
Scott. Went for the full-size presenter this year. Yeah, we've gone bigger, we've gone better. There's been a tragic accident. If I can just introduce my friend Dave, who is here, because... What's happened? Well, Scott was going down the escalator and unfortunately slipped straight underneath the bottom of it and... There's a rescue team and a football team involved. And Elon Musk has tweeted something about it as well. But we hope to get him out at some point. We might go live to the scene later on. We'll see how that works out. Awesome. Some housekeeping. Some housekeeping. So those of you in the building, there are no fire alarms planned for today. So anything that you hear
that's a fire alarm is probably our fault. Yes. Ben. Ben. So should the fire alarm go off, out the front of the building, the muster point is there. People in jackets with luminous stuff on will shout at you. If anyone needs to use the facilities, there are toilets upstairs and down, out the door, round to the side, so you can use the loo. Coffee, that's important. Coffee is very important. Coffee is important. The cafe today is open till 3pm. So it'll be available during breaks and lunchtime. The whole of the schedule is up on the website currently. It's mostly accurate? Yes. Let's say yes. Yes. Yes. Directionally accurate as to what's going on with the schedule.
We've got an amazing, amazing set of talks today and activities going. Other things you need to know where are the speakers gonna be they're gonna be in here and where else? And in the room up above the foyer so if you go up the stairs and then towards the top right as we're kind of looking at it and that will be track two today. We've also got our wonderful sponsors and we'll do a full rundown of sponsors shortly but if you are a sponsor of the event thank you so much. Quorum Cyber, we need to call out as our lead sponsor. Yep, lovely people. We love QC. Thank you for all your help and assistance
and support over the years. Exabeam, there's a whole load more of them. I will go through the list multiple times today. But thank you very much to our sponsors. What else? There's workshops. There is. There is a village. There is a village. Which is round to the right. Over there. Where you came in the front door, hang a right. Village will be in there. Tomorrow there will be BattleBots. Assuming Ben's built the BattleBots. Yeah, there'll be BattleBots. He has arrived, so I'm going to presume BattleBots are working. That's quite early compared to the first year. But there we are. Today, very important, tinfoil hat competition. So this will be for the folks who are on virtual. We'll find a way to get
you in. Folks, hang on a sec. Come on, Ben. Up you come. Ben, everyone. Yay. Say hello. You're here. Yes. Mostly on time. It wouldn't be a big size Newcastle if it was on time. Right. Have you brought everything? Yes. Yes. Yeah. Good. Do you want to go and get dressed? Go and get dressed. Go on. Go away. Ben, everyone. Yay. Hey, Ben. He worked ages on that speech. All right, anything else of note we should tell people? We've done coffee. Yeah. What are we doing tonight? We're doing tonight, two things tonight. We have two choices. Well, you've got to do what you like. Or Newcastle is indeed your oyster if you're here. Or if you're at home, I mean, make your
own choices. Really. Come here. Don't. Yep. Yes. So if you need anything, reach out to anybody in a red shirt. Just double-check it. Yes, nobody's worn a red shirt. If anyone in the audience does want to help do a bit of last-minute volunteering, you'll win a cowbell and one of these cheap but attractive red shirts. Speakers, if you haven't had your speaker stuff yet, go back out there later. But coming up now, we've got an absolute treat, although we're a little early. He is already waiting in the wings, I feel. Morgan, look at me. Actually, shout-out to Morgan in the booth. Morgan's keeping things running in the booth. Raj is in the wings already, isn't he? So we can maybe start him a little
early if he's feeling brave. Do you want to check with him? Those of you on the stream, track two streaming will be running about half an hour behind today, which is something to do with Sunderland, and we'll just leave it there. It's a true story. Contentious, but true. Yes, it's true, isn't it? It is true. It was Sunderland's fault. Have we got anything else? I don't think so. I'm in for a fun packed day. I'm excited. Is anybody here for their... First B-sides or con. Wow, that is impressive. Now, you were supposed to come in fancy dress in your first one, but we'll let it slide this time. It's good that you're dressed. You dressed fancy, that's good. But yeah, the two days are
yours. Have as much fun as you can. If there is somebody wondering about that you don't know who they are, introduce yourself and say hello, because that's how you'll get the most out of this thing. The speakers will be fantastic, there will be hijinks and disasters and beach balls. There's no Nerf this year. There is a complaints desk. There is a complaints desk. I'm not sure anyone's brave enough to actually go up to the complaints desk. We can't show the complaints desk person on the stream because she's seven years old and maybe my child. [Laughter] But yes, but no, make the most of it. Get to know people around you. Everybody here is super friendly, apart from him. But no, have fun,
mill about, drink tea, drink coffee, have lots of fun and make sure that you get to know at least five new people today. And ten tomorrow. And those of you who forgot your fancy dress today. Yeah, tomorrow. Tomorrow's fine. Or tinfoil competition later on. Oh, we could go beyond hats. Yeah, well, yeah. I think we kind of... I don't like where my brain's going on this. No, because I'm just sitting there. No, I'm sitting there going, no. Stop it, Sam. Yeah, yeah. Stop it, Sam. I've noticed we've got this brilliant thing down the back of the stage here for falling off as well. Yeah, your child nearly fell down there about three times yesterday. Brilliant. Okay, does anyone know first aid? It's fine.
Walk it off. All right, all right, just a scratch. Morgan in the booth. Is Raj ready to go? Can we beam him in? Let's beam in Raj. Hopefully he can hear me. Good morning, Newcastle. Hey. Hey, up. There he is. All right. Do you want to get rid of the chat? Because we can see that on the screen. I can't believe you said that about the audience. So, for those of you who don't know Raj Samani, Raj is a really good friend of mine. I had the pleasure of working with him at McAfee. He's now over at Rapid7. Absolutely fantastic guy. Wrote the book on a lot of cybersecurity things, which I'm sure he will mention at the end. And I feel he may have
a book or two to give away. Hint, hint. So Raj is our opening keynote today. If we can have a big, big, big B-Sides Newcastle welcome for Raj Samani. Over to you, my friend. Thank you so much. Hopefully you can all see the screen. So I'm just going to get started. Sam, I can't see you in Newcastle. So if there's a problem, please just let me know and I'll kind of reboot the computer or the router or something. So today what I want to talk about, well, for those of you that might be fans of Lily Allen may recognize the title of the talk, Everyone's at it, so why aren't we? What I want to do is actually talk about the prickly subject of attribution. Because if
I was to ask you, or rather, if you were to tell people what you do as a living, they'll turn around and say, well, the hackers are all coming from this country, aren't they? And if I was to do a poll to the audience and say, where do you think most of the attacks are coming from? Chances are, you'd probably mention Russia, you'd probably mention China, you'd probably mention North Korea. Basically, you'd start to list the countries that have red flags. No pun intended. But the reality is, is if we start to think about what's actually happening out there in the world today, literally everyone is at it. And a really good case study for
that was actually demonstrated by Citizen Lab a couple of years back. Now, we're really lucky because the work that was being done by Citizen Lab really showcased the offensive cyber operations being done by countries that you wouldn't automatically assume are carrying out such acts. And I'm going to show you some of their reports. And of course, this is taken from the FinFisher and the Hacking Team breaches, because remarkably, when these organizations were breached, the criminals, because that's effectively what they were, effectively disclosed all of the information about the customers that these organizations had. And these organizations were certainly providing tools that could be used for surveillance purposes or other nefarious purposes. But the countries that we have listed aren't the countries that
you automatically would assume are the ones that effectively don't have red flags. I mean, you know, actually I don't know what the flag from Mongolia is, but you wouldn't have classed them as in the same category as, say, for example, some of the other nations that we think about. And that's the reality of the world that we live in today. And by the way, this is from 2015 and 2014. So the likelihood is that we've seen, or certainly we anticipate, the use of digital or cyber, effectively, we would call it. But we've seen an increase in the use of that compared to physical warfare. There was an amazing report done by the Department of Defense
on North Korea, I think it was like the early 2010s, 2012. And they basically made the assertion that they were witnessing and seeing the growth and rise in digital means for warfare because it provides the government the opportunity to be able to have non-repudiation. In other words, like in the words of Bart Simpson, you can kind of shrug your shoulders and say it wasn't me. And in the digital realm, that's the reality that we live in because actually doing true attribution is, and certainly only through technical means, is actually almost impossible. Now, that doesn't mean that we can't sit and actually make really good, highly confident assertions about who we believe to be behind these
attacks. But that's not quite what's happening today. And of course, we have to acknowledge the fact that there are literally so many nefarious threat actors out there, and many of whom are kind of intermingling. So there's this kind of economy that's occurring today in which very technically capable individuals are effectively guns for hire. And those guns for hire are switching between, you know, APT groups or switching between criminal or organized criminal groups, really with a purpose of them getting paid, but ultimately serving the purpose of their paymasters. And this was kind of recognized actually throughout industry for some time now, where, and this is actually from Cybereason, the nation states are now using private companies to carry out operations. And of course,
these groups do have an incredible level of sophistication. I was on the, well, I am on the board for the European Cybercrime Center, EC3, and the head of EC3, Charles Orting, back in actually a few years ago now, actually made the assumption or made the assertion that there are organized criminal gangs today that have a higher level of capability and sophistication than most nation states. And that's the reality that we live in is that Those slides, and some of you may have seen slides today where you kind of see the category of hacker. I hate the word hacker, but they say category of hacker. They say script kiddie. They've got criminal gangs and they've got
nation states and they've kind of got a sophistication line going kind of like inferring that actually nation states have the most level of capability. I mean, that's bullshit, right? And anybody that puts that kind of slide up today really needs to kind of rewind and go back to 2010 and use those slides then and not use them anymore because it's a very, very fluid environment. And we see and we witness individuals switching very, very quickly. And it's such a fluid space that actually making those assertions, I would argue, can be really quite dangerous and detrimental. And so the world that we live in today, we've got this attribution roulette. And you could argue that actually the attribution roulette today is based upon really flimsy indicators. I mean, you know,
I've seen there was one particular case that I thought was remarkable in which they looked at the source IP address of the intrusion and the source IP address was coming from China. And then they turned around and said, yeah, the attack is coming from the Chinese government. Other examples we'll witness is just purely using the time in which criminals are actually accessing an environment or, yeah, it's criminals, right? Whether they're nation states or criminals, it's the same thing. And you can't just use single indicators as a suggestion as to who the attributor is or who's behind the source of the attack. And whilst it's been okay in the past, while it's been great for generating and creating PR,
getting certain companies the opportunity to be able to stand up on BBC News, moving forward, it's not really going to be an option. And in part because the whole industry is basically going to be turned on its head with one decision. And that decision isn't coming from us as the cybersecurity community or from law enforcement for that matter. It's actually coming from insurers. And I want you to just to think about this for a second, because there's no question that cyber insurance as a risk mitigation approach is viable. But if you can think about it for a second, if you as a company have paid incredibly large premiums, and those premiums are being used to kind of offset the potential impact of
an attack against your environment, And all of a sudden, the insurer turns around and says, yeah, but it came from a nation state. And that entire policy is completely void, or certainly that claim is completely void. It's going to leave you in a really difficult position. But of course, the question you've got to ask yourself is, well, how are lawyers going to determine what a nation state attack is? I mean, you know, Lloyd's is an incredible insurer, but last time I heard, they weren't doing, you know, they weren't reversing malware and determining the likely attribution or source of a particular attack. And you've seen this just recently. I think it was this large shipping company that actually had their insurance because it was asserted that it came
from a nation state. And of course they took the insurer to court and ultimately won, but do you really have the time to go through that? And so as we begin to move forward, as we begin to get over COVID, like really deal with a scenario in a world in which attribution really matters, there is a risk that insurers may just look at the headlines on The Register or look at the headlines on ZDNet and just say, Yeah, that particular attack came from a nation state. And it's not just a simple case of saying, well, you know, if it's espionage, it's an APT group and ransomware, it's not. Because actually large nation state groups actually
do ransomware attacks. And you might remember WannaCry in 2016, that was asserted by the DOJ to have come from a nation state. So if you suffered an impact through WannaCry and you had insurance, today that wouldn't be covered and certainly wouldn't be covered if you had an insurance policy like this. And that... ultimately is the challenge that we face. And so what I want to do today is really kind of walk you through an incident that I actually worked on, but kind of walk you through how we've done it, or certainly I've done attribution, and some of the things that we should be thinking about if we're going to make these assertions, because actually making
these assertions are important. And some of you may be sitting there thinking, well, why the hell would you, you know, some bloke sitting in a garden room in London, like be the right person to be making claims around, you know, an entire nation carrying out attacks against an organization. And so what I want to do with you is just kind of share with you the reason why I think it's important. And fundamentally the steps in the methodology or certainly a set of steps in methodology that can be used and leveraged. And the example I want to give you is, and I think I published this, but I can't remember. I couldn't find it. So I
might not have, but there was a case in which I got called and it was in 2021. It was early 2021. And the phone call I got was, we think that there's been an intrusion inside our network. And at the time I was like, well, how do you know? And they're like, well, we're seeing some strange traffic in our environment. And at the time, like it wasn't even raised by the CISO, it was just a SOC operator. And of course the question was, I was working for a software company at the time, a vendor at the time, and they're like, well, you should have stopped it. So I get that a lot, by the way.
And so we kicked off an investigation, we started to undertake or go through a set of like identifying and analyzing logs really with a view to try to understand what was happening. And what we found actually was really remarkable because The attack itself, based upon the analysis that we found, actually started in 2015. In fact, what was remarkable about this particular case was that under normal circumstances, you'd make the assumption that the adversary would basically wipe everything and leave no trace that they were there. But what happened in this case was they were actually in the environment from 2015, and because they hadn't been detected, like, I mean, we're talking about seven or six years at the time, because they hadn't been detected, they just didn't
bother cleaning up. And that was, I mean, that was actually a first for me, I've got to be honest. And actually, as we began, just as an FYI, but as we began to do additional deep analysis and additional deep dives into this, it actually turned out that actually they'd been compromised from 2014. But at the time it wasn't even on the CISOs radar, like it was just at the SOC level. And as we began to do analysis, what we found was actually it was an internet server on the DMZ that had been compromised. They'd obviously managed to gather credentials and they'd maintained and implemented multiple persistence mechanisms inside the environment. Now, this has never happened
before. But obviously, A, we had the logs, but what was really phenomenal was we were able to find a compressed folder in one of the servers. And that compressed folder was actually being used to submit and transfer information to an infrastructure that we believe to be owned by the Mustang Panda Group, which is an APT group based out of Southeast Asia. Now, I'm not saying it was definitely Mustang Panda just based upon infrastructure, but the data that we found in the exfil folder was phenomenal. Like TLP Red data, like, because this was a defense contractor, and they were providing information and support for the Department of Defense for that country. I'm not saying it was
the US, but for that country. And so now all of a sudden, we're kind of dealing with a scenario in which actually we've got state secrets being exfiltrated to an infrastructure being hosted by another nation. And it was at that point, we kind of said, look, we need to get with the CIA, get with the CISO, and we need to share with you what we've actually found. And the really scary part was, I was like, look, and this was January. And I said, look, the truth of the matter is, is that we found the initial entry vector, we found some persistence mechanisms inside the network. But what we need, and you're not going to like
this, is we're going to need to keep them in your network. And like this was like freaking them out because at this point the CEO had been called and by kind of February, March, the prime minister's office had been notified. I mean, it became like a major, major issue. And they were like, well, look, all we want you to do is throw out the bad guys. And I said, look, if you do that, if you don't, if we don't sit and monitor what's happening in the environment, and find out all of the persistence mechanisms, they're not only going to come back, but the chances are they'll come in and torch the environment. And when we did
the Bank of Taiwan investigation, what we found was actually they were using ransomware as a vehicle to wipe all traces of the threat actor activity. So we were really concerned. We said, look, if you don't keep the bad guys in the network for at least six to eight weeks, then we're not going to find the additional persistence mechanisms. And of course, this was like remarkable, but they actually agreed to allow, they actually allowed us to do that. So we actually sat there like watching these threat actors come inside the environment, drop tools, steal data, but actually allowed us to gather information and so by the time March came around we were able to do a
Golden Ticket reset, like delete all of the back doors and actually like, touch wood, we've not heard of the threat actors coming back again. But, you know, at the time I would say our attribution was probably a little flimsy initially. But what we began to do was we began to look at all of the various different indicators and assets in the environment and we were able to determine who the likely threat actor was, and what that enabled us to do, it enabled us to actually have the discussion at the CEO level. So then we could make a decision and a discussion around, can you allow criminals inside your network to continue
to steal state secrets? I mean, that literally was the quest, that was the ask that we had of them. But because we were able to say, look, you're dealing with what we believe to be a state. And if you don't do this, this is what they are capable of. That's why attribution was so imperative with regards to this discussion. Because if we hadn't done that, and if we hadn't given them some indication as to the likely threat actor, you can bet that the SOC analysts would have said, just throw them out. And then the state would have come back in and wiped out the entire environment. I will say my recommendation was to completely torch
the network and rebuild it from scratch. That wasn't something they were willing to do. So they weren't completely listening to everything I told them. And so as we begin to kind of think about, well, okay, how are we going to be able to determine attribution? How are we going to be able to do this? You know, one of the things that we do constantly is, you know, we'll look at the MITRE ATT&CK techniques and we map these MITRE ATT&CK techniques as a set of TTPs, tools, tactics, and procedures, and allocate those to specific threat groups. And so in this instance, what we were able to do is say, hey, look, you know, The TTPs inside
this particular environment correlate to this particular threat group. The other thing that we were able to do, and I think obviously this is the obvious part, but obviously we get the malware samples, we analyze the backdoors. And the other thing actually, which I think is really key, is doing the source code analysis on the malware and looking at clear overlaps between other attributed samples that we may have. Again, that begins to contribute towards that kind of picture that we determined to be attribution. And of course we can look at the times that the threat actors get in, and like, I know I was pretty rude about this particular methodology, but like
if you add it and contribute towards it, then of course this does help. And of course this particular time zone was... oh my gosh, it's asking me to update. Soon. Not now. All right. So of course that does begin to contribute towards that assertion, where we look at the times, we look at the malware, we look at the infrastructure, we're also able to look at the exfil data, and that then allows us to basically determine who we suspect is behind this. Can I just say, by the way, if you are an APT criminal or you're working on behalf of a state, you don't really do many hours.
I mean, realistically, you only really do like three days of work a week. And I kind of looked and we kind of joked afterwards and I said, blimey, you know, like you've got to say, they really achieve a good work-life balance if you are working on behalf of a nation state. Because, I mean, realistically, you're kind of shutting off at 5pm on most days and you're not really doing much on the weekends. But again, you know, like that was tongue in cheek, but it does begin to kind of paint a picture of, And if we map this out and we kind of say, well, okay, what does this actually look like? We can kind of
look at the challenges that we face, but fundamentally, you know, it's all of the above. It's all of the intelligence and challenges that we have. So what does this all mean and how can we begin to do this? Well, unfortunately, from an investigative perspective, our work has become a lot more difficult than it ever has. As I said, I'm on the Europol's European Cybercrime Centre Advisory Board. And within that, we published the IOCTA report. And I would say that that is a tremendous report. It's actually written by EC3. We have contribution from industry, of course, but it is a law enforcement report. IOCTA is Internet Organised Crime Threat Assessment Report. And what was remarkable was they actually talked about the challenges that they face in conducting investigations. And
one of the challenges that we all face now because of GDPR is WHOIS has basically gone dark. And so, look, I acknowledge that criminals won't register domains in their own name. Like I accept that, but from a metadata perspective, it's the first thing we always do. And now with WHOIS going dark, of course, that's not really a viable option as a first step. In fact, you've got to submit an MLAT, which is a mutual legal assistance treaty, in order to be able to get the data. But law enforcement have to do the same as well. So one of the things that I think we need to be thinking of as an industry is, with such a fragmented industry, we'd
rather attack each other on Twitter than we would kind of get together and work and find out ways that we can actually stop things like WHOIS going dark. And so like one of the things that I'd like, the messages I'd like to get across is yeah, attribution is really difficult, but not impossible. But what I'd love to be able to do is, like, we as an industry need to be more collaborative, and actually that's part of the reason why I wanted to do B-Sides, because B-Sides to me is one of those communities where actually it is a supportive community and it is where we're kind of working together and looking to
collaborate together and so like my ask is as we kind of move forward, like let's continue to do it in that spirit of collaboration, because I'll tell you from a privacy perspective, they really work well together, which is why we've seen laws that are protecting the privacy of individuals, which is great, but the unintended consequences are also protects criminals as well. And so Let me share with you what kind of we do today and but there's no product pitch here. I can promise you. So obviously within my team, we run the Metasploit framework and some of the tools that you can use and some of the tools that you can access. Obviously, you all know
Metasploit. It's free to use. The framework is completely free to access. We've got like four and a half thousand modules that are freely accessible. We also provide scanning technologies. This is all available free of charge. You can access this if you wish. And we also run our honeypots. And, you know, the way that we're currently doing attribution today and not like absolute attribution, but the way that we're determining the context of an attack today is is we have our honeypots sitting there listening to connections. Those honeypots are gathering TTPs and IOCs which are then backed and analyzed against our threat actor library and that then determines who we suspect to be likely behind specific attacks.
That context we then use to support law enforcement and other operations. Now, not quite yet, but what I will say is that all of this data will be accessible and available for you free of charge. So if you bear with me, I'll post it on Twitter and so forth when we're ready. But, you know, we are making this information available to you as researchers, as academics. in order for you to be able to understand what's happening in the threat space, but also to secure your own environments. And again, this is all free of charge. So please bear with me. I'm like a couple of weeks into the new role. But we are going to be
making all of this data available under open data. I kind of, I'm going to pause. Actually, I'm going to go to the last slide. Well, I can't actually, because it's not working and my laptop's frozen. Fantastic. Let's try this. Okay, let me try again. Sorry. Share screen. That's embarrassing. No, that's not working. All right. It looks like Chrome has completely crashed on me. No, it's not. Okay. It looks like Chrome has completely crashed on me. Let me try that again. Let me see if I can share that once more. I really only had one slide. And then what I want to do is kind of get into a Q&A, but also I'd like to give
you, I'd like to make available. Okay, there we go. And so the last slide that I'd like to really say here is that... One of the things that I think is really important from us as a company that actually does have the telemetry is we are making as much of this information available to you. So from our Metasploit teams, obviously, you've got access to the modules. You've got access to in-depth exploitability analysis through AttackerKB. We publish the intelligence reports. So we analyze things like known time to attack, time to known exploitation of vulnerabilities, and of course all of the critical details around emerging threat response. All of this we've made available for you.
Please, you know, let me know if there's more that we can do to help you as the community. Our competition isn't other vendors, our competition are criminals, and quite frankly we need to work and collaborate together to do everything we can to stop them. Because, look, you know, I kind of co-founded No More Ransom in 2016, and like the whole reason for that is because we live in a world in which, you know, a clinician can open up an email and a hospital will no longer be able to provide patient care. Like that to me is just a scenario in a world which is just unacceptable. So let's work together. Let's
find ways to collaborate. And like I said, reach out and we'll start to make all of this information and content available for you. And like I said, you've got Metasploit, you've got AttackerKB, you've got Velociraptor, like all of these tools that are freely accessible. We will continue and you have our commitment to continue to provide that to you. Okay, I'm going to pause and open it up for Q&A. Sam, I'm assuming that like the internet didn't crash. And I haven't been talking to myself over the last kind of 20, 25 minutes. And I do have a book to give away as well. But it's an old book. But like I thought it'd be nice
to just kind of provide that. So I'm going to shut up for a second and see if you're all still there. Hello. Can you hear us, Raj? I can indeed. Yes. Excellent. Thank you very much. That was an amazing talk. I cannot believe that you can't just look at the IP address or something and decide to blame an entire government. You've rocked my world. But you know what the crazy thing was? There was an admittance from a UK law enforcement agency that said publicly, if we see that the IP address of a cyber attack is coming from China, we won't investigate it because it's just too difficult. And that was publicly admitted by a law enforcement official. And it doesn't surprise me at all.
But shocking that they would admit it. Does anyone have any questions for Raj? Oh, wait. Thanks Raj, that was brilliant. Question I had right at the start, you showed the report from FinFisher and you sort of showed the global map of the customers of that tool in particular and you pointed out that sort of the usual suspects weren't on that list. Do you think that's because the usual suspects just aren't using those tools and they're doing absolutely everything in-house or do you think there's something else behind that? Yeah, so there's definitely a capability gap. You know, some of the smaller nations are definitely outsourcing, but many of the larger nations would have their own capabilities. And there is a TLP Red briefing that I have in
which we've actually mapped out, you know, one nation's entire cyber offensive capabilities and tools and teaming. I mean, it's like some of them are really good. Like they've got entire teams dedicated to OSINT, entire teams, like, creating fake LinkedIn profiles and phishing people all the time. I mean, some of these nations have, like... in fact, I think with the DOD reference to North Korea, who basically said they're actually investing in cyber as opposed to traditional warfare, because it's more cost effective and non-repudiation. So actually, yeah, some of these nations that I referred to right at the beginning have really capable, really, really, really frightening capabilities. Thank you very much. Any other questions?
Oh, hello you. On the question on the investigation that you discussed and the importance of attribution in going to the CEO, how much would you say there's a likelihood for chasing for an attribution to go to a CEO with that kind of conversation in mind? Well, actually, I think, and here's the scary thing, I think it's always required, because the sad reality is what we do as an industry is we are devoid of context. You know, if you think about the logs, if you think about everything that we can, we stop and we see, there's no real context as to what's actually happening. And when we're talking to the business, then they desperately need the context around making those business decisions. And, you
know, for us, for me, if we hadn't been able to provide that context, I wouldn't have got to the CEO. They would have basically said, well, you're just going to, like, like, like, close off the initial entry vector. And we found about eight to 12 different backdoors after that. And they had 84 compromised credentials. So we didn't even know that at the time. So I would say that like determining context wherever you can is imperative in every investigation, in every case. The challenge is that we just don't have the time and resources to be able to provide context on everything. But like, I think that's the challenge we face as an industry because you know
how many alerts... like, when we were at Intel, I think we had something ridiculous like millions of alerts a day, and we just didn't have the time to understand the context behind those millions a day. So that's the challenge that I think we face: taking those millions of alerts and getting it to, like, the five or six that you really want to focus on that are probably more critical. But, like, that's the challenge: how do you get context at scale? Thank you very much, Raj. Yeah, I think context isn't technical as well. I mean, when you're dealing with alerts and stuff, it's the what does the company do, especially if you don't work
for that company and you're coming in as a person, like a remote SOC or a remote incident responder. It can be really, oh, yeah, it's fine, we've seen this a million times, close it down sort of thing, whereas you don't realize what other customers is, and it's a supply chain attack. So context behind everything, it doesn't really matter whether it's technical or like a social thing, is always super important. Any other questions? So let me share with you a quick story. So I had to do an investigation against a company that had a Sodinokibi attack, which is the REvil group, the ransomware group. And I mean, I got, like, pelted. They're like,
you know, you didn't protect us. You're crap. I mean, I got so much abuse. And so I was like, okay, well, so what we did was I got the team. We actually did some work with law enforcement on disruption of an RDP shop. And we actually found their creds available for sale in this RDP shop. And I went back to the CIO and I said, well, with all due respect, I said, they've gone in through RDP 11 months ago, you ignored the alerts and your password for your web-facing RDP system was welcome123. And so context to me is imperative, but the amount of work that had to go into that was not insignificant. But that's
the challenge that we face is that I think organisations see it as binary, like you're protecting me or you're not, but actually our challenge is to provide the bit in between. And I will tell you that was the most enjoyable conversation I've ever had in my career. Yeah, I've had a couple of them myself. It's awesome. While you're trying not to smile. You're not on? Where's the question? Where's the question? Where's the question? I have a question, but I will also give context at the end of the question. My main question is, what can private companies, in your professional opinion, give accurate attribution? And the reason I ask this is, about a month and a half, I was
at the UN in Geneva, and the Deputy Minister of Information Security said, was very angry at the UN for having private companies participate in the summit, and it was his opinion that only governments should be doing it, and I believe he also told off the UN and stormed off and cursed at some people. So that's the context. You can't do this without us. That might sound like the most arrogant thing on the planet, but if you think about infrastructure today, infrastructure today by and large is hosted by private companies. The telemetry of global attacks is hosted by private companies. So it has to be a public and private thing. There is no other way. One of the first takedowns I did with Europol was the Beebone
botnet, and that was a true public and private partnership. You know, we had law enforcement agencies from across the globe. We had private sector companies doing analysis, tracking the threat. We had NGOs like Shadow Server doing the sinkholing. I mean, it can't be done with, like, it can't just be done with private sector. It can't just be done with NGOs and it can't just be done with, you know, with public sector. And I think politicians that... I mean, you hear this all the time. Like, oh, we're going to build our only internet just for us. Or we're going to ban encryption. Like, wake up. It's not... We're in the 20... first century, you know, it's just I keep forgetting what year we are
because I've kind of like I think Thanos has like stolen three years from me. But like, you know, we're in 2022 and like modern policing, modern law enforcement and digital crime has to be a collaborative effort. And like a great example of this is I always say like look at NoMoreRansom. You know, NoMoreRansom was at the time when it was with McAfee, Kaspersky, the National High Tech Crime Unit in the Netherlands and Europol, and Amazon and Barracuda agreed to host it for us. And we've prevented, I think, 10 million downloads of decryptors. And that could not have been done just by us or just by law enforcement. So I'd love to speak to that individual that
stormed out. I would love to speak to that individual. Oh, more questions? I think I'm on now as well. I am on. Okay, over to you. It was in the United States about two or three years ago that we're starting to propose laws about actually hacking back or attacking back on criminal organizations or even nation states. What's your view on that sort of approach? I mean... Well, I guess a lot of it depends upon the infrastructure or really the attribution that you've done. Of course, you know, there is likely to, there is the potential of the risk of you attacking somebody that didn't have anything to do with it. And so there is that risk. But look,
personally, I think, you know, my opinion is that we need to set an example. And I think actually carrying out offensive operations I think from private sector's perspective, that's not what we do. I think if governments want to do that, then more power to them. So I'm not in a position to say what government should be doing, but from a private sector perspective, that's not what we do. And in fact, I was at a conference recently and there was a CEO of a company who stood up and said to the audience, yeah, we actually do hack back. And I was like, well, that's actually criminal. If you feel comfortable enough to say it publicly, then
go ahead. But I don't think we should do it. And in fact, I did a piece with the Cyber Peace Institute on... following the Ukraine and Russia war around the dangers of we as individuals doing hack back or hacking operations against the Russian state. So I know it's controversial, but what I would say is that that blog is still up there and it kind of articulates my views, but I don't think we should be doing it. I think if governments want to do it or an intelligence agency is going to do it, then that's up to them. But for me, I wouldn't. And it's illegal. So don't do it. It's a spiky question, though. But
yeah, look, you know, we're there to defend. That is our role. We're there to protect. We're there to defend. We're there to educate. We're there to enable. That is our role. It is not to go and do arrests. It is not to out people. It is not to dox. It is not to, you know, bring down infrastructure because it suits the narrative. That is our role. And I look forward to being flamed later. Awesome. What a great start to the day. Everyone, big round of applause for Raj Samani. Thanks, Sam. I have a question for the audience, and I'm willing to give away one of the books that I wrote in the past. I'm a
huge Sam Fender fan, and I know Sam's from the Northeast. Can somebody in the audience tell me what Can He Chanter means? Because it's in his lyrics for 17 Going Under, and I have no idea what it means. And there is a book in it for you, the first person that came up with an answer. Can He Chanter? Canny chanter. I'm gonna say, let me put you on microphone, Steve. It's just a person that wants to try something on. Thank you very much, Sam. If you can share the contact details, I will liaise with Steve and get a book out to him in the next week. Fantastic, love it, well done, mate. All right, that's brilliant. Thank you again so much, my friend, that was awesome. Um, we
very much appreciate your time. So, uh, there we go, we're off to the races. Keynote one in the back. Thank you, bye-bye. Cheers, Raj.
I've got to run upstairs in a second because we're splitting. You've got ten minutes, it's fine. It's fine, isn't it? It's fine. Right, you have an absolutely awful choice now between Mike or James. Pen testing, the last thing you should do, or war strategy and war games and threat hunting. Hang on a second, I've got it all here. Both of them look amazing, which is why they're all being recorded, so that we can all watch the other one when we can't be in two places at once. Yes. So, right, you're in charge again. Thank you. Fine. Thanks. I'm loving your work. You're doing a great job. Awesome. Bye-bye. I'll leave John here, though. He can look after you. Excellent. So, we
have about ten minutes before Mike's due to come up. He's been muted. Oh, there we're back. Oh, that's... Weird. Thanks. So, quick five minutes if you want to run out, grab coffee, toilets, grab extra swag that may or may not have appeared outside. Next thing, can you thank the sponsors, which are on your bum, and on the website. Hello, hello, hello. Okay, first IRL speaker with us. Mike. Nice slide deck, nice. Oh, the hearts. Nice. So... Big round of applause for Mike, who is going to tell us about Wargames. Good morning. So, just a bit about me. I am Mike. I'm the Global Cyber Threat and Incident Response Manager at Verifone. The Wargames is more relevant to a previous organisation, WithYouWithMe.
Part of their model was looking for potential over experience and breaking down the... the cyber skill shortage, and also the entry-level roles being quite difficult to achieve. So part of the model of the business was bringing in people with zero experience, usually from neurodivergent or veteran backgrounds, that are slightly more difficult to employ, and giving them the hands-on experience and training that they require to become very competent cyber operators. And it's a proven method and it does work. It's also a great way to test your incident response capabilities. And it also means you can offset some of the budget and requirements based on training, because I asked for your compliance things, because obviously if you do your yearly tabletop you can kind of offset things. So
the rationale behind it, hands-on training is obviously one of the most critical things for a lot of people and you will see job requirements that require years of experience in A, B or C, different tooling sets, things like that. And depending on your background and or experiences, it's quite difficult to get that hands-on experience. You might have done a lot of certifications, you might have a lot of theoretical knowledge, but it's getting that hands-on experience and actually developing the skills that you need to grow into your career. It's also a great way to test your processes and procedures. Obviously you might do the yearly tabletop exercise and you'll pull out one of your playbooks and
decide we'll do ransomware or we'll do a malware outbreak this year, and you're ticking that compliance box, but it's just more of a... it's the compliance driving it as opposed to the actual enrichment for junior or entry-level employees. So this way you're getting everyone to sort of test those processes and procedures, and you can identify any gaps or any weaknesses in a slightly more coherent manner because you're running it through in real time and checking as it goes. Again, I've mentioned it: there's the global cyber skills shortage. By bringing in junior and entry-level people and giving them that hands-on training, it makes it a lot easier to fill those gaps. It also shares the
knowledge and reduces skill silos. Again, if you've got, with the skill shortage, it's quite a hot market for cyber professionals. So as a result, you can end up going through quite a few, so your turnover can be quite high. And bringing people in and training them up should be seen as an investment as opposed to a burden, an enrichment and development. Again, bringing in junior and sort of entry-level employees and getting them that development and actually investing your time in them, which is going to help in the future. So again, the why. Training up, skilling. It's one of these things that doing your wargames, it's like a controlled environment that you can train and develop
people in, but it also gives them that as close to real as possible. Again, as you mature your wargaming process, you can... delve further into the sort of how real it is. So initially I'd always start off in, like, a very sandboxed environment and it's almost spoon-fed, but it's getting that sort of muscle memory in place. And then as you start to expand you can throw, like, red herrings into your production environment and things, and it means it's a little bit more difficult for them to actually do the sort of the threat hunting process, or you give them sort of a slightly more arbitrary CTI task to then find and discover and build a profile
on. And cross-training. Depending on how your organisation is structured, you might have threat hunting functions, you might have threat intelligence functions, you might have an incident response function. Again, you might be all one team, you might be siloed off. It's great to cross-train and get that experience between everyone. It reduces skill silos. If, for example, you've got one guy who does your CTI and he takes a two-week holiday, there's potentially a deficit in your squad and you've got that experience across the board. And again, if you've got entry-level and junior-level employees and you've brought someone in as a CTI analyst, they might want to do a little bit more threat hunting, they might find that
more interesting. It's about giving people the opportunity to grow their career and give them that sort of experience and examples of what's out there in the other disciplines. So who's this target at? Well if you're a team leader and manager and you're sort of having issues hiring or looking at retention or potentially just you're not hiring talent that's hitting the ground running, which is why we see these job adverts that need six years experience in anything and you're expected to be an entry-level expert. So again by doing this and planning these war games again depending on your organization you can run them at different stages of the year and use it as a sort of
you have keystones or milestones and you can hit every three months, depending on how sort of intense you want to do it. And you'll watch the individuals grow. And again, if you're an individual contributor and you're sat there wondering if you can get a little bit more hands-on and you can grow into your career a little bit more, bring this up with your manager or your lead. Again, the benefit of doing it as an incident response training process is that you can usually get away with mitigating your yearly compliance requirements, so it means it's a little bit easier to get away with sort of the manpower and the time deficit that you're trying to
justify. So, planning the war games. Again, this will be completely unique to most organisations. It's going to be the one sort of try and grow them into the area that's going to be most beneficial for you initially and then potentially broaden out. So as an organisation, if you're using industrial control systems or something that are quite bespoke to your industry, there's not going to be that many people who are at a junior level or an entry level or a less senior level who are going to have had experience or exposure to these systems. So you can look to Wargame around that sort of system and it's going to get people up to speed a lot quicker and also, again, strengthen the ranks. Again,
organisations have different operating systems. You could have IBM's AIX, HP-UX and things like that that, again, unless you've been in a large enterprise or a large organisation, you're not going to have had much exposure to. So getting that training and getting the hands-on experience of responding to alerts associated with Solaris OS, or even just doing a digital investigation on, like, a Solaris host, that isn't the norm. There's not that many documents, or you don't read blog posts about how to do IR on Solaris; it tends to be Linux and Windows sort of systems that people favour. And yeah, ask where your team are feeling weakest. It might be that
they do want to explore Linux a little bit more, if you're a Windows shop. And again, it might not be completely beneficial to your organisation at the time. But getting that skill and keeping people interested, I think it's the hugest thing. Because if you can keep driving that passion, you're always going to have people performing better because it's that motivation. And then you've got to find the right moment. Again, this can be somewhat time consuming and it can be a time constraint for an organisation. And depending on how busy, say, your SOC is, you might not have the time to actually sit there and go, well, we need to dedicate a week to this. A
lot of organisations have started doing innovation weeks or hack weeks. This would be a great time to do it. It's sort of that time where you can develop and sort of enrich yourself. And this shouldn't be seen as a burden. The key is to maximise engagement. So if you're doing it, you can get stakeholders from all over the business, especially if you're doing the full cycle, like IR processes and procedures. You can get the threat hunting aspect done. You can get the executives in. So when you get a call at three o'clock in the morning because there's a ransomware outbreak or you've lost customer data and it's getting that simulation to as real as possible.
So again, designing your wargames. Initially, as I said, I'd start off with a nice sort of very controlled sandboxed environment. It all again depends on how experienced the team you're trying to train up or get exposure to are. If they are completely green or sort of very at the beginning of their journey in their career, I'd say make it as sort of obvious as possible. And it's that spoon feeding process because we can get the more information you're instilling in them, they'll start to discover the journey themselves as they develop. Again, the opportunity to build your lab can also be your first upskilling or cross-skilling section. Security engineering or DevOps or systems administration tasks, things
like that, whilst not necessarily imperative to the role that they're performing. Again, it's broadening that skill set. It's giving them that slightly different knowledge about the systems that they're protecting and looking at them systems in a slightly more... They have that knowledge to go behind it. I'd always advocate for infrastructure as code where possible. Once you've spent the time and you've done that big investment at first, you can then just spin things up on sort of queue, which then mitigates the issues later down the line, especially the time issues. So the example I'm going to use today is at all hands. So we're going to test our threat intelligence functions. We're going to train junior
threat hunters, our threat intelligence people and our incident responders. I always like to come up with a fictitious APT group. It depends on how mature you want to go with it, how sort of abstract you want to be. If you've got a sort of specific industry or your sort of attack surface is in a certain area, you can tailor it towards that. And it'll basically be sprinkling some technical indicators that you control or some C2 servers and other technical indicators and creating some TTPs that associate to this profile. And then getting your entry-level or junior threat analysts to then build up the profile on it. It could be just getting them to write Sigma rules.
It could be getting them just to start putting the data into STIX and things like that. Even just entering it into, like, MISP or their threat intelligence platform, and just getting that hands-on, building the profile and working out sort of the different technical indicators and mapping and understanding the TTPs that these threat actors use. Again, attribution was mentioned in the previous call. If you're an organisation that wants to perform attribution, which I know many don't because of the time constraint and the costs associated, this would be a great way to start building that skill set and getting people using the diamond model or the pyramid of pain and getting them in from the early
levels and sort of in that controlled environment where there's no harm, no foul type thing. It gives people that real time to get into it and understand it. At this point, once the threat intelligence has been conducted, we can start looking at the threat hunting side of things. Again, this will be in a controlled environment. We'll have some file hashes, potentially some IP addresses that we do control. Again, you can just sprinkle them about, and you can get your hypothesis written up. It could be that you know that there's an APT group that are using brute force attacks from stolen credentials and then they're using ransomware that's Bash shell or PowerShell based. You can
start building your hypothesis of what to look for. You've got a couple of the indicators of compromise; it could be that you've got an email address and things, and you can start to build it and start to hunt from there. And then once you've finished your hunt, you'll start finding the IOCs, you'll find these indicators, you can move into your incident response mode, and you can start to contain and eradicate the threat that's posed to your environment. And again, it's that full cycle. You could do this as a single team of SOC analysts. It doesn't necessarily need to be defined as per function. It's just that was the experience I had at my previous organisation.
So the example here, I'm going to use APT Clumsy Magpie, who are a North East based actor. We know that their TTPs are brute force, phishing, remote system discovery and data encryption. So this is the sort of information we're going to give the CTI guys. We know that they look for publicly exposed services such as RDP and SSH, and they have got PowerShell and Bash scripts. The reason I choose this sort of attack method for the first one, there's a lot of open source Bash and PowerShell based ransomware that has built-in C2 servers. So the barrier to entry and getting this sort of environment spun up is quite low, but it also gives that real,
slightly more real-to-life threat profile that you can start to work on.
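The Clumsy Magpie scenario above, turned into a runnable hunt over a constructed lab dataset (added example, not from the talk): the junior hunters' hypothesis chain is brute force against exposed SSH/RDP, then a script interpreter doing host discovery and bulk encryption on the same host. Hostnames, IP addresses, thresholds, the event format and the ATT&CK mapping of the scenario's TTPs are assumptions.

```python
"""Hunt hypothesis for the fictitious 'Clumsy Magpie' wargame scenario.

Added example, not from the talk. Every log line below is constructed for the
lab; hostnames, IP addresses, thresholds and the event format are assumptions.
"""
from collections import defaultdict

# The scenario's TTPs mapped to MITRE ATT&CK technique IDs.
ATTACK_MAP = {
    "brute_force": "T1110",
    "remote_system_discovery": "T1018",
    "data_encrypted_for_impact": "T1486",
}

# Constructed auth events: (timestamp, host, service, src_ip, user, outcome).
AUTH_EVENTS = [
    ("2022-06-04T03:00:01", "jump01", "sshd", "198.51.100.7", "svc_backup", "fail"),
    ("2022-06-04T03:00:02", "jump01", "sshd", "198.51.100.7", "svc_backup", "fail"),
    ("2022-06-04T03:00:03", "jump01", "sshd", "198.51.100.7", "svc_backup", "fail"),
    ("2022-06-04T03:00:04", "jump01", "sshd", "198.51.100.7", "svc_backup", "fail"),
    ("2022-06-04T03:00:05", "jump01", "sshd", "198.51.100.7", "svc_backup", "fail"),
    ("2022-06-04T03:00:06", "jump01", "sshd", "198.51.100.7", "svc_backup", "fail"),
    ("2022-06-04T03:00:09", "jump01", "sshd", "198.51.100.7", "svc_backup", "success"),
    # A noisier but sub-threshold RDP case: three failures, then success.
    ("2022-06-04T03:00:10", "win-fs02", "rdp", "203.0.113.9", "admin", "fail"),
    ("2022-06-04T03:00:11", "win-fs02", "rdp", "203.0.113.9", "admin", "fail"),
    ("2022-06-04T03:00:12", "win-fs02", "rdp", "203.0.113.9", "admin", "fail"),
    ("2022-06-04T03:00:13", "win-fs02", "rdp", "203.0.113.9", "admin", "success"),
    # A normal user mistyping a password twice in office hours.
    ("2022-06-04T08:15:00", "win-fs02", "rdp", "192.0.2.44", "jsmith", "fail"),
    ("2022-06-04T08:15:20", "win-fs02", "rdp", "192.0.2.44", "jsmith", "fail"),
    ("2022-06-04T08:15:40", "win-fs02", "rdp", "192.0.2.44", "jsmith", "success"),
]

# Constructed process events: (timestamp, host, user, image, command_line).
PROC_EVENTS = [
    ("2022-06-04T03:02:00", "jump01", "svc_backup", "bash",
     'bash -c "arp -a; cat /etc/hosts"'),
    ("2022-06-04T03:05:00", "jump01", "svc_backup", "bash",
     'bash -c "for f in /srv/share/*; do openssl enc -aes-256-cbc -in $f -out $f.locked; done"'),
    ("2022-06-04T08:20:00", "win-fs02", "jsmith", "powershell.exe",
     "powershell.exe Get-ChildItem C:\\Reports"),
]

FAIL_THRESHOLD = 5  # lab tuning value, not a recommendation
SCRIPT_INTERPRETERS = {"bash", "sh", "powershell.exe", "pwsh"}
DISCOVERY_HINTS = ("arp -a", "net view", "nmap ", "get-adcomputer")
ENCRYPT_HINTS = ("openssl enc", "gpg --symmetric", ".locked", "cipher /e")


def hunt_brute_force(auth_events, threshold=FAIL_THRESHOLD):
    """Hypothesis 1: repeated failed logons from one source to one host, then a success."""
    fails = defaultdict(int)
    findings = []
    for ts, host, service, src, user, outcome in sorted(auth_events):
        key = (host, src)
        if outcome == "fail":
            fails[key] += 1
        elif outcome == "success":
            if fails[key] >= threshold:
                findings.append({
                    "technique": ATTACK_MAP["brute_force"],
                    "host": host, "service": service, "src_ip": src,
                    "user": user, "failed_attempts": fails[key], "time": ts,
                })
            fails[key] = 0  # a success closes the window either way


    return findings


def hunt_post_access(proc_events, access_findings):
    """Hypotheses 2 and 3: on a host with a suspicious logon, look for a script
    interpreter doing host discovery or bulk file encryption afterwards."""
    findings = []
    for access in access_findings:
        for ts, host, user, image, cmdline in sorted(proc_events):
            if host != access["host"] or ts < access["time"]:
                continue
            if image.lower() not in SCRIPT_INTERPRETERS:
                continue
            low = cmdline.lower()
            base = {"host": host, "user": user, "image": image, "time": ts}
            if any(h in low for h in DISCOVERY_HINTS):
                findings.append({**base, "technique": ATTACK_MAP["remote_system_discovery"]})
            if any(h in low for h in ENCRYPT_HINTS):
                findings.append({**base, "technique": ATTACK_MAP["data_encrypted_for_impact"]})
    return findings


def run_hunt(auth_events=AUTH_EVENTS, proc_events=PROC_EVENTS, threshold=FAIL_THRESHOLD):
    """Run the full hypothesis chain; brute-force hits first, then what followed them."""
    access = hunt_brute_force(auth_events, threshold)
    return access + hunt_post_access(proc_events, access)


if __name__ == "__main__":
    for f in run_hunt():
        print(f["technique"], f["host"], f.get("src_ip", f.get("image")), f["time"])
```

Lowering the threshold to 3 also flags the win-fs02 RDP case, which is the kind of tuning decision the after-action review is meant to surface.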
So from here, you've got your hypothesis to then build. It could be that your CTI analysts have started building this profile. They've started mapping the TTPs to the attack framework, MITRE. They've looked at our attack surface. They've worked out potentially where the attacker's going to try and get us. And then you hand it out. Again, this area is where you can get these junior guys writing queries, searching for things, and just really getting into it with, again, no real time constraints. It's all about that enrichment, even just understanding the query and language that you're using and how to pull... specific hashes, things like that from the files that normally they might have the slightly more
senior guys query and writing the queries and doing these sort of tasks. And then you move into your incident response side of things. Again, this could be one team, it could be a dedicated function. And it's given that slightly more real tabletop exercise. So you're not talking about what you're actually doing, you're going in, you're analysing the network connections that are coming out on the host, you're looking at what files have been encrypted, for instance, where it's sending its data and things like that. And this all then feeds back into the CTI process and it's that nice full cycle of the systems. But again, if you sat there at 3 o'clock in the morning and
you get a P1 incident and you've lost half your estate to ransomware, it's not going to be the junior guy that's going to be there jumping on and having to dig into it. This is that it's giving them the chance. Again, whilst you're going through this, you'll have more senior people driving them through, giving them the guidance and just keeping it going. But when you're sat there in the passenger seat, you're not learning. So when it's that sort of, it's that slightly more real-to-life experience and people will upskill a lot quicker. And it does, it's just getting that muscle memory and they'll start to look for things that potentially they wouldn't have noticed before because
they'd not seen it. And then you go through your after-action review. Again, if you're running through, like, your playbooks that you've done your tabletop exercises for three years, you've run the ransomware one two or three times, and yeah, you might realise that there's certain processes that just don't make sense. There might be things that would make sense now you've got a different tooling set in place, and it could just be that, well, we should do things a little bit differently, or we'll skip this step, we'll move to this step. And it's that real life: you've run through it, you've tested it and you know it works, or you know that there's deficits. It could just
be the fact that the process and the order... well, let's break this out into sort of different sections and silo a little bit more, move it into different bits. How did the games go? So you're getting that review, you're getting that feedback. If the team is sat there going, yeah, I learned a lot in this past week, two, three days, then you can look to plan to move on to the next one and make it slightly more challenging, slightly more difficult. And then the biggest one is: was there enough support? Because essentially you are just going to drop a load of people who may not have the experience and the exposure into the deep end
and it's either swim or drown type thing. But there you've got to give them that gentle encouragement and support, and if they do need anything or they need that pointer, guide them in the direction and help them grow themselves and sort of continue on that journey. And it does work. Again, previous organization, we had a team of eight or nine security analysts that had no prior experience in tech, cybersecurity, anything like that. They'd done a couple of online courses, and then the organization brought them in, and within... two or three months they were starting to get their feet wet and they were getting quite confident, but after six months they were more than happy to jump into incidents. The intelligence guys were building up profiles on APT groups
and looking for attribution. Our Threat Hunting team were tearing into different web tokens and other quite sort of sophisticated attack methods that were prevalent at the time and within our environment. And then the incident response guys are running these tests, they're pulling host data, they're looking at reverse engineering malware samples, and they're getting into that process of how does it work. Again, a lot of organisations, they may have just been churn tickets, churn tickets, pass it up. And this is that letting them get in, they're too stuck into it. Again, there's always that safety barrier of a senior member of the team to jump in if there is an issue. But people will grow in an exponential way. And once you've got that
drive and that sort of hunger for it, they'll continue to grow. Any questions? Excellent. Right. Questions? Who's got hands up? We'll start at the bottom because it's easier.
Hi, great talk by the way. I really agree, I do really agree with you on creating tabletop exercises in a lab environment, but as a business leader, an experience that we've had is we'll pay thousands of pounds a year, and we still do, for training and lab environments, pay extra for lab environments, and they don't get used. And you'll have people sometimes in the tech team that will just totally not be engaged with the labs at all. They're interested in theory. It's a massive problem. I thought it was just us. You know, these people are good at the jobs. They're not. They're not. And I spoke to other people in the same situation as me
and they're like, yeah, what is that all about? You go to these conferences and they'll say, we want lab environments, you want practical training, you provide it and it's just totally disengaged with. So I'm just wondering what your opinion is on that and whether you think it should be worked into KPIs or if it's enforced, is it then more disinteresting? So for me it was always the, if you've got the right people, so again we've got, like my team was built up of a lot of ex-veterans and things that are second, third, maybe even fourth careers at this point and they've got that hunger, they've got that drive and they've got that passion to really
grow into an industry that they find fascinating. And I think a lot of it is, if you've got the, again, if you've got the right people and they've got that sort of drive and passion, they'll be chomping your arm off for these labs, they'll be wanting more, they'll be wanting to do different things. I mean, we used to do digital forensic disk image hunts and I would come up and create different random... it was like stealing cupcake recipes, and these bad guys have got the world secret cupcake recipe, please analyse the disk image and pull it. And they'd be sat there, and within the next two to three days they'd be like, oh, I
need another one, can you make... They take a lot of time to make, so it's kind of, you're churning through them. But once you've got that passion, that drive... I think, again, I've seen the online learning resources in the labs that haven't been used by a lot of companies. And it depends on if you're using it as your yearly compliance training and you're having to drive it that way. But it also depends on the content. If the content is good and engaging, I do find that people will sit there and spend the time. But it's also that if the time's made out of their own personal time, they might not want to spend an
extra two hours in a lab a day. Well, it's the right place then. Hi. So I run an online education platform for people interested in getting into cyber. And I was wondering if this kind of approach could be useful in a kind of virtualized environment for people, where it's not actually a company that's working on it, but could be a completely fictitious scenario or completely virtualized, potentially run over something like a Zoom call. Yeah, it wouldn't be anything dissimilar to Blue Team Labs, but on a sort of scale where you've got multiple people working on the same thing and mentoring. And I think the biggest thing is the mentorship, because if you were to give
people these scenarios and situations and just drop them in it, they do need the guidance and the sort of here's-where-to-look, but it's also knowing when to not give them that bit. If you can give them that nugget of information and they have to then discover it themselves, they're going to discover it a lot quicker, or in their own way. Because again, everyone learns in a different manner. It could be that someone really likes getting presentations and speaking and listening. It could be that they are a hands-on doer. And when you're in that process of doing things, people learn. And every individual is going to be a different use case.
And it's kind of knowing who your audience are, to some extent. Thank you. Another question over here. I think you raise a really important point there about the mentorship and the instructor or the guidance of the class or the trainees. What are your tips on picking the mentor, developing the mentors? I guess in my experience, a lot of the really good practitioners almost do this out of an innate or natural ability and therefore struggle to then pass that process or that skill on to someone else. They know what they do, but they don't know how they do it, so that makes it hard to teach. Again, I think it's all on... It's difficult, because I know what you mean.
There are some incredibly talented technical people, but it's kind of... they've been doing it that long. It's just, how would you not know this? And I think there's that... again, work out how the team likes to learn. And it could even just be a case of shadowing: okay, so I'm going to spend the next two hours doing this, do you want to just sit in and ask questions as I go? And you've got that live process, which might be a little bit easier for someone who doesn't necessarily understand that what they're doing is a lot more complicated than they make it look. Because again, I've seen that where you'll sit on a call for three
or four hours if you're just doing the generic stuff, and people are like, why are you doing that? Why are you doing this? What's the reason behind this? And as you go, they're like, oh, okay, I wouldn't have thought of that. And it's just those little bits, when they're watching it in real time, they can go, that's how that makes sense and how it's pieced together. Excellent. Any more questions for Mike? Oh, right. Oh, you're closer. Just listening to the previous questions, I think maybe if the person's on site with you, it makes it a lot easier to actually ask the question, and the contact is probably the key thing, because it breaks
down barriers, whereas online and in a virtual environment it's hard to pick up the phone or just say, can you look at this for me? So I'm not proud to say this, but I actually got into this argument on Twitter not too long ago, and it was about how someone was complaining about the remote world and they can't mentor, their staff are sort of stifled, their employees are just not growing, and I get, a load of rubbish. And I think, fair enough, turning around in the office and being like, oh, how do I do this? It's a little bit easier. But again, it's all about knowing the people that you're
targeting. So if you've got someone who will sit and read a technical document, and they'll sit there and just engross themselves in it and pick it up, that's great for them. It might be that someone else needs to sit on a call with you and have it talked through; they take that presentation. And I think there's no one size fits all, and I think there are limitations in doing things remotely in terms of that initial gratification and that initial feedback. But if you prepare and plan things in advance, you can sit there and go, where are you weakest? Let's jump on a couple of calls this week, we'll sit down, we'll go through
it, and it's just about that continually growing and trying to nurture the talent. But again, everyone's different, so it could be that someone doesn't want two or three calls a week, they just want to get a task to get stuck into, and then they'll ask questions as they go. And I think it's finding that balance between where it becomes cumbersome to try and customise a sort of training plan for everyone in your team, and making it as sort of broad and accessible to everyone. But I think just being there. Like, if you're always at the end of the Teams, Slack, whatever messaging chat you're using, and they can get that
initial, oh, I need this; oh, well, here you go, here's where to look, or here's who you should speak to. And it's just continual communication with them that will help. Yeah, and sometimes it's a good idea to pull people that are remote into one place and do one of these things. But similarly, if you are going to have an incident at two in the morning and people normally work all over the country, then they should practise being able to do it remotely, because they can't be in the same room. They're not going to be. I'm an apprentice, so I'm very much on the receiving end of all this training. So whenever my company decides
to trial a new product, we always go through a CTF with it just to see how it feels. How do CTFs differ from doing war games and such when it comes to this sort of thing? It's a similar sort of process. I think the wargaming is more for the... it's that real-life simulation. I know Capture the Flags can be somewhat real, but at the same time you're kind of playing a game, because you're hunting for the flag in a lot of respects. With the wargame, it's trying to, again, start off in a sort of spoon-fed, very controlled, very obvious manner. But as you start to mature the process, it'll be that you've thrown a couple of
rogue servers up in your production environment that have this magic binary that's running and doing things that's, again, tightly controlled. And I think it's just trying to simulate what the tabletop exercise would do, just in a more practical and technical manner than talking it through and sort of verbalising it. It's actually doing it. Excellent. Thanks very much. Awesome. OK, can we get a massive round of applause for Mike? Thank you. OK, in just three and a half minutes, OK, you'll be up. So if you want to dump your laptop and go and get a mic from Morgan at the back, you can. Yep. Just stick your laptop in there. Okay. While we're waiting on that, a
word about the people that make all this happen. One is all of you, obviously. But what we do need to do is thank the sponsors, because this stuff does not happen without money and talent and drive, and they provide all of it for us. So we do have Quorum Cyber, Exabeam, InfoSec Governance, that's the only woo governance ever got. The wooing governance. Our amazing friends at Pen Test Partners, Mimecast, Jumping Rivers, who I still have their coasters. I use my Jumping Rivers coasters every day. It's my dance. It's really nice. There's some upstairs, I think. Is there more? Because I need more. I think so. Awesome. I mean, there's no more. No, there's none. Yeah, none. Nobody go upstairs. Okay, we've
got KSEC and that security company. Slash Pocket Sim. And obviously the awesome people at Cyberfest. Yes. Yes. So Cyberfest runs all month. There is a ton of amazing stuff happening across the Northeast. Phil will be here tomorrow. Woo! Woo! Woo! Phil's awesome. Phil's actually the person who keeps us sane. And we should also say thank you to Phil because without Phil, we wouldn't be sat here. Ben may not be alive. Has anyone seen Ben? Not in a while. Okay, might have my phone as well, but whatever. All right. Right, so without further ado, we have Kay. Love this guy. I love him. I stole that from my mentor. I like to call him my messiah,
but I'll get to that. Cool. Great round of applause for Kay. Hi, good morning everyone. I would like to first of all apologize. This is my first time doing this. I'm a little nervous. My experience in the industry, as you can see, is basically just seven weeks old. I'm only a placement student doing this for the first time. But I'm passionate about application security. I thought I'd be a penetration tester when I went to university. It was sexy, it looked awesome. But then I had a little interview, and the result of that interview made me go and speak to Tanya, who I now call my Messiah. And she fuelled my passion for this. So
please bear with me. And if there's anything I've got wrong, please, I'd love your feedback as well. Thank you. We're going to talk about DevOps, DevSecOps, and security being a part of everybody's job. Now, it's my opinion that OWASP is the best thing that's happened to application security, and DevOps and DevSecOps are the next new thing. I'll get to that in a sec. But before I go on, can I ask, is there anyone that writes code here? Anyone that secures any app, makes patches or stuff like that? In my opinion, it's everyone's job, regardless of whether you write code as a developer, whether you make security patches, or whether you are checking your web apps, making sure there are no vulnerabilities, that you should do
that securely and in the most secure way possible. And that's what this talk is leading to. I don't know who's seen this before. This is a little bit of social commentary. It's not meant to be taken literally. But this is how some security people see DevOps. Now, I know it's a little early and no one wants to start seeing unicorn poop. But they feel that everything, the golden things the developers do, that amazing code they make, they have to do the grunt work for it. They have to make sure that it's always cleaned up, it's always nice and no one can attack it. This is not how we should see DevOps. This is how I
want us to see DevOps. We're all singing Kumbaya, holding hands, teaching everybody, encouraging, empowering our developers so that they can make secure code. We have to remove the blame culture. We have to shift from siloing ourselves into one particular category and all work together, as developers, as operations, and as security experts. I hope by the time I finish this talk that we all have this Kumbaya moment. My Messiah, she's the inspiration behind this talk. Without her, I don't think I would have any knowledge whatsoever. She's the CEO and founder of WeHackPurple. I'm hoping most of you have heard of Tanya Janca. Her book, Alice and Bob Learn Application Security, I have a running
joke, and she doesn't appreciate it, but I call it my New Testament. And her website is my temple. If application security was a religion, she would be my Jesus Christ. I mean, well, like I said, I'm just a second-year cybersecurity student at the University of Salford. Seven weeks ago I started my industrial placement at Matillion. And in that time frame, in just the seven weeks I've been there, they've encouraged and pushed me to learn more about application security. And I never thought I'd be standing here presenting to such an amazing group of people. But with their help and their feedback, I'm here to share one of my passions. So what is AppSec? Now, according
to Tanya, it's every activity you perform to ensure that your software is secure. Now, we already do this from time to time, but there is no formalized process. Some industries, some organizations, sorry, don't have a formalized process for application security. Now, this is usually the bad news part, but poor application security is a problem. Over the last few years, thanks to Verizon, and I have to update this slide because the 2021 one says APIs are number one and web apps are number two, which is kind of like, well, you've just split our categories into two and told us we suck at the top of both. So that's not exactly good news. But this is not to scare
anyone and not to condescend to our developers, because they do amazing jobs. But this is a problem that we need to address. The industry seems to be more focused on the symptoms, not the disease. We encourage incident responders, penetration testers, and we hype them to the max, even to a certain extent where some of them might have egos, which is a little detrimental to our industry. But we need to deal with the disease itself. We have so many front-facing apps, but we worry about the perimeter, not the window. You have your window wide open, but you've got security guards around. It's not going to stop anyone from breaking in. They could easily jump in through that window, grab your safe, and they're gone. That's what our web apps
are. They're the window to our industry, and it's the one way over the last few years that we've had breaches. This has to be resolved. My opinion is: introducing DevSecOps. But before I go into that, let me explain why this is actually a problem. In my experience as a university student, we do not teach application security, or we don't teach our students, our future developers, how to write secure code. Now, from my experience, I'm not sure about the rest of you here, but at Salford we had a security course, and it basically focuses on network penetration testing, right? That's good for me as a cybersecurity student, but not so much for the developers. That's not their realm.
Even if, from the research I made, some colleges, especially in America, are beginning to introduce some secure coding modules to their courses, which is great. But this is something that has to be across the board. We have to empower developers to make secure code. We have to actually teach them and motivate them on how to do these things. This is something we're severely lacking in. Another thing is that we are totally outnumbered. Now, according to GitHub, the recent figure shows that there are 500 developers to 20 ops and 2 security members. During the period of waterfall this could be up to 2,000 developers to one security team. Now, if you put the blame for every breach on that security
personnel, then it's going to take 18 months, which was what we saw during waterfall, for a release cycle to get released. Thanks to agile, thanks to DevSecOps, those release times are pretty much immediate, and I'll get into how beneficial that is in a couple of minutes. So what is DevSecOps? According to Imran Mohammed, a guy from Practical DevSecOps, I've taken his course, he explained that DevSecOps is AppSec in a DevOps environment. According to him, we already have these processes: developers fix bugs, security personnel give advice for remediation and mitigation. But if we put all of this together, application security, developers and IT ops, without being siloed, all working together, then there'll be a
faster release date and improved resiliency, which I'll go into in a few minutes. I'm a big fan of the Mandalorian, and I think DevSecOps is the way. And I'll go into the three ways of DevOps, and we'll be able to clarify why this should be the standard for every organization creating software. Now, the three ways of DevOps: the first way is to emphasize the efficiency of the entire system, the second way is fast feedback, and the third way is continuous learning. In my opinion, I think this meshes well with security. How? By emphasizing the efficiency of the entire system, we can shift from left to right. Now, I have an analogy with a house, right? That if you and
your partner, for example, plan to have your dream home, you go through the stages of getting your contractors, getting your architects to design, draw, get the builders in to come in, put fixtures in and everything. By the time you get to the last day, when you want to get your keys, you realize that you've got seven kids with only one bathroom, and you'll have to go back and rebuild the entire process. But when you see from left to right, with the speed that you have, you've taken all these considerations in at every part of the software development lifecycle, and then you'll be able to release your code in time. With security personnel at every stage of this lifecycle, you emphasize the efficiency of
the entire system, meaning that you have a faster release cycle. So what does this mean for security teams? This means that security teams, if they want to be able to work in a DevOps environment, have to be able to sprint as well with the developers. What does this mean for DevOps teams? They have to engage in security meetings, be able to threat model. I've lost my train of thought, I'm sorry. There it is. So they help the AppSec teams tune their tools, for their sake and for ours. For example, you have a DAST tool or a SAST tool in the CI/CD pipeline. In my experience, I had never heard of YAML in any kind of config files
until I came to Matillion. Without the help of our developers, I wouldn't have been able to securely test the tool in the CI/CD pipeline. They were efficient in helping us to tune those tools and get the metrics for them, for us to be able to feed back what they need to correct. Also, the dev and ops teams need to have both positive and negative unit tests on the application, to be able to get it to handle invalid inputs. This is kind of like the threat modeling, almost like the threat modeling stage, where you put your evil brainstorming hat on and figure out what the negative use cases are, which ways an attacker or malicious threat actor would go to break your system.
Faster feedback. Now, this is one of my favorites: shifting left. You have to push left, because in some organizations the security team aren't allowed to shift, so you literally have to push to go left. Which goes back to my house analogy. You go back to the requirements stage, and right from that stage you have security in mind. Same thing with the house. You get your architects in and you tell them, look, I've got seven kids, so I have to make sure I've got a bathroom where every one of us can be free and there will be no complaints. You have to ensure that it's safe, get your barriers for your children. You go to
the design stage and it's the same thing. What do you need to put on the electric sockets to make sure that they don't go and put their fingers in there? Code is, well, you're bringing your design to life. So you're adding your structures, and you're ensuring that your balcony has the security gate so your kids don't jump over. And then you test it. You test it, make sure that it meets those security requirements. You don't just fix the gate and leave it with, you know, a little wobble, and it falls over and, I'm sorry, your kids are down the stairs. And then when you get your keys to get into your new home, you
find out that you don't really need to go back and do anything else, because you've already considered every possible thing that could go right or wrong while you're going through the entire stage. Which means that you get faster feedback during each stage of the software development lifecycle; you get feedback faster on what you should and shouldn't do and what would be appropriate for the release.
What does this mean for the security team? Like I said, the security team will have to learn how to sprint along with development teams, and will be able to add their input at every stage of the secure development lifecycle. What about the dev and ops teams? Feedback goes both ways. So you want to be able to tell the security team what you're concerned about, what you feel might break the build, what you feel might be essential to ensure that you could release your software faster. Like I said before, you participate in security activities, incident handling, threat modeling, security sprints as well. If you're in a position where your organization has both red and blue
teams, you could actually perform some of those red team activities and see where some of the deficiencies in your system lie. And my personal favorite, continuous learning. I think most nerds nowadays are more gamers; I'm like the old-school nerd, I like a huge chunk of fresh books in front of me. I just love the smell, I don't know why. But for us, like every athlete, I'm sure most of us, I don't know if you guys are Newcastle fans considering where we are, but as a Chelsea fan myself, I know athletes constantly have to hone their skills. Even during the off-season, you see them on nutrition, they're with the nutritionist, they're doing their fitness regimens. It's the same: they're continuously learning so that they could be
in a position where they're always giving their peak performance. And this is the same for us in security. We have to constantly hone our skills. What does this mean for the security and DevOps teams? For the security team, it has to be able to enable and empower developers, to be able to introduce materials that are necessary for the work they do, to make sure that whatever code they write and the libraries they use are both secure. The tools that might be required, say, from a security perspective, a DAST, a SAST tool, using Snyk and stuff like that, to be able to teach those developers and show them how you could use this to find vulnerabilities
in that code. Dev and ops team, what does this mean for them? That means they have to be open-minded. We're not trying to be condescending. We're not saying the software developers suck or they need to get better. We just want them to hone their skills, just like athletes, to be better and be efficient at what they do at all times. Finally, to be able to make security everyone's job, it requires a culture change. First of all, we can't keep blaming everybody. A breach happens; we can't say, "Okay, it's your fault. You deal with it." We know it's happened. The solution should be: how do we make sure this doesn't happen
again? What can we learn from this breach or this incident or this vulnerability? And how can we make sure that we're in a better place for it? To be able to do that, we have to change our security culture. Even something as minute as passing a pen test, celebrate that. Running a pipeline and it comes back with no highs and criticals, celebrate that. Offer a pizza break. You guys did awesome. That kind of mentality change helps you reinforce the fact that, okay, this is something we need to be doing every day. And it shouldn't be secondary to our jobs. It should be a part of our jobs. We have to reinforce that culture change if we're going to be doing that work. Like I said, we're too siloed as teams.
Security is on its own, devs are on their own, the IT operations team are on their own, and they only talk when they need to. We need to be able to work closely with these guys. We need even, to a certain extent, to embed ourselves in their teams, understand their working patterns, learn from them, and be able to offer solutions when problems come. The only way we can do that is if we all work together, all closely together. Like I said, no more blaming. If a particular situation has happened or occurred, we need to shift from "this is your fault" to "okay, what do we do to make this better? What can we learn from this moment, and how do we ensure that we're more resilient
in the future?" And then my resources. Like I said, OWASP, I think, is the best thing that's ever happened to application security. I'm an OWASP student member myself, and the benefit I get from just a learning perspective is awesome. I would encourage every one of you to join up. And my Jesus Christ herself. Please follow her. She's amazing. Her insight into everything application security, given that she's been a software developer herself and is a security professional now, is insightful. She works with, they used to be called NeuraLegion, but they're called Bright now, and I've tested their DAST tool, and it's pretty awesome, and it's thanks to her. So please, follow her on Medium, follow her on Twitter, check out her topics on YouTube,
and please visit the WeHackPurple Academy. It is awesome. And yeah, that's me. Thank you. If there are any questions, I'll take your questions. Thank you. That's your first talk? That was amazing, man. Thank you. Honestly. Another round of applause. First talk. Thank you. Do we have any questions for Kay? Not really a question, but a piece of information. I think Tanya's WeHackPurple company got folded into Bright. And now the whole training academy has become free for anybody to use. So all the paid training courses have now become free for anybody. And her AppSec training courses are very good. I'd recommend anybody to go and sign up for those courses. Thank you. I appreciate that. Any more
questions for Kay? It's a bit of a mean one. You said at the start something that resonated with some of my previous experience, that security teams can't shift anywhere, they're not allowed, trying to break down those cultures. I was going to ask, and it's unfair given you've mentioned your short time in the industry, how you think we can break down those barriers. But equally, you also said just give pizza, and that's possibly the best we can ever get. So I've definitely taken that one on board, because pizza wins everything. But I'll see if you've got anything else to add to that list as well. No, I'm glad you considered the fact that this is pretty much me in diapers trying
to walk. So I don't think I'm in a position to be able to give that kind of high-level advice. From a rudimentary point of view, and as someone who's, like I said, making my baby steps, it would be awesome to have, we've passed the pen test, some Domino's. I'd love that. I'd know that every time we have any type of security challenge, I have to be on it because I have pizza. It's a small start, and I'm sure there are more things that we could do to change the security culture, and that's part of my remit. I'm learning as well, and I want to be in a position where
I can be here maybe next year and give this talk again and be able to say, okay, based on the year I've had, these are the things I think we need to do to have a great security culture. Thank you. Other pizza brands are available. I do think that sometimes if you need to move a culture, you need to find out who's blocking you. Traditionally it's the "we can't afford that, that's not that important", and then you have to speak their language. So if someone's blocking you in anything, speak to them in their own language, not in yours, because they don't care about, absolutely, they don't care about security. The company makes plastic palm trees, so if we do this we can make
more plastic palm trees. That's the way to start moving change when you have such a wall. It's not easy. It is the: don't try and solve it all at once, move it, celebrate your little successes with pizza. You're right. And I should have mentioned this during my talk, but if security wins, the business wins, right? Or if the business wins, security wins. If the business is out of business, right, we'll be out of a job. Take, for example, the company I work with, Matillion, which is a software development company. If we had any kind of problems that affected the business, we would be the first to leave. The developers aren't going. They're going to be there to try and fix the problem and make sure that
the company earns more money. So if the business wins, security wins. And I think that's a very important part to put in, because sometimes some security folks forget the fact that... we have to make these things 100% secure. Not necessarily. But thank you for sharing that. I appreciate it. And thank you for having me. I appreciate you listening. One question. Oh, my God, I'm sweating here. Don't worry, I'm not really going to ask a question, but because of the comment that was made of, well, how can you make this happen, I very much just want to say I very much agree with your comment of, you know, sitting in on the sprint. That's what
I do every morning. And, yeah, you know, developers, they often don't have the time to look at security themselves and understand it. And yeah, us in security, we can't always understand everything of the code they're writing. But basically, I work with squads as a security analyst. And I alternate between my squads every morning, sitting in on their sprints, looking at their Jira tickets, seeing what they're working on, and picking up from that the things that I might want to look into that might cause issues. But also then, when they get stuff that needs a data protection type, data governance overview, holding their hand through that process and helping them with it. And so, yeah, you become that kind of critical
friend. They come to you and they ask you the questions. They ask you for help in meeting data governance requirements. But then they start to trust you more as to how do we make this more secure? And yeah, then you get to the pen test and it works. Or you can see the problems that come up in the pen test and you can say, well, that shouldn't actually be too difficult to fix, I think you just need to tweak this, and it's not going to add another month on to our sprints and that. So, yeah, it's very much backing what you say. No, thank you for adding to it. It's
part of, I think, one of our jobs as application security engineers, at least in my opinion: it's all good to have that technical knowledge and being able to solve and deal with bugs and vulnerabilities, but importantly, we have to be able to empower the developers. They are the ones in the position to write the code. They will be the ones able to remediate it faster. So if we can empower them in a security way about how to consider and how to make security a part of their jobs, then we probably won't have to be critical friends anymore. We'll just be normal buddies. You could just come to me and we talk
about this because you understand the security problem, and I could help with maybe explaining some of that more. Thank you for that. I appreciate that. Any questions? Any really horrible, hard questions for someone on their first talk? Make me sweat some more. Something super horrible, critical. You've said about having seven kids. How have you got the patience? I don't have seven kids. I've got two. How have you got the patience to deal with them? And has that helped you in your AppSec career? Developers. That's actually a great question, because my first daughter has cerebral palsy. And I should have told this story as well as part of how application security is missing for students at university. My daughter, when
she was six months old, before she had her brain injury, we always sat together during my university classes because everything was done at home. To make it easier, because she kept on crying, I would just give her Cheetos, right? Like, "Here's some Wotsits, eat that." After three weeks of doing that, her mom kicked my ass. I didn't have coffee for a week, it was painful. But then I started giving her tomatoes instead. She didn't like it at all, hated it, cried even worse. But I put my foot down and made her take those tomatoes and now she's a fruit lover, she's a vegetable lover, she could eat. Man, I was surprised when this chick was
eating a corn on the cob by herself. And she's got cerebral palsy. But because she's used to having her vegetables, we know that having your five a day is good for you in the long run, right? Compared to having Cheetos or Wotsits every day. Same thing could be applied to our developers, right? The... from their experiences, only when they come into industry sometimes, if they go externally and learn, they learn how to write secure code. If we keep pushing them by giving them these new vegetables, they might not necessarily like it. They're used to having their fancy features and not, security-wise, having to break it. But if we keep feeding them these vegetables,
in my opinion, in time, they would love vegetables as well. So they will always want to write secure code. They will always consider security first. Maybe not as the be-all and end-all, but it would be a part of the thinking when they are writing their code. That's the one way I could equate the two together. And it's the one thing I learned from having children, that you have to be patient. You can't just all be screaming and shouting and saying, you have to do this. You also have to show them why they have to do it. Why is this good for you compared to the stuff that you actually liked before? So what we're
saying is good code pizza, bad code... Hey, right. Oh, we have another question. Is it about vegetables? Yeah, it's just an observation. It was a really good presentation. Thank you. I think, though, you might want to consider going to the developers' convention and delivering this presentation to them, because I think you've just reminded all of us what we go through on a day-to-day basis. But if I play devil's advocate to myself... I like a little bit of insecure code. I like the people who click links. I like the people who open attachments. I want to pull them into my bosom and nurture them because without them I don't actually have a job. Thank you. All right. Any other
questions? Look at that. Survived his first talk, his first grilling. I've got the sweats to prove it now as well. You did a really good job. No, I appreciate it. Thank you. All right. Big round of applause for Kate. Thank you.
Okay, we're now moving into a break, so run out, grab teas, coffees, toilets, snacks, anything that's not nailed down, and back in at half past. Do you want me to just sit down and do the intro? Okay. Hello, hello, hello. Hello, hello, hello. It's on my mic at the moment. Hello, hello. Excellent. So... We're now all going to witness a live robot being built and it becomes a roverlord by the end of the talk. See how it goes. It'll either do the ironing or be roverlord one or the other. But big round of applause for Mark who's going to come and tell us all about building a robot for complete beginners.
Thank you very much everyone. So this is either going to go really well or really, really badly because I am going to be doing some stuff sort of live on stage and it means that the demo gods very definitely have to be with us or it's not going to work too well. First of all I want to talk about why I'm into this sort of thing. Who remembers their first computer or the first computer they got to play with? Wasn't it brilliant? Wasn't your first computer brilliant? You could do all these things on it that you really didn't think were possible before. You know, you could, sure, run the programs and stuff that other people
had written, but you could write your own, you could make it do things, and it was really exciting. My first computer was really, really brilliant. It had 32K of RAM, it had a 6502 processor, and it had eight colors or 16 if you count them flashing. Brilliant. And when you wrote a program on it, you could save it to tape or get this, you could save it to floppy disk. Right. And computers today are actually a whole load better, aren't they? I've got a laptop here that I'm doing this presentation on. The reason why it's scaled funny is because the laptop I'm using is terrible. It's so terrible, it's one that my teenage kid threw
away because it wasn't capable of running Minecraft anymore. But even my really terrible laptop is literally thousands of times more powerful than that thing. Hundreds of thousands of times more powerful than that thing. And there are computers everywhere, so much so that we don't really notice them anymore. You drove here in a car, well, that's probably got about 100 computers. You've used your phone today, well, that's got at least four or five CPUs running different bits of what it's doing. And they're everywhere, they're ubiquitous, and they're ubiquitous to the point that they're not really very interesting anymore, are they? You know, I think that seven-year-old me would be so, so disappointed that there are computers everywhere and they're just so dull, right? So this talk is about trying
to make computers brilliant again, right? Can we find some way of, in a computing device that we've got, recapture that excitement that we got from the first computer that we ever used? That's what this talk is all about. So, first of all, disclaimer, disclaimer. I'm Mark Goodwin, as I was introduced earlier on. My day job, I'm an application security engineer slash manager. I usually break software. I don't normally build hardware. I have zero qualifications whatsoever in any of this. I'd encourage you to try some of the stuff that I'm talking about today, but I can't promise you won't break things. I can't promise you won't set things on fire. So obvious disclaimers there. Be careful. But what are we talking about? We're talking
about robots. What is a robot? Does anyone want to give me an idea of what they think a robot is? A person with no personality? Thank you for that. Any other ideas? It's a computer that interacts with its environment, with a physical environment. Now, the stuff that we're used to using, our laptops, our phones, whatever, they interact with their physical environment as well, right? If you press a key, it knows that it's happened. If you touch the screen, it knows it's happened. So actually, we're talking about computers that interact with their physical environment in ways that aren't standard. Okay. So I'm going to give you some examples of things that I made that I considered to be robots. My journey
here started because one of my kids said, Daddy, I want to build a robot to mow the lawn. And at first I'm like, that's a ridiculous idea. And then I'm like, cool. And so the problem that you've got is you can't just go and buy a lawn mowing robot kit. You can buy the whole thing these days, but you couldn't then. So first I had to get something to make the bits for my lawn mowing robot. So I built a 3D printer, which is kind of in a way also a robot, right? It's a computer controlled thing that moves and does things with a physical environment. I made an incubator for hen's eggs. That's kind
of a robot, right? It senses its environment. It's got something that allows you to sense the temperature and the humidity in the environment. It turns on fans to blow moisture. It turns on lamps to heat the eggs. So that's kind of a robot, isn't it? Chicken feeder. Tries to see what sort of chicken's coming along and give it the right sort of food because chicks have one sort and grown-up chickens have another. Or a chicken door opener thing. It gets too dark, the door shuts and the chickens are safe inside and Mr. Fox doesn't get them. You'll notice there's a chicken theme here. I like chickens. I'm the AppSec robots and chicken guy. Okay, so we're talking about this sort of thing. How can we, from virtually no
knowledge, start making machines that do this kind of thing? Okay. Who's written a computer program like that before? Okay, room full of hands. What does it do? Oh come on, it's an easy one. It prints "Hello World", right? It's literally the simplest kind of computer system there is. Well, it's one step removed from the simplest computer system there is. The simplest just exits, right? This one outputs a predetermined bit of data and then it exits, right? It says "Hello World". Everyone's written something like this in one language or another. So we're going to do the equivalent of "Hello World" but in physical computing. And my big idea here, which is probably terrible, but we'll see how it works, is I'm going to make sure that you
can see what I'm doing by running the webcam on my laptop. Can everybody see that? Well, you get my belly in glorious not HD. Okay, but you see here I've got a thing. It's got some chips, it's a board, it's plugged into the USB port of my computer. and I've put an LED on it. Okay? And what we're going to do is we're going to make that thing do something. Now, I've got one that I prepared earlier. Here we go. I want something that blinks an LED and I've got a blink program that I wrote earlier on. Actually, I didn't write it. I ripped it off. It's in the Arduino example set. But I've changed it, okay? I've changed it in a really important way.
The default version of this uses pin 13 for the LED. I've changed it to pin 11 for reasons that will become clear later on. And what we're going to do is we're going to take this program. There we go. We're going to tell the Arduino software to upload it. It's compiling the sketch. It's uploading it. And hopefully, if I go back to the camera... We should be able to see... That's not working. Of course it's not working. Why is it not working is the question. Ah, because I haven't changed it to the right pin. There we go. As I said, the demo gods really have to be with us, but also I have to not make stupid mistakes like that. And then the
lights mean that we can't actually see what's going on. Okay, take my word for it, that LED is actually going on and off. Maybe if I shade it from the lights... Up a bit. There we go. How about that? So there we go. That is our physical computing hello world. It's a bit like hello world in that we've predetermined what it's going to do beforehand. We run it, and it just does it. Okay. So far, so meh, right? It's about as exciting as hello world in that it doesn't do much, and we've not really learned anything yet, have we? So what we're going to do now is we're going to plug in something else. Actually, before we do that, we're going
to have a look at what it is that we just made. We've got our single board computer here. We've wired something into one of the GPIO pins. GPIO means general purpose IO. And we've run a program that makes that LED flash. Okay. What does this program do? Come on, someone let us know. It's a question and answer thing. It says, what's your name? And when you enter your name, it sends it back to you. Hello, whatever. So if you put your name B-Sides Newcastle, it'd say, hello, B-Sides Newcastle. Okay, so we're going to do the physical computing version of this. What we're going to do is we're going to add some input to our program, to our system, and then we're going to make stuff happen
with that input. And the input we're going to add... is a switch. I've got a little button here. If I go back to Cheese you can see we've got a button, and I'm going to connect that button to one of the GPIO pins on the Arduino and hopefully it will register the fact that the button's been pressed. Now, before, it just looped turning a light on and off and kept the frequency of that the same the whole time. What it's going to do this time is, when it detects that the button's been pressed, it's going to halve the amount of time between it turning the light on and off. Now there's a little detail
here that I want you to look at. You'll notice that I've put a little resistor here between the switch input and the ground. This is because of a little detail of the way that analog inputs work on GPIO pins. If you don't make sure that it's pulled to either the control voltage or to ground, it's not actually defined what voltage that input is. Okay, so it might be that when you close the switch it goes to 5 volts and the Arduino can read it, or it might be that you get sort of random input. Some devices have automagic pull-down or pull-up features in them. This one doesn't, and so we've put a resistor in. So
we've got a resistor, we've got a switch, and we're going to plug it all in, run the software, and see if it works. Okay, so first step we need some code. This time we're going to open a digital I/O project. There we go. And to talk you through what's happening here, we're setting up two different pins on the Arduino. We're setting up pin 13 for the LED and pin 8 for the button. We're choosing a delay time of 1024 rather than 1000 because 1024 divides by 2 really conveniently. And then what we're going to do is we're running a loop. Every time we go around the loop, if the button's being pressed, we're going to halve the delay time. So
we'll start off with flash on, flash off roughly once a second. If we press the switch, that's going to speed up. If we press the switch again, it's going to speed up some more. So we need to put our button on to pin number eight of our Arduino. Let's do that now. Pin number eight is here. and we needed to put a control voltage, so I plugged that into 5 volts on the Arduino, and a ground as well, so I plugged that into ground. So, what you can see now if you look at the Arduino is there's a bunch of wires coming out of it, and the grey and the purple one are for the
LED that we already had, the others are all about making this switch sit in place. Okay, and then we can go back to our project, we can run the code, and there's a bug in line 31. Oh, this is just because I haven't got space here, so I'm kind of putting this stuff together on the keyboard, which makes for interesting input. There we go. So, it says it's compiled it, it says it's uploaded it, and now, if we go back, so far it should look exactly the same, because the LED should be going on and off again, except it isn't, because I didn't change the GPIO settings back to 11. There's a reason why I changed this pin. It'll all become clear in a bit, honestly.
There we go. So now, can you see that going on and off? Okay, now if I press the button, can you see that going on and off faster? Nope. There you go. On, off, on, off, on, off. And if I keep on pressing it, it starts going really, really, really, really fast until actually it's just sort of dimly on rather than flashing on and off. Any idea why it looks sort of dimly on? Anyone got any ideas on that? Yeah, so it hasn't got time to power down completely, or possibly more accurately, it's turning on and off, it's just happening so fast that you can't see it. Okay, so that's what's going on there. Now this is a really good point for us to start
thinking about something that's really useful in building robots and things. We're going to talk about a thing called pulse width modulation, because we've looked at digital input and output where we've got an LED that's either on or off, and digital input where we've got a switch that's either on or off. But we want to move to things that are varying degrees of on or off. And obviously computers are digital machines, right? When you're doing something in a computer and it looks like you've got an analogue input or an analogue output, it's fooling you in some way. And pulse width modulation is how a computer fools you into giving you an analogue output. What happens is
it will give you pulses at a particular frequency and how much on there is compared to how much off there is tells you how on the thing that you're controlling is. And so that first case there is just like the LED that we had on our example there where it's on half the time and off half the time so it's sort of half on. This one here would be almost all on because it's on most of the time and only off a tiny bit of the time and this one here is almost all off. Now, this is useful for us because it means that we can take things like motors or actually LEDs, you can
change the brightness of an LED using this technique, and it allows us to vary the amount of power that goes to that device, which is really useful if you're powering motors and stuff. Okay, so we're going to do a bit of this now. We're going to take our Arduino again. This time we're going to add a different input. We used a digital input before on pin 8. This time we're going to use an analog input, and we're going to put a potentiometer on there. So a potentiometer is just a resistor, a big resistor between its outer two legs, and then when you turn the little knob in the middle... let's turn it back to the camera so you can see what's going on. When I
turn this here, it changes whereabouts on the resistance material the contact is so that you get a varying amount of the voltage across the outer pins. It's kind of shown in the diagram there. You've got the 5V side, the ground side, and this moves up and down as you turn the little dial. So we're going to plug that in. and then we're going to try running another program which we'll talk through before we actually start making use of it. So this time, again, I'm plugging in to 5 volts and ground so that I've got a known voltage across the potentiometer. 5 volts and ground. And then what I'm going to do is I'm going to plug the final lead into
the analog input, and now we're going to talk about code. So here we go, we've got... the analog input there with a yellow lead as per the diagram that we saw here. Okay, so let's look at some code. I'm going to go to our sketchbook and I've got an analog IO project. And what's happening here is every time the loop is running, so I set up an LED first, analog LED on pin 11. That's why I changed the pin on the previous examples. And we have a loop. And every time the loop runs, we're taking a sensor value from the analog input and we are setting the LED to be that value divided by 4. Now the reason why we've got the magic number 4 there is that when
you are writing to one of the PWM pins, I don't know how we know, it takes a value from 0 to 255. When you're reading an analogue value, it takes a 10-bit value, so it can be from 0 to 1024. So we just divide it by 4 because it's hacky maths and it works. We upload it, we run our program, and then this time what happens is, if we go back to Cheese and see what's going on on the camera... I should put something over the screen, shouldn't I? Then we could see that without... There we go, I can turn it all the way up. I've got maximum brightness. I can turn it all
the way down, where it's basically off, or I can put it somewhere in between. And whatever I do to the potentiometer here is reflected in what happens... to that LED. Okay. So, lovely. We've managed to deal with things that do input, analogue and digital. We've done things that do inputs, we've done things that do outputs, analogue and digital. Now, this is a good point to talk about which of the many kinds of little boards with lots of chips on that you should use for this kind of thing. Who's got a Raspberry Pi here? Okay, so Raspberry Pis are one of a number of single board computers that are basically full-fledged computers in a small form factor, right? You run regular Linux on your Raspberry Pi. It's ARM
Linux, but it does have a few little nice things for building this sort of thing. It has GPIO ports. It has a couple of PWM outputs and things. The thing I'm using here, an Arduino, is a purpose-made microcontroller prototyping board, and that contains something that's far less powerful, is less like a general-purpose computer, but because of that actually makes it a little bit easier to get up and running in the initial case. And I think that which you use really depends on what your application is going to be. If you've got a microcontroller board, typically the advantages are it's easier for you to run the program the first time. And when you turn the thing
on, your program is running straight from the outset. You don't need to figure out how to sort out your initialization scripts on your Linux installation to get your code running. You get real-time processing because it's got a single thread. You've got lots of IO options, you've got six analog input ports whereas a Raspberry Pi would have none and so on and so forth. Single board computers have a different set of advantages. They have support for many more different kinds of input and output. So for example a Raspberry Pi has a camera, it knows how to do sound. It has a full operating system which means that you get things built in that allow you to
do things like networking and so on and so forth. And it'll allow you to support more languages as well. On Arduino you've basically got a choice of C, C++. Some of the newer microcontroller boards you can use Rust and that's great. And then you've got things like the Espruino which allow you to run JavaScript. But for the most part microcontrollers you're fairly restricted. Now I often use both, sometimes on the same project. So the ones we saw earlier on, the thing for opening and closing the chicken coop door, that's just an Arduino because it doesn't need to be clever. The green robot, that needs the I/O features that the Arduino has, but it also needs a bigger brain than a microcontroller can have. So I have a fully
fledged computer on there as well as a machine that does the I/O. Other examples, incubator for hatching the eggs that was just a Raspberry Pi because I just needed simple input and output and yeah, sometimes I use both. So we'll get into a little bit more detail about that later on. Now before we move on to actually building a robot, I just want to make a point about analog outputs. When you are taking an output from a microcontroller board or a Raspberry Pi or something like that. Typically it will give you a voltage, right? The voltage will give you some information what it is that you're outputting, but it won't drive much current, which means that if you want to run a battery or something it's
not going to work and even if the voltage is matched the current wouldn't and in many cases when you're doing something that requires real movement you're going to want to drive a higher voltage on the battery than you would otherwise. And so there are a bunch of things that can make this sort of thing easier. One thing that's really useful to learn about is a thing called an H-bridge driver. This does two things for you. The first is it has the sort of digital amplification stuff built in that allows you to boost the voltage and current to what your motor needs. The other thing that it allows you to do is to swap the inputs
on your DC motor so that you can drive it one way or another way without having to worry about which lead's connected to what. So it allows bi-directional control of two DC motors, or this particular one, which I think is an L298 or something, allows you to drive one stepper motor, but you don't need to worry about stepper motors yet. So we're going to be using one of these in a bit. So apologies for the next bit. We're going from some basic input and output stuff to something that's a little bit more complicated. I don't want you to despair too much about drawing the rest of the owl, because actually everything in what you're about
to see is something that you've already seen. Before we do, though, I've got another... spin on the example that we've just looked at. So we had the analog LED thing. We've looked at basic digital I/O. We've looked at basic analog I/O. I want to talk about one more kind of input output that's really, really useful. And that is that, whilst you're familiar now with the idea of reading or writing a bit for digital I/O, you'll be aware that there are sort of higher level digital protocols that allow you to do things a bit more clever with digital communications between two devices, right? So you'll know, for example, that you can have a serial connection between
two machines. In terms of the electronics of what's going on, you've just got I/O pins reading and writing digital bits on a wire, But in terms of what you see as a programmer, it's all a bit easier. So serial is one example. Another example would be the Philips I2C bus. There might be other things like that. Going high level, you have things like networking or whatever. And we're going to make use of one of these high level protocols by talking to the program that we've just written over the serial port. So it looks pretty much the same as it did before, except we're initializing some stuff for our serial input output. We're setting up the
analog LED as we did before. We're setting a speed on our serial port. We're reading the sensor value the same as we did before. We've got something that does a bit with this based on some value which we haven't talked about yet. I've got a reversed value there. And then what we do is we read from the serial port and we look for a command. If the line has show, we're going to show what the sensor value is to the serial port. If it starts with reverse, we're going to change how that sensor value is interpreted. And now we're going to run it, put it onto our Arduino. That's uploading. It's working now. And initially it's going to look exactly the same as it did before. We go
to our... I'll just show it off on the camera. There we go. You can see that that's on at the moment. If I turn down the brightness it goes darker. If I turn up the brightness it goes brighter. But now what we're going to do is we're going to interact with it in a different way. What we're going to do now is we're going to start a serial connection to the... Arduino that's running and we're going to send it a command. Remember, one of them was "show". If I run that command it tells us that at the moment the analog input is 1023. If I turn it down a bit nothing happens, but it should. There we go. The demo gods have given up on
us. It's showing us something which is nice at least I suppose. Okay. There's a bug in there somewhere. I can't be bothered to find it. But the other thing we can do is we can send it a command to reverse. And then when it receives that, what it's going to do... Oh, there we go. It says it's zero now. When we turn it to reverse, this time, when the potentiometer is turned all the way down, the light is fully on. And if I turn it up, it turns off. So we've completely changed the behaviour of our programme by sending it a command over one of these high-level communication mechanisms. OK. So there we have it. We've got analog I/O, we've got higher level sort of digital I/O
and we've seen the low level digital I/O as well. So let's move on to our more complicated thing. We've got the Arduino that we saw before. Whereas before we had one analog output that controlled how bright an LED was, what we're going to do this time is we're going to have four analog outputs that tell you how fast a motor has to go in a particular direction. The way that this H-bridge driver works is it's got four input pins here which tell you... whether it's meant to go a particular speed in one direction, a particular speed in another direction, or the same for the other channel. So we've got two motors here, and these four lines from the Arduino are controlling how fast the motor goes in
a particular direction. And then what we've got is we've got a serial port connected to the piece of hardware we haven't introduced yet, which is just... I need to find that or the demo is not going to work very well. It's here somewhere. Oh, there we go. Here we go, this is a Bluetooth to serial adapter, right? And so what we can do is we can plug in this Bluetooth to serial adapter, we can plug in our H-bridge driver which has got motors attached to it, we can plug it into a battery, and if we've done all the plugging in right, and that's a big if, we should be able to control it with something, right? Now, has anyone ever driven a bulldozer or anything before? A
tracked vehicle? It's fun, right? Yeah? What input do you need to drive a bulldozer? You have sticks, don't you, which control the speeds of the different tracks. I thought what would be really nice is if you could drive a tracked vehicle with one finger. So what I've done is I've written a program for my phone that talks via Bluetooth to something, the robot in this case, and tells it where I'm touching on the screen. And if I'm touching the sides of the screen, it will tell the robot to turn. And if I'm touching the top or the bottom of the screen, it will tell the robot to go forwards or backwards. So we're using the
phone as a sensor, essentially. And this idea will be important later on. So let's put this thing together. This is where we're most likely to have a problem, in my humble opinion. This is where it's all going to go horribly wrong. So you can either wish me luck or catastrophe, depending on your disposition. Before I do anything else though, I'm going to upload the software that runs this thing to the Arduino. It really isn't very complicated by the way, this code, so we'll talk it through ever so quickly once we've got the thing moving. So that's there. Upload it. It's uploaded. And I've got a picture of where I put the GPIO pins last time I did this, so hopefully... Everything should
go okay, he says. So, remember we need to... Oop, that's the wrong picture. First of all, plug in some power. Turns out my brain's doing the GPIO pins first, so let's just go with that. Pin 3, pin 5... You know how it's really hard typing when someone's watching you? Have you ever tried putting wires into something? It's not easy. There we go. So now what I've done is I've connected all of the wires that I need for the motor driver inputs. Now I need some power for my Arduino. So plug that in here. But I'm also going to need some power for my Bluetooth receiver. So I'm going to have to do some jamming things in. What did I do with the Bluetooth receiver?
Oh, there it is. So I want the yellow cable. I don't want the green cable to go in with the 5 volts there. So somebody who did this properly would have a breadboard where everything was nicely broken out rather than trying to hack it by shoving things in on a platform. But that's not me. That's not how we roll. Okay, so now I need ground, which is yellow. Ground is yellow. And I need to plug in the serial leads, which I think are here. Okay, so now I'll hold it up for the camera. I've got the Arduino sat on the chassis with what looks to be wires going into all the right places. We're going to want another
ground lead there. Let's plug that one in. And then, with any luck, if I stick this out of the way, push that battery in... Yay, lights have come on. That's always a good sign when lights come on. And I can... Run my program again. I tell it that I want to connect. It says, do I want to connect with that Bluetooth adapter? And I say, yes. What do you reckon? Is it going to work? So there we go. You can just steer that around. Anyone want to go? There we go. Don't put all my messages on the internet. There you go. It's quite intuitive, isn't it? So we turned our phone into a sensor for our robot. And this is one of the cool
things about making use of different devices in what you're building. Because actually phones are pretty cool. They've got accelerometers, they've got GPSs, they've got touchscreens, they've got cameras, they've got all that sort of stuff. And that makes them really useful. Which leads me on to another slide, which is this one here. A few years back... When I worked at Mozilla, we were building a phone operating system. And security work on phone stuff isn't always thrilling. So when you get an opportunity to do something that isn't security stuff, it can be fun. So I made a program on the phone which used WebRTC, which is the web technology that allows you to do video conferencing in
your browser, to sit on a robot chassis and work as a virtual telepresence robot. And that's me and my kid showing it off. And that was good fun. Now, the robot I've just shown you is made from a thing that I bought on Amazon. It was 10.99, but the motors were rubbish, so I replaced them. And actually, the whole thing was rubbish, so I've cut most of it out, and I've sort of jammed bits back in, and it works all right, yeah? The thing is that you're probably not, if you're sort of first getting into this kind of thing, you're probably not willing to spend money on things to throw them away, or to break
them up or whatever. And so what I wanted to do was come up with a way of making this a little bit more accessible to people that didn't want to break things just to get something working. And this brings me on to the final bit, which is this. There's an event in Birmingham called Fusion. It's a pretty good meetup. Whereas you'll often have like a developer meetup or a QA meetup or a... designers' meetup. Fusion is a bit of everything, and I sometimes go along to do security talks. I got a call from Hannah Mitchell, the person that organises it, one day saying, we've got an AI day and we need someone to build a robot. Can you do that for us? Okay, fine.
So I set off. I went to Toys R Us and bought that, and then on the train I hacked it to do stuff. So this is a little bit of very, very rudimentary reverse engineering. So you take the thing apart. What happens is you have a little remote control. Let's get the camera out because I've got one somewhere. I'm sure I've got one somewhere. Just put this here. Don't fall off. There we go. Little remote control. It's got two little levers on it. And they're either on or off. You don't get proportional control, which is a real shame. And that talks to a receiver, which is here, which in turn drives some motors. That's the wrong window. Here
we go. And the motors drive the tracks. So I thought, well, there can't be anything too magic happening here. Let's figure out how this is actually working. And you can indeed figure out how it's working. You get these little special bricks here when you're using Lego power functions. Here's one of these little bricks here. Looks a bit like a robot face, doesn't it? Hello. And I worked out how the connecting up works because the... the battery packs you get, you can plug a motor into them directly and it can go one way or another, or you can turn it off. And yet you can also plug things that aren't directional or intermittently controlled. So there
had to be two lines that were providing a voltage and the ground permanently and then the other two switching over. And indeed that is the case. You can see here we've got the four little contacts. That's ground always. That's 5 volts always, and then what these two are depends on what's going on with the controller. And so what I did was I took this, and did that to it, so that I have exactly the same software, exactly the same type of board, and I've got two spare leads here off eBay that allowed me to butcher just enough to get the Lego toy working using our custom control stuff. Okay, so bear in mind the original version, it works, right? But it doesn't allow you to do proportional control
and stuff. So what we're going to do is we're going to see whether we can get exactly the same phone app and exactly the same robot software to work with Lego. So I'll need my app running again.
This one should work fine because I literally haven't touched it since it was working this morning. And of course that's why it isn't. Oh, there we go. There we go. So off-the-shelf Lego toy. I haven't broken it at all. And it means that if you want to get trying some of this stuff, you can do so without any risk to eBay purchases or other things like that. So there we go. That is how to build a robot for complete beginners. Any questions?
I can't see. If you've got questions, I can't see you anyway. Hello, hello, hello. I'm reasonably safe it's not going to be my overlord by the end of the day. Maybe. We could attach a leaf blower to it, though, and chase Scott McGreedy out of the place. Absolutely. It's got to be done. If you could put a harness on it or something like that, we could maybe get Scott out of the escalator he's trapped in. The first version of this, as I said before, was as a result of my kids saying, can we build a robot to mow the lawn? So I put a lithium-ion-powered strimmer head on the robot base. What could go wrong?
Well, you know, spinning blades of death, small children. So there we go, yeah. Ooh, we have hands up. What robot or kit was that from LEGO, which was there if we wanted to grab one as well? So this kit here is 42065. It's not the only one that will work. There's another one in the Power Functions track vehicle series, which is a little bit cheaper, which might be a good start point. I don't know if anybody follows me on Twitter, but one of the things I was asking before this event was, does anybody want to buy me one of the newer app-controlled ones so I can hack that and show you how I did that? But no one did that for me. So always happy to reverse
engineer the newer ones and help you use that as a base for your own things. I might have a chat with you later about that. Okay. I'm going to start with the Microsoft one. Let's do some obstacles. Oh, look at that. Let's just drive it off the shallow step. So there are lots of downsides with this hobby, I have to say. One of them is that your kids are always asking where their Lego is. LAUGHTER Another one is that people give you things that are broken. You get a collection of half-working Roombas and stuff like that. What's worse than that is that after that happening for a while, you start using them. LAUGHTER I got
half of an old washing machine and found a use for that. But you know, it's fun. Any more questions for Mark? Have you ever tried using AI to solve mazes and stuff like that with robots? Not solving mazes, but one of the things I'm doing at the moment is using image classifiers to decide what the robot should do. I have a little bit of a paddock out the back of my house. And so we find ourselves feeding chickens and cats because they're pets and crows and hedgehogs because they're wildlife and they seem to like us. And what I want to be able to do is to have food for the specific animals, but only dispense the one for the animal that's there. I
got it working for two categories. I'd like to do some more work on it. That's cool. Any more questions for Mark? I'll put all the code for this up on GitHub later. I forgot my YubiKey, so I couldn't upload it. I can't upload it until I get home. Stupid security. Just a blocker security. Just a blocker. Yeah, there you go. Right, a round of applause for Mark. An even bigger round of applause for the robot. That was tempting the demo gods. Only one thing failed, right? I'm quite impressed with it. It's probably going to break if I drive it off there. Oh, man down. It still wants to go. It still wants to go. Oh, dear. Okie dokie. Right. We will be breaking for lunch
now. Can I ask or remind everybody, upstairs there is the sticker stall, lock picking and the actual vendors and stuff, some of the guys that sponsor it. So go up and have a chat with them and find out what they do. Make friends with vendors. It's always really useful in later bits of your career. So don't just make friends with the people beside you. Make friends with vendors because they'll give you stuff. Yeah, stuff that you'll then never use, but there's sometimes good stuff. But yeah, go up, go have a chat with the vendors, meet more people. I think we've got an hour for lunch, so let's meet back here in about an hour's time,
but another round of applause for Mark, who was awesome, and everyone, see you after lunch.
I don't know, 12? 12. Boom. All right, do you want to stream us? Welcome. For those of you watching this on YouTube, people did come back as well, so that's nice. Some of them are wearing appendages since lunchtime. And that's cool. More on that later, at the break, I feel. Are you all right, Dave? I am fine. How are things going with you? Well, McDonald's forgot to bring some of my lunch, and clearly I'm going to waste away. So... Did you lose Morgan? I did lose Morgan. Then we found him. What is lost is now found. Exactly. All right. So an action-packed afternoon coming up for you, pod pickers. Starting off with this man here, Jerry Gamblin, who's going to
help us understand our vulnerability data for the next half hour or so. Yeah. Whenever you guys just start booing, I'll leave. So, right, everyone set your watches. We're good. All right. I don't think I've got anything else to say at the moment other than go and see the sponsors at the break and the CTFs running and anything else? Run to the sponsors later again. Yeah, they're there. There are the sponsors. Thanks, sponsors. We love you. All right, Jerry, the floor is yours. Awesome, thank you. Hey, thank you for inviting me to Newcastle. This has been great. I've been here for two days. I haven't seen a castle. I have seen three Burger Kings, though, so is that where the name came from? Come to Glasgow and get stuffed.
There you go. Can we do a big round of applause? Sorry. No. So a little about me, my name is Jerry Gamblin. I spent 10 years working for the federal government, five years working for a big data company called Carfax. I then went to a very tiny startup called Kenna Security, who decided that we're going to make vulnerability management and patching easier for companies because we know that the average company can only patch about 15% of the stuff on their network. About, what has it been, 14 months ago Cisco came and bought us, so I am now a Cisco employee and everything that goes along with that, but they let me go all over the
world to give talks like this to help people understand vulnerability data. So the agenda is going to be really quick we're just going to talk about the background of vulnerability data, the vulnerability life cycles and there's gonna be plenty of time for questions and answers. So when I say vulnerability data, we're just going to zoom right in and talk about CVEs today because that's what 90% of people think about when they think about a vulnerability, correct? So a brief history of CVEs. CVEs came up with the MITRE Corporation in 1999. There was just a talk at one of their conventions towards coming together with a common vulnerability enumeration system. The workgroup was formed later in 1991, 321 CVEs were published
for the whole year. We'll talk a little bit about data growth. We have more CVEs than that on some of our busiest days in 2022. Within the rest of the year, there were 29 companies and 43 organizations that were providing data to MITRE to build this list. So who runs the CVE program? The CVE program is run by the American Deep State. If you're a conspiracy theorist, you'll love that. The MITRE Corporation, which is a nonprofit corporation that was spun out of MIT, has been running this and most other government research programs since the 50s right after the Cold War. So if you ever say, hey, what's MITRE? It's the Massachusetts Institute of Technology Research and Education
nonprofit organization. So they're a nonprofit and they get government grants to run CVE along with the MITRE ATT&CK framework that you guys might be familiar with and a couple other cyber programs. along with a bunch of healthcare and other research. So MITRE is the root CNA and up until eight years ago, they were the only people who were allowed to give out a CVE. So if you wanted to get a CVE, you had to go to MITRE. But in the last eight years, they decided that the internet's getting too big, stuff's getting too fast, we're not going to do that. So they then let people and software companies who are vetted release CNA or CVE data on their own. They can publish directly to the
database. There are now about 250 individual CNAs in the world and these CNAs are based all over. Most of them are your local certs and your information sharing groups. But a lot of them are also companies and pen test groups and research organizations that make their money by publishing CVEs. WPscan, WordPress scan is probably the biggest. They have the most CVEs a year and they only produce CVEs that have to do with WordPress. So here is what CVE growth looks like over the last 20 years, right? We're getting 2,500 CVEs in the early 2000s per year. We get that a month now. Here are the CVEs by the numbers. Overall, there have been 183,000 CVEs.
That averages 22 a day. That's if you take all 23 years of CVE data that we have. If you just talk about this year, we're already at 16,000, which averages 68 CVEs a day. And the average CVSS score, if you think that's going to save you, is 7.21, which puts the average CVE into the high, high to medium, high to critical ranking. So that's where we're at in the size of numbers, and this is what I talk about all day, right? We're to a point where CVEs aren't human readable anymore. So another problem that I know is that people really don't understand how the CVE process works. How you go from a vulnerability to an actual CVE and beyond. I'm going
to walk you guys through that right now. If you have any questions you can stop and ask or we can take them at the end. So, you know, it's before publication, advisory, MITRE publication, the NVD publication, and then post publication. Those are the steps that we're going to walk through today. So before publication, this is what everybody thinks happens with a vulnerability discovery, right? You have some hacker, and he finds some bug, and then it's on. So that's step one. We're going to break this down into two categories. We're going to call them zero days and what I like to call friendly days, right? Since nobody really knows what zero day means, we're just going to say it's an external vulnerability that just happens to be reported
to your company either through the news, the government, or your information sharing group. Those are terrible. There's no way for you to control the flow of that. Your friendly days, they're either through your bug bounty program, through your customer support. We see a lot of those. Or through an information sharing community that might say, hey, we've noticed this in our logs. You also get... Some internal from your compliance reporting is a very big part of CVE reporting inside companies, surprisingly. And then proactive customers and proactive companies who are looking for this in staff red teams internal and then go along to actually publish that data. So after you've discovered a vulnerability in your product, There are two ways to do this. And just your
friendly day and just how you're going to run this if you're Microsoft, you're going to be, the vulnerability isn't going to be widely unknown. Nobody's going to know the vulnerabilities out there, so you have plenty of time. You don't have to rush. Your response is going to be between 30 and 120 day time window. That's how long it normally takes from discovery to publishing a patch. Just for everybody to take that in, it takes six months from the time you found the CVE to there being a patch in normally a public relations. And then you have the internal triage, right? This is where you have to start thinking about, hey, are we even going to
patch this? Is this version going to be around in six months or eight months? Is this something that we want to work on? Are we just not going to patch this and say it's an EOL or it's not high enough vulnerability to be patched? Does anybody here have any idea on a base image of Ubuntu how many CVEs have been released that do not have a patch? It's about 60 as of today. They said, hey, these don't rise to the level of us filing a ticket to have it patched, so we're just going to leave these open.
So after that, you then move to the vendor advisory. This is when it starts to officially run down the CVE track. So, the vendor in this case can be any CNA can file a CVE, any product developer or any interested party can do that. But the vendor must have a public website that includes these points for a CVE to be considered official and be published. It has to have a prose description, which I had to look up, and it means words that anybody in the technical industry can understand and know what they're talking about. That said, the affected product, the affected and fixed versions, the vulnerability type, the root cause, the impact, and the
suggested CVE ID. VMware, if you guys are VMware customers, you might see this. These are what a security advisory looks like. They have to be published beforehand and they're a good place to go to figure out what's going to be coming out soon. If you subscribe to these, all of these have RSS feeds or email alerts and just says, hey, here's what we've released. You can see that VMware does VMSA, VMware security advisories, for theirs so they have their own unique numbering system. So I think Microsoft has the same thing. Here's Microsoft's vulnerability thing for the Windows Defenders. They of course do the MSRC lookup. But then just to show you that it's not all gravy, there
is this new company called Hunter, H-U-N-T-R. Their claim to fame is that they have 1.8 CVEs for every registered user on their site. So if you find any bug in any GitHub repository, they will cut you a CVE for that right on the spot. So this gives me a headache about every day. So then we go to MITRE publication. This is the step where it becomes an official CVE. As we talked about, MITRE is from MIT Lincoln Labs; they run this program. You might also be familiar with them in the MITRE ATT&CK framework. So this is the information that MITRE includes in all of their CVEs, right? CVE ID, who assigned the signing CNA, the
publishing date, title, description, version, vulnerability type, cause, impact, and references. And that's it. Congratulations, you now have a CVE. You can also add CVSS 3.1 scoring if you want. NVD will take care of that in a little bit. You can also add problem type, exploit, workaround, solution, and you can give credit now, which is a big part of the new CVE program. You will laugh at me when I tell you that all of these CVEs are submitted by a web form. So you have to either use this or they have something called Vulnogram now, which is just the same form that looks like a little HTML5 thrown on top of it. But as of now, there is no API, no programmatic way to
submit CVEs. It's all done by hand on these two websites. And after that, boom, you have what looks like a 2002 web page with your published CVE on there, and now you officially have a CVE. But it's not very useful at this point because it's missing the information that most security professionals want. From there, we handed off to another US government agency called the National Vulnerability Database that is run by NIST, the National Institute of Science and Technology, and they handle this part of the publication. So they add the CPE, the common platform enumeration, which tells you what software this is affected on in a programmatic way so that you can link it back to software that
you own or you might be running. They have the CWE, which is the common weakness enumeration. It's a small number, normally between 1 and 500. You might have seen them. It's like CWE 79 is one of the most important and one of the most common ones. And then they add the CVSS scoring system. So this part of the government makes the record useful for most people. And that's the part that they do. And they do this by hand too. They have about six people who do nothing all day but sit around and figure out the CVSS score, the CPE, and the CWE for these vulnerabilities. And they're just people. And you email them and say, "Hey, I think this is wrong." And
80% of the time they're like, "Yep, you're right. I hadn't had my coffee. Let me fix that for you." So it's not the best work the US government has ever done. And then you go into post-publication, right? And here is where you get your scanner and IDS rules, your third-party scoring, and where we handle disputes. So everybody here who does vulnerability scanning or management, these numbers won't surprise you, but out of 180,000 CVEs there are, traditional scanners, your big three, they only cover about 15% of all CVEs because once again, you have to take somebody from one of those companies, sit them down, they have to look at the CVEs and they have to say, okay, I can write a detection rule for this and B, it's worth
writing a detection rule for this, right? Like, if it's a Bluetooth skateboard vulnerability, Tenable, Qualys, whoever, Rapid7 are probably not going to spend the time and the manpower to write a rule, release the rule, support the rule forever. So they say, "Okay, we're only gonna do stuff that we think is likely to be on our customer's network." IDS systems are even worse because they can only cover about the 8-10% of vulnerabilities that are network-based. So you leave yourself pretty open on that end too. That's why if you're in this industry or you are getting into this industry, you're going to start to hear a lot about osquery and agent-based vulnerability scanners. And that's because they can be 100% effective if the NVD data is
right, which it isn't. But you have to call something the source of truth. So, if we call the NVD data the source of truth, osquery-based vulnerability management tools are, you know, ten times better, eight times better than your network-based traditional scanners at this point, just because they can see everything that's running on a system. From there, your third-party scoring happens. This is what we do. We take all of the data and we say, hey, here's how likely it is for this vulnerability to be exploited. Here's what we know about it. Here's all the links. And we pull it together and then we add threat intelligence over that. There are a bunch of companies that do that. As part of our acquisition process, at Cisco, we were
able to give part of our patents away to an open source program called the Exploit Prediction Scoring System, EPSS. I have a quick 10-minute talk tomorrow I'm going to give about that. But what it does, it takes every CVE and gives you a probability of it being exploited in the wild so that you can use that data to then patch your network based on a risk-based vulnerability management model.
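As an added example, not code from the talk or from Kenna/Cisco: a small Python model of the two enrichment steps just described, matching the NVD CPE strings of a CVE against a software inventory and then ranking the hits by EPSS probability rather than by CVSS alone. The vendor and product names, CVE IDs and all scores are constructed placeholders.

```python
"""Added example (not part of the talk): link NVD-style CPE data to a software
inventory and rank what matches by EPSS probability instead of CVSS alone.

Every record, CPE string and score below is constructed for the demo; the
CVE IDs are placeholders, not real identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class CveRecord:
    cve_id: str
    cvss: float                 # base score, the NVD-added field
    cwe: str                    # weakness class, the NVD-added field
    cpes: list                  # affected platforms as CPE 2.3 strings
    epss: float                 # EPSS probability of exploitation, 0..1
    state: str = "PUBLISHED"    # or REJECTED / DISPUTED / UNSUPPORTED


def cpe_parts(cpe: str) -> list:
    """Split a CPE 2.3 string into its 11 components after 'cpe:2.3'.

    Escaped colons ('\\:') are honoured so a vendor or product name that
    contains a colon does not shift the remaining fields."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # keep escape pair together
            cur += cpe[i:i + 2]
            i += 2
            continue
        if ch == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a well-formed CPE 2.3 string: {cpe}")
    return parts[2:]


def cpe_matches(affected: str, installed: str) -> bool:
    """True when the NVD 'affected' CPE covers the 'installed' CPE.

    '*' (ANY) in the affected string matches any value; every other
    component must match exactly, case-insensitively. A '*' in the
    installed string (unknown value) only matches an affected '*'."""
    a, b = cpe_parts(affected), cpe_parts(installed)
    return all(x == "*" or x.lower() == y.lower() for x, y in zip(a, b))


def relevant(records: list, inventory: list) -> list:
    """Drop rejected CVEs, keep those whose CPE list hits the inventory."""
    return [
        r for r in records
        if r.state != "REJECTED"
        and any(cpe_matches(a, inst) for a in r.cpes for inst in inventory)
    ]


def rank_by_cvss(records: list) -> list:
    """Classic ordering: highest CVSS first."""
    return [r.cve_id for r in sorted(records, key=lambda r: -r.cvss)]


def rank_by_epss(records: list) -> list:
    """Risk-based ordering: highest exploitation probability first,
    CVSS only as a tie-breaker."""
    return [r.cve_id for r in sorted(records, key=lambda r: (-r.epss, -r.cvss))]


# Constructed inventory: what osquery or an agent reports as installed.
INVENTORY = [
    "cpe:2.3:a:examplevendor:webapp:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplevendor:exampleos:7.0:*:*:*:*:*:*:*",
]

# Constructed CVE records with the NVD-added fields plus an EPSS score.
RECORDS = [
    CveRecord("CVE-EXAMPLE-0001", 9.8, "CWE-787",
              ["cpe:2.3:a:examplevendor:webapp:*:*:*:*:*:*:*:*"], 0.004),
    CveRecord("CVE-EXAMPLE-0002", 7.5, "CWE-79",
              ["cpe:2.3:a:examplevendor:webapp:2.4.1:*:*:*:*:*:*:*"], 0.61),
    CveRecord("CVE-EXAMPLE-0003", 8.1, "CWE-22",
              ["cpe:2.3:a:othervendor:cms:*:*:*:*:*:*:*:*"], 0.90),
    CveRecord("CVE-EXAMPLE-0004", 9.1, "CWE-287",
              ["cpe:2.3:o:examplevendor:exampleos:7.0:*:*:*:*:*:*:*"], 0.12,
              state="REJECTED"),
    CveRecord("CVE-EXAMPLE-0005", 6.5, "CWE-400",
              ["cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*"], 0.30,
              state="DISPUTED"),
]

if __name__ == "__main__":
    hits = relevant(RECORDS, INVENTORY)
    print("on our network:", [r.cve_id for r in hits])
    print("by CVSS:       ", rank_by_cvss(hits))
    print("by EPSS:       ", rank_by_epss(hits))
```

The CVSS ordering puts the 9.8 with a 0.4% exploitation probability first; the EPSS ordering moves the 7.5 that is actually being exploited to the top, and the disputed record stays visible so it can be triaged rather than silently dropped.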
And then from there, we go into disputes, right? You're at the end, this couldn't have happened anywhere else because it only makes sense. But now is where you get to decide if the CVE that's gone through all these stages is real or not, right? So there are three ways you can dispute a CVE with MITRE. You can put it into the reject stage, which means that you and MITRE have come together and decided that this is just not true. We're not going to publish it, right? Disputed was added by MITRE about four years ago, especially when heavy crypto type bugs started to get introduced and heavy crypto CVEs where they couldn't tell. They literally just
said, you know, I don't know enough math to tell you if this is right or not. So we're just going to throw disputed on here and say that, hey, these nerds think that they're right. These nerds think that they're wrong. You guys figure it out. That's the disputed. And then unsupported was new and just came out a year ago. It's where they've decided that we're not going to let you go back and find a bug in IE6 anymore and get a CVE for it just because we don't support it as a company and you shouldn't expect anybody to still be using it. So it gets an unsupported tag. And here's what those will look like.
If I was better at slides, I would have rolled them up. The reject, the unsupported, when assigned, and the disputed. And with that, I have time for questions, if you have any. And light heckles. Thanks very much, Jeremy. Will they go back when a bit of software becomes unsupported by a vendor? Does that mean everything that's open would go back, or is it just at the time? It's just at the time. Interesting. It's one of the new, as a vendor, you can go back and dispute it as unsupported and you have to show them that you have a public page saying that version X of my software is end of life at 1.1.22. Awesome. So marketing isn't going to start making everything unsupported and get
rid of their CVs. Exactly. Anybody got any questions for Jerry? Coming round, coming round. You were mentioning that an agent-based system like osquery could almost give 100% coverage for what's in the NVD database, if that's correct. Yes. How about scanners that are doing authenticated scans or are allowed to look inside of things instead of from the outside? An authenticated scan is a little different. It doesn't allow them to always see everything that's on there. I think it gets closer. I've not looked at those numbers specifically, but I think that most of the scanners that have moved to agent-based are really osquery if you look under the hood. Thanks. Good question. Any more? Your
graph of CVE reports that sort of steadily climb sky high, it troughs in the middle. Is there any reason you know of for that? Let me see. So I actually run a website called cve.icu. Let me see if I can... So, where at? So, rather than a steady sort of rate of climb, which you'd expect, there's obviously years where it dropped off, right? It was lower than previous years. Yep. This, if you're talking about this hill right here, 2009, that's called the Microsoft got their crap together hill. In all honesty, they were running IE7 then, and they were just getting hammered. And that's when, that drop is nearly all Microsoft fixing their stuff. I was assuming it was just
release dates of the new Microsoft operating systems. All right, coming down the back. We'll have to pass this down. Why would a CVE be rejected? Obviously, if it was untrue, but why would someone put it through and then it just be wrong? Because people think CVEs give them some kind of standing in the community. You'll hear people say... So I hire, my team at Cisco hires about 30 interns a year. And if somebody has a CVE, it's on their resume. I even hire full-time employees who put their CVEs on their resume. And it's really weird, right? Like it becomes... It becomes street cred for people, right? So they want to get a CVE through so they can say
that they had one. When there were 10,000 CVEs, that was saying something, right? Like you had one of 10,000, you actually know what you're doing, you know, and you could tell. But at this point, that's kind of passed away. All right, last question. Stuart was waving at me. How does Cisco secure endpoint and the Kenna stuff come together or the Cisco secure banner? I will answer that question not on stage because it'll sound like marketing, but there was another hopefully not Cisco question. Here's the other question. Is it a marketing question? Says the marketing person. I'm not in marketing. As you sort of alluded to, I think it's quite common in the infosec community to have CVs use the street cred. Do you think that that's
contributed to the explosion in 2017? And do you think it's a positive that more and more are being found? Or do you think they're more obscure and arguably in the past would have been seen as unnotable? Yes. Or, you know, on obscure software? Yes. So... LAUGHTER I'm of the opinion that data in the database is fine. We're nowhere near big data. If you have anybody who does any size of data on your network and you go and tell them, hey, I have a data set of 180,000 records. They're going to laugh at you because that's small and it can be processed anywhere. But what it has moved from, it's moved CVEs from
being human readable and human operatable into the need for machines and some kind of data to say, hey, I only want to see CVEs in my newsfeed or et cetera that say software that I know is running on my network. or software that I've set, right? So I don't have any problem with it. And you could triple the number of CVEs and it wouldn't bother me as long as all the data points that need to be there are there and that the quality stays the same. But we're just past human-readable and into machine-readable data now. All right. We are at time. Jerry, that was awesome. Thank you. Really interesting, really educational, which we like. Thank
you for coming all the way to Newcastle. Thank you for inviting White Castle Burgers to Newcastle. Yes. That's important. If you've never had White Castle, you have to. Do you know, it was one of my missions at DEF CON to go to White Castle, and I failed. Great plans. Anyway, big, big, big round of applause for Jerry. Okay, coming up, we do have a great talk. However, we're going to take a break from the public schedule just for a second. All good. Because we've had news that Scott has actually made it out from the escalator and has sent this message for Dave. And I'm disturbed as you are by that. Yeah. Can I get a copy of that? There's a better one. Anyway,
that was so I could get my child out of the room and she wasn't on the stream. So there we go. Thanks, Scott. We know you're watching from under the escalator. Get some work done. All right. Coming up next. CyberCute coming down. Join us. Carefully come down the stairs. Yes. Now, as much as people were expecting showdown and were deeply disappointed upstairs earlier, I don't see any sunflowers, my friend. Yes. That's a succulent. Are you going to grow them live on stage? If I do, we will see. Anything can happen. I need to get a better picture of you for the wombo, because when you go no teeth, that is super disturbing. Very. You look like my
nan with no teeth. Yes. I'm just going to keep digging that little hole. Sol's Dave. All right. Yes, so we are going to be overclocking Sunflowers by Elliot, wearing a beautiful hat. First of all, round of applause for Elliot's hat. They're not judging, though, so it's fine. I mean, they are judging. They're all judging. Now, a big round of applause for Elliot. Woo! Woo!
Right, just before I properly start and tell you what on earth I'm actually going to be talking about, can I get someone at the back to start a stopwatch? And I want everyone mentally to take a bet on how long this hat's staying on my head throughout the talk and how far into this 30 minutes I'm going to manage to get with this on. Because this is my first time presenting at a conference. So I'm really excited to share this with you guys. And just to kind of help relieve nerves, I always had a thing with my mates that if you're feeling stressed, you put on something a bit more colourful, something just to brighten
up the mood. So we always got out leis and just, you know, just a bit of lei just really helped make everything better. So I'm going to tell you what I'm talking about and then go into conference and all the usual stuff. So... overclocking sunflowers. So what on, or in, am I actually going to be talking about? So just how machinery moves with electrical, we all know that machinery moves through electrical signals. And so an Arduino might control these electrical signals just the same way that we move through electrical signals, those controlled by our brain. But to further extend this, we also know that we don't need an Arduino for things to move. We can entirely, with no chips, no anything, just
have the electricity doing a much simpler circuit. And this is what we find in plants a lot of the time. Plants are able to move our brains, so this is, largely speaking, a thought experiment, kind of talking through whether or not it's possible to use living plants, and just things that are around us. And maybe if we're sitting in front of computers all day and are completely, you know, surrounded by screens, having a wee plant really helps with your mental health, really helps a lot of things like this. But can we actually use it as a form of multi-factor authentication? So there's a question I'm hopefully going to be answering for you guys today. And
so here's kind of what I'm going to be going through. All the questions on your mind will be answered. Am I mad? Of course, the obligatory who am I? How I actually came up with this idea? How you'd actually go about measuring it? And the next step, what we could actually do today if we really wanted and we had the right tools, what we could get set up in probably a couple of hours if we really tried. So who am I? I'm Elliot, also sometimes known as Cyberku. I'm part of the Edinburgh Napier Cyber Security Society. I'm the vice president this year, was president last year. Right now I'm interning with National Grid as a SOAR engineer. And I absolutely love bad ideas, as you can maybe tell
from this talk. I love what we can actually learn from bad ideas. I don't believe that they are useless. Bad ideas can really help us in numerous ways. We've taken this idea, me and a few of my friends from Edinburgh Napier and Glasgow and those are the other Scottish unis, and we've created a thing we like to call Seasides, which we call Bad Talks by Good Students, where you do purposely bad talks about bad ideas and you just need to try and get it to work just to boost your confidence speaking. And also, I'm a lover of very high quality, very smart, sophisticated puns, as you may or may not see throughout. And,
of course, I'm very prepared and would never, for example, the night before this talk, be sitting in a pub finishing off my PowerPoint. I wouldn't do that, right? I wouldn't. Also, what I definitely, definitely wouldn't do is, well, I definitely wouldn't be sitting at the back at lunch and stuff just still editing and making sure that, like, not even naming my presentation so it might get lost, just leaving it as something. I wouldn't do that. I'm very organised and I wouldn't leave anything until the last second, right? So, first question on your mind, am I mad? Am I mad? So the idea of using plants for things that aren't necessarily what you would usually use them for, not normal biology
and all that, is not necessarily uncommon. There's things like modern biology. I don't know if any of you have seen this guy. He's a real fun guy. Right, right, some of you might have missed it there, but that was actually one of my smart puns. And I can, don't worry, this is for all levels. So just to make sure, I feel like I should warn you all so you know a pun's coming, just so you can prepare yourself or you know to laugh so you don't feel left out. Tell you what, why don't we do something like, we'll put a pun warning up. So we'll have this guy come up. I'm saying bottom left hand corner, bottom left hand corner, yeah. For
you guys, just any time I'm about to say a pun, just so you know, you know to warn yourself and then like, you know, oh yeah, it's the, it's the Pumblebee. It just gets worse from here, guys. This is entirely what my talk is. So we'll try this again. We'll be like, am I mad? Well, there's Modern Biology. Really interesting guy. Talks a lot about the psychology behind it as well as, not only, he basically plugs his synthesizer into living plants and uses the electrical signals from there to create music. Really, really interesting. This would be nice to have. I'll stick this a bit in the third. And you get things like this coming from mushrooms. So it's quite a fun guy. But
yeah, there is... There's other people who do things like this. You've got Greg Greer who did a whole TED talk about it. Just kind of going over things like Venus fly traps and the mimosa plant, not to be confused with a drink. Which are both moving plants, so as we all know Venus fly traps close their mouth. The mimosa plant, also known as the sensitive plant, closes its petals over whenever you touch it. This creates a really easy to detect electrical signal. So Action Lab has also done a few things like this, this guy from YouTube, which is actually where I first came up with the idea. So I mean, let's see, basically, basically what I'm trying
to say is, yeah, I'm mad, but I'm not the only one. So where did this idea come from? Because as we go through this journey, I think it's really important that we remember our roots throughout this. So as I said, Action Lab did one where they hooked up a sensitive plant to a Venus flytrap, and when they touched the sensitive plant the Venus flytrap actually closed, because you're able to send the electrical signals on and you're able to measure it. It looks something like this. And so the question became clear in my mind, where it was like, well, if we had enough sensitive plants together. You've got basically a binary system. You've got open or closed. Is it sending out an electrical signal or isn't it? And if you've just got
some bit of non-volatile memory to remember that, could you make an entire computer out of sensitive plants? Now, I'm not smart enough to actually build that off in my mind or anything like that. But maybe I can make it more cybersecurity related and more actually tangible. Something useful, almost. So, the first question, which was one I spent so long trying to work out, because every single video about it, everything, always was like, yeah, you just plug it in and you go. But, well, okay, so, largely speaking, you ground the ground wire... stick that one in there, and then add a voltmeter to it. For things like the sensitive plant this works, because it's a
big movement, lots of electricity. Like with humans, when we're actually moving our fingers, when we're moving about, the electrical signals are a lot easier to detect than some of the smaller things firing off in our brain. We can still detect them, but it just adds a bit more complexity to it. So, what is possible right now? So what we've got is we've got a plant that when we touch it, it sends out an electrical signal that we can easily detect. And we can do that with each petal, each leaf. I don't know why I'm there. So we can do that with each petal, with each leaf. So really what we've got is we've got something
that we tactilely touch, and then we're able to determine what we've touched through. Well, I mean, really, we've got a keyboard, or the very beginnings of a keyboard. All we need to do is, I don't know, find some software that helps with it. So, like, you know, just like a rubber duck, but we want to make this easily. So, well, if we've got an Arduino, Arduinos have boards in place to build, basically, BadUSBs, and that allows us to really just, with a bit of trial and error, put together a very basic keyboard as it was, and we can use that as a password. So in terms of multi-factor authentication, we've got about four different types of authentication and we need a combination of these to
create multi-factor authentication. So we've got things you know, knowledge. What we've created there is something you know. It's a password that you need to know how to operate. You need to know how to operate the plant and you've got a password. Check. Next type, things you are. The issue with things you are, the plant's not going to prove you are anything. That doesn't really fit into this. What I'm going to go on to now is things you have in your possession. You own the plant, you've got the plant in your possession. Can we prove it's that plant? And things you do. Now this one's going to be a bit more, slightly more abstract, but your daily routine might involve watering your plant. It might involve not watering your plant.
When you go away on holiday, do you want your plant to still log you in? Well, no, but if we manage to relate it to things you do, surely we should be able to get something that as soon as you go away on holiday, your physical item doesn't work. It's mixing together things you have and things you do. That brings me on to the why, because we've just got a keyboard, we don't have anything useful. But that doesn't mean it's not useful. First of all, it's changing the way we look at plants, potentially. You may all of a sudden come up with a new idea, or you might go somewhere else on this. Or you
might just learn something that's not too useful, but just a fun novelty. You can invite your friends over and go, hey, look, I can log in with my plant, I just need to stick my hand in it. But we could create a lot more secure systems, theoretically, with a plant. But how do we measure this one? Because if we are not using a sensitive plant, if we're using a normal one, it's really, really small, tiny electrical signals that are measured. And really, we want to do it over a long period of time because what we're wanting to do is we want to see if it's normal behaviour, largely speaking. We are seeing if it's the
right plant, so we need some signature of the plant. So that's how the plant's electrical signals behave over a long period of time. And we are wanting to know if it's reacting to the outside world differently. So, I can't remember what pun I put in here. I'm not going to lie to you guys. I was hoping I would have notes up on the screen, but I didn't set it up for that. But we can stick it in an oscilloscope and then we can measure over a long period of time. The issue is, as soon as you've got an oscilloscope measuring, there's background radiation. The oscilloscope helps with it. But really what would be ideal, just
for the measuring in a learning stage to work out what's normal, and just for testing to see if this would be possible, is we need to... a Faraday cage would be ideal, something to just remove electrical noise. So really, really what we're wanting to do is, well, first of all I'm going to build my oscilloscope. Let's not, let's not get too far ahead of ourselves. I need to build my... so I'm going to whip out my soldering kit and use it as a few days' distraction so I don't need to actually do things I need to do. So yeah, building up my oscilloscope, and then we're here, where we just, we've got all this
electrical signal around it that's just, it's making it really hard to tell what's the plant, what's not the plant. Yeah, there's ways you can work it out, but it's just, I mean, what would really be ideal is if we could just shrink it down, and then if we had some cheap Faraday cage somewhere, like something that's just accessible around the house. I have a microwave. Exactly. Perfect. So if we manage to get it in a microwave and we start measuring it, we get a lot better. And here's where actually a lot of the questions that I don't have the answer to come up in this talk, because it's what the diodes
are made out of. Yeah, we've grounded one diode and we stuck the other one in the flower, but largely speaking, there is loads of different papers talking about, oh, no, no, no, you want to use titanium steel, you want to use glass, you want to use this, you want to use that. And they've all got different properties, they've all got different abilities. So you start looking at that and you go, well, we're going to need to test to see what actually works the best, which gives us the greatest indication of what is there. So now what? Really, we're going to need to trial and error. We need to go through those different things, try out those different plants, see if that works really. And
it's largely just because we could see from all the papers, they've shown that outside factors, you watering, everything, plants react to it. There's plants that sense if a bee's nearby by listening for the sound of the bee fluttering its wings. And if it hears that, it will release more pollen. So that you can measure through the electrical signals to some extent. So all these things show that with, probably with a well-trained AI, you could create what is normal for a plant and basically create UBA for, so UBA is User Behavioural Analytics. So just determine whether or not it's the correct plant or whether or not the plant's acting differently. So all of a sudden you go on holiday and you've got Jimmy next door coming in to
water your plant. He waters at a different time of the day than you, this and that. So you've got a real give and take at that point where you need to ask, are we wanting to, oh no, I missed, I forgot to water my plants today, I can't log in, sorry, phoning up your work being like, oh, that's me out today? Or really, are we wanting to be a bit more forgiving, or wanting maybe three days without watering and then that should cut off? But really, I feel like it would be a really, really good bit. It helps give extra morale. It's something nice to look at. But also, we could use it as multi-factor authentication. We could use
it as both something you have and something you do. So, yeah, it kind of works. All scientific papers point towards this, even if they haven't put it in these terms. I've got those references afterwards if anyone's interested. Reach out to me, come find me, I can get them to you. So, things you have, things you do. Theoretically possible to create an actually useful plant as multi-factor authentication. So I know you guys are thinking, what does this mean for me? What is my future organization going to look like? So it's going to look like a kind of basic, I've just thrown up some security places here, not necessarily an encompassing one, but just an idea so then we can remember that maybe in the future we'll have
the gardeners with us or botanists. Thank you, that was the best one I came up with. I was so happy. It was that and Pumblebee. I was so happy with myself for like three days straight after that. So... There's also CRISPR, which I'm just going to cover quickly. It was the 2020 Nobel Chemistry Prize. It's genome editing. It's getting to the point where you can have take-home genome editing kits, which is great, but you've got all the issues of interacting with the outside world. Is it going to damage the ecosystem? Is it all that? I feel like should we not exhaust... what plants can do without genome editing before there's loads of papers about oh, we could edit it and then it can store our information, it
can do that and can do this, and it can do so much right now, we just need to think about it in a different way. We just need a bad idea to bring it all together. So maybe next time you hear hack the planet, you can think of it just slightly more literally. And thank you. That's all. If there's any puns that you are very disappointed I didn't have, please at me on Twitter and use the hashtag Pumblebee. Yeah. Thank you very much. And that's my time. Now, you missed the opportunity to do Hack the Plant. Yeah. Honestly, I expected you to remove the E. The fact that the succulent lasted the entire talk, I'm super impressed with. Do we
have... Any idea what he was just... I mean, questions. Questions. Other than if my plant dies, does that mean I don't have to work today? You kind of blew everybody's mind. I'll take that as a good thing and leave it there. Indeed. Everybody, a round of applause for Elliot. Thank you very much. That was easily the weirdest one so far. Excellente. Okay, what do we have next? Because, he says, hardly getting up the schedule. Oh, I'm looking forward to this one. But we do have a 10-minute gap. So if you want to quickly go grab flowers from outside or even just do toilets and coffees and stuff, then in 10 minutes we'll be back with Rick and Nuclear
stuff.
Hello, hello, hello. Put the phone away. How rude. Right. We are incredibly lucky to... have fire without Ben being on the stage. So we have Rick who's going to talk about things he's learned in the nuclear industry, which hopefully don't push that button. But lovely picture, actually. Yeah. I mean, my first thought was it was a photo, but actually, no, that's awesome. But yes, a big BSides round of applause for Rick. Thank you. Thanks very much, everyone. It's really awesome to be here when I'm not freezing my butt off and I can actually feel my toes. I think the last time I was speaking here at BSides, it was the first year through, and a show of hands,
who was there for that one? You brave people, you've actually managed to get through without frostbite. That's awesome. Today, I want to kind of... Take a little look through. I was just saying it's really interesting that some of the conclusions that some of the guys came with the talks this morning kind of head in the same direction that I'd planned for my talk today. So that's either really encouraging or we're all heading down the weird path and we need to start redressing that. But who am I? I'm Rick. I've got the pretentious title of Lead Cloud Operations Specialist. I work for consultancy, so you can imagine they like to give pretentious titles because it brings
in the dollar. I am older than the internet. I know I don't look it. It's my youthful ginginisms. I'm the last of the Generation X before we started sliding on the Y-path. I'm a veteran of multiple different incidents of critical systems. I work in the clouds and currently I look after some critical national infrastructure for Scotland. Not in the nuclear industry. I just happen to like tinkering with physics. So, if I was to say to you, what's your perception of a nuclear worker? What's the sort of thing that comes straight to mind? Oh, yeah. I wonder what sort of things, radiation suits, crazy people, and I guess that yes, pretty much the entire industry is now rattled around
to come up with the idea that Homer Simpson is your typical nuclear worker. This will be a talk with some audience participation, so I hope you've got your voices ready at some points. When we're talking about nuclear incidents, we have an international scale. This one goes from being, "That's not too bad, there's a bit of paperwork to sort out" to, "Oh God, half the planet's on fire!" So, bear this in mind when we start going through some of the scenarios that we've had and what that's actually meant. I'm going to relate four incidents. in the history of the nuclear industry, the lessons that we've learnt from those, the changes that happened in the nuclear industry and the bearing that it has on IT systems. And I'm going to wrap
those around four different concepts for what a business could be, from small companies through to enterprises. And for our first one, the start-up, which looks at having to learn as we go, we go all the way back in time to Windscale. How many people here have heard of Windscale? Good grief, more than I was expecting. I was expecting all the youth to be in here, so I wasn't expecting you to know what it is. Windscale is now called Sellafield. The original one was built in the early days to kickstart the nuclear industry in the UK. It is the first and worst nuclear incident that we have ever had in the UK. It is terrifying that we didn't end
up with a worse environmental disaster. And you'll be surprised to know that they have not actually decommissioned the molten mess that is the pile. And that's not actually going to be completed. Well, they say 2037, but the guys are reckoning it's going to be in the 2040s. What was it put together like? Well, this was a first generation nuclear reactor, so a bit like the Manhattan Project. You've got a big chunk of graphite and you throw some nuclear fuel into the damn thing. An interesting one that the UK decided to do was they didn't want to water cool it because they'd seen some problems with an American reactor that was very much the same. Big 50-foot pile of graphite, loads of fuel loaded into it. And the Americans
were having problems with some cooling and the thing getting too hot and potentially hitting a nuclear meltdown point. So the UK went, "Aha, we're not going to water cool it, "because if we lose water, the thing's going to burn to the ground. "We'll air cool it. "So we'll put some ruddy great fans at the front of it "and then we'll force air through it to cool the thing." Now, you might notice from here on this diagram, there's no way that actually seems to be pulling energy out. There's no turbines. There's nothing that actually generates electricity. Why is that? Well, it was to kickstart the nuclear industry program, but it wasn't actually to generate electricity. And you
kind of think, okay, well, you know, is that just that it's... It's a scientific thing. We're trying to learn things. And yes, that is the case. We were trying to learn about nuclear reactors. Brand new industry. First in the field. The guys were kind of getting to terms with what was going on. They put some chimney scrubbers in, because if you're shoving air past things that are nuclear fuel, you kind of want to make sure that if there's radioactive particles, you filter those out before you throw it into the environment. They didn't really want to have to do that because they're expensive, and by the point that they'd thought, maybe this is a good idea to put some scrubbers on there, they'd already started building chimneys. So
they ended up with them at the top, which is why it looks weird. The control rooms, very basic controls. But the whole point was that we were making nuclear material so we could blow stuff up. And at the time we're trying to get in bed with the Americans to get the nuclear program. It's post-war. The Americans want to keep all the nuclear secrets to themselves. They want the bomb. They want in control of it. UK is wrangling for that. So the government puts pressure on. We need to get a bomb. We need to get this massive detonation so that we can be in league with America and share nuclear secrets. To do this, they realised
that these cartridges and these weird shaped things here, these actually had the nuclear fuel in. These were pushed through the pile, they would react together and they would generate products in it that you could then use for nuclear bombs. Great, no problems, fine. These things are fairly safe-ish. We're kind of learning what's going on. We've had a few kind of minor incidents with getting the thing online, but we need to do it faster. So what do they do? They start trimming off the fins from these things so that they can create more heat, more generation. So what happened? Well, the temperature on this pile rose at one point. And they'd seen this before, and they were starting to learn the physics behind this, that if you put enough
nuclear product next to graphite, it changes the structure of graphite, it starts to get hot, it starts to store energy inside it. This basically ends up with hot zones that you can't cool easily because it's stored energy. It's like having a big battery or a capacitor that you're throwing energy into. And the only way to discharge it is to get everything hot and let it all cool out naturally. So, okay, they've got this thing that's called a Wigner release where they basically heat the whole thing up and they let it cool down again. So they did that and it didn't seem to work and they thought, that's a bit funny. Okay, we'll do it again.
So they got the thing hotter and at this point they're thinking, this is getting quite hot, this is close to graphite melting type temperatures. Better turn the fans on. So the fans are ramped up. The radiation monitors start to kick off that there's particles going up the chimney. So, okay, maybe we've got a burst cartridge or something. This has happened before, because the cartridges get pushed through the pile and then they drop into a pit, and sometimes they don't drop into the water properly and they have to have someone push it with a stick and get it into the water. You know, real safe things. It was the 50s after all. So, they think, okay, maybe this is a burst cartridge. Lift up one of
the lids. This thing's on fire. So, everyone, I would like you to repeat after me. Blimey, governor! Hold my cup of tea, I've got an idea. Excellent, let's turn the fans on and put them really high power to blow this out. Who knows what happens when you put lots of oxygen into a fire? Yes, that's right, the entire pile goes up in flames. So, this spreads the fire out to the other channels. They attempt to start ejecting the cartridges using scaffolding tubes and all sorts to get things out of the way and create a fire break. And then they're kind of like, "This isn't working, there's still graphite on fire and there's all sorts of nuclear fuel on fire and this is really bad."
Okay, we've got some carbon dioxide that's just been delivered for the nuclear reactor that we're just about to commission next door. Let's pile that in, but they couldn't deliver it in sufficient quantities, so... Let's pour water into it. What's water made of? Hydrogen and oxygen. When it gets hot enough, you get a nice gas that explodes. So... This is a little bit risky. They try this and start shoving hoses in the front of the thing to get it cooled down. Doesn't quite work. They eventually think, right, what the hell do we do? And one of the guys who's running the place is on top of the pile, looking down into the flames, trying to look from an
angle so he doesn't get completely burned away with the radiation. Shut the fans off, shut all of the air off, seal the place up. So they did that. Flames died out instantly. And they continue piling in water for the next day to try and stop the rest of it. Lessons learned. Fans, fans, really, guys? So they started to learn about what the effects are caused by stored energy. They start looking at the way that we're doing this. This isn't the best reactor type. Let's scrap that. Let's do something else. A lot of this was covered up, which is why a lot of you probably don't know about it. Because at the time, we were trying to make sure
that we could get into the nuclear programs. So what do we learn in IT from this? New processes will always put you into unknown situations quickly. And when you're in a startup, for those of you that probably work in a startup, you'll have experienced this. The first teams that implement a new technology are going to have to learn skills quickly. You're going to have to figure things out that you've never seen anyone else do. If you're not going to design safety features in at the beginning and consider potential outcomes, you're probably going to run into them. Because Murphy's Law says that anything that's going to go wrong is going to go wrong. And you need to document all of the processes as you go and be prepared
to write off the first versions. I've been there. I've been in the startups. We've learned some of the lessons. We've fought the fires early on. But once you get past your startup, you start moving into an established business. So hey, this thing's kind of working. We're rolling out to more things across the country. Who's heard of Three Mile Island? A couple of you. Not many of you. Three Mile Island is basically the incident that brings us to the Simpsons. So when you think of nuclear power and the Simpsons and the chaos that it is and the crazy plant that there is, that's basically based on Three Mile Island. Three Mile Island was two nuclear power plants on
an island three miles long. It's in the name. Americans. It was the most significant accident in the United States commercial nuclear industry. It happened in 1979. On that crazy scale, we're also at number five. So Windscale was a five. It had disaster beyond its surroundings because it ended up with loads of people contracting cancer. This was also a five out of seven. The biggest thing for Three Mile Island was that it was the financial impact that actually mattered most to the company, because we had a $4 billion asset turn into a $1 billion negative liability within the space of around two hours. It was a product of the manufacturers basically knowing information and not sharing
it with the people that were running their plants. And it basically stalled the nuclear program in the US through fear. So what was it like? Well, as you can see, it's not a pile like Windscale was. And there's a whole generation bit on it. We're going to generate some electricity. We've got our reactor building, we've got our turbine building, we've got cooling towers. You can see something that's a little bit different on this one. And this big thick line around here is something that came in on these Generation 2 reactors, which is the containment building. Nice big thick structure, several feet thick, reinforced concrete, creates an environmental shield, creates a blast shield, should there be anything, keeps everything nice and condensed inside. Diagram on the
right is the state of the nuclear core after the incident, and you can see there's a load of chloride at the bottom there that basically is the melted fuel and some of the cladding. So what happened? So the manufacturer was already aware that there were problems with some of the valves. They didn't tell anyone about this and some other plants had encountered the problems. There was a similar incident 13 months before Three Mile Island and fortunately they were running in a low power mode on their reactor and they discovered that the valves were stuck in the pumps. Full system checks basically weren't being done because, well, it's a brand new plant. Why would you want to do
full checks? You know, it's new. I'm going to check it. That's costly. That takes time. Maintenance wasn't being undertaken correctly. There were some examples in the presidential report of the stalagmites and the stalactites starting to build up on some of the coolant pipe work, and that sort of thing should have been spotted straight away. The operators themselves were basically untrained. Some of these guys are clever enough guys, but they've not really had any hours on the reactors. Control room itself was really poorly designed. Stuff everywhere. If you can imagine the Simpsons and the way that Homer has his panels, it was basically the same. Everything's shouting, everything's screaming off constantly, and there's buttons everywhere, there's control things, you
have to scoot from one side to the other, and basically you'd get fatigue. Now we can see this in the security industry, we can see this in the operations industry, that if we've got alerts that are coming in, if you've got 50 alerts screaming at you constantly, what happens? You start to ignore all of the alerts. You stop worrying about anything that starts screaming at you. So what happened? Okay, the primary pump to the cooling circuit fails. No problems, we've got backup pumps. So, automatic start up of the backup pump, no problems. The plants in the generation 2 are designed to be semi-self-healing. So, great. Starts up, automatic start up of the pump, boom! Pump starts to run,
we're gonna get water coming through the thing. Backup pump couldn't deliver any of the water due to the fact that someone had manually turned off the valves. So the temperature rises in the reactor because it's got no inrush of water. The water that's stuck in that loop is getting hotter and hotter with the reaction in there. Okay, no problems. Second safety thing happens. The temperature's risen, the pressure's gone up because the water's getting hotter and hotter. The relief valve opens so that it doesn't get too high pressure. No problems. Relief valve goes, starts to dump out some of the pressure into the relief tank. No problems. Because that's opened, the reactor now goes, I'm in an unsafe state, I'm going to scram. Scram, for those that don't know
it, is a safety control rod. And originally it was Axeman, because it used to be, when it was early days, a guy with an axe chopping the rope, letting the boron rods drop through, kill the reactor, kill the reaction. It's now the... automated systems that basically do that for us. We don't have a guy with an axe dropping everything. So okay, system scrammed, reactions stopped. Indication in the control room says that the valve is now closed, but it's not. The emergency core cooling system basically goes, this thing's hot, so I'm gonna dump a load of water into the thing. Great, excellent, all of this is automated. If it had stopped about here, this would have just been a footnote in the nuclear industry, but they
didn't. So the operators go, "Well, why has the ECCS, like, gone on? Like, the valve's closed, like, everything should be fine. I'll turn you off." So the operators turn off the emergency core cooling system. The backup pump valve was discovered closed, and so they manually opened it again for the inlet pump. The water from the reactor loop continues basically then to pour through the reactor and into the relief tank because we've got the relief valve that's still stuck open. The reactor core basically starts to get uncovered because you're dumping all of the water out faster than you can flood stuff in. At some point, some genius goes, "Oh, you know what? That tank's getting full." We've got a gauge that says that that tank's getting
full and it's starting to overflow. There must be a valve that's open. So they go and they manually get down on the floor and they shut the thing. So everyone say, "Hey y'all, I got a great idea. Hold my beer, I'm gonna put the ECCS back on." Awesome. You put something cold onto something really hot, what happens? Yeah, that's right. You pour cold water onto hot metal, it's gonna start to crack. So they start pouring cold water into the damn thing, it cracks, the nuclear product starts to release into the product, into the reactor vessel, and then hydrogen is produced inside the thing because now you're splitting water because it's getting so damn hot, and you've got all sorts of different reactions going on, and
then it explodes inside the thing and sets off some pressure sensors, and that damages the core even more. Yeah. Lessons learned. So... In all of the process there was a huge chunk of clean up, there was a load of decommissioning that they had to do over the next few decades. There wasn't a lot of outside environmental impact because most of it was contained in the radiological environment. A lot of it was contained within the buildings; it was designed to do that. They discovered that this defence in depth worked. So we had automated systems that were working, some idiot turned things off, some idiot turned things back on again. But on the whole, if they'd just left it, the automated systems would have worked. The defence
was working. Maintenance was absolutely critical to make sure that that was going to work. Sensors and indicators should indicate the state rather than what was happening, it was showing the electrical connection. Could I send a current to the valve instead of is the valve actually closed? and one of the things that they changed on all of the generation 2 and then generation 3 reactors is to actually indicate where the valve is they realize that training is massively important and now in the nuclear industry you do like three weeks on the reactor normal conditions and then one week in a simulator which looks exactly like your standard control room except everything goes wrong that week and
you basically have to train on what to do so They looked at the control room, they realised that there were tags over things you couldn't see, bits and pieces, you had to go from one side to the other. They've regenerated all of the Generation 2 control rooms and all of the Generation 3s were very different as well. All the new generators, generating reactors, basically have passive cooling so that you can not rely on this ingress of water so you can just literally let the thing scram and it'll cool down with convection. Gen 4s are brilliant. So what do we learn in IT? Well sharing information around faults and common failures downstream is super important. How
many of us have suffered with products where something's been known to the manufacturer but they haven't told us? Huge security hole in a product, major flaw in it, data goes missing. They could have told us, we could have patched it, we could have fixed it, we could have done something, but they haven't told us. We've got to make sure that we've got defence in depth. And this is something I try and design into any of the cloud systems that I'm working on, that you are not just relying on one single thing to stop the whole process, that you've got multiple stages. Maintenance is absolutely key to ensuring safe practices. If you don't maintain the thing,
by entropy it's going to start to degrade over time. You're going to run out of patches, you're going to get out of your software cycles, you're going to end up with bugs creeping into the system. Automated processes can and do work. If you can automate it, automate it. Get it off someone's desk, get it off someone's mind, because they're going to forget about it, they're going to mis-key something. Automate the systems. Provide your teams with clear observability about what's happening. This is key for operations for security personnel. You need to know what's happening on the system. You don't want to know something that's happened five days ago unless that's what you're searching for to do some root cause analysis. You need to know now, live, what's
happening. So we've got an established business. But we go through some hard times. We get to the struggling business where we're having to run as cheap as possible with limited experts. Chernobyl. Who's heard of Chernobyl? Yes. Who lived through it? Oh, there's only a few of us. Chernobyl. Obviously, we've had recently quite a bit of interest in the HBO series and things on it, which was a quite good adaptation. Chernobyl was, to this day, the worst global nuclear incident ever. which happened in the old Soviet Union, which is actually now in Ukraine, and some of you will know that there's been renewed worry and concern around that with Russia moving all of its troops through Ukraine and going through
all of the danger zone. It was ranked 7 out of 7 on the international nuclea