
While people are still walking in, I would like to introduce Marcel, who is going to give a nice presentation. I heard he was still preparing some slides this morning. (Yesterday, during lunch, I added some.) So, looking forward to hearing your talk.

Thanks. So hello everybody. My name is Marcel Corn. I hope all the projectors and screens will be working, so let's get started. My talk will be a bit different from the talk before: it will be less technical, so be prepared.

A little bit about me. I'm a bit in between two jobs. First, I'm co-owner and director of AT Computing, which is an open source consultancy and training company. But I'm also what's called head of learning at the Complimentary group, which is the parent company, where I spend my days trying to figure out nice ways to improve our training courses for our customers, together with a team from several companies. And recently I became the co-founder of what's called DOSBA, the Dutch Open Source Business Alliance, which is an initiative here in the Netherlands to make open source driven companies collaborate more. We didn't have such an alliance for 20 years in the Netherlands, and now, especially with all the politics going on, it's a good moment to gather and see if we can make open source a stronger ecosystem in the Netherlands.

I have some features. I love, obviously, open source software. I like to provide trainings and also to learn a lot, and I try to share my knowledge every now and then, so that's part of my mission today. I also have a couple of bugs. The most important one is that I produce a lot of bad word jokes. And for the people from... I do not like puff. Yeah, sorry, I don't like it.

So why am I here today? First, I like to share my view. I go to places, I talk to companies, I talk to a lot of peers within the cyber security community but also from other jobs within IT. That gives me some perspective, and my general conclusion, for the last couple of years already, is that we have a fundamental lack of knowledge within IT, in the broadest sense of the word. So that's why I'm here; I hope to do something about it with this talk. But be aware, it's not going to magically disappear after this talk. So if you have the idea that you will walk out and know everything, you will be disappointed. But I hope that I will clarify why this is an issue, and especially in cyber security, as we are talking about today.

So let's start with the basics. What actually is knowledge? This is a definition; you can Google it and you will get it as the first result. It's based on three main ingredients. First, there needs to be an awareness of facts. Well, that's a special form of information nowadays, since facts seem to be discussed all the time. The second thing is that you need to be aware of information. So if some information is reaching you, that you know it is reaching you and that you know how to deal with it. That's part of gaining knowledge. And the third thing is that you need to actively experiment and apply the other two, to learn and to become more experienced with the subject. And the end goal of the knowledge, so the result, is that you have a theoretical or a practical understanding of a certain subject. That's the goal of gaining the knowledge. So all this together makes that you can say: I have a certain amount of knowledge about a certain subject.

So let's pick a subject, and let's talk about pencils. Who here has ever used a pencil? Yeah, most of you. I expected
it. But I think fewer of you will know what a pencil actually is, what it's made of, and how it's made. So, let's have some trivia on pencils. It's usually made of cedar wood. Not just any piece of wood, but cedar wood. And the fun thing is that although it's still a pencil, the more you dive into it, the more interesting it becomes, because you can ask yourself: why cedar wood and not oak or some other type of wood? And there are reasons for it. It's a soft kind of wood, and that's good if you have it in your hand; it's nice to the touch. But it's also rot resistant, and that's very handy if you store your pencils: they will stay in the same form as you stored them and not grow fungus or any specific animals on them. Also, cedar wood sharpens easily, and that's pretty nice if you break your lead: you can just sharpen it and it will not splinter. Also, it's easy to lacquer or easy to stain. So, if you want to give it a nice color, cedar wood is pretty fine. And a bonus: it seems to smell great and also be attractive. I did not know that wood had those properties, but given that the internet says so, it must be true.

Another thing is that the lead of a pencil is actually made from clay and graphite. It's a mixture, and depending on the mixture the hardness of the lead varies. So if you have the H or the HB numbering on the pencil, that says something about the mixture of lead and graphite. The more graphite there is, the softer the lead will be. And over one billion, in US numbers, so 50 million pencils are sold every year on planet Earth. That's around two pencils for every person on the planet. It's quite a lot. And it doesn't use actual lead, but the name has stuck around. Also in Dutch it's a "potlood", but it doesn't use actual lead, which is a good thing because lead is quite poisonous. But it has been called so for ages and it will probably still be around. Another fun fact is that when making a pencil, the lead is not drilled into the wood; it's actually two slats of wood that get slots milled into them, and the lead is laid in the slot, glue is put on, and then the two slats are glued together and put under pressure to actually make the pencil. Everybody knew that, of course.

Who has used audio cassette tapes? Oh, there are fewer hands. So I think that's a bit of a generation thing here. This is an audio cassette, and you can do the same trick here. So, this is some trivia on compact audio cassettes. It's almost entirely made out of plastic. It actually contains a thin plastic tape, and that tape is coated with a ferromagnetic coating and wound up on reels. There's around 90 m of tape inside such a cassette, and that tape can be magnetized and semi-permanently store audio, or data in general, on the tape. So if you use another magnet, it will be wiped or rearranged into some other data. But as long as you store it in a safe place, the data is there in a magnetized form. It was invented already in 1928 in Germany, but it really became popular when Philips introduced the Compact Cassette, which is the picture you saw previously. And this can be played back on a variety of devices nowadays.

I already see some eyebrows, like: where is this going? Bear with me. So, who has owned one of these? Even fewer hands now. It's becoming more niche now. Yep, I definitely had a Walkman. It was my first big purchase when I had my newspaper job. It was 69 guilders back in the day. That was a really large amount of money for a Walkman, and it also had a radio, so it was really cool. And what is also cool, and you probably didn't know, is that with a magnetic tape viewer you can actually see the audio on the tape. It's a stereo track, so you have two separate audio tracks, but you also have an A-side and a B-side. So it's actually two channels of stereo audio that you can record, and you can actually make it visible. So this is the song that you've recorded on the tape.

All right. So, as mentioned, what does this have to do with cyber security? Get to the point. Yes. So
we have seen in the introduction the three main ingredients of knowledge. We have covered some facts, there is some information, and we are on our way to gathering some theoretical and practical understanding of what a pencil is and what a cassette tape is. So let's see. Well, yeah, we covered the facts, we covered some information about it, some trivia. You have all been educated, but we need to do some practice as well. And this is where it becomes interesting, because both the pencil and the cassette have an intended use case. A pencil is designed to write and to draw or to sketch. That's the intended purpose of a pencil; that's why it was invented. The same goes for the audio cassette: it's intended to record and replay audio. So you can record your favorite song and start dancing in an awkward way. It's all possible, and it's designed for it. And this is also interesting: I downloaded this image and it was called like this. It's pretty long, and it has something to do with a pleasant woman, but it's only a hand. Strange.

But if you look at this from a cyber security perspective, there is a really big difference between what we have just learned and cyber security, because in most jobs you focus on executing the intended use in the intended way, so in the desired way. If you're going to configure a Windows system (I just learned a lot about Windows and RPC calls), you will do so by the best practice from the vendor, and that will tell you what it's intended for, how to use it, and how to install it. But with cyber security, it's all about the unintended use cases and the undesired way of using stuff. So that's a different field of play, and this requires a lot more knowledge, because there are far more ways to use a certain object in unintended ways than in intended ways. Also, there are far more undesired ways of using it than desired ways of using it. So this requires you to have more knowledge about what's possible, and not only to look at what's intended with it.

These are two examples of unintended use of the same pencil. You can use it to keep your hair in place. It's not my problem, but some people have that. But also, you can use it to reset your modem or your router or whatever device you have that has the small pinhole, where you can use the tip of the pencil to reset it. It's not intended, but it can be used this way. Oh, this is bad. It's not playing. Yeah. This was a hilarious movie of a guy using two pencils as a drum track, to record a drum track, but it's not working.

Also, a pencil and a cassette can be weaponized, and that's something we like in security. It's perfect for stabbing. It's not intended to be used that way, but there definitely will be people killed using a pencil. And the audio cassette tape can perfectly be used to record propaganda, which definitely will be the case as well. This is not advice. Also, these are subject to vulnerabilities. So there are attack vectors that may or may not be applicable to the object at hand. As you can see, they both will burn, they might be interesting to cows or magnets, but especially they will suffer from the tariffs. So that's the most important thing to know.

And this way you can start to develop a certain knowledge and a certain understanding that's a level deeper. By looking at the object, which can be a pencil or an audio cassette, or it can be a certain IT tool or a certain platform that you're going to use or certain technologies, you will get a better understanding of what it is intended for and what you can do with it, but also what it's not intended for and what you should not do with it but what is still possible. And this means that to let the
knowledge sink in deeper, you will have to be a bit creative, to think outside the box, to experiment, and to learn that way. And also you need to be very curious, to see: what can I do with it that's not on the menu, or that's not in the manual of that object? But this also has a lot to do with skill and competence. So still, studying what you're going to use is important, and this goes as well for playing the piano. To learn how to play the piano, you can first start to understand how the instrument works. So you need to know what the design is, how to make sound with it, etc. Also, it's very handy if you're able to read notes, because that way you can understand or read music that other people have played. This can also be reading source code in a certain programming language, so that you can read programs that others have written, so you can review them and see if it's all okay or not. And then, if you're going to compose your own music, it's very handy if you know something about composition and know how to arrange things and how to use certain chords or keys in your composition. And this is all possible without touching the piano, and you can reach some SANS or ISC² certification and live on very happily within IT security.

But, yeah, this misses quite a point. If you're going to study cyber security, or piano, without actually doing it, without actually playing the piano, you're still not making music. And if you're going to give a concert, or you want to perform in front of an audience, you really have to practice a lot. Just do it. Play the piano. Throw all your facts and information at it and start to make music. This is the only way to become proficient in playing the piano, and this is the only way to become proficient in cyber security and know how you can misuse something to get a certain result. And it was actually quite interesting in the previous talk, where you had all the different steps that were required to reach admin level. All those steps have probably been discovered by a lot of trial and error, by doing so. You won't find it on Google. You won't find it by only reading a book. You will probably only find it by trying, trying, trying and getting to know how to misuse it, or how to walk around the intended use cases.

And all this practicing, all this studying, results in an increase of your competence level. I'm not saying this is the truth, but this is a quite famous graph where you have four different levels of being competent in something. The first, on the bottom, is that you're unaware of your incompetence. This means that you do not know what you do not know. And that's really hard, because then you will also not know where to start with your journey to become more proficient in something. But let's assume that you get some help. Then you can come to the conclusion that you're aware that you're incompetent. So you're conscious that you do not know some things or are not aware of some things. And if you take it a little further, you can become competent on a conscious level. This means that if you try your best, so you're consciously working on something, you can make it happen and make it work. And then you're almost there; then you're getting quite proficient. But there's a final level, and that's where you become proficient unaware. This is where it feels like second nature. I always find it interesting when you see Max Verstappen racing around a circuit: he and the car are one. He's just so unconsciously competent in a Formula 1 car, or in anything with wheels. That's because he practiced. He practiced and he really reached the top level. And that's something you can only reach if you keep practicing and keep focusing on becoming better at a certain subject. So this is really the area you want to be in within cyber security: that you practice it a lot, so you become consciously competent, or even better, unconsciously competent.

During lunch, we had a bit of a discussion: can a developer be a good hacker, or can a hacker be a good developer? And I'm a bit skeptical about it, because they are two different competencies. It might be that you are writing a lot of code as a developer and become unconsciously good at it. But that doesn't mean that you're good at hacking, because it's a different way of training. If you're constantly focusing on writing the best code, it's not the same as constantly training on writing the code that can be misused most often. The one is more creative and the other one is just becoming better at the intended use. The same goes for mastering Kali Linux and all the tools it comes with. The same goes for Python, independent of whether you're going to use it for bad or for worse, for the intended use case or the unintended use case. And to see how this works, I've put up a small experiment. So, I'm going to show an image, and as
soon as you see what's wrong, please raise your hand. Let's see how long it will take in general for you to see it. It takes some time for some people, but it goes quite quickly. Yep. Still some hands showing. It's not totally clear, but there's a sticky note on the bottom. So this is a demonstration of unconscious competence. Within a couple of seconds you saw: oh, this is a computer screen. You probably saw what was going on, and that was a root password on the screen, and you immediately realized that's not good. That's not the way we do cyber security. And you weren't actively thinking about it. It was going without effort. It was not really hard to make this calculation. But there was a lot going on unconsciously. So you probably already saw: oh, this is Kali Linux, or Kali Linux-ish, because it was generated. You understand what the root account is. You know how to act when you see this, and you know who to fire, if this is the case. That's immediately spot on what you know. So this is fast thinking.

Another one. If you know it, raise your hand. There's one hand. A couple of hands, but it definitely takes longer. Yes, still more hands. Yeah, it's about the same number as it was before, but it took longer. So, what happened? This was triggering your conscious competence. Now you had to read the code and think: what's going on here? And this meant that most of you noticed that this code is prone to SQL injection. It was just a variable directly pasted into an SQL query, which is not the best practice. And sadly, some of you just raised their hand because the person next to you did that; that's statistically true. This actually involved conscious thinking. You had to read the code, you had to actively think about it; this required effort and cognitive load. The other one was there in a couple of seconds; now you had to work for it. And this is the difference between the two ways of working, and this is what's known as slow thinking.

This is a disclaimer: ChatGPT warned me that what I asked for, Kali Linux with a root password sticky note on it, was violating the policy, but it drew it anyway. So that was a bit funny.

All right. So the two thinking systems are quite different in nature, because system 1, the fast system that we have seen with the Kali Linux example, is training your long-term memory, and this is what you do in daily life: recognizing faces, knowing how to read a face, so you can instantly see if somebody's happy or angry. This is all part of the first system. And this is constantly operating, but unconsciously. So you're constantly using it, but it's not costing you any effort; it's not fully conscious. And the second system is what we saw in the second example, where you actively have to think and have to reflect on what's going on, and that costs effort. This is what you're mostly aware of doing during the day, and this is why you can say after a hard day of hacking, well, I'm pretty tired, because you've used system 2 a lot that day. If you find this interesting, there's a book by Daniel Kahneman that details these systems in a very interesting way. So that's some
advice. All right. The thing is that our brain is not fixed. You can improve the power of your system 1, the fast system, and you can do so by doing and by learning. So training actively on certain subjects will improve your system 1 ability. And this is universal. If you're going to start reading notes when learning piano, at first you will have to use system 2 a lot, because you say: well, what are those strange dots? But the more you practice, the easier it becomes, and eventually it starts being part of system 1 and you will find it comfortable and you will not be reading it effortfully anymore. This means that a proficient musician will read a score as sentences. They will just look at the score and say: well, I know what to play, because I have already scanned it and I'm aware of it. And I've actually experienced this during a recording session where a musician got a piece of paper and instantly said: this is just random notes, because he was so trained at reading scores that he immediately saw that this was a strange way of writing music, and it was the purpose of the piece. So it was not a mistake, but it was amazing to see that he was so fast to see: this is strange, I have never seen this before, my system 1 is not recognizing it.

And this concept is universal. For the scientists here among you, you will recognize this formula. I don't, but you will if you have trained system 1. It goes for threat modeling, for hacking, etc. It's just training your system 1 and training your brain. So it's trained based on what you train it on. And it does not mean that if you're an expert in domain one, you're automatically also an expert in the other areas. So it's domain specific. Also, it keeps evolving, because our brain keeps making new connections every time you train it. So it can become better. And this is the reason why grandmasters in chess are so amazingly good at reading the board: because they've done it so many times, their system 1 is all about chess. But it might be that they are really bad at other forms of puzzles. It might be. So keep training your system 1 and you'll become more proficient, and also learn from others. That's also a really efficient way to train system 1. And this is something we do in our daily lives all the time, from when we grow up. We look at our parents and see what they are doing, and that's the way we learn. Keep doing that. And this also involves music: play together with others and you will learn a whole lot of new competences and you will train a whole different level of your brain.

So this is also something that's in practice with cyber security incidents. If you know that Welcome2020 is a weak password, probably you will not use it. Also phishing mails, MFA fatigue: 98% of all attacks are still preventable with some basic knowledge. But if you do not get trained on it, you're not aware of it. Using system 1 to say, well, I lock my system, or I'm aware of my MFA messages, without even thinking about it, will drastically improve your security immediately. But it's hard to get there, because you need to train a lot.

To sum up, this means that if you get tangled up in a certain cyber security situation, it might be complex, but you know that you can trust that, if you keep practicing and keep doing the same thing, you will come up with a brilliant solution that's not costing any effort, because system 1 will help you with it. And this means that you know what the relations between the different parts are, and the solution is very simple if you know what to do. Thank you.

[Applause]

Thank you, Marcel. (You're welcome.) I learned something new about pencils. I thought that's great. Thank you for your talk. Yes. Thank you. I will grab that one. Yeah.

[Applause]
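The second slide of the experiment, a variable pasted straight into an SQL query, as an added example that is not part of the talk: the vulnerable lookup beside its parameterized form, run against a constructed in-memory SQLite table so the difference in behaviour can be seen rather than read. The table, its rows, and the function names are all assumptions made for this example.

```python
# Added example (not from the talk): the "variable pasted into an SQL query"
# pattern from the slide, beside its parameterized fix, run against an
# in-memory SQLite table filled with constructed sample rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory user table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The slide's pattern: the caller's string is spliced into the query text,
    so whatever it contains becomes part of the SQL grammar."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the driver binds `name` as a value, so it can only
    ever be compared against the column, never change the statement."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run one input through both versions and report what each returns:
    a row count, or 'error' when the spliced query no longer parses."""
    conn = make_db()
    try:
        vulnerable = len(find_user_vulnerable(conn, name))
    except sqlite3.Error:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "safe": len(find_user_safe(conn, name))}


if __name__ == "__main__":
    # A plain name behaves identically in both versions.
    print(compare("bob"))            # {'vulnerable': 1, 'safe': 1}
    # A quote inside an honest name breaks the spliced query but not the
    # bound one; such syntax errors in logs are a cheap early warning sign.
    print(compare("o'brien"))        # {'vulnerable': 'error', 'safe': 0}
    # Input that carries its own SQL rewrites the WHERE clause in the
    # vulnerable version; the safe version just looks for that literal name.
    print(compare("x' OR '1'='1"))   # {'vulnerable': 3, 'safe': 0}
```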