
So I would like to invite the other set of speakers. The first of them is Pavan Karthik, who gave a talk in the morning about how malware research could be connected with threat intent. Then we have Mr. Goravia, who works on a similar topic, and his research has been very famous on LinkedIn if you follow him. Then we have Miss Palak Bansil, who gave a talk on how Mac OS could be hacked. Then we have Mr. Faradat Sajjid, who partnered with her and told us how to hack DLS, and then finally we have Mr. Ravi Rajput, who told you how to hack cars. So I guess all of them are great at what they do. All of them know how malware works, how to create it, how to hack systems, and we are in for a lovely panel discussion this time. Guys, a round of applause please for all the speakers.
All right. All of us use Google, Microsoft, Apple, Chrome. A major fact about these is that these are the organizations which actually produce the major amount of CVEs. If there is any bug bounty hunter out there, they know how much they have reported to the hall of fame programs, the bug bounty programs of Apple, Google, Facebook. The only fact which changes between these and smaller companies is that these companies are a little transparent about how much they get hacked and they have a public register, and smaller companies don't. But this still tells us that our data is not actually secure with them. So I'll take opening comments. What do you think? What should be the alternative? Should we still continue using all these apps, or should we go to open source or something? Anyone?

Okay. Hope I'm audible. Yeah. Okay. See, if you take, sorry, let's put it at a broader level: the Fortune 100. Okay. So if you see the environment they have created, it's like a must part of life, right? No one of us can imagine our life without any of these companies' products, whether software as a service, platform as a service or any kind of product. Them not being involved in our life in any way, we can't imagine that, right? So when we say that we are going to transit from these products to that of the open-source buildout of the community, chances are very high that transition is not going to happen, and there is a reason why. First, let's talk about the legality of it. Okay. Earlier I also didn't use to think in that perspective, but recently, due to certain events and a certain discussion, I came to know, okay, this is a very hardcore thing. Now, when you see the open-source community or the open-source products or the resources that are out there, they are falling under either the MIT license or the GPL, right? On the other hand, when you are talking about products from these Fortune 100, 500 or 5,000 companies, they have to go through, what, SOX, GDPR, PCI DSS, tons of European laws, UK laws and whatnot, and those are very stringent laws, right? They fine like hell, right, if something goes here and there, if something goes out of the line. So if you think in that particular perspective, which one will you look forward to? I'm keeping it as an open question for the audience: to the product which is having an MIT or a GPL license, or to the product which has some background that in case something goes wrong there are going to be some severe actions taken, or something is going to happen to penalize it? Which will be the one which people will prefer? Obviously something that has a regulatory body, something that has a framework, something which has been governed, right? So that is the first point I wanted to make. I will let the other speakers bring up more points.

But yeah, so if we digress from the topic, it also comes in: would you prefer closed source or open source? But then, yeah, all right. So if you look at it, Google Chrome, which is like the most used browser, released eight critical CVEs which were allowing RCE. So if you look at it, if I am cruising using Chrome, or all these people are using Chrome, and that threat actor is real good at it, he would have been able to compromise all of our systems. But then if you look at the XZ CVE which was released, where a person was able to hold access to that open-source repository for a year and no one knew, although that same repository was a requirement for all of these systems again. The scope of both of these is huge.

So there are two parts of it. I mean, first is privacy. Privacy and security are both completely different. So if you believe you want privacy, you would never use Chrome. Right. All right. And even if there are vulnerabilities, it doesn't matter for you, because you believe you want more privacy than any of these. And then you'll use private browsers, maybe like Tor or something along those lines. But again, if you use or lean more towards privacy, usability also reduces, right? Because why do they even have all those tracking mechanisms which collect data and then share the data across? I mean, it's mainly to help you get to what you want, right? I mean, sometimes it's very scary, because you search for something on Google and the next thing Amazon shows is the same product that you want. I mean, that scares me a lot. And not only searching: you speak about it and then it pops up in your ads, right? So that is the privacy there. So how many of us even read terms and conditions? We just scroll down and then accept everything, right? So even that is the main point, where you should understand what privacy is for you, like what data you want to share. I think there are specific organizations which help you get to understand your own privacy, like what data is out there. So that is the main important factor. And then, I mean, everyone who uses a phone, right, or data related to our spending habits, even though our phone claims not to collect it, it will have the data in your device. Your privacy is the data being with you. All those CVEs which Mud talked about, these CVEs are a hazard to your privacy, but they're not directly affecting it.

All right, so it basically means if you want privacy, you will lose ease of use. And if you want ease of use, you'll lose privacy. Like, if you get ease of use, you want quick sign-in, you want no OTPs, you want like I open the tab, I get access to my system; you'll have high ease of use, but then your privacy would be low. And if you switch it, if you want high privacy, you would have to set up 10 different things. You would have to open a VM, then you would have to run it through Tor, and then finally you would have 2 kbps internet speed. And then finally you would be able to open Facebook.
So I think there's a quality factor to the product that we're going to use. Of course privacy is important. However, a lot of the time open-source products suffer from lack of quality. Not always because the developers who are writing the code are not good, but sometimes because there simply isn't enough money. Money is one of the biggest motivators of writing a good product, creating good software, because, well, let's say there is a person who is writing software; they have dedicated their life to it and they're building great things. However, even the most funded open-source developer may not be able to match up to, let's say, some giant like Microsoft. It's a trillion-dollar company, and regardless of how much we say that Windows is bad, it's insecure, well, in some ways it is true; there are so many vulnerabilities even in the most core and important components. So let's say if we talk about the Common Log File System, it's a core security mechanism within Windows. It handles all the logging and all the event logging, all the events that it creates. However, unfortunately, it has been so much optimized for performance that it lacks security. However, the same company is also pushing the limits of cloud, because they have a lot of money to put into research. This will be extremely difficult to do through open-source software. So here you have to have a trade-off. Do I want a high-quality product backed by a big company which will guarantee its existence throughout many years, many decades, or are you going for an open-source product which may or may not always be maintained? Also, there's a myth that surrounds us where we think if it is open source it must be very secure, and as Mud correctly said, XZ completely shatters our idea where we think that open source means secure, because the threat actor was there for a very long time, and there might be so many more threat actors in a lot of other libraries. Okay. So do you all remember SolarWinds? So supply chain attacks can happen anywhere, and I think it may be a little bit easier with open-source libraries, because, okay, open question: when was the last time you looked into node modules to see which transitive dependencies have which transitive dependencies, which modules?

They have to explain what nodes are, what are transitive. So Node is a runtime engine for JavaScript; it runs on the server. If anyone has developed web applications here, so it's Node.js, the node file. Yes, Node.js. Node.js. Be it Node.js, Python, .NET, Java, how many of us go to see which libraries we are importing and which libraries they are in turn importing, how long this chain goes? There's an entire industry built around it; we call it supply chain security. You may have heard of SBOMs, software bill of materials. Look into that. It's super important. You need to know what kind of libraries you're importing, which libraries they are in turn importing, because you may not be using Log4Shell, sorry, Log4j, which is vulnerable to Log4Shell, but some library internally might be vulnerable to Log4Shell, which can eventually make your application vulnerable. A lot of security products suffer from this. I don't want to name the names because, well, they are very big players and really big security vendors, and while they are patched now, a lot of times they use outdated libraries as well. However, since they have time and enough money, they are very proactive and they patch it, and they have to do it because, as my fellow speaker mentioned, they're bound by some license. They have to do it. In open source, they're like, maybe I'll do it tomorrow. It is possible. So I think it is difficult to identify what we are optimizing for. Is it quality, or are we optimizing for more freedom and privacy? Right?

Is it also connected to the scale of these applications? Let's say Windows has a lot of features. But then if I look to a dumber open-source OS, it would have fewer features and hence it is less prone to attacks, or more secure, because it has less functionality added to it.
I think you're 100% correct. Sometimes certain features do make things a little more insecure. So there's this feature in NTFS called alternate data streams. That feature essentially enables data smuggling. So it is a feature. It is a good feature. It was well thought out at the time, and it was done for Mac OS and Apple file related compatibility. It can be used to leak data out of organizations. Of course, it is signaturized now. Of course, we can catch it post-incident. Forensics can be done on top of it. However, it still is a feature that can be actively exploited to, well, leak data.

So Ravi sir, should we go back to the Maruti 800, or should we buy that XUV700 that is left, or should we go back to the tonga? We should pay like a horse. Nokia 3300, right? That is great, sir. So this will always be the fight, right? Like if you are advancing, okay, you are deploying, like you are writing code, okay, if you make it open source or if you keep it closed source, it's okay. Open source has a great chance of a supply chain attack. Look at the past, right? But the thing over here is adoption. I mean, you know what adoption rate is? Are people adopting it? Are people using it? So as per my past experience, like I had worked as a vulnerability researcher, okay, I had written zero-days; we are more attracted to those software where we can target the mass, right? So that is the case, you know. It's obvious that if your software becomes kind of famous and people adopt it, you are at a risk. So it's like, I read this somewhere that threat actors are focusing more on Apple products now because higher net worth individuals are using those, and hence they are more valuable. So like if I want to attack C-level executives, instead of making a malware for Windows I would rather make a malware for iOS. And it's not like iOS is more secure, or Apple based OSes are not secure compared to Microsoft, just because there is less malware available for it. It's like researchers have spent less time developing malware for Apple OS than Windows, and hence we see that. Correct. So look at the Pegasus spyware that happened, right? Why did it target WhatsApp only? Yeah, makes sense. Adoption rate. Adoption rate. Why would I make a piece of malware, or let's say anything which caters only to this niche amount of people, when I could hack all of them just by hacking Chrome? I didn't get you. Like, same; I'm just adding to your point that I would rather make something which caters to a lot of people than to a niche amount of people. Exactly.

So should all these organizations create their own set of software, because, since I don't have the software publicly available, it is secure by obscurity? So basically it becomes your own responsibility. If I'm making a software, okay, if I'm making a software which is open source, right, and it is growing so fast, now it becomes my own sole responsibility that I bring people in for the contribution. Second thing, if there is a vulnerability being reported, I patch it as soon as possible. If this attitude changes, right, which I see in most of these, because if I see any kind of, you know, severe vulnerability in Linux or any of the binaries used in Linux, it hardly takes 4 hours to patch. Is it? It is real, like it hardly takes four hours to patch. Okay. But if you take the example of Windows, it takes days. Okay. I have a mentor, he's quite famous, I would not name him. He has a couple of zero-days on Chrome, but he will push them later on, like one by one, you know, because he wants to earn money. They want power. Yeah.

All right. So the solution would be to either create your own tools or, like, forget privacy. Yeah. And take responsibility. Okay. So if I want to keep myself secure, I would install an open source one and then take responsibility for its security on my own, or I'll outsource it to Microsoft, since they would do a better job than me. Is it that decision we have to make? Yeah. Anyway, like if you rely upon Microsoft or if you're using open source, your security is your responsibility. All right. So if you claim that Windows is less secure or Mac OS is less secure, it's your own responsibility. Make a wiser decision; like, security lies in your own hands. Okay.

What about privacy in all of these things? Like, are these organizations helping us in any way, or are these the Achilles heel for us? Okay. I think I won't give a straight answer to this, but I'll maybe share a story and then leave the audience with a question in the back of their mind to think about. So we all know that the US visa is one of the most difficult visas to get in the world, right? There are a lot of rejection rates there. So while filling the visa application for any country, I'm not only talking about any particular company, they ask for a lot of documents, a lot of information of ours to be shared with them on their government website, not the Indian government website, their government website. They'll ask us to share our ITRs, our bank statements, passports and other personal information. Now, as I was reading through that, how is another government validating my data that I am submitting, and how are they trusting me to allow me to enter their country, you know, by providing the visa? So as I was reading and researching it, it was clearly mentioned that the government of India or any country's government will not share our data with the other government. The only thing is that they can validate those documents that we are submitting. So for example, if I'm sharing my bank statement as part of the application form, the other country's government will come back and ask my bank: okay, is this your issued document? Can you validate the authenticity of that document? So the bank will do that and say yes or no. Yes, I issued that document, or no, this is not my document; somebody made that document and printed it at home. This can be done. But the question is, is the other party, the other government or other authority, trusting my country's government's data, or whatever the second party is saying? Are they trusting their information blindly? And, I don't know, given the history, it's kind of difficult to digest that one party is trusting the other party's validation blindly, that they are not doing any background check on their own, just trusting the words of the other party. So like all the co-panelists told, we are everywhere. I'm using Apple products, I'm using Google services, I am on Twitter; my information is everywhere, on all these entities. Is, by any chance, this party using my data that is available on these platforms and using it to cross-check who I am as a person? Do I have any, you know, police complaint lodged against me in my country that I'm trying to hide or my country is trying to hide? Are they using the data that is available on these platforms, even though I signed the privacy agreement with them that they'll not share my data with anywhere, with anybody, at any cost? But still, are they doing it? How are they validating me as a person? How is it happening? How are they issuing me a visa just by trusting some other party's validation? Are they not doing any background check on their own? So this has been tickling me in the back of my head, how it's happening. So if anybody knows.

Can I, like, start my own country and start helping Indian citizens get visas to the US? It's not possible, no? Is it? If this would have been possible, Solomon Islands, Bermuda, something like that. All right. So this still comes back: are we still secure? Like, is this all a myth, that all these technologies actually made us more publicly exposed, all our data is more publicly exposed, even though we take the best countermeasures possible, use Mac OS instead of Windows because it's more secure, and still we would find our data exposed? Or is it more because of us, that we download that pirated Windows and then we get compromised? Like, should we be spending more money to get better security, or is it like a duty or job of someone else? It's a collective responsibility, as we discussed, right? So you shouldn't be downloading any pirated software; neither should they be breaking the privacy agreement, sharing data with others without your consent, as well as keeping their system secure. So I would take closing notes from everyone now. What do you think? Are we, like, exposed publicly on the road?

Just to add up on that, pirated software. The majority of us are security practitioners. How many of you know a guy named Dr. Larry Laauo? If you have done web pen testing, if you call yourself a VAPT expert, you must have that. That sums it up, right? If you know that guy, more or less, somewhere or the other your data is obviously available. So yeah. All right. Opening questions. If anyone wants to add something, wants to ask something.
You need to ask. Sure. After that. Hello. Yeah, so I am Akash Karade and I work as a security consultant. So yeah, one of the speakers said, right, we must not use Chrome but we should use a Tor browser. Tor was a suggestion, not a must. Yeah, I mean a suggestion, but to my perspective it is like, until you have a lot of time, anything is hackable, right? We see zero-days in almost all software today, right? So it's not about Chrome or Tor browser, right? Anything is hackable. So all right, so you just need motivation to get into something like that. That is what the crux is: if someone is motivated enough that he wants your data, he'll get it, unless you start, like, destroying it. Okay, we have a question from backstage, please.

Yeah, so we talked about the open source thing, and you know, 90% of the things are kind of on GitHub, and it is owned by Microsoft. So now what's the reason that we are still putting so much effort that a good view would be really good? So like I want to know your opinion, like Microsoft is owning like 90% of the thing. See, one thing is that I kind of feel that there is a bit of a wrong consensus being made that if a company is owning a product it means that it has control over that, and I will tell you why. Yes, in a nutshell, it's a product of Microsoft. So whatever Microsoft will say, it has to do. But I will give you a scenario. GitHub is something that is used by the majority of the organizations out there. Right? Correct. Now think of it this way. Let's say XYZ company, which is a Fortune 100 company, has partnered with Microsoft: okay, I'm going to utilize GitHub repositories or GitHub services, GitHub Enterprise or something. Now, will that XYZ company allow Microsoft, because it will host its code and everything related to staging, related to development, related to anything, okay, in GitHub, so that it can pull it down integrated with the CI/CD pipeline seamlessly, right? Now, will it allow Microsoft or any other third-party provider to have access to that randomly without doing some background check, or understanding the policies, access controls and all the legality frameworks and whatnot? Will it allow? No, right? I hope that answers your question.

I mean, to add to that point, I mean, all the GitHub repositories, right, if it is public, there is a right for you to get that data too. So I mean there might be a slight chance that a lot of actual companies scrape the whole of GitHub and get the public information, and Copilot is built on top of GitHub's data, public data. The public one is correct. So that's the reason why it is public, right? I was talking in the context of the private repository or the enterprise-owned repository, but again, in enterprise, the public one, yeah. That is, it's like Gmail having access to all of our emails, and we are reading, someone at Gmail is filling in OTPs for us. I mean, supposedly private should be private forever, even if enterprise, even GitHub is not supposed to be able to see that. That's why end-to-end encryption is there, right? That's why WhatsApp says even we can't access the data, and then WhatsApp might pull out of India if the Indian government actually sanctions WhatsApp to remove the end-to-end encryption or have their own encryption, right? So that's how it tries to protect your security. But in the US, I mean, they have subpoenas to basically let, I mean, it's not only for WhatsApp, any organization, right, if the US government, like, subpoenas them, like even Apple; I saw multiple cases where unlocking an Apple device solves a very heinous crime. So does Apple need to do this? Like they have lawsuits running over this. They will do it, but their question is, if you do it once, it will not stop the government from asking it to do it again each time. And it's like the big daddy is the biggest problem instead of small threat actors. It's like, if the government wants to see it, they'll see it, and you cannot do anything about it. I mean, so it's not something like that; it's that it is secure enough to protect your privacy, but they will be able to do it. It's like you are the key maker, right? You'll still be able to break the key, break the lock. Yeah.

All right. Yeah. So, any closing comments, like final? Anyone else wants to add something? All right. Hello. Hi. So I had a couple of points. I think one that was raised regarding the MIT license. So I completely agree with that point that Fortune 500 companies or well-established companies are answerable to certain regulatory bodies. But if you just look into the past, we have seen time and again these companies violating these policies. We have instances previously of Facebook, Microsoft, different companies breaching them and then cases running on top of them, and I think the penalty on them are the fines, which I don't see being that much of an impact for a trillion-dollar company like Apple. I don't think a million-dollar fine would mean anything. No, they would. Exactly. So the point is that even after having these policies in place, these companies still end up breaching these policies. So would the argument still be valid of the MIT license versus the GDPR compliance? So that's the first question. And the second question was regarding the open-source libraries, open-source products and their quality of use. I think that's a very fair point; there are multiple open-source products which don't match proprietary qualities, but there's also, I think, like maybe, I could be wrong here, but I think there's also a different side to it, that there are certain open-source products which are pretty good, like, competitive to Chrome is the Brave OS; it's a very well-known OS, it's kept up to date, it's based on web 3. And operating systems for that matter, whether it's Kali Linux or whether it's just Linux, right now we don't have a commercial alternative to that as widespread as that. So maybe quality of use is not that good for all open-source products, but I believe there are certain few which do give a good fight to proprietary. So I just wanted to know the views of the panel on that. We will take the MIT versus GDPR question later. Sure.

I'll quickly wrap this up. So what we have discussed is that your security is in your hands. If you want privacy, you have to lose ease of use. And then while you download a software, make sure you are making an active decision of choosing that software. It's not that software's responsibility to secure you or keep your privacy and safety. You have decided to take that software as is. If it has those vulnerabilities, it's your responsibility. If it is secure, it's again your responsibility.

One last point. So, Chrome has its own open-source version, which is Chromium, which is used by multiple other browsers built on top of Chromium, like the Brave browser. Let's say Brave actually offers you better privacy than Chrome. Why? It blocks the trackers. You can rewrite your own code, compile it, and it becomes your own Chrome. And then, let's say vulnerabilities, I mean you still have time to find out, like, maybe 10 vulnerabilities which come up in the next year. But no one, like, we are not AI to read millions of lines of code, remember everything and understand each and every context and expect this to be a vulnerability too, right? So it's the crux of time, or it's basically, let's say, at the point of time someone who looks at the code might find out that this is happening, and then that's how, like, any vulnerability is. Right, sir. Yeah. So even I have seen that if you ask, you know, ChatGPT or Claude or Copilot or something to write code, they write vulnerable code. First thing. Second, last take on this: don't download the pirated software. Crack it on your own. Makes sense. Yeah. You are a security researcher. No, malware researcher. You claim on your CV that you are a malware researcher. You know reversing. Crack it on your own. Launch it. All right. That's it from our side. Thank you guys. A round of applause for the speakers and for the lovely audience. Thank you. Let's go.