,040
Oh yeah, you can even have it
678 00:24:01,040 --> 00:24:02,680
as your private AMI or something.
679 00:24:02,840 --> 00:24:03,600
Yeah, what I’m saying is
680 00:24:03,600 --> 00:24:04,820
you bake your own AMIs.
681 00:24:05,000 --> 00:24:06,340
Every time there’s a vulnerability,
682 00:24:06,700 --> 00:24:07,500
you don’t patch
683 00:24:07,500 --> 00:24:08,920
an existing machine.
684 00:24:09,440 --> 00:24:10,640
You bake a new AMI
685 00:24:10,640 --> 00:24:11,180
that is built in.
686 00:24:11,200 --> 00:24:12,020
Oh, that makes sense.
687 00:24:12,020 --> 00:24:12,980
And you swap it, right?
688 00:24:13,120 --> 00:24:14,780
You can have your monolith,
689 00:24:14,920 --> 00:24:15,480
double monolith.
690 00:24:15,840 --> 00:24:16,700
At some time,
691 00:24:16,820 --> 00:24:17,500
you just swap them.
692 00:24:18,040 --> 00:24:19,340
And that will be…
693 00:24:19,340 --> 00:24:20,120
That way you know
694 00:24:20,120 --> 00:24:21,560
that patches might fail.
695 00:24:22,080 --> 00:24:23,360
And then you have to manage that.
696 00:24:23,660 --> 00:24:24,860
But once you bake an AMI
697 00:24:24,860 --> 00:24:25,400
and it works
698 00:24:25,400 --> 00:24:26,920
and you just swap it
699 00:24:26,920 --> 00:24:27,620
on all your machines
700 00:24:27,620 --> 00:24:29,060
and it’s a super easy process
701 00:24:29,060 --> 00:24:29,680
with Packer.
702 00:24:29,860 --> 00:24:30,300
It makes sense.
703 00:24:30,380 --> 00:24:31,980
But a lot like kernel hardening
704 00:24:31,980 --> 00:24:32,740
if you run Linux
705 00:24:32,740 --> 00:24:34,180
is really important.
706 00:24:34,480 --> 00:24:36,460
Like removing all the
707 00:24:36,460 --> 00:24:37,660
bad file permissions
708 00:24:37,660 --> 00:24:38,460
that might exist.
709 00:24:38,580 --> 00:24:39,620
So that makes sense.
710 00:24:39,740 --> 00:24:40,580
And have your base image.
711 00:24:40,580 --> 00:24:41,180
Do it that way.
712 00:24:41,200 --> 00:24:42,500
Runs and then roll everything on.
713 00:24:42,840 --> 00:24:44,300
And you have tools for that.
714 00:24:44,380 --> 00:24:44,940
So HashiCorp,
715 00:24:45,040 --> 00:24:45,620
they have Packer
716 00:24:45,620 --> 00:24:47,180
which gives you a stager.
717 00:24:47,440 --> 00:24:48,020
It takes…
718 00:24:48,020 --> 00:24:49,960
You take like the base
719 00:24:49,960 --> 00:24:52,220
Ubuntu image
720 00:24:52,220 --> 00:24:53,140
by AWS.
721 00:24:53,680 --> 00:24:54,720
It runs it on a machine
722 00:24:54,720 --> 00:24:55,780
and then you give it
723 00:24:55,780 --> 00:24:56,500
a bunch of stages
724 00:24:56,500 --> 00:24:57,260
that you want to do.
725 00:24:57,500 --> 00:24:58,860
So I put Ansible scripts
726 00:24:58,860 --> 00:25:00,180
to harden the kernel.
727 00:25:00,440 --> 00:25:00,580
Yeah.
728 00:25:00,840 --> 00:25:01,060
Right?
729 00:25:01,200 --> 00:25:02,020
You have…
730 00:25:02,020 --> 00:25:03,020
And sysctl
731 00:25:03,020 --> 00:25:04,140
and maybe you do
732 00:25:04,140 --> 00:25:05,480
your Chromeworks
733 00:25:05,480 --> 00:25:06,200
and you do
734 00:25:06,200 --> 00:25:07,080
file system permissions.
735 00:25:07,140 --> 00:25:07,580
Exactly.
736 00:25:07,780 --> 00:25:09,380
You can do custom scripts.
737 00:25:09,580 --> 00:25:10,580
You can do Ansible.
738 00:25:10,580 --> 00:25:11,160
You can do
739 00:25:11,160 --> 00:25:11,500
Chef.
740 00:25:11,520 --> 00:25:12,540
But HashiCorp is actually…
741 00:25:12,540 --> 00:25:13,820
They’re doing good stuff.
742 00:25:14,140 --> 00:25:14,780
They’re doing good stuff.
743 00:25:14,780 --> 00:25:15,880
Vault is a really good product
744 00:25:15,880 --> 00:25:17,520
in conjunction with KMS
745 00:25:17,520 --> 00:25:18,420
or Parameter Store
746 00:25:18,420 --> 00:25:18,780
or something.
747 00:25:18,880 --> 00:25:19,080
Yeah.
748 00:25:19,180 --> 00:25:21,160
So you unseal it with KMS.
749 00:25:21,340 --> 00:25:21,440
Yeah.
750 00:25:21,520 --> 00:25:22,840
That’s the way you should do.
751 00:25:23,280 --> 00:25:23,940
But again,
752 00:25:24,080 --> 00:25:24,860
also you have
753 00:25:24,860 --> 00:25:26,680
things in HashiCorp
754 00:25:26,680 --> 00:25:27,920
that I don’t like
755 00:25:27,920 --> 00:25:29,160
that they give you
756 00:25:29,160 --> 00:25:29,960
the easiness.
757 00:25:30,540 --> 00:25:32,120
So if you’re on Consul
758 00:25:32,120 --> 00:25:33,100
and you want to do
759 00:25:33,100 --> 00:25:33,680
server discovery,
760 00:25:34,060 --> 00:25:34,940
they can give you
761 00:25:34,940 --> 00:25:36,660
the EC2 server discovery.
762 00:25:36,880 --> 00:25:38,280
That means you have to give
763 00:25:38,280 --> 00:25:39,480
describe tags
764 00:25:39,480 --> 00:25:40,380
and describe instances
765 00:25:40,380 --> 00:25:40,920
to each server.
766 00:25:40,920 --> 00:25:40,980
Yeah.
771 00:25:41,160 --> 00:25:42,960
If you give that
772 00:25:42,960 --> 00:25:43,440
an attacker
773 00:25:43,440 --> 00:25:44,780
gets in one of your instances,
774 00:25:44,980 --> 00:25:45,740
describe instances
775 00:25:45,740 --> 00:25:46,500
lets you read
776 00:25:46,500 --> 00:25:47,700
all the user data
777 00:25:47,700 --> 00:25:50,160
which can contain
778 00:25:50,160 --> 00:25:51,020
a lot of stuff.
779 00:25:51,120 --> 00:25:51,200
Yeah.
780 00:25:51,320 --> 00:25:52,280
So this is like
781 00:25:52,280 --> 00:25:53,500
the easiness they give you.
782 00:25:53,500 --> 00:25:53,680
Yeah.
783 00:25:53,980 --> 00:25:55,540
But it comes with
784 00:25:55,540 --> 00:25:56,300
a great risk
785 00:25:56,300 --> 00:25:57,260
that they don’t specify
786 00:25:57,260 --> 00:25:57,800
in the documentation.
787 00:25:57,800 --> 00:25:58,340
But it’s the same
788 00:25:58,340 --> 00:25:59,640
with versioning and indexing
789 00:25:59,640 --> 00:26:00,320
if you’re storing
790 00:26:00,320 --> 00:26:01,520
your Terraform state files.
791 00:26:01,840 --> 00:26:01,980
Yeah.
792 00:26:01,980 --> 00:26:03,340
In an insecure manner
793 00:26:03,340 --> 00:26:04,060
you will have
794 00:26:04,060 --> 00:26:05,000
more or less console output.
795 00:26:05,160 --> 00:26:05,880
You will have everything
796 00:26:05,880 --> 00:26:07,800
that that Terraforming script did.
797 00:26:08,300 --> 00:26:08,640
True.
798 00:26:08,800 --> 00:26:08,960
Yeah.
799 00:26:08,960 --> 00:26:10,400
So that’s an important thing
800 00:26:10,400 --> 00:26:11,120
to really take care
801 00:26:11,120 --> 00:26:11,760
of as well.
802 00:26:11,760 --> 00:26:11,860
Exactly.
803 00:26:12,220 --> 00:26:13,480
It’s those little things.
804 00:26:13,500 --> 00:26:13,680
Yeah.
805 00:26:13,900 --> 00:26:15,340
But the problem for me
806 00:26:15,340 --> 00:26:15,840
is they give you
807 00:26:15,840 --> 00:26:16,960
the easiness to do it.
808 00:26:16,980 --> 00:26:17,100
Yeah.
809 00:26:17,220 --> 00:26:17,900
Because to do it
810 00:26:17,900 --> 00:26:18,880
without doing
811 00:26:18,880 --> 00:26:19,800
the auto discover
812 00:26:19,800 --> 00:26:20,580
with EC2
813 00:26:20,580 --> 00:26:21,660
is a pain in the ass.
814 00:26:21,660 --> 00:26:21,820
Yeah.
815 00:26:21,880 --> 00:26:22,260
It’s harder.
816 00:26:22,520 --> 00:26:23,820
But if you do it
817 00:26:23,820 --> 00:26:24,080
It’s doable
818 00:26:24,080 --> 00:26:24,840
but it’s harder.
819 00:26:24,880 --> 00:26:25,360
It’s doable
820 00:26:25,360 --> 00:26:26,580
but when you have
821 00:26:26,580 --> 00:26:27,160
the EC2
822 00:26:27,160 --> 00:26:28,020
when someone compromises
823 00:26:28,020 --> 00:26:28,380
the machine
824 00:26:28,380 --> 00:26:29,080
and he can read
825 00:26:29,080 --> 00:26:29,800
all the user data
826 00:26:29,800 --> 00:26:30,640
from all your machines
827 00:26:30,640 --> 00:26:32,180
he will find something.
828 00:26:32,360 --> 00:26:32,500
Yeah.
829 00:26:32,780 --> 00:26:33,380
Most definitely.
830 00:26:33,380 --> 00:26:33,700
Yeah.
831 00:26:34,140 --> 00:26:35,140
So I think
832 00:26:35,140 --> 00:26:35,560
the easiness
833 00:26:35,560 --> 00:26:37,100
comes with a big risk
834 00:26:37,100 --> 00:26:38,780
and you shouldn’t
835 00:26:38,780 --> 00:26:39,800
always read
836 00:26:39,800 --> 00:26:41,060
the production hardening guides
837 00:26:41,060 --> 00:26:41,800
because they’re always
838 00:26:41,800 --> 00:26:42,520
at the end
839 00:26:42,520 --> 00:26:43,380
at some point.
840 00:26:43,520 --> 00:26:43,840
But you need
841 00:26:43,840 --> 00:26:44,580
a maturity level
842 00:26:44,580 --> 00:26:45,080
to do that
843 00:26:45,080 --> 00:26:46,820
as well as your components
844 00:26:46,820 --> 00:26:48,600
like fixing SMB
845 00:26:48,600 --> 00:26:51,060
like relay attacks.
846 00:26:51,740 --> 00:26:52,120
Like yeah
847 00:26:52,120 --> 00:26:52,840
we patched
848 00:26:52,840 --> 00:26:53,520
a lot of stuff
849 00:26:53,520 --> 00:26:54,360
but as you said
850 00:26:54,360 --> 00:26:55,080
some of the patches
851 00:26:55,080 --> 00:26:56,080
were incomplete, right?
852 00:26:56,260 --> 00:26:56,480
Right.
853 00:26:56,660 --> 00:26:57,360
But we still
854 00:26:57,360 --> 00:26:58,520
in my opinion
855 00:26:58,520 --> 00:26:59,720
you have to correct me
856 00:26:59,720 --> 00:27:00,140
if I’m wrong
857 00:27:00,140 --> 00:27:00,820
but there’s still
858 00:27:00,820 --> 00:27:01,840
a lot of companies
859 00:27:01,840 --> 00:27:02,540
out there running
860 00:27:02,540 --> 00:27:04,220
SMB 1.0
861 00:27:04,220 --> 00:27:04,500
and
862 00:27:04,500 --> 00:27:05,540
I was going to say
863 00:27:05,540 --> 00:27:06,160
it’s enough
864 00:27:06,160 --> 00:27:07,040
to have one
865 00:27:07,040 --> 00:27:07,880
old server
866 00:27:07,880 --> 00:27:09,380
in an AD environment
867 00:27:09,380 --> 00:27:10,520
and you’re basically
868 00:27:10,520 --> 00:27:11,980
throwing around
869 00:27:11,980 --> 00:27:13,260
NTLM hashes.
870 00:27:13,420 --> 00:27:14,400
All I need is one.
871 00:27:14,720 --> 00:27:15,060
Yeah, right?
872 00:27:15,060 --> 00:27:15,940
The guy from Preempt.
873 00:27:16,080 --> 00:27:16,540
What did he say?
874 00:27:16,600 --> 00:27:17,300
The version 1 of
875 00:27:17,300 --> 00:27:17,780
what was it?
876 00:27:18,840 --> 00:27:19,540
He says like
877 00:27:19,540 --> 00:27:20,880
stop it if you’re running that.
878 00:27:21,040 --> 00:27:22,600
Of net NTLM.
879 00:27:22,600 --> 00:27:22,860
Yeah.
880 00:27:24,240 --> 00:27:25,000
And people are still
881 00:27:25,000 --> 00:27:25,280
running it.
882 00:27:25,280 --> 00:27:26,820
If you run
883 00:27:26,820 --> 00:27:27,580
Mimikatz
884 00:27:27,580 --> 00:27:29,280
you almost always
885 00:27:29,280 --> 00:27:30,100
find a digest
886 00:27:30,100 --> 00:27:31,080
password
887 00:27:31,080 --> 00:27:32,160
even now.
888 00:27:32,580 --> 00:27:32,800
Yeah.
889 00:27:33,340 --> 00:27:34,080
So I mean
890 00:27:34,080 --> 00:27:34,640
the thing is
891 00:27:34,640 --> 00:27:35,300
is the whole
892 00:27:35,300 --> 00:27:37,580
like in our talk
893 00:27:37,580 --> 00:27:38,380
I showed how
894 00:27:38,380 --> 00:27:39,200
I was able to get
895 00:27:39,200 --> 00:27:40,040
60 shells
896 00:27:40,040 --> 00:27:40,860
in 30 seconds
897 00:27:40,860 --> 00:27:42,580
but the reality
898 00:27:42,580 --> 00:27:43,220
of the situation
899 00:27:43,220 --> 00:27:44,740
is I just need one.
900 00:27:45,080 --> 00:27:45,160
Yeah.
901 00:27:45,280 --> 00:27:46,680
In an Active Directory
902 00:27:46,680 --> 00:27:47,140
environment
903 00:27:47,140 --> 00:27:48,200
I just need one shell
904 00:27:48,200 --> 00:27:49,060
and the rest
905 00:27:49,060 --> 00:27:49,760
is all going to
906 00:27:49,760 --> 00:27:51,020
it’s a domino effect.
907 00:27:51,480 --> 00:27:51,640
Yeah.
908 00:27:51,880 --> 00:27:52,360
Yeah.
909 00:27:52,800 --> 00:27:53,280
Absolutely.
910 00:27:54,080 --> 00:27:54,820
And I mean
911 00:27:54,820 --> 00:27:55,200
that’s
912 00:27:55,200 --> 00:27:56,220
that’s your
913 00:27:56,220 --> 00:27:57,580
that’s the trade-off
914 00:27:57,580 --> 00:27:58,040
that you have
915 00:27:58,040 --> 00:27:58,820
with Active Directory
916 00:27:58,820 --> 00:27:59,160
right?
917 00:27:59,260 --> 00:28:00,400
You have that convenience
918 00:28:00,400 --> 00:28:02,020
but in the event
919 00:28:02,020 --> 00:28:03,020
that it’s compromised
920 00:28:03,020 --> 00:28:04,780
then it’s all
921 00:28:04,780 --> 00:28:05,680
going to eventually
922 00:28:05,680 --> 00:28:05,980
go down.
923 00:28:05,980 --> 00:28:06,460
It’s game over.
924 00:28:06,600 --> 00:28:07,480
And it’s sort of like
925 00:28:07,480 --> 00:28:08,100
you don’t even
926 00:28:08,100 --> 00:28:09,160
have to have
927 00:28:09,160 --> 00:28:09,640
like really
928 00:28:09,640 --> 00:28:10,700
nice credentials
929 00:28:10,700 --> 00:28:11,060
anyway
930 00:28:11,060 --> 00:28:11,680
because it is
931 00:28:11,680 --> 00:28:13,500
it’s based
932 00:28:13,500 --> 00:28:14,740
out of reading attributes.
933 00:28:15,080 --> 00:28:16,120
So every user
934 00:28:16,120 --> 00:28:16,820
needs to be able
935 00:28:16,820 --> 00:28:17,220
to read
936 00:28:17,220 --> 00:28:18,100
the Active Directory
937 00:28:18,100 --> 00:28:19,200
database, right?
938 00:28:19,280 --> 00:28:20,240
So you know
939 00:28:20,240 --> 00:28:20,940
where to look.
940 00:28:21,200 --> 00:28:21,860
So if you compromise
941 00:28:21,860 --> 00:28:22,440
one machine
942 00:28:22,440 --> 00:28:23,760
you have all the access
943 00:28:23,760 --> 00:28:25,040
to actually know
944 00:28:25,040 --> 00:28:25,980
where to look next.
945 00:28:26,340 --> 00:28:26,540
Absolutely.
946 00:28:26,800 --> 00:28:27,220
And that’s really
947 00:28:27,220 --> 00:28:28,220
the neat part.
948 00:28:28,460 --> 00:28:28,800
Absolutely.
949 00:28:29,040 --> 00:28:29,400
So yeah,
950 00:28:29,440 --> 00:28:30,240
it’s a fun field.
951 00:28:30,440 --> 00:28:30,960
The neat part
952 00:28:30,960 --> 00:28:31,780
for the red team, yeah.
953 00:28:31,820 --> 00:28:32,400
Yeah, yeah.
954 00:28:33,040 --> 00:28:33,780
And also
955 00:28:33,780 --> 00:28:34,800
there’s the problem
956 00:28:34,800 --> 00:28:35,240
that you know
957 00:28:35,240 --> 00:28:36,180
like he showed you
958 00:28:36,180 --> 00:28:36,640
all that stuff
959 00:28:36,640 --> 00:28:37,860
on internals
960 00:28:37,860 --> 00:28:38,820
and there’s a bunch
961 00:28:38,820 --> 00:28:39,380
of companies
962 00:28:39,380 --> 00:28:40,520
doing internal pen tests
963 00:28:40,520 --> 00:28:41,500
web pen tests.
964 00:28:42,840 --> 00:28:43,940
I have not seen
965 00:28:43,940 --> 00:28:44,920
that many companies
966 00:28:44,920 --> 00:28:46,560
doing like AWS pen tests.
967 00:28:46,840 --> 00:28:46,980
Right.
968 00:28:47,260 --> 00:28:47,600
You know,
969 00:28:47,820 --> 00:28:48,500
there’s Rhino Labs.
970 00:28:48,520 --> 00:28:49,280
Rhino do it.
971 00:28:49,420 --> 00:28:50,080
Our company
972 00:28:50,080 --> 00:28:50,660
where I work
973 00:28:50,660 --> 00:28:51,780
I do a lot of them
974 00:28:51,780 --> 00:28:53,120
every week almost.
975 00:28:53,340 --> 00:28:54,020
But compare that
976 00:28:54,020 --> 00:28:54,800
to like internal
977 00:28:54,800 --> 00:28:56,980
web applications.
978 00:28:58,040 --> 00:28:58,920
Because of that
979 00:28:58,920 --> 00:28:59,640
even the amount
980 00:28:59,640 --> 00:29:00,180
of research
981 00:29:00,180 --> 00:29:01,340
we have on vulnerabilities
982 00:29:01,340 --> 00:29:02,480
is low
983 00:29:02,480 --> 00:29:03,520
because if you have
984 00:29:03,520 --> 00:29:04,280
like three companies
985 00:29:04,280 --> 00:29:05,000
or like let’s say
986 00:29:05,000 --> 00:29:05,820
I’m going to go
987 00:29:05,820 --> 00:29:06,620
like 50 companies
988 00:29:06,620 --> 00:29:07,080
in the world
989 00:29:07,080 --> 00:29:08,040
versus like thousands
990 00:29:08,040 --> 00:29:08,560
doing that
991 00:29:08,560 --> 00:29:09,280
and like
992 00:29:09,280 --> 00:29:09,720
Preempt
993 00:29:09,720 --> 00:29:10,840
I don’t think
994 00:29:10,840 --> 00:29:11,900
they’re probably
995 00:29:11,900 --> 00:29:13,300
doing internal, right?
996 00:29:13,440 --> 00:29:14,480
I mean most of the research
997 00:29:14,480 --> 00:29:15,340
is about AD
998 00:29:15,340 --> 00:29:17,660
or they have a product
999 00:29:17,660 --> 00:29:18,980
but you don’t have
1000 00:29:18,980 --> 00:29:19,500
that in the cloud
1001 00:29:19,500 --> 00:29:20,500
so the amount of research
1002 00:29:20,500 --> 00:29:21,040
the amount of like
1003 00:29:21,040 --> 00:29:22,400
manpower and hours
1004 00:29:22,400 --> 00:29:23,180
that go into it.
1005 00:29:23,180 --> 00:29:23,800
But we’re getting
1006 00:29:23,800 --> 00:29:24,520
a lot of like
1007 00:29:24,520 --> 00:29:25,380
AWS
1008 00:29:25,380 --> 00:29:26,560
more or less
1009 00:29:26,560 --> 00:29:27,080
implemented
1010 00:29:27,080 --> 00:29:28,240
security features
1011 00:29:28,240 --> 00:29:29,300
like Aqua security
1012 00:29:29,300 --> 00:29:30,080
does a lot of
1013 00:29:30,080 --> 00:29:31,440
AMIs that you can
1014 00:29:31,440 --> 00:29:32,120
install directly
1015 00:29:32,120 --> 00:29:32,780
into the cloud.
1016 00:29:32,980 --> 00:29:33,340
Those are the
1017 00:29:33,340 --> 00:29:34,240
Docker scanning.
1018 00:29:34,660 --> 00:29:35,480
You have
1019 00:29:35,480 --> 00:29:37,300
Falco and Sysdig
1020 00:29:37,300 --> 00:29:37,860
they are maybe
1021 00:29:37,860 --> 00:29:38,780
not the best
1022 00:29:38,780 --> 00:29:39,240
but they’re
1023 00:29:39,700 --> 00:29:41,160
Falco and Sysdig
1024 00:29:41,160 --> 00:29:42,460
so it’s like
1025 00:29:42,460 --> 00:29:45,380
well it’s not like
1026 00:29:45,380 --> 00:29:46,960
it’s sort of
1027 00:29:46,960 --> 00:29:49,120
it’s anomaly detection
1028 00:29:49,120 --> 00:29:49,780
more or less
1029 00:29:49,780 --> 00:29:51,020
we can talk a little bit
1030 00:29:51,020 --> 00:29:51,620
more about that
1031 00:29:51,620 --> 00:29:52,240
off camera
1032 00:29:52,240 --> 00:29:53,080
but they’re
1033 00:29:53,080 --> 00:29:54,000
really
1034 00:29:54,000 --> 00:29:55,000
they’ve just been
1035 00:29:55,000 --> 00:29:56,080
accepted into the
1036 00:29:56,080 --> 00:29:56,960
CNCF
1037 00:29:56,960 --> 00:29:57,960
the native foundation
1038 00:29:57,960 --> 00:30:00,160
and they are
1039 00:30:00,160 --> 00:30:01,500
they will be good
1040 00:30:01,500 --> 00:30:02,020
eventually
1041 00:30:02,020 --> 00:30:03,240
but not
1042 00:30:03,240 --> 00:30:04,700
really mature yet.
1043 00:30:04,700 --> 00:30:05,520
I have a little bit
1044 00:30:05,520 --> 00:30:05,880
of problem
1045 00:30:05,880 --> 00:30:06,440
with the cloud
1046 00:30:06,440 --> 00:30:07,400
native foundation
1047 00:30:07,400 --> 00:30:09,020
it’s not a big
1048 00:30:09,020 --> 00:30:09,380
problem
1049 00:30:09,380 --> 00:30:10,240
I’m just saying
1050 00:30:10,240 --> 00:30:12,780
the acceptance rate
1051 00:30:12,780 --> 00:30:13,400
right
1052 00:30:13,400 --> 00:30:14,000
you go look
1053 00:30:14,000 --> 00:30:14,540
at the landscape
1054 00:30:14,540 --> 00:30:15,980
for every
1055 00:30:15,980 --> 00:30:16,920
like cubicle there
1056 00:30:16,920 --> 00:30:17,660
you have like
1057 00:30:17,660 --> 00:30:18,440
50 solutions
1058 00:30:18,440 --> 00:30:20,220
and when you have
1059 00:30:20,220 --> 00:30:20,520
that
1060 00:30:20,520 --> 00:30:21,800
there’s 50 solutions
1061 00:30:21,800 --> 00:30:23,140
with 50
1062 00:30:23,140 --> 00:30:24,560
different places
1063 00:30:24,560 --> 00:30:24,900
to look for
1064 00:30:24,900 --> 00:30:25,540
new vulnerabilities
1065 00:30:25,540 --> 00:30:26,300
because people
1066 00:30:26,300 --> 00:30:26,860
are running that
1067 00:30:26,860 --> 00:30:27,360
right
1068 00:30:27,360 --> 00:30:28,340
once you kind of
1069 00:30:28,340 --> 00:30:28,700
like
1070 00:30:28,700 --> 00:30:30,100
get closer
1071 00:30:30,100 --> 00:30:30,540
and like
1072 00:30:30,540 --> 00:30:31,100
that’s why I like
1073 00:30:31,100 --> 00:30:31,520
console
1074 00:30:31,520 --> 00:30:32,020
or like
1075 00:30:32,020 --> 00:30:32,340
so you have
1076 00:30:32,340 --> 00:30:32,740
console
1077 00:30:32,740 --> 00:30:33,280
Istio
1078 00:30:33,280 --> 00:30:33,660
and like
1079 00:30:33,660 --> 00:30:33,960
LinkedIn
1080 00:30:33,960 --> 00:30:34,320
right
1081 00:30:34,320 --> 00:30:34,880
they’re like
1082 00:30:34,880 --> 00:30:35,560
the most
1083 00:30:35,560 --> 00:30:36,520
most people
1084 00:30:36,520 --> 00:30:37,160
are running them
1085 00:30:37,160 --> 00:30:37,840
so
1086 00:30:37,840 --> 00:30:38,320
so
1087 00:30:38,320 --> 00:30:40,040
you can test
1088 00:30:40,040 --> 00:30:40,400
these
1089 00:30:40,400 --> 00:30:41,240
and you’ll find
1090 00:30:41,240 --> 00:30:42,040
like the vulnerabilities
1091 00:30:42,040 --> 00:30:42,600
and fix them
1092 00:30:42,600 --> 00:30:43,440
but once you have
1093 00:30:43,440 --> 00:30:43,720
like
1094 00:30:43,720 --> 00:30:44,800
a hundred
1095 00:30:44,800 --> 00:30:45,320
like
1096 00:30:45,320 --> 00:30:45,900
microservice
1097 00:30:45,900 --> 00:30:46,460
proxies
1098 00:30:46,460 --> 00:30:48,180
it’s very hard
1099 00:30:48,180 --> 00:30:48,480
to like
1100 00:30:48,480 --> 00:30:49,120
look for things
1101 00:30:49,120 --> 00:30:50,040
in every one of them
1102 00:30:50,040 --> 00:30:51,100
the world of
1103 00:30:51,100 --> 00:30:51,480
Kubernetes
1104 00:30:51,480 --> 00:30:52,360
and orchestrations
1105 00:30:52,360 --> 00:30:53,640
are at their door
1106 00:30:53,640 --> 00:30:54,320
and it’s getting
1107 00:30:54,320 --> 00:30:54,700
adopted
1108 00:30:54,700 --> 00:30:55,760
in a rate
1109 00:30:55,760 --> 00:30:56,200
that we
1110 00:30:56,200 --> 00:30:56,700
can’t even
1111 00:30:56,700 --> 00:30:57,060
comprehend
1112 00:30:57,060 --> 00:30:57,600
so
1113 00:30:57,600 --> 00:30:58,620
well
1114 00:30:58,620 --> 00:30:59,340
I think
1115 00:30:59,340 --> 00:31:00,100
we will not
1116 00:31:00,100 --> 00:31:00,820
be out of a job
1117 00:31:00,820 --> 00:31:01,300
soon
1118 00:31:01,300 --> 00:31:01,820
oh yeah
1119 00:31:01,820 --> 00:31:02,420
like
1120 00:31:02,420 --> 00:31:03,580
the more there is
1121 00:31:03,580 --> 00:31:04,160
the more I’m
1122 00:31:04,160 --> 00:31:05,020
gonna look for things
1123 00:31:05,020 --> 00:31:05,240
right
1124 00:31:05,240 --> 00:31:05,920
either console
1125 00:31:05,920 --> 00:31:06,420
my next
1126 00:31:06,420 --> 00:31:07,180
will be Istio
1127 00:31:07,180 --> 00:31:07,700
I’ll look for
1128 00:31:07,700 --> 00:31:08,140
how to
1129 00:31:08,140 --> 00:31:08,780
break that
1130 00:31:08,780 --> 00:31:09,140
and
1131 00:31:09,140 --> 00:31:10,040
like
1132 00:31:10,040 --> 00:31:10,860
you know
1133 00:31:10,860 --> 00:31:11,320
every day
1134 00:31:11,320 --> 00:31:11,640
something new
1135 00:31:11,640 --> 00:31:12,440
thing comes out
1136 00:31:12,440 --> 00:31:12,860
and
1137 00:31:12,860 --> 00:31:14,500
I’m a developer
1138 00:31:14,500 --> 00:31:15,520
so
1139 00:31:15,520 --> 00:31:16,440
I know that
1140 00:31:16,440 --> 00:31:16,840
I make
1141 00:31:16,840 --> 00:31:17,320
vulnerability
1142 00:31:17,320 --> 00:31:17,820
in my code
1143 00:31:17,820 --> 00:31:18,580
so
1144 00:31:18,580 --> 00:31:19,380
and people
1145 00:31:19,380 --> 00:31:19,640
found
1146 00:31:19,640 --> 00:31:19,960
vulnerability
1147 00:31:19,960 --> 00:31:20,580
in my code
1148 00:31:20,580 --> 00:31:21,160
and
1149 00:31:21,160 --> 00:31:21,820
it’s fine
1150 00:31:21,820 --> 00:31:22,260
it’s like
1151 00:31:22,260 --> 00:31:22,640
no one’s
1152 00:31:22,640 --> 00:31:22,940
perfect
1153 00:31:22,940 --> 00:31:23,860
I think
1154 00:31:23,860 --> 00:31:24,760
you know
1155 00:31:24,760 --> 00:31:25,460
people are more
1156 00:31:25,460 --> 00:31:26,400
concerned about
1157 00:31:26,400 --> 00:31:27,180
preventing
1158 00:31:27,180 --> 00:31:27,840
that
1159 00:31:27,840 --> 00:31:29,020
initial point
1160 00:31:29,020 --> 00:31:29,640
of compromise
1161 00:31:29,640 --> 00:31:30,540
but
1162 00:31:30,540 --> 00:31:31,520
there’s really
1163 00:31:31,520 --> 00:31:32,260
nothing you can
1164 00:31:32,260 --> 00:31:33,040
do about that
1165 00:31:33,040 --> 00:31:33,740
it’s inevitable
1166 00:31:33,740 --> 00:31:34,700
I think
1167 00:31:34,700 --> 00:31:35,300
what’s very
1168 00:31:35,300 --> 00:31:35,840
important
1169 00:31:35,840 --> 00:31:36,800
and highly
1170 00:31:36,800 --> 00:31:37,220
like
1171 00:31:37,220 --> 00:31:38,120
underestimate
1172 00:31:38,120 --> 00:31:38,600
it
1173 00:31:38,600 --> 00:31:39,120
as far as
1174 00:31:39,120 --> 00:31:39,620
the amount
1175 00:31:39,620 --> 00:31:40,040
of value
1176 00:31:40,040 --> 00:31:40,340
that it
1177 00:31:40,340 --> 00:31:40,680
offers
1178 00:31:40,680 --> 00:31:41,680
is having
1179 00:31:41,680 --> 00:31:42,500
telemetry
1180 00:31:42,500 --> 00:31:43,260
like
1181 00:31:43,260 --> 00:31:44,160
you know
1182 00:31:44,160 --> 00:31:44,820
like
1183 00:31:44,820 --> 00:31:45,200
for my
1184 00:31:45,200 --> 00:31:45,700
particular
1185 00:31:45,700 --> 00:31:46,100
attack
1186 00:31:46,100 --> 00:31:46,400
that I
1187 00:31:46,400 --> 00:31:46,920
demonstrated
1188 00:31:46,920 --> 00:31:48,140
yes
1189 00:31:48,140 --> 00:31:48,560
I use
1190 00:31:48,560 --> 00:31:49,280
an undetectable
1191 00:31:49,280 --> 00:31:49,700
payload
1192 00:31:49,700 --> 00:31:50,100
you were
1193 00:31:50,100 --> 00:31:50,580
not able
1194 00:31:50,580 --> 00:31:50,860
to see
1195 00:31:50,860 --> 00:31:51,440
the traffic
1196 00:31:51,440 --> 00:31:52,500
you weren’t
1197 00:31:52,500 --> 00:31:52,960
able to
1198 00:31:52,960 --> 00:31:53,460
see
1199 00:31:53,460 --> 00:31:54,980
anything
1200 00:31:54,980 --> 00:31:55,280
going
1201 00:31:55,280 --> 00:31:55,580
across
1202 00:31:55,580 --> 00:31:56,060
the wire
1203 00:31:56,060 --> 00:31:56,900
but
1204 00:31:56,900 --> 00:31:58,040
why
1205 00:31:58,040 --> 00:31:58,280
were
1206 00:31:58,280 --> 00:31:58,520
there
1207 00:31:58,520 --> 00:31:59,080
60
1208 00:31:59,080 --> 00:32:00,540
systems
1209 00:32:00,540 --> 00:32:01,500
reverse
1210 00:32:01,500 --> 00:32:02,020
connecting
1211 00:32:02,020 --> 00:32:02,560
to me
1212 00:32:02,560 --> 00:32:03,280
simultaneously
1213 00:32:03,280 --> 00:32:04,160
that’s
1214 00:32:04,160 --> 00:32:04,600
the thing
1215 00:32:04,600 --> 00:32:05,200
you need
1216 00:32:05,200 --> 00:32:05,540
to have
1217 00:32:05,540 --> 00:32:05,860
some
1218 00:32:05,860 --> 00:32:06,080
kind
1219 00:32:06,080 --> 00:32:06,160
of
1220 00:32:06,160 --> 00:32:07,300
anomaly
1221 00:32:07,300 --> 00:32:07,800
detection
1222 00:32:07,800 --> 00:32:08,000
there
1223 00:32:08,000 --> 00:32:08,800
it’s
1224 00:32:08,800 --> 00:32:09,020
no
1225 00:32:09,020 --> 00:32:09,480
reason
1226 00:32:09,480 --> 00:32:10,740
every
1227 00:32:10,740 --> 00:32:14,060
user
1228 00:32:14,060 --> 00:32:14,260
in
1229 00:32:14,260 --> 00:32:14,380
the
1230 00:32:14,380 --> 00:32:14,980
directory
1231 00:32:14,980 --> 00:32:15,420
under
1232 00:32:15,420 --> 00:32:15,740
five
1233 00:32:15,740 --> 00:32:16,140
minutes
1234 00:32:16,140 --> 00:32:16,560
right
1235 00:32:16,560 --> 00:32:18,620
I
1236 00:32:18,620 --> 00:32:19,080
come
1237 00:32:19,080 --> 00:32:19,240
from
1238 00:32:19,240 --> 00:32:19,360
a
1239 00:32:19,360 --> 00:32:19,520
data
1240 00:32:19,520 --> 00:32:19,780
science
1241 00:32:19,780 --> 00:32:20,380
background
1242 00:32:20,380 --> 00:32:20,900
right
1243 00:32:20,900 --> 00:32:21,220
like
1244 00:32:21,220 --> 00:32:21,500
machine
1245 00:32:21,500 --> 00:32:21,820
learning
1246 00:32:21,820 --> 00:32:22,060
I
1247 00:32:22,060 --> 00:32:23,140
think
1248 00:32:23,140 --> 00:32:23,240
you
1249 00:32:23,240 --> 00:32:23,340
don’t
1250 00:32:23,340 --> 00:32:23,480
even
1251 00:32:23,480 --> 00:32:23,720
need
1252 00:32:23,720 --> 00:32:23,980
that
1253 00:32:23,980 --> 00:32:24,140
you
1254 00:32:24,140 --> 00:32:24,320
need
1255 00:32:24,320 --> 00:32:24,540
like
1256 00:32:24,540 --> 00:32:25,000
a
1257 00:32:25,000 --> 00:32:25,420
threshold
1258 00:32:25,420 --> 00:32:26,160
like
1259 00:32:26,160 --> 00:32:26,440
you
1260 00:32:26,440 --> 00:32:26,660
should
1261 00:32:26,660 --> 00:32:27,140
yeah
1262 00:32:27,140 --> 00:32:27,360
so
1263 00:32:27,360 --> 00:32:27,560
you
1264 00:32:27,560 --> 00:32:27,760
don’t
1265 00:32:27,760 --> 00:32:28,100
need
1266 00:32:28,100 --> 00:32:28,440
like
1267 00:32:28,440 --> 00:32:29,020
60
1268 00:32:29,020 --> 00:32:29,220
is
1269 00:32:29,220 --> 00:32:29,460
like
1270 00:32:29,460 --> 00:32:29,820
a
1271 00:32:29,820 --> 00:32:30,140
crazy
1272 00:32:30,140 --> 00:32:30,420
amount
1273 00:32:30,420 --> 00:32:30,540
of
1274 00:32:30,540 --> 00:32:30,960
machines
1275 00:32:30,960 --> 00:32:31,280
drinking
1276 00:32:31,280 --> 00:32:31,740
outside
1277 00:32:31,740 --> 00:32:31,960
like
1278 00:32:31,960 --> 00:32:32,360
one
1279 00:32:32,360 --> 00:32:32,940
system
1280 00:32:32,940 --> 00:32:35,120
that’s
1281 00:32:35,120 --> 00:32:35,240
a
1282 00:32:35,240 --> 00:32:35,620
rule
1283 00:32:35,620 --> 00:32:35,880
you
1284 00:32:35,880 --> 00:32:36,060
don’t
1285 00:32:36,060 --> 00:32:36,220
need
1286 00:32:36,220 --> 00:32:36,480
any
1287 00:32:36,480 --> 00:32:36,660
like
1288 00:32:36,660 --> 00:32:37,340
crazy
1289 00:32:37,340 --> 00:32:37,780
anomaly
1290 00:32:37,780 --> 00:32:38,220
deep
1291 00:32:38,220 --> 00:32:38,520
learning
1292 00:32:38,520 --> 00:32:38,880
thing
1293 00:32:38,880 --> 00:32:39,080
it’s
1294 00:32:39,080 --> 00:32:39,220
like
1295 00:32:39,220 --> 00:32:39,340
a
1296 00:32:39,340 --> 00:32:39,480
rule
1297 00:32:39,480 --> 00:32:39,620
that
1298 00:32:39,620 --> 00:32:39,720
a
1299 00:32:39,720 --> 00:32:39,960
person
1300 00:32:39,960 --> 00:32:40,140
can
1301 00:32:40,140 --> 00:32:40,440
write
1302 00:32:40,440 --> 00:32:41,360
but
1303 00:32:41,360 --> 00:32:41,580
that’s
1304 00:32:41,580 --> 00:32:41,660
a
1305 00:32:41,660 --> 00:32:41,880
windows
1306 00:32:41,880 --> 00:32:42,160
box
1307 00:32:42,160 --> 00:32:42,380
no
1308 00:32:42,380 --> 00:32:42,740
so
1309 00:32:42,740 --> 00:32:42,920
it
1310 00:32:42,920 --> 00:32:43,300
chats
1311 00:32:43,300 --> 00:32:43,520
like
1312 00:32:43,520 --> 00:32:43,640
an
1313 00:32:43,640 --> 00:32:43,800
old
1314 00:32:43,800 --> 00:32:44,080
lady
1315 00:32:44,080 --> 00:32:44,460
so
1316 00:32:44,460 --> 00:32:47,880
if
1317 00:32:47,880 --> 00:32:47,980
you
1318 00:32:47,980 --> 00:32:48,140
have
1319 00:32:48,140 --> 00:32:48,520
looked
1320 00:32:48,520 --> 00:32:48,660
at
1321 00:32:48,660 --> 00:32:48,780
a
1322 00:32:48,780 --> 00:32:49,180
pcap
1323 00:32:49,180 --> 00:32:49,440
there
1324 00:32:49,440 --> 00:32:51,420
is
1325 00:32:51,420 --> 00:32:51,560
a
1326 00:32:51,560 --> 00:32:52,000
lot
1327 00:32:52,000 --> 00:32:52,160
of
1328 00:32:52,160 --> 00:32:52,440
noise
1329 00:32:52,440 --> 00:32:54,120
yeah
1330 00:32:54,120 --> 00:32:56,320
that’s
1331 00:32:56,320 --> 00:32:56,600
sort
1332 00:32:56,600 --> 00:32:57,020
of
1333 00:32:57,020 --> 00:32:57,160
yeah
1334 00:32:57,160 --> 00:32:57,380
but
1335 00:32:57,380 --> 00:32:57,560
I
1336 00:32:57,560 --> 00:32:57,920
think
1337 00:32:57,920 --> 00:32:58,180
that’s
1338 00:32:58,180 --> 00:32:58,300
a
1339 00:32:58,300 --> 00:32:58,640
good
1340 00:32:58,640 --> 00:32:59,040
takeaway
1341 00:32:59,040 --> 00:32:59,400
because
1342 00:32:59,400 --> 00:32:59,640
there
1343 00:32:59,640 --> 00:32:59,960
are
1344 00:32:59,960 --> 00:33:00,280
some
1345 00:33:00,280 --> 00:33:00,820
fairly
1346 00:33:00,820 --> 00:33:01,420
simple
1347 00:33:01,420 --> 00:33:02,120
metrics
1348 00:33:02,120 --> 00:33:02,420
that
1349 00:33:02,420 --> 00:33:02,600
you
1350 00:33:02,600 --> 00:33:02,980
could
1351 00:33:02,980 --> 00:33:03,700
look
1352 00:33:03,700 --> 00:33:04,060
at
1353 00:33:04,060 --> 00:33:04,420
I
1354 00:33:04,420 --> 00:33:05,200
mean
1355 00:33:05,200 --> 00:33:05,340
we
1356 00:33:05,340 --> 00:33:05,540
were
1357 00:33:05,540 --> 00:33:05,780
doing
1358 00:33:05,780 --> 00:33:06,160
this
1359 00:33:06,160 --> 00:33:07,060
defense
1360 00:33:07,060 --> 00:33:07,420
in
1361 00:33:07,420 --> 00:33:07,660
depth
1362 00:33:07,660 --> 00:33:09,100
privilege
1363 00:33:09,100 --> 00:33:09,580
at
1364 00:33:09,580 --> 00:33:09,920
least
1365 00:33:09,920 --> 00:33:10,360
privilege
1366 00:33:10,360 --> 00:33:10,860
policies
1367 00:33:10,860 --> 00:33:12,900
and
1368 00:33:12,900 --> 00:33:13,680
so
1369 00:33:13,680 --> 00:33:13,800
I
1370 00:33:13,800 --> 00:33:14,100
know
1371 00:33:14,100 --> 00:33:14,320
the
1372 00:33:14,320 --> 00:33:14,620
things
1373 00:33:14,620 --> 00:33:14,760
that
1374 00:33:14,760 --> 00:33:14,920
you’re
1375 00:33:14,920 --> 00:33:15,180
running
1376 00:33:15,180 --> 00:33:15,820
don’t
1377 00:33:15,820 --> 00:33:16,140
be
1378 00:33:16,140 --> 00:33:16,900
crazy
1379 00:33:16,900 --> 00:33:17,260
stupid
1380 00:33:17,260 --> 00:33:17,740
don’t
1381 00:33:17,740 --> 00:33:17,900
be
1382 00:33:17,900 --> 00:33:18,040
an
1383 00:33:18,040 --> 00:33:18,260
early
1384 00:33:18,260 --> 00:33:18,640
adopter
1385 00:33:18,640 --> 00:33:18,780
of
1386 00:33:18,780 --> 00:33:18,980
something
1387 00:33:18,980 --> 00:33:19,160
that
1388 00:33:19,160 --> 00:33:19,260
you
1389 00:33:19,260 --> 00:33:19,440
don’t
1390 00:33:19,440 --> 00:33:19,740
know
1391 00:33:19,740 --> 00:33:20,380
always
1392 00:33:20,380 --> 00:33:21,220
if
1393 00:33:21,220 --> 00:33:21,360
you
1394 00:33:21,360 --> 00:33:21,560
like
1395 00:33:21,560 --> 00:33:21,960
pull
1396 00:33:21,960 --> 00:33:22,600
things
1397 00:33:22,600 --> 00:33:23,480
check
1398 00:33:23,480 --> 00:33:23,760
it
1399 00:33:23,760 --> 00:33:24,220
yeah
1400 00:33:24,220 --> 00:33:25,900
or
1401 00:33:25,900 --> 00:33:27,520
if
1402 00:33:27,520 --> 00:33:27,660
you’re
1403 00:33:27,660 --> 00:33:27,940
using
1404 00:33:27,940 --> 00:33:28,420
if
1405 00:33:28,420 --> 00:33:28,960
you’re
1406 00:33:28,960 --> 00:33:30,180
taking
1407 00:33:30,180 --> 00:33:30,560
down
1408 00:33:30,560 --> 00:33:31,120
php
1409 00:33:31,120 --> 00:33:32,440
framework
1410 00:33:32,440 --> 00:33:32,880
from
1411 00:33:32,880 --> 00:33:33,120
some
1412 00:33:33,120 --> 00:33:33,360
guy
1413 00:33:33,360 --> 00:33:33,540
in
1414 00:33:33,540 --> 00:33:33,880
russia
1415 00:33:33,880 --> 00:33:34,680
maybe
1416 00:33:34,680 --> 00:33:34,920
not
1417 00:33:34,920 --> 00:33:35,080
be
1418 00:33:35,080 --> 00:33:35,220
the
1419 00:33:35,220 --> 00:33:35,480
valid
1420 00:33:35,480 --> 00:33:35,860
source
1421 00:33:35,860 --> 00:33:36,180
check
1422 00:33:36,180 --> 00:33:36,340
out
1423 00:33:36,340 --> 00:33:36,540
the
1424 00:33:36,540 --> 00:33:36,760
source
1425 00:33:36,760 --> 00:33:36,980
where
1426 00:33:36,980 --> 00:33:37,100
are
1427 00:33:37,100 --> 00:33:37,220
you
1428 00:33:37,220 --> 00:33:37,520
pulling
1429 00:33:37,520 --> 00:33:37,700
stuff
1430 00:33:37,700 --> 00:33:37,800
no
1431 00:33:37,800 --> 00:33:37,900
you
1432 00:33:37,900 --> 00:33:38,060
also
1433 00:33:38,060 --> 00:33:38,220
have
1434 00:33:38,220 --> 00:33:38,380
like
1435 00:33:38,380 --> 00:33:38,500
all
1436 00:33:38,500 --> 00:33:38,620
those
1437 00:33:38,620 --> 00:33:38,920
supply
1438 00:33:38,920 --> 00:33:39,140
chain
1439 00:33:39,140 --> 00:33:39,360
attacks
1440 00:33:39,360 --> 00:33:39,560
right
1441 00:33:39,560 --> 00:33:39,780
when
1442 00:33:39,780 --> 00:33:40,420
you
1443 00:33:40,420 --> 00:33:41,060
especially
1444 00:33:41,060 --> 00:33:41,320
when
1445 00:33:41,320 --> 00:33:41,380
you
1446 00:33:41,380 --> 00:33:41,480
have
1447 00:33:41,480 --> 00:33:41,640
like
1448 00:33:41,640 --> 00:33:41,900
circle
1449 00:33:41,900 --> 00:33:42,160
ci
1450 00:33:42,160 --> 00:33:42,500
which
1451 00:33:42,500 --> 00:33:42,920
pulls
1452 00:33:42,920 --> 00:33:43,180
things
1453 00:33:43,180 --> 00:33:43,400
from
1454 00:33:43,400 --> 00:33:43,840
a
1455 00:33:43,840 --> 00:33:44,120
git
1456 00:33:44,120 --> 00:33:44,820
like
1457 00:33:44,820 --> 00:33:45,280
get
1458 00:33:45,280 --> 00:33:45,440
the
1459 00:33:45,440 --> 00:33:45,720
hash
1460 00:33:45,720 --> 00:33:45,860
and
1461 00:33:45,860 --> 00:33:46,160
compare
1462 00:33:46,160 --> 00:33:46,340
it
1463 00:33:46,340 --> 00:33:46,600
before
1464 00:33:46,600 --> 00:33:46,820
you
1465 00:33:46,820 --> 00:33:47,060
run
1466 00:33:47,060 --> 00:33:47,260
it
1467 00:33:47,260 --> 00:33:47,520
because
1468 00:33:47,520 --> 00:33:48,200
if
1469 00:33:48,200 --> 00:33:48,880
someone
1470 00:33:48,880 --> 00:33:49,200
gets
1471 00:33:49,200 --> 00:33:49,620
their
1472 00:33:49,620 --> 00:33:49,920
key
1473 00:33:49,920 --> 00:33:50,140
and
1474 00:33:50,140 --> 00:33:50,420
pushes
1475 00:33:50,420 --> 00:33:51,080
something
1476 00:33:51,080 --> 00:33:51,240
to
1477 00:33:51,240 --> 00:33:51,420
their
1478 00:33:51,420 --> 00:33:51,840
branch
1479 00:33:51,840 --> 00:33:52,380
you’re
1480 00:33:52,380 --> 00:33:52,760
screwed
1481 00:33:52,760 --> 00:33:53,300
you
1482 00:33:53,300 --> 00:33:53,580
had
1483 00:33:53,580 --> 00:33:53,760
an
1484 00:33:53,760 --> 00:33:54,060
npm
1485 00:33:54,060 --> 00:33:54,440
attack
1486 00:33:54,440 --> 00:33:54,620
that
1487 00:33:54,620 --> 00:33:55,040
almost
1488 00:33:55,040 --> 00:33:55,300
took
1489 00:33:55,300 --> 00:33:55,580
down
1490 00:33:55,580 --> 00:33:56,100
with
1491 00:33:56,100 --> 00:33:56,240
a
1492 00:33:56,240 --> 00:33:56,560
cryptocurrency
1493 00:33:56,560 --> 00:33:57,460
exactly
1494 00:33:57,460 --> 00:33:57,860
same
1495 00:33:57,860 --> 00:33:58,020
thing
1496 00:33:58,020 --> 00:33:58,180
though
1497 00:33:58,180 --> 00:33:58,460
say
1498 00:33:58,460 --> 00:33:58,680
like
1499 00:33:58,680 --> 00:33:58,860
it’s
1500 00:33:58,860 --> 00:33:59,000
with
1501 00:33:59,000 --> 00:33:59,500
npm
1502 00:33:59,500 --> 00:33:59,760
it’s
1503 00:33:59,760 --> 00:34:00,000
like
1504 00:34:00,000 --> 00:34:00,340
on
1505 00:34:00,340 --> 00:34:00,680
event
1506 00:34:00,680 --> 00:34:01,000
stream
1507 00:34:01,000 --> 00:34:01,420
which
1508 00:34:01,420 --> 00:34:01,520
is
1509 00:34:01,520 --> 00:34:01,640
like
1510 00:34:01,640 --> 00:34:01,940
it
1511 00:34:01,940 --> 00:34:02,060
was
1512 00:34:02,060 --> 00:34:02,200
the
1513 00:34:02,200 --> 00:34:02,380
most
1514 00:34:02,380 --> 00:34:02,680
popular
1515 00:34:02,680 --> 00:34:03,080
library
1516 00:34:03,080 --> 00:34:03,620
one
1517 00:34:03,620 --> 00:34:03,780
of
1518 00:34:03,780 --> 00:34:03,840
the
1519 00:34:03,840 --> 00:34:03,980
most
1520 00:34:03,980 --> 00:34:04,180
popular
1521 00:34:04,180 --> 00:34:04,580
libraries
1522 00:34:04,580 --> 00:34:04,700
in
1523 00:34:04,700 --> 00:34:05,080
npm
1524 00:34:05,080 --> 00:34:05,460
and
1525 00:34:05,460 --> 00:34:05,640
the
1526 00:34:05,640 --> 00:34:05,960
developer
1527 00:34:05,960 --> 00:34:06,240
is
1528 00:34:06,240 --> 00:34:06,440
like
1529 00:34:06,440 --> 00:34:06,820
abandoned
1530 00:34:06,820 --> 00:34:07,040
it
1531 00:34:07,040 --> 00:34:07,100
is
1532 00:34:07,100 --> 00:34:07,260
like
1533 00:34:07,260 --> 00:34:07,660
oh
1534 00:34:07,660 --> 00:34:08,060
fuck
1535 00:34:08,060 --> 00:34:08,260
this
1536 00:34:08,260 --> 00:34:08,600
yeah
1537 00:34:08,600 --> 00:34:08,900
and
1538 00:34:08,900 --> 00:34:09,120
some
1539 00:34:09,120 --> 00:34:09,260
dude
1540 00:34:09,260 --> 00:34:09,380
is
1541 00:34:09,380 --> 00:34:09,500
like
1542 00:34:09,500 --> 00:34:09,680
i
1543 00:34:09,680 --> 00:34:09,960
want
1544 00:34:09,960 --> 00:34:10,200
it
1545 00:34:10,200 --> 00:34:10,640
and
1546 00:34:10,640 --> 00:34:10,860
he
1547 00:34:10,860 --> 00:34:11,060
put
1548 00:34:11,060 --> 00:34:11,620
something
1549 00:34:11,620 --> 00:34:11,820
that
1550 00:34:11,820 --> 00:34:12,180
targeted
1551 00:34:12,180 --> 00:34:12,500
like
1552 00:34:12,500 --> 00:34:12,640
a
1553 00:34:12,640 --> 00:34:13,140
specific
1554 00:34:13,140 --> 00:34:13,660
coin
1555 00:34:13,660 --> 00:34:14,140
exchange
1556 00:34:14,140 --> 00:34:14,820
to
1557 00:34:14,820 --> 00:34:15,280
like
1558 00:34:15,280 --> 00:34:15,820
poison
1559 00:34:15,820 --> 00:34:16,500
to
1560 00:34:16,500 --> 00:34:16,880
inject
1561 00:34:16,880 --> 00:34:17,120
like
1562 00:34:17,120 --> 00:34:17,360
a
1563 00:34:17,360 --> 00:34:17,620
code
1564 00:34:17,620 --> 00:34:17,820
into
1565 00:34:17,820 --> 00:34:17,980
the
1566 00:34:17,980 --> 00:34:18,180
mobile
1567 00:34:18,180 --> 00:34:18,520
app
1568 00:34:18,520 --> 00:34:18,680
you
1569 00:34:18,680 --> 00:34:18,840
know
1570 00:34:18,840 --> 00:34:19,140
docker
1571 00:34:19,140 --> 00:34:19,340
about
1572 00:34:19,340 --> 00:34:19,560
the
1573 00:34:19,560 --> 00:34:19,780
same
1574 00:34:19,780 --> 00:34:20,060
thing
1575 00:34:20,060 --> 00:34:20,280
they
1576 00:34:20,280 --> 00:34:20,740
removed
1577 00:34:20,740 --> 00:34:21,300
thousands
1578 00:34:21,300 --> 00:34:21,820
of
1579 00:34:21,820 --> 00:34:22,720
really
1580 00:34:22,720 --> 00:34:23,340
really
1581 00:34:23,340 --> 00:34:23,880
they
1582 00:34:23,880 --> 00:34:24,220
were
1583 00:34:24,220 --> 00:34:24,600
compromised
1584 00:34:24,600 --> 00:34:25,120
containers
1585 00:34:25,120 --> 00:34:25,640
that
1586 00:34:25,640 --> 00:34:25,860
people
1587 00:34:25,860 --> 00:34:26,280
used
1588 00:34:26,280 --> 00:34:26,600
yeah
1589 00:34:26,600 --> 00:34:27,160
because
1590 00:34:27,160 --> 00:34:27,300
they
1591 00:34:27,300 --> 00:34:27,520
didn’t
1592 00:34:27,520 --> 00:34:27,640
do
1593 00:34:27,640 --> 00:34:27,800
their
1594 00:34:27,800 --> 00:34:28,160
homework
1595 00:34:28,160 --> 00:34:29,020
the
1596 00:34:29,020 --> 00:34:30,060
industry
1597 00:34:30,060 --> 00:34:30,640
needs
1598 00:34:30,640 --> 00:34:30,760
to
1599 00:34:30,760 --> 00:34:31,060
mature
1600 00:34:31,060 --> 00:34:31,520
i
1601 00:34:31,520 --> 00:34:32,000
think
1602 00:34:32,000 --> 00:34:32,140
one
1603 00:34:32,140 --> 00:34:32,220
of
1604 00:34:32,220 --> 00:34:32,340
the
1605 00:34:32,340 --> 00:34:32,600
biggest
1606 00:34:32,600 --> 00:34:32,960
issues
1607 00:34:32,960 --> 00:34:33,160
with
1608 00:34:33,160 --> 00:34:33,300
the
1609 00:34:33,300 --> 00:34:33,600
industry
1610 00:34:33,600 --> 00:34:33,840
right
1611 00:34:33,840 --> 00:34:34,140
now
1612 00:34:34,140 --> 00:34:34,580
with
1613 00:34:34,580 --> 00:34:34,940
i’ve
1614 00:34:34,940 --> 00:34:35,160
seen
1615 00:34:35,160 --> 00:34:35,360
from
1616 00:34:35,360 --> 00:34:35,540
my
1617 00:34:35,540 --> 00:34:35,860
personal
1618 00:34:35,860 --> 00:34:36,280
experience
1619 00:34:36,280 --> 00:34:36,500
is
1620 00:34:36,500 --> 00:34:36,700
that
1621 00:34:36,700 --> 00:34:37,500
organizations
1622 00:34:37,500 --> 00:34:38,480
post
1623 00:34:38,480 --> 00:34:38,760
pen
1624 00:34:38,760 --> 00:34:39,140
test
1625 00:34:39,140 --> 00:34:39,820
they’re
1626 00:34:39,820 --> 00:34:39,960
gonna
1627 00:34:39,960 --> 00:34:40,380
say
1628 00:34:40,380 --> 00:34:41,060
what
1629 00:34:41,060 --> 00:34:41,300
they
1630 00:34:41,300 --> 00:34:41,600
always
1631 00:34:41,600 --> 00:34:41,880
ask
1632 00:34:41,880 --> 00:34:42,000
me
1633 00:34:42,000 --> 00:34:42,320
what
1634 00:34:42,320 --> 00:34:42,820
products
1635 00:34:42,820 --> 00:34:43,040
can
1636 00:34:43,040 --> 00:34:43,180
i
1637 00:34:43,180 --> 00:34:43,740
buy
1638 00:34:43,740 --> 00:34:44,260
to
1639 00:34:44,260 --> 00:34:44,740
prevent
1640 00:34:44,740 --> 00:34:45,080
this
1641 00:34:45,080 --> 00:34:45,220
and
1642 00:34:45,220 --> 00:34:45,320
i’m
1643 00:34:45,320 --> 00:34:45,480
like
1644 00:34:45,480 --> 00:34:46,320
don’t
1645 00:34:46,320 --> 00:34:46,620
worry
1646 00:34:46,620 --> 00:34:46,800
about
1647 00:34:46,800 --> 00:34:46,960
your
1648 00:34:46,960 --> 00:34:47,400
products
1649 00:34:47,400 --> 00:34:47,960
put
1650 00:34:47,960 --> 00:34:48,240
that
1651 00:34:48,240 --> 00:34:48,540
money
1652 00:34:48,540 --> 00:34:48,860
in
1653 00:34:48,860 --> 00:34:49,180
training
1654 00:34:49,180 --> 00:34:49,380
your
1655 00:34:49,380 --> 00:34:49,760
people
1656 00:34:49,760 --> 00:34:50,460
your
1657 00:34:50,460 --> 00:34:50,860
product
1658 00:34:50,860 --> 00:34:51,020
is
1659 00:34:51,020 --> 00:34:51,400
only
1660 00:34:51,400 --> 00:34:51,660
as
1661 00:34:51,660 --> 00:34:51,920
good
1662 00:34:51,920 --> 00:34:52,280
as
1663 00:34:52,280 --> 00:34:52,440
the
1664 00:34:52,440 --> 00:34:52,800
people
1665 00:34:52,800 --> 00:34:53,040
who
1666 00:34:53,040 --> 00:34:53,540
deploy
1667 00:34:53,540 --> 00:34:53,720
it
1668 00:34:53,720 --> 00:34:53,880
the
1669 00:34:53,880 --> 00:34:54,160
people
1670 00:34:54,160 --> 00:34:54,320
who
1671 00:34:54,320 --> 00:34:54,760
configure
1672 00:34:54,760 --> 00:34:54,960
it
1673 00:34:54,960 --> 00:34:55,120
like
1674 00:34:55,120 --> 00:34:56,000
don’t
1675 00:34:56,000 --> 00:34:56,320
worry
1676 00:34:56,320 --> 00:34:56,680
about
1677 00:34:56,680 --> 00:34:57,160
getting
1678 00:34:57,160 --> 00:34:57,360
the
1679 00:34:57,360 --> 00:34:57,620
latest
1680 00:34:57,620 --> 00:34:58,060
product
1681 00:34:58,060 --> 00:34:58,600
don’t
1682 00:34:58,600 --> 00:34:59,120
worry
1683 00:34:59,120 --> 00:34:59,320
about
1684 00:34:59,320 --> 00:34:59,480
it
1685 00:34:59,480 --> 00:34:59,840
it’s a
1686 00:34:59,840 --> 00:35:00,140
cultural
1687 00:35:00,140 --> 00:35:00,460
thing
1688 00:35:00,460 --> 00:35:00,660
as
1689 00:35:00,660 --> 00:35:00,820
well
1690 00:35:00,820 --> 00:35:01,020
like
1691 00:35:01,020 --> 00:35:01,180
we
1692 00:35:01,180 --> 00:35:01,340
need
1693 00:35:01,340 --> 00:35:01,460
to
1694 00:35:01,460 --> 00:35:01,760
implement
1695 00:35:01,760 --> 00:35:02,120
non
1696 00:35:02,120 --> 00:35:02,380
blame
1697 00:35:02,380 --> 00:35:02,840
policy
1698 00:35:02,840 --> 00:35:03,200
that
1699 00:35:03,200 --> 00:35:03,640
everyone
1700 00:35:03,640 --> 00:35:03,900
is
1701 00:35:03,900 --> 00:35:04,080
like
1702 00:35:04,080 --> 00:35:04,340
it
1703 00:35:04,340 --> 00:35:04,620
doesn’t
1704 00:35:04,620 --> 00:35:04,920
matter
1705 00:35:04,920 --> 00:35:05,160
where
1706 00:35:05,160 --> 00:35:05,320
you
1707 00:35:05,320 --> 00:35:05,540
find
1708 00:35:05,540 --> 00:35:05,680
the
1709 00:35:05,680 --> 00:35:05,940
bugs
1710 00:35:05,940 --> 00:35:06,420
we
1711 00:35:06,420 --> 00:35:06,620
will
1712 00:35:06,620 --> 00:35:06,920
help
1713 00:35:06,920 --> 00:35:07,100
it
1714 00:35:07,100 --> 00:35:07,460
out
1715 00:35:07,460 --> 00:35:07,900
each
1716 00:35:07,900 --> 00:35:08,200
other
1717 00:35:08,200 --> 00:35:08,580
to
1718 00:35:08,580 --> 00:35:08,860
fix
1719 00:35:08,860 --> 00:35:09,000
it
1720 00:35:09,000 --> 00:35:09,120
you
1721 00:35:09,120 --> 00:35:09,260
need
1722 00:35:09,260 --> 00:35:09,340
to
1723 00:35:09,340 --> 00:35:09,740
train
1724 00:35:09,740 --> 00:35:10,260
every
1725 00:35:10,260 --> 00:35:10,580
person
1726 00:35:10,580 --> 00:35:11,180
like
1727 00:35:11,180 --> 00:35:11,360
the
1728 00:35:11,360 --> 00:35:11,780
secretary
1729 00:35:11,780 --> 00:35:12,360
look
1730 00:35:12,360 --> 00:35:13,720
at
1731 00:35:13,720 --> 00:35:14,120
our
1732 00:35:14,120 --> 00:35:14,400
talk
1733 00:35:14,400 --> 00:35:14,580
from
1734 00:35:14,580 --> 00:35:14,860
before
1735 00:35:14,860 --> 00:35:15,100
about
1736 00:35:15,100 --> 00:35:15,240
the
1737 00:35:15,240 --> 00:35:15,640
APT
1738 00:35:15,640 --> 00:35:16,020
right
1739 00:35:16,020 --> 00:35:16,780
spear
1740 00:35:16,780 --> 00:35:17,160
fishing
1741 00:35:17,160 --> 00:35:17,880
they
1742 00:35:17,880 --> 00:35:18,120
got
1743 00:35:18,120 --> 00:35:18,520
and
1744 00:35:18,520 --> 00:35:18,680
they
1745 00:35:18,680 --> 00:35:18,940
used
1746 00:35:18,940 --> 00:35:19,280
the
1747 00:35:19,280 --> 00:35:19,600
MC
1748 00:35:19,600 --> 00:35:19,980
bypass
1749 00:35:19,980 --> 00:35:20,440
you
1750 00:35:20,440 --> 00:35:20,600
can
1751 00:35:20,600 --> 00:35:20,780
see
1752 00:35:20,780 --> 00:35:20,940
in
1753 00:35:20,940 --> 00:35:21,080
their
1754 00:35:21,080 --> 00:35:21,440
script
1755 00:35:21,440 --> 00:35:21,600
how
1756 00:35:21,600 --> 00:35:21,760
they
1757 00:35:21,760 --> 00:35:22,260
bypassed
1758 00:35:22,260 --> 00:35:22,480
MC
1759 00:35:22,480 --> 00:35:22,820
with
1760 00:35:22,820 --> 00:35:23,400
splitting
1761 00:35:23,400 --> 00:35:23,920
the
1762 00:35:23,920 --> 00:35:24,600
power
1763 00:35:24,600 --> 00:35:25,000
command
1764 00:35:25,000 --> 00:35:26,100
classic
1765 00:35:26,100 --> 00:35:26,480
way
1766 00:35:26,480 --> 00:35:26,640
to
1767 00:35:26,640 --> 00:35:26,800
do
1768 00:35:26,800 --> 00:35:26,920
it
1769 00:35:26,920 --> 00:35:27,080
right
1770 00:35:27,080 --> 00:35:27,420
now
1771 00:35:27,420 --> 00:35:28,020
and
1772 00:35:28,020 --> 00:35:28,360
spear
1773 00:35:28,360 --> 00:35:28,680
fishing
1774 00:35:28,680 --> 00:35:29,980
will
1775 00:35:29,980 --> 00:35:30,340
always
1776 00:35:30,340 --> 00:35:30,660
stay
1777 00:35:30,660 --> 00:35:32,900
someone
1778 00:35:32,900 --> 00:35:33,220
will
1779 00:35:33,220 --> 00:35:33,380
get
1780 00:35:33,380 --> 00:35:33,800
foothold
1781 00:35:33,800 --> 00:35:34,500
somehow
1782 00:35:34,500 --> 00:35:35,060
you
1783 00:35:35,060 --> 00:35:35,280
have
1784 00:35:35,280 --> 00:35:35,380
to
1785 00:35:35,380 --> 00:35:35,720
expect
1786 00:35:35,720 --> 00:35:36,040
that
1787 00:35:36,040 --> 00:35:36,540
but
1788 00:35:36,540 --> 00:35:36,720
you
1789 00:35:36,720 --> 00:35:41,900
have to detect that, right, and how to constrict them from moving laterally.
1802 00:35:41,900 --> 00:35:47,960
I think that's a really good note to end this conversation,
1813 00:35:47,960 --> 00:35:53,620
because I think we can sit here and talk for hours, but the listeners might not be interested.
1831 00:35:53,620 --> 00:35:59,600
So Dani and Mo, thank you so much for taking the time to talk to us.
1847 00:35:59,600 --> 00:36:06,420
This has been a complete pleasure and honor, and thank you for having us.
1861 00:36:06,420 --> 00:36:09,280
Thank you. All right.
1865 00:36:09,280 --> 00:36:15,300
Cheers, cheers, cheers. Let's go.
1870 00:36:15,300 --> 00:36:18,980
That was longer than the rapt one.
1876 00:36:18,980 --> 00:36:21,700
No, no, no, no.