Mar 24, 2019
Log-MD story
SeaSec East meetup
Gabe (county Infosec guy)
New Slack Moderator (@cherokeeJB)
Shoutout to “Jerry G”
Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407
www.Workshopcon.com/events and that we're looking for BlueTeam trainers please
Any chance you can tag @workshopcon, SpecterOps and lanmaster53 when you post on Twitter and we'll retweet
Noid - @_noid_
noid23@gmail.com
Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3
Slides (PDF)
Security view was a bit myopic?
“What do we win by playing?”
Cultivating relationships (buy lunch, donuts, etc)
Writing reports
Communicating findings that resonate with developers and management
Often pentest reports are seen by various facets of folks
Many levels of competency (incompetent -> super dev/sec)
Communicating risk? Making bugs make sense to everyone…
The three types of power:
https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1 (yas!)
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Transcription (courtesy of otter.ai, and modified for readability by Bryan Brake)
Bryan Brake 0:13
Hello everybody this is Bryan from Brakeing Down Security this week
you're gonna hear part two of our interview with Noid, we did a lot
of interesting discussions with him and it went so well that we
needed the second week so for those of you here just catching this
now Part One was last week so you can just go back and download
that one. We're going to start leading in with the "one of us"
story because one of the one of the slides he talked about was how
you know he you know learned how to be one with his dev team and
one of the last topics we had was kind of personal to me I do a lot
of pentest writing for reports and stuff at my organization
"Leviathan" and and you know, we talked about you know What makes a
good report how to write reports for all kinds of people, whether
it be a manager that you're giving it to, from an engagement for a
customer, or, you know, the technical people who might be fixing
the bugs that an engagement person might find, or a pen tester
might find in this case. So, yeah, we're we're going to go ahead
and lead in with that. Before we go though, SpecterOps is looking
for people to go to their classes. They're teaching an Adversary
Tactics: Red Team Operations training course in Tysons Corner,
Virginia. It's currently $4,000 and it runs from April 23 to April
26 of this year, 2019. That doesn't include airfare and hotel,
so you're gonna have to find your way to Tysons Corner the Hyatt
Regency there's a link in the show notes of course to the to the
class if you'd like to go You'll learn things like designing and
deploying sophisticated resilient covert attack infrastructure,
gaining initial access footholds on systems using client side
attacks, and real world scenarios cutting edge lateral movement
methods to move through the enterprise and a bunch of other cool
things... so yeah if you're interested in and hooking that up you
can you there's still you still got more than a month to sign up
for it it looks like there might still be tickets so knock
yourselves out they're also looking for blue team people. "Mike P"
on our Slack channel, which will tell you about the end of the show
here on how to join if you'd like, he said
http://www.workshopcon.com/events they're looking for blue team
trainers... you can hang out with folks like you know, SpecterOps
and Tim Tomes (LanMaster53) as well there when you you know we can
you sign up for the blue team stuff and yeah
http://www.workshopcon.com/events and then you can you know learn
to be a blue team trainer or actually give blue team training if
you so choose. So that said it's pretty awesome. Alright, so
without further ado, we're going to get started with part two of
our interview with Noid here, hope you have a great week. And here
we go.
Okay. So I think we've gotten down to the "one of us" story. So we're at the point where our hero finally starts to get it and begins to bridge the gap. Some of the points are the lessons learned in this story, and you can tell us about the story. One was that language makes all the difference in the world. This is what got me on to the part about the reporting, which we'll talk about in a little while, but maybe you could fill us in on this discovery, the story that got you to these points.
Brian "Noid" Harden 3:37
Okay, so the team I'm working on I get asked the the thing in
question is it was a pretty massive product and it had never had
any threat modeling done,
Bryan Brake 3:50
okay.
Brian "Noid" Harden 3:51
So had never had any threat modeling done and this this particular
product was made up of tons of little sub products. So what I did
is I sat there first in a kind of a complete panic going, this is
overwhelming. I don't have nearly enough time or resources to be
able to do this. But you know how to eat the elephant, right? The
small pieces and get at it. So I had one dev lead, who I know, had
worked previously on a security product. And he was a nice guy. So
I sat down with them and basically said, "Hey, could you walk me
through visually diagramming how your service works, building that
data flow diagram, and then we're going to talk about it from a
security perspective". And he was sort of like, oh, that'd be fun.
Yeah, let's do that. And so we sat there and he diagrammed and the
whole time he's diagramming, he'd stop and erase things and go,
Wait, no, no, we were going to do it that way. But we didn't. And
then oh, and we stopped doing it this way, because we added this
other thing and we had to be able to break communication out number
channels and then he stopped at one point and was like, get a
picture of this was like I think this is probably the most accurate
diagram of our service we've ever had. And then when we started
doing the threat modeling side of it, like, you know, talking about
trust boundaries and you know, it's like all right, so what makes
sure that you know data from point A to point B and it's not filled
with that kind of thing? And I'm saying okay well, could you could
you you know, do this over HTTPS rather than just regular HTTP
Bryan Brake 5:29
right
Brian "Noid" Harden 5:31
you know, you get non-repudiation, you know, and it's like, not
talking about even the security value of it, but talking more about
the, you know, the integrity being there. And then at one point, he
stops and he looks at me and he says, Man, I never thought threat
modeling would generate so much feature work. And in my mind, I was
like, talking about feature work? Like, these are bugs you need to
fix. Now, all of a sudden, it was like, Oh, crap, I've been
approaching this entirely the wrong way my entire career. Devs look
at things from bug fixing and feature development. And as a security
person, every time I'd been bringing up stuff they needed to do, in
my mind it was implied it was feature development. But they saw this
as bug fixing, because in the "dev world" security fixes are bug
fixes. He saw the value here and went, Oh, this is going to generate
a ton of feature work. And it's like, oh, so I gotta stop calling
this security work. I've got to start calling this feature work. And
sure enough, once you start calling it feature work, you can start
talking about the drivers. Why are we building a feature? Because
you know, you don't build features nobody wants. Unless you're
certain software companies. But yeah, but you build.. you build
features that come out of customer requests, you know, you get
features that hey, you know, I look at things like say Microsoft
Office, how that's evolved over the years. And that's because
people who use Office come back and say, you know, this is really
cool. But I'd really like it if when I'm giving my PowerPoint
presentation, I had a timer on the screen. So I know I'm on mark,
you know, and Okay, that's a feature requests. And so that's how
these things evolve. And so once I started talking about security
work from the perspective of feature development you know, we have
existing features that need to be worked on to give them new
functionality in order to be able to pick up new customers and we
have new features that we need to build that will also help because
the other thing too I also noticed is that well... well I care
about things like confidentiality and integrity. Devs care about
things like availability and performance, right, these two these
two things can kind of be almost used interchangeably, depending on
the circumstance, so when, when devs are talking about stability,
I'm thinking about integrity. When I'm when I'm talking about
availability, they're, they're thinking about performance. And so
all of a sudden, I'm now giving them ideas for like new perf
counters, basically, like new metrics to check the health of the
thing that we're building. And the way I looked at it was almost...
Yeah, this is what this is the business driver for the, you know,
customer X wants it customer Y needs it, you know, and here's the
benefit, you know, the product gets out of it. Here's the benefit
that developers get out of it. And what does security get out of it?
Hey, don't worry about it. Purely, purely any value I derived from
this work is purely coincidental.
Brian Boettcher 8:57
*Chuckles*
Brian "Noid" Harden 9:00
And that, in turn, helps start driving the conversation a lot
better. Because the other value I got out of it, too is by having
somebody on the development side of the house who had a name and
had some, you know, reputation behind him, he was able to go to his
respective peers and say, Man, I did this thing with Noid and it
was really valuable. And we got a lot of cool stuff out of it. So
he's gonna hit you up about it. And I totally recommend doing
Bryan Brake 9:27
right
Brian "Noid" Harden 9:28
and at which point because because some of the folks I worked with
were either indifferent towards me, they were just busy. I did have
some folks that I work with, though, that were just flat out
adversarial towards me. They frankly they didn't want me doing what
I was doing. They didn't really want me parking and poking around
like the dark corners of the product. You know, because it was
going to make work, but having somebody on their side say, No, I
actually got value out of this. Okay, well, I'll give it a try.
Holy crap, I got value out of this, too. So that was that was where
I suddenly realized that my language... in my mind, I'm not saying
anything differently. But yet, it turns out that when it comes to
the words coming out of my mouth and how they were being received,
it radically changed how I was expressing myself to people. And it
totally changed the response I got.
Brian Boettcher 10:26
So maybe we need a new "CIA" triad that has the other words on it,
you know, the, the translated words for development and product
teams,
Brian "Noid" Harden 10:35
possibly!
Bryan Brake 10:36
performance... integrity is stability.
Brian "Noid" Harden 10:43
Yeah, stability. availability...
Bryan Brake 10:48
What's confidentiality then? what does the other bit that they talk
about or worry about?
Brian "Noid" Harden 10:52
I don't know, if only we had a dev lead on this call.
Brian Boettcher 10:55
*chuckles*
Bryan Brake 10:56
Yeah. Do you know one? *laughs*. So, so the lessons learned, you
said, language makes all the difference. You know the way you speak
is like, you know, if you're, if you only know English, like most
Americans and go over to France, speaking louder in English to
somebody who only speaks French is not going to help here to help
you so "look for the helpers" So let's say you don't, let's say
we're not lucky enough to have somebody like the person you found
in your organization is is it it's going to take a little bit
longer maybe to get them onto your side to you know, poke at him
like that or, you know, maybe grease the wheels with some donuts or
you know, maybe take them to lunch or something. Would that be
helpful at all?
Brian "Noid" Harden 11:35
Well, first off Yes, you'd be amazed at how much showing up with
donuts
Bryan Brake 11:48
Oh, I know
Brian "Noid" Harden 11:49
Oh yeah. No, actually actually it's funny too because I actually
just a couple of weeks ago and other team at my company came over
and gave my team donuts
They gave my team the IT team and the tech team donuts because of all the work we've been putting in form... as far as I'm concerned. Yeah, I'll march directly into hell for those people right now, because they gave me donuts...
Bryan Brake 11:56
niiiice.
they better be Top Pot donuts or something legit not like...
Brian "Noid" Harden 12:13
Oh, yeah, they were. They were Top Pot donuts. But yeah, so part of
its that something else, too is doing some of the work yourself.
So, in addition to all this work I'm doing I'm also managing the
development of security features. And I had gone over the product
spec for one of these security features. And I built a data flow
diagram. And then during one of my little weekly Scrum meetings
where I sit down with my devs. I showed it to them. and I remember
one of them to and he immediately stopped and was like, "What is
this?" He's like, "what is this doesn't make sense",
Bryan Brake 12:53
This is forbidden knowledge This is your thing.
Brian "Noid" Harden 12:56
Yeah, you wrote this. Okay, you wrote this, this is just a visual
representation of the thing that you wrote. And once I explained it
him, sort of the steps one through eleventy, you know, and showed
him what had happened. He was sort of like a "Oh, that's
interesting". Still somewhat dismissive of it, but it was still
kind of a file. So in addition to, you know, buttering people up
with donuts, and lunch and things like that, but also sometimes you
gotta just buckle down and do it yourself, and then show the value.
And I mean, I'll be blunt. That's how I've gone by through most of
my career is when I can't get traction. I'll go do it. And then pop
up and go. Hey, guys, check this thing out. Oh, wow. That's really
neat. How do you do that? Where did you do that? It's like oh, you
can do it too. Right now I can show you how I can work with you on
it. I'm certainly not going to tell you to RTFM and walk out of the
room. So part of it is it also shows a little bit of commitment on
your part, sort of one of the things I've picked up that security,
not even in the equation here. But just having worked in a lot of
software development organizations with the devs and the PMs is the
devs frequently see the PM as not doing anything of value except
for when you are. So when you are willing to put that kind of
effort into deliver something like that, like, Hey, I thought
modeled our service, it sort of shows this, "oh, I take it back. All
those things I said about you know, you're not worthless after
all." So there's definitely some value there too, because a lot of
times too people are willing to say because it's easy to stand back
and issue edicts, it's easy to stand back and just, you know, get
up on your soapbox and tell everybody else what to do. But when
you're when you show you're willing to eat your own dog food. That
really gets people's attention because it's like, "Okay, this dude
clearly cares about this a lot" And now that he's done it, I see
what he's talking about. Yeah. You know, like we should do that
there's value here.
Bryan Brake 15:11
So very cool. Yeah. So when you on the last slide here, when you
wrapped it all up, you said engage early and often... Does it have
to be so when we're talking about communication, open
communication, trying to, you know, some of its, you know,
cultivating relationships. So, you kind of need to, you know, if
you're introverted, you kind of need to step out of your shell a
little bit and go and talk to people, get out of your cubes for
once a while. Turn on the lights, that kind of thing. How often did
you talk with these teams to help build this relationship after a
while, because obviously there had to be some team building
there?
Brian "Noid" Harden 15:48
Yeah, so in my case, since I was in the team, we talked weekly,
okay, weekly, and sometimes daily because they were literally down
the hall from me, right, but in terms of where I've had to work in
other organizations Where I've been in back in a centralized
organization and having to work with remote teams or work with
teams that I'm telling them to do things but I'm not in their
org... like a weekly basis okay like we're going to meet up this
week because, like, for example, back when I was at
Microsoft I worked in the MSRC before I left yeah and I was
handling me and another guy we're handling all the (Internet
Explorer)IE cases. Okay. That was a lot of cases because there's a
lot of versions, right. So we would go meet with those cats once a
week. And we would sit down with them and say, Okay, here's here's
the queue. Here's what's new from last time. You know, here's sort
of what we think is the priority for fixing things you know, what
do you think about it, but it's it's that you always want them to
know who you are, and you want them to know that you're just as
busy as they are, and that you end that you're also respectful of
their time, right? You know, so we'd make the meeting short...
personal pet peeve of mine are people that set meetings
deliberately long with the expectation of all just go ahead and
give everybody 30 minutes. I'll give everybody 30 minutes back,
right? Like, well thanks jerk. Like how about you could have just
made a 30 minute meeting in the first place? You know it just tells
that that that tells me you're not that doesn't tell me you're a
magnanimous person that tells me you can't manage your time, you
know. So I try to be really concise. Like, I'm going to set up a
meeting with these devs. I'm going to include them agenda in the
meeting invite. I'm going to set it for exactly how long I think
it's like we're going to 30 minute meeting, you know, 30 minute
meeting to go over the bugs that are in the queue. There's four new
ones from last week one of them's really nasty, you know, that
probably is probably going to be a non negotiable.. You know, but
the other three are up for negotiation and you show up you sit down
with them you know some pleasantries and then you just, you get to
work and then you get them back out doing their thing and you get
back to your thing. And that really flows well... It really flows
well because, you know, none of us like meetings. And the closer
you are to touching computers, the more meetings disrupt your flow
the more they just disrupt your life and the thing that you're
effectively getting usually paid a lot of money for. And so by kind
of doing it that way, you keep that cadence up to keep that that
sort of friendship and that that rapport up but the other thing too
is a another point I wanted to make, but I'm getting tired... but
yeah, but along those lines too, yeah, you get that rapport there.
You're respectful of their time and then you... I can't remember
what I was going to say next.
Bryan Brake 19:20
So the last bit was, let's see, don't talk about security, talk
about feature development. We talked about that threat modeling
your developers, you and Dr. Cowan, my, my car pool buddy, you and
Crispin need to you know get get together and talk about the the
threat modeling he's doing... he doesn't do trust boundaries so
much, one of the talk he gave at SeaSec East was about how we do
threat modeling in our organization but a lot of companies are
starting to see value in that before we do engagements because we
can prioritize what's the more important thing to test versus just
testing all the things in the environment
Brian "Noid" Harden 19:42
Threat modeling and software development is huge too, like that was
one of the one of the things I think a lot of my developers I've
done this with over the years have taken away from it is one you
have to make it fun... You can't make a complete slog. But one of
the nice things about threat modeling, is when you're visually
looking at the thing you're going to build, that's when you make
the realization that like, Oh, hey, my post office has no door...
You know, and it's like the best time to figure that out. Then you
always like, I always tell people that. Yeah, the best time to fix
a bug is in alpha, before you write anything... And the next best
time to fix it is before it goes into production. And the worst
possible time to fix a bug is after it's been in prod for 10 years,
and it's a it's a load bearing bug at this point. It has
dependencies on it
Bryan Brake 20:30
you know what, it's funny you mentioned that I've been seeing some
like Linux kernel bugs they said there was one in there for like 15
years old that affected all of like 2.6.x up to the latest
version. It was a use after free bug, you know that I don't know if
they found the bug 15 years ago and just never fixed it but yeah,
bugs like that sit in there because people don't don't check for
that kind of stuff...
Brian "Noid" Harden 20:51
that happens sometimes those the well I mean, God remember that.
Remember the whole SYN flood thing in the 90s? Yeah, I mean it was
it was it was in the RFC... One of those like, like, Oh, we found
the bug. It's like what? You read the RFC. And just finally
understood it. You know, so it's, it's that stuff. And there was an
SSH bug that popped up recently. Yep. It was the same thing. It
wasn't a terribly nasty critical bug. But it was, in a piece of
code that had been in SSH for ever.
Bryan Brake 21:26
Yeah. I seem to remember that one, too. Yeah. I'll have to find a
link to that one. So I know you're getting tired. I have one other
topic I'd like to discuss because I do a lot of report writing.
Well, I I probably should do a lot of report writing but at
Leviathan we you know we're the PM grease the wheels we you know,
work with a relationship with the the status meetings, we do the
executive summary and such and I could be better writing reports
some of our testers are way better at it than I am... You know,
taking the taking the whole idea of the language and where where
things go with this, when we, when we put findings out, we don't
call them bugs, we call them findings, not necessarily
bugs. But what I'm trying to figure out is how we can better
communicate our reporting, when we're doing things like readouts,
to you know, kind of resonate with both developers and management
because the idea is the executive summary is supposed to be for the
"managers" or senior folk and then we have like, you know,
components that drill down and talk about specifics and be more
technical, but, you know, often we find ourselves and I find myself
because I come from a more technical background writing more
technical to the executives and my question was, Is there ways of
communicating risk to both the developers and the managers in the,
you know, using using somewhat the same language? Or should we call
the bug not bugs or not findings. We call them, you know, hey,
here's a feature you guys should implement, which would be, you
know, HTTP or, you know, you must have seen a few pen test reports
in your time. And I mean, what is what is your opinion of pen test
reports?
Brian "Noid" Harden 23:13
So, my opinion of most pen test reports is that they're garbage...
Well, they're usually written to, they're usually written to one
extreme or the other. So unfortunately, I have yet to find any
really good language that appeases everybody.
Brian Boettcher 23:30
So what's the one extreme or the other?
Brian "Noid" Harden 23:32
What are the two extremes? They're either hyper-technical, the sort
of stuff that like any of the three of us would probably look at
and go, Okay, I get it, right. I understand the value here. Or they're
so high level that if I'm a business person, I might be sitting
there going, Hey, okay, you know, you've reached out, you've
touched my heart. I understand that this this is a critical like
this is a big issue we need to get fixed. But there's not enough
meat there that if I took that report and handed it off to my dev
lead and said, go fix this. The dev lead is going to sit there and
go...
Brian Boettcher 24:09
Are you kidding me?
Brian "Noid" Harden 24:10
Yeah. Like, I don't know what to fix, according to this report says
bad things can happen on the network. Are you telling me to go
prevent bad things from happening on the network? So that's the
thing. I find that Yeah, they either overwhelm you with details or
there's not enough substance to them. Okay, so every once in a
while, you get a really good one though, you get a you get a you
get a really good one. If I could look at just a shout out to
CoalFire actually, like their reports.
Unknown 24:39
I mean, okay, So, What is a happy medium type report for you? One
that would satisfy the manager folks but also get with, you know,
be technical enough. What kind of things would you like to see in
reports that you get from them and feel free to you know, talk
about the Coalfire thing I guess
Brian "Noid" Harden 25:02
*Chuckles*
Bryan Brake 25:06
*Chuckles* We're always trying to improve our reports that
Leviathan we've gone through and done things like test evaluations
and you know things like that and no it's fine you know they're
they're cool with me doing my podcast on the side so but if you had
when you get reports... the good ones... What do they look like
well I mean what what kind of things that you're looking for and
and and in a pen a proper pentest report?
Brian "Noid" Harden 25:30
Well for me being a technical person one of the things... the
biggest thing I'm looking for in a report repro steps, right? If
you haven't given me clear repro steps, then you have given me a
useless report and that's the thing I've seen reports were
basically it's... you know, hey man, we all we popped your domain
controller you know, we did this we did that. Look at all freaking
awesome we are... And you're like, Okay, I didn't hire you guys to
be a circus sideshow. I hired you guys to show me where my risk is,
and so I can focus my I know where to focus my efforts. And so
those types of so those types of like, "look at how badass I am"
reports don't do anything for me... what I do like there were
reports that say hey you know we found a cross site scripting
vulnerability on this particular product in this particular area.
And here is not only screenshots of the cross site scripting
vulnerability happening, but here's the repro steps because what's
going to happen is, for example, you know, I see something like
that and I go, Well, we got to fix that. I'm going to go to my
developers. And the first thing my developers are going to ask me
is, can you repro it? Can I read through it because one of the
things they're going to do is after they fix it, they're going to
validate the fix if they don't know how it was exploited in the
first place. They're not going to know how to validate the fix. So
being able to provide that information... down is is huge for me.
Um, but then again, I'm also not, you know the business guy, I'm
not the big money guy, I'm I want my report to be technical right
so would the executives of my company get the same value out of the
report? Probably not... you know when you're talking to the much
higher level non technical people what you need to be doing is you
need to be making sure you're talking in terms of risk. Sure, you
know, you're talking in terms of risk and you're talking in terms
of a not technical risk... You know, at the end of the day, the CEO
of the company doesn't give a damn that SMBv1 is still on the
network, right? They might not even know what that is, right? odds
are I'm gonna I'm gonna go out and say they probably don't know
what that is. Um, and even in that doesn't mean explain to them
what it is because they're not going to care so first. We're going
to go from not knowing what it is to not caring what it is. But if
you express things in terms of risk of that, you know, the current
network architecture, as it stands is very fragile and could be
easily brought down, you know, through almost potentially
accidental behavior, let alone. malicious behavior. You know,
resulting in outages and SLA violations right now, you got their
attention, because what they hear there is also if I don't fix
this, it might cost me money.
Brian Boettcher 28:36
profit loss.
Brian "Noid" Harden 28:37
Yeah, and that's the thing. It's the, you know, depending on where
they're at, in the org structure, you know, I've been in I've been
in plenty of organizations before where downtime... downtime is
bad... downtime is just, I mean, downtime is never good. But I
mean, I've been in organizations where it's like, okay, so I just
got promoted to like, super uber director guy. 48 hours into the
gig. You know, we had like, a two hour outage,... I'm done.
Bryan Brake 29:08
Busted that SLA, big money...
Brian "Noid" Harden 29:10
even though even though I had nothing to do with it, I'm the
accountable one. So, yeah, you have, you know, you need to be able
to express things in terms that translate to, you know,
finding out like, like one of the things I back when I used to be a
consultant, one of the things I always ask the executive types I'd
meet on jobs is what keeps you up at night. You know, what keeps
you up at night? Like what you know, don't don't worry about what
I'm concerned about, what are you concerned about? Because they
might be the same thing. I'm just going to talk to you about it
using again, using the words that you care for and understand
because I see a lot of technical people try to describe risk to non
technical people and they do it by being highly technical and when
it's not being understood. They fall back to being even more they
take the approach of being in France... not speaking French. So I'm
going to speak slower and louder, right? And, and at the end of the
day, they're just going to keep shaking their heads going, Man,
this guy really wants to express something to me.
Bryan Brake 30:18
Yeah, something must be really important...
Brian "Noid" Harden 30:20
...so agitated by it. I don't know what it is...
Bryan Brake 30:23
Great, now it's blue monkey poo. I don't know what's going on.
Brian "Noid" Harden 30:26
Yeah, so that's it. So yeah, when you're talking to leadership,
express things in terms of contract violations, SLA violations,
financial impact, right? You know, like, one of the things I liked
when PCI came out: they had these ridiculous "up to $10,000 per bit
of PII that gets disclosed," and then you explain to a room full of
high-level people that if blank were to happen, 40,000 bits of PII
would be exposed, you know, "and I'm not so good at math, but my
calculator here tells me at $10,000 a pop..." and you watch people
in the room go real quiet...
Bryan Brake 31:10
Oh yeah, no. Now, you know, the thing is, you just haven't seen a
Leviathan one yet, so, you know, if you want to reach out to us,
we'll do a pentest for you. We don't mind coming out and hanging
out, doing pentests for you, so...
Brian "Noid" Harden 31:24
Frank's a good friend, solid solid human being
Bryan Brake 31:26
No, I mean, we'll take your money and we'll give you a good
drubbing. You will not get up and down, left and right. We'll make
it hurt. So anyway, actually, yeah, we might need to talk about that
a little bit later. I would not hate on that. I get money when
people come in; it's new business. So yeah, I wouldn't hate on that
at all.
Brian Boettcher 31:47
I like, in your last phrase or last sentence in your presentation:
"If you can, avoid even using the word security." I think that's a
good summary of what we talked about.
Bryan Brake 32:00
Yeah, that got me too. I was like, wow, okay. So it's like the
buzzword you're not supposed to say, or, you know, like, you get a
shock...
Brian "Noid" Harden 32:08
Treat it like a game. Yeah, you've got to treat it like a game. But
you'd be amazed, it works...
Bryan Brake 32:16
...a hundred percent of the time. It works every time?
Brian "Noid" Harden 32:18
Yeah, a hundred percent of the time, it works every time. But, you
know, it definitely works, because there are people, too... because
there's conditioning, right. The history between security people
and software developers is deep, and it goes back...
Bryan Brake 32:33
It's contentious.
Brian "Noid" Harden 32:34
It's contentious at times. And, you know, obviously, you try to be
a good human being, trying to better the world around you. You
know, whenever you go somewhere, try to leave it in a better
condition than you found it. But also understand that the person
who may have been there before you may have just straight up f'd
the place up.
Brian Boettcher 32:58
Scorched earth.
Brian "Noid" Harden 32:59
Yep, yeah. And sometimes, I mean, I've rolled into organizations
before where it's like, why are these people so mad at me? I just
got here... And it's like, oh, because the guy you replaced just got
off. And it sucks, because it's not fair that you have to rebuild
those damaged relationships, because you didn't damage them. But
life ain't fair.
Bryan Brake 33:22
Yep. Well, you know what, the whole DevOps and those things, that
was, you know, the Elysian Fields for developers, like, "Oh, I can
go do anything and enjoy everything," and then it's like, we're the
"no" department, we're the ones who are going to put manacles on
them. So, you know, security folks have got to learn to be
flexible; compliance folks can't wield their hammer anymore like
they should, if they want to, you know, play with the developers and
the DevOps and the management folks. We talked about this with Liz
Rice a couple weeks ago, about getting security into the DevOps
area, and it's like, one, we've got to learn to be flexible, we've
got to help them understand that. Now, yeah, the bug/feature stuff,
if I'd heard this when we were talking to her, I'm almost certain
she would agree with us on the fact that, you know, we can't treat
security like security; we have to treat it as a feature
enhancement in this case.
Brian "Noid" Harden 34:16
It is a feature, you know, it is a feature. It increases the
stability of the product, it can increase the customer base of the
product, right? It has all the same things to it that any other
feature would. But yeah, as far as the security-being-the-"no"-
department thing, something else is, like, I still run into
security people that look at themselves as the "no" department,
that kind of pride themselves on it. Yeah, and when you find those
people, just call them out. I mean, just tell them, like, "Look,
man, that doesn't work. It's never worked. Stop it now." Because
when you're viewed as the "no" department, no one will ever want to
work with you. Why would you want to?
Bryan Brake 34:57
Yep... you're a non-starter.
Brian "Noid" Harden 34:59
Yeah, because that was a bit of career advice I got at one point,
which was basically: be solutions focused. You know, nobody wants
to... basically, you're not going to go anywhere if you're the
person who's calling out the problem. And you might be calling out
the problem more articulately than anybody else in the room, you
might have a better understanding of the scope of the problem, the
depth of the problem, but there is a whole class of manager out
there that will just be like, "Man, that Noid guy, nothing but
problems." Whereas if you instead, you know, kind of focus on...
not really the problem, but rather you focus on the solution. "Be
solutions oriented," to sound like a business guy for a second. And
it's like, yeah, you'd be that solutions-oriented person, and
especially if you can do it with a sort of positive spin. Like, I
had a boss at one point; I would stop in his office pissed off every
once in a while, and I'd just be like, "This is screwed up and
that's screwed up and blah, blah, blah." And he'd stop and go,
"Leave my office now, and come back in and restate everything you
just said, but in a positive way." I don't even know how... I would
then go sit in the hallway for a few minutes, then I would come back
and I'd be like, "Okay, we have an opportunity here." And I tell
you, I hated him for it. But damn if it didn't work.
Bryan Brake 36:32
Oh god. Yeah, that would make complete sense. Yeah, coming in with
a positive instead of a negative.
Brian "Noid" Harden 36:40
So that's the thing. It's like, yeah, even when your negativity is
spot on and accurate, there's a lot of people that are like, "Ugh,
that person is always negative." And then, sure enough, yeah, you
start focusing on, like, "Oh, you're the positive,
solutions-oriented guy." Even while you're telling them that
basically we're all going to Hell, but I'm doing it in a positive,
solutions-oriented manner, and you'd be amazed how much traction I
get.
Bryan Brake 37:06
Mr. Boettcher, do you have any other thoughts or questions? I want
to let Mr. Noid go, 'cause he's getting a little ty-ty, he's a bit
sleepy and he needs to go to bed...
Brian Boettcher 37:15
There's a lot of great tidbits in here. I'm gonna have to listen to
it again and get all of them. And again, there's a lot of Manager
Tools references here, and Manager Tools, if you're not a manager,
that's okay. It's not for managers; all that stuff they talk about
is really valuable to all employees.
Brian "Noid" Harden 37:39
What's it called, the Manager Tools podcast?
Bryan Brake 37:42
Yep. It's been going on for 12 years.
Brian Boettcher 37:45
Since 2006.
Bryan Brake 37:46
Yeah, something like that. It's very big. We put a link to the
"Three Types of Power and One to Rule Them All" in the show notes as
well. So yeah, go listen to that. I listen to that; it's one of my
regular non-infosec podcasts that I listen to. I listen to it every
Monday morning when I'm on the treadmill at the gym. So yeah,
really, really excellent stuff. If you're out there and... yeah, I
mean, it'll help you kind of understand, but if you're out there
and you're not a manager yet, it might help you understand where
your manager's coming from, too.
All right. Mr. Noid, how would people get a hold of you if they
wanted to maybe have you for more podcast appearances or, you know,
speaking engagements or whatever? Are you going to be speaking
anywhere soon?
Brian "Noid" Harden 38:39
Am I? I don't know. No, I don't think I am. Right, sorry. "Are you
going anywhere?" So, the question? I am, there you go. I am
speaking soon. Yeah, I'm speaking at the NCC Group Open Forum. Oh,
that's right. That's next weekend. I don't think it's actually been
announced yet. Okay. I mean, it's cool for me to talk about it. But
yes, it's...
Bryan Brake 39:02
The 12th (of March)?
Yeah, it is the 12th, in Fremont, so if you're outside of the
Seattle area you're going to be SOL...
Yeah, they don't record that.
Brian "Noid" Harden 39:15
But I'm going to be giving basically the abbreviated version of my
BSides talk. They had an empty slot they needed to fill up, and they
basically said, "Could you do it?" I said sure, and then they said
it's 30 minutes long, and I'm like, well, my talk's an hour, but
we'll make it work... I think they're at Tableau up in Fremont...
Bryan Brake 39:37
Yeah, I'm on that list, and I know Miss Crowell over there, who's
one of the senior managers at NCC; she's a great lady... She's
actually not running it; she used to run it and gave it to somebody
else, but she still helps out when she can. But yeah, really,
really great quarterly open forum that NCC Group puts on. Plus they
put out a nice spread for dinner, certainly good.
Brian "Noid" Harden 40:00
I haven't been to one in a while, but they're usually a lot of fun.
The last one of those I went to was a TLS 1.3 one.
Bryan Brake 40:09
I was at that one too.
Brian "Noid" Harden 40:10
That worked out great, because literally the following weekend I
spoke at DC 206 about TLS 1.2, right? And ended up getting Joe to
come along and speak about TLS 1.3 in a much more authoritative
manner than I could have. It's badass.
Bryan Brake 40:24
Yeah, Joe. Joe was on the steering committee for that.
Brian "Noid" Harden 40:28
Yep. Yeah, I think. But yeah, that was also nice; he kept me honest
while I was giving my talk. I'd periodically just look at him and
he'd kind of nod: I'm not going into the weeds yet. But yeah, as far
as getting a hold of me goes, the best way to do it is I'm on
Twitter @_noid_ or you can email me at noid23@gmail.com
Bryan Brake 40:52
Yeah, so if you're in the Seattle area, the downtown Seattle area
or Fremont area, that's a really nice place. I think parking was at
a premium the last time we were there.
Brian "Noid" Harden 40:52
It's Fremont, parking is always at a premium
Bryan Brake 40:52
They're dodging bikes or whatever, like motorized bicycles or
whatever, so you know...
Brian Boettcher 40:52
Scooters now.
Bryan Brake 40:52
Yeah, I mean, the Fremont area, they're really weird about their
bicycle laws and stuff up there, so...
Brian "Noid" Harden 41:07
...and zoned parking, so watch where you park, too.
Bryan Brake 41:32
I'm going to get Miss Berlin, because, you know, she's got a lot
going on; she's heading up the mental health hackers group. You can
find her... was it hacker... god, I hate this, um... she's
@infosystir on Twitter. Hackers Mental Health is her nonprofit.
She's running that, and you can find that @hackershealth on
Twitter. She will come to your convention or conference and do a
village. And, you know, it's a nice, chill area you can go to, if
you're interested in doing that.
Brian "Noid" Harden 42:12
She is truly doing the Lord's work, too.
Bryan Brake 42:14
Yes, she is. And we're very proud of her for all that she's doing.
So yeah, her and Megan Roddy, who's also one of our Slack
moderators... So, speaking of our Slack, we have a very active
Slack community. Like I said, we have "JB," who was promoted to
moderator, because it's been far too long; he's been doing the
European and Asia book club and he should have been a moderator for
a while, so we did that today, gave him access to our secret
moderator channel and such. But yeah, we have a social contract;
you can join us by emailing bds.podcast@gmail.com or hitting our
Twitter, which is the podcast Twitter, @brakesec, and you can
follow me on Twitter, @bryanbrake. Mr. Boettcher, you've got a lot
going on too, sir. How would people find you if they wanted to talk
about the Log-MD stuff?
Brian Boettcher 43:10
Yeah, you just go to log-MD.com... Don't forget the dash, right,
otherwise you'll... you'll get some... well, never mind...
Bryan Brake 43:20
Is it like WhiteHouse.com? *laughs* That's an old joke, kids!
Brian Boettcher 43:26
I'd like to say, though, if you do go buy your developers donuts or
whatever, don't eat any between the pickup and drop-off, right,
because then you'll show up with four donuts and they'll be like,
"Oh, thanks, great, there's 10 of us and you bring us four donuts."
Bryan Brake 43:41
[imitating Forrest Gump] "I had some, sorry." Don't do that. Yeah,
yeah, buy 13 donuts and then eat one for yourself, and then say you
got a dozen. So yeah, so you're making an appearance; you're going
to be at BSides Austin at the end of the month, along with Ms.
Berlin, who's going to be at that one as well, I think?
Brian Boettcher 44:00
I am... Megan's going to be there, I'm not sure. Very cool, it's her
home base, so we'll see. Nice. Yeah, and the classes are cheap. I
don't know if they're sold out yet, but it's like $100 bucks.
Bryan Brake 44:13
Okay, awesome. Cool. Before we go, we have a store. If you want to
go buy a T-shirt with the Brakeing Down Security logo, you know,
you can definitely go do that, or get one with Miss Berlin's face on
it, which is very weird, but it's still very cool. I'm going to
probably buy a pink one here in the next few weeks. And thank you to
our patrons, people who help support the podcast; donating some
money helps pay for hosting, pays for the time that we're doing
this. Also, we're looking into adding some possible transcription
services. We've gotten a couple emails from people who are saying
they want to get transcriptions of us saying "uh, um, ah" a lot. So
actually, it was a gentleman by the name of Willie, I think, who
said he had hearing difficulties, so he wanted to know if we had a
transcription of the podcast, and I feel really bad because I'm
like, I don't know how to reply to him and say, you know, we're
just a little mom-and-pop shop here. So we're looking at
transcription services, maybe something like Mechanical Turk, or
there was one called otter.ai that we're looking at, to maybe kind
of make it better for people to hear these things.
Brian "Noid" Harden 45:26
I actually suffer from degenerative hearing loss. I'm slowly going
deaf myself.
Bryan Brake 45:31
I've got tinnitus from the Navy.
Brian "Noid" Harden 45:32
Same here. It's permanent and ongoing. And just, yeah, it's like, I
feel for him. Yep. And hopefully transcriptions will be a thing at
some point. Yeah, God, I hope so. Yeah, I mean, other than the "uhs"
and "ums" about 800 times during the podcast, I apologize for that.
But yeah, so we're trying to look into that; if we can make it work,
we will do our utmost to make the podcast as available as possible
to everybody. So it may end up that we have to hire somebody who'll
do it for us. So that may be another thing, which means we'll need
more Patreon money, you know, that kind of thing. So if you're
interested in getting full transcripts, we may make that possible
if we can get another maybe 20 to 30 people at 20-30 bucks a month.
But we do appreciate the tips; we call them tips because you're
helping to support the podcast and helping us get this out. And
yeah, so for Miss Berlin, who's not here, sadly, and she's going to
be kicking herself because this was a really awesome podcast, and
Mr. Boettcher: this is Brakeing Down Security from our world
headquarters here in Seattle. Have a great week. Be nice to one
another. Please take care of yourselves, because you're the only you
you have, and we'll talk again soon.
Brian Boettcher 46:45
Bye-bye.
Brian "Noid" Harden 46:46
Bye, Internet people.
Transcribed by https://otter.ai