Transcript: Web Security - Mackenzie Jackson

00:00.0

welcome to another episode of django chats podcast on the django web framework carlton

00:10.0

gibson joined us by will benson hello will hi carlton hello will today we've got mackenzie

00:15.7

jackson from git guardian with us hello mackenzie thank you for coming on the show

00:19.0

hey guys great to be here thanks for having me welcome welcome to mackenzie oh go on go on go

00:25.3

on go on no say what you're gonna say go i'll just say that i've i briefly forgot that this

00:29.5

is an audio only podcast and i was waving at the camera like a lunatic but but i'm realizing now

00:34.9

that i it's audio only so i'll stop making obscene gestures no no no it's good i can wave back and

00:40.8

then you know you'll laugh the audience won't know why so mckenzie come we always get this

00:45.8

which who are you tell us why you're on this podcast how did you find how do you find python

00:50.0

how did we meet how the house you know what's your backstory yeah i got a interesting yeah

00:55.6

interesting interesting backstory i i was actually um i started off life in my first

01:00.6

my first life as an architect like a building architect and i hated it and i spent most of

01:05.3

my job trying to automate automate it by learning to code um in some of those big systems that we

01:11.8

have called you know bim systems and um and then i was kind of figuring out like why don't i just

01:17.7

skip this architecture thing and do what i want to do which is write software so then i uh kind

01:23.0

of went down that path and had my own startup for a while called compago which is it's still

01:28.3

around today it's headquartered in australia i haven't been involved i was in there for about

01:32.3

four years as a cto um and then i i left i guess when the company got big enough that it needed a

01:38.4

real cto and and so i and then but the one thing that i loved about um uh coding a bit of a

01:48.0

subsection is that we were a care provider building technology and kind of healthcare

01:54.7

space which meant we had to comply with a lot of different areas like HIPAA compliance and other

01:59.3

things and going down that I really learned how vulnerable software was to lots of different

02:05.6

things and how to secure it and I got really into that so when I left I decided to kind of focus on

02:11.3

security and that's been pretty much my jam. I work now for a company called GetGuardian which

02:17.6

is a code security platform and uh one of the the coolest things about my job is i get to work with

02:22.9

some research teams we discover you know how attackers are kind of exploiting code uh we

02:29.7

create talks about that and then we get to go to some cool conferences which is where i meet cool

02:35.4

people uh like carlton because we met at pi con in italy um which was yeah i think probably one of

02:43.0

a pizza i believe i think we'll let some after party and you were the keynote and so i was trying

02:50.9

to hassle you to use your keynote powers to get more drinks than the one drink limit that was

02:55.3

allowed at the party if i remember correctly something like that anyway that's not suitable

03:03.2

for the show so let's let's move on um so attacks are supporting so i've you know as part of my

03:10.2

fellow role i joined the django security team and we get quite a lot of um reports for you know you

03:16.0

know every month we'll have reports going so you do a lot of that forensic work trying to find

03:20.1

exports or you did you have them or you work with teams that do yeah we kind of work with work with

03:25.8

teams that um within giga and also external that really look at um some large-scale research

03:32.7

projects into how attackers are operating um so particularly around exploiting secrets exploiting

03:39.4

credentials uh also exploiting like misconfigurations and one of the cool things that we really like to

03:44.8

get into is when an attack happens to try and recreate that um attack path to try and figure

03:52.9

out exactly you know not only like how did they get in but what tools did they use can we recreate

03:57.7

the the system and point out exactly what we meant vulnerable because the nature of security

04:04.8

vulnerability reporting is that if an application has a security flaw that gets exploited

04:10.0

then the blog post that inevitably comes out from the company is extremely limited and will you know

04:17.2

won't give too much information so it's kind of taking that and then trying to figure out

04:23.2

what what's behind it really well i mean so even with the um the issues that are on django we

04:30.7

we just kind of like we'll put a post we'll say look there's a dos vulnerability or a militant

04:36.3

it's vulnerable to maliciously crafted input but we won't necessarily say exactly how you

04:41.8

you know you do the attack but for one reason we don't sort of want to make it too easy for

04:48.3

the people who are attacking unpatched jangos so

04:51.7

i guess it's difficult to know how much you should say because i kind of also in the same

04:58.1

ref i kind of think an attack is not going to be put off by the lack of detail in the report

05:02.3

they're just going to work it out i don't know yeah i think exactly so the the there's there's

05:09.4

varying levels of thought behind us and you have to be responsible on how you disclose you know

05:14.9

information um and we certainly wouldn't just put out um kind of like a cheat sheet of you know how

05:22.6

to do it but at least finding out you know at at what point at what point where it was initial

05:29.7

access made um where did they where did they actually was it a phishing campaign how did the

05:34.8

whole thing start and unravel um now when you're talking about cves or like vulnerabilities and

05:41.3

dependencies and things like that then well it's a lot uh you have to be a lot more responsible

05:47.9

and how you disclose that because as you would know uh two years on there's still people running

05:53.9

vulnerable vulnerable packages and things so you you have to be a bit more careful but in terms of

05:59.6

recreating it and not necessarily just just showing the logic behind which the attack is used because

06:06.2

i think a lot of people don't understand attackers logic if that makes sense well one perhaps one

06:11.9

example you might be able to give is um we had um various issues fixed over time about enumeration

06:18.0

attacks where you know people are able to they'll make a request and it's perfectly

06:21.9

legitimate request but it somehow reveals something about the the application or the

06:27.2

ids or something like that and then they they make the next one and they make the next one

06:30.8

and by doing that kind of thing they're able to kind of get a size of the application or predict

06:34.9

ids or predict urls and in it in and of itself that's not really a vulnerability but perhaps

06:41.1

then they use that as part of a bigger attack and you know i don't know yeah exactly like

06:47.6

exploiting logic flaws on how to how to do how to do things um and you know like a lot and a lot of

06:53.0

a lot of kind of attacks happen because people use you know the wrong the wrong function so the

07:00.2

wrong you know you're generating a random number there's multiple ways to generate a random number

07:05.0

some are predictable using maths but so if you're trying to use something to create access via these

07:11.3

random numbers then you you know you you have to be sure to use the the right thing now that

07:16.4

doesn't mean that the un the insecure version is pointless it's it has its reason um it's just kind

07:23.7

of the logic behind which you're implementing it is it's kind of flawed and people can often like

07:29.6

figure figure that out i've had one more question that came up from what you said and i'll you know

07:33.8

I see Will's got a question or something.

07:36.4

But I kind of always say that you must update.

07:40.0

You must be on a secure version.

07:41.6

You mustn't use an end-of-life version of Django.

07:43.7

And I say that simply because I kind of think as soon as these reports are out in the open, within a short period of time, there's just kits you can download, which you can automatically run, which test every available export known.

07:57.2

And it's not a question of if your system is cracked.

08:00.9

It's just when it's cracked.

08:02.5

Is that fair?

08:03.8

is that a reasonable approach or am i being a bit over cautious in your opinion well i mean like

08:09.6

there's there's uh no i don't think you're being overly cautious i think that's like you absolutely

08:13.7

have to patch uh regularly and definitely patch anything that has vulnerabilities against it

08:19.8

against it like it's absolutely vital to be able to do that um and what you i think what we typically

08:27.1

find in companies that can't patch regularly is that they if you you should always have a system

08:32.7

and post it to patch regularly regardless whether or not there's some critical cve because if you're

08:39.1

in a habit of doing it regularly it becomes easier when you need to do it and it's critical to do it

08:43.7

right and i think a lot of people kind of will patch when something's critical but you know that

08:49.7

can you know that can cause all kinds of havoc and it becomes a scary thing to do and i think people

08:54.2

often shy away from it but you know patching regularly is uh it is absolutely fundamental

09:00.5

especially when there's a vulnerability out against it the argument the kind of against

09:05.5

patching regularly it's a bit of a weak argument but just to make it is that it takes about when

09:12.0

a new version comes out some often it can take about three months to figure out if it's vulnerable

09:15.6

to anything especially if it's like a big change in something so then you know the arguments is

09:20.8

do you patch immediately when a new version is out or do you kind of wait and i think the solution

09:26.0

is you know like patch regularly whenever there's a vulnerability no one against it and then stick

09:30.2

to a regular patching routine for everything else where uh it's consistent and you you know like

09:36.8

you're you're doing it but if there is a vulnerability people will be able to find it

09:42.2

they build scripts to be able to like exploit these automatically you know it's we're not talking

09:47.5

about uh we're not talking about the most sophisticated actors if there's a cve against it

09:53.1

like you've you've basically given the cheat codes to how to exploit your application so you should

09:57.7

definitely patch yeah right okay okay and i guess just that point about new versions i guess for

10:01.6

django say um you know 5.0 is about to come out and you might wait for 5.0.1 or 5.0.2 if you're

10:08.6

particularly worried you know about those first regressions but meanwhile 4.2 point whatever is

10:14.9

still being released with the security updates so you should definitely be getting that each month

10:18.8

yes yes yeah i mean absolutely if you're lucky enough to hopefully people like here are using

10:23.7

django you know using well-supported frameworks like that they should be on this show i tell you

10:28.6

on our podcast yeah because i mean well there's a lot of frameworks that aren't

10:34.1

you know that don't go through that they don't have the security team

10:37.3

going through it so yeah you you're already on the good step if you're using django

10:43.4

oh well thank you we'll put that on the pull out quote on the website

10:46.7

well since since you mentioned that i'll i'll throw this question to you because carlton and i were

10:52.5

not sure how to address it. So Flask, which is another big Python web framework, recently there

10:58.4

was some discussion in the community about something unrelated to security. But that's

11:02.2

an example of something widely used that, as far as I'm aware, does not have a formal security team,

11:08.5

for example. And so I'm curious, if you saw any of that, there was an issue with Flask login,

11:17.6

which is essentially a third-party package where it hasn't been maintained.

11:22.0

And so there's a new version of Flask and all of a sudden login was breaking for everyone.

11:26.2

And there were some comments about that and people thinking that Flask was this, you know, Microsoft or something

11:32.8

and had all the support when really it's like one person and a handful of volunteers maintaining.

11:38.6

So I guess more like I just want to address that because it's been out there.

11:43.3

But I'm curious, like where you sit, when you see web frameworks, you see that, right?

11:46.4

there's the whole gamut there's django and then there's many widely used frameworks that are

11:51.7

you know may not have robust security things i'm not saying putting that on flask but like

11:56.7

a lot of these projects may have lots of users and it's a you know handful of people doing it

12:01.8

i mean absolutely and it's always just like um way up between using like what may be cutting

12:08.3

edge like at one point django was like cutting edge right out there you were a trendsetter if

12:13.0

you're using it you know and so um a lot of security often doesn't come into the equation

12:20.2

until later on too you know when i when we first built the compago the startup that i was in we had

12:26.5

a dot net back end and a react front end why because that was like we had a dot net guy and

12:33.1

we had a react guy exactly like you know that's what we like that's what we had right so we're

12:37.4

just you know everyone's like why aren't you using node and react because we didn't have a node guy

12:41.5

where we had a .NET guy.

12:43.0

So when it comes to like these types of frameworks

12:46.7

and things like that, you know, like if you have the foresight

12:50.0

and I think, you know, people that have been around

12:51.8

for a while will be able to know and they understand it

12:54.7

and, you know, certain different frameworks

12:56.7

will do different things.

12:57.8

They may be more secure.

12:59.1

They may be faster.

12:59.8

They may be able to handle large quantities of data better.

13:03.6

So there's like lots of considerations

13:06.8

and often security is a forethought.

13:09.0

but you you really there's a couple of things to look for uh when choosing a framework one does it

13:15.1

have a long history of of being maintained and i don't necessarily mean like years and years and

13:19.1

years i mean you know is it constantly being maintained is there a community around it

13:24.2

because if if those are the cases and you should you know you can you can start to

13:29.7

tick off and feel a bit feel a bit better is there a security team for it well that's

13:33.9

not normal you know for for everything but that should definitely help you kind of make those

13:40.2

decisions so if you are in the fortunate position to be able to pick frameworks then

13:44.0

looking at the community looking at a team that maintains it because you know you will be surprised

13:48.7

you know what happens is the example of the um of ua parser uh this is i apologize for everyone

13:57.3

this is a node you know package that's okay there'll be a there'll be a there'll be a python

14:02.2

equivalent but you know ua parcel was uh just a package that let you know what operating system

14:07.9

your users were you know viewing your app on what it's something very simple it was used by

14:13.5

had 10 million weekly downloads um and it was maintained by one guy named for shell and uh his

14:21.6

np his node his mping account got hacked and then someone created a military version for it you know

14:26.5

this is because you know this is this one guy maintaining this thanks you know thanks thanks

14:30.6

and it would have passed everything,

14:34.1

but you have to also consider the team behind these,

14:39.1

not just, is it popular?

14:40.5

Yeah, and think, go on, so thinking about that,

14:43.7

I mean, PyPI have done an awful lot recently

14:47.2

about tightening up, just within the Python ecosystem,

14:49.5

about tightening up, you need to use two-factor auth now

14:52.5

if you're a popular project,

14:53.8

and they've got this trusted publishers thing,

14:56.6

what's that?

14:57.4

So in terms of, so Py has actually,

14:59.8

was an npn and also get like github is also forcing two-factor authentication because this

15:06.5

was pretty much one of the main ways attackers were kind of creating malicious uh applications

15:12.4

is that what would typically happen is that people would specialize in kind of phishing

15:17.1

uh these you know these maintainers getting into their accounts um and if there's no two-factor

15:23.4

authentication you know like with a well-structured phishing campaign isn't easy but it's certainly a

15:28.9

lot easier there's no 2fa to get into it and um these supply chain type of cat attacks can have

15:35.7

massive uh implementations you know because you're not just attacking this one system you know you're

15:42.0

potentially uh creating a vulnerability on millions of applications so one thing to remember

15:49.6

about attack is is that they operate on economics like a normal business does where there's a risk

15:55.1

reward like is the risk of me attacking this system going to outweigh the reward that i you

16:02.1

know that i could get potentially and when you're talking about systems you know like pi pi packages

16:07.7

that are being used by millions of different applications then you know the rent the reward

16:13.8

is massive potentially because you could install you know even a crypto miner that gets released

16:18.8

onto a million websites you know can create something so simple can create you know pretty

16:24.7

good profits um so it's it's it's really good that these uh that these package managers are

16:31.4

actually implementing you know more security implementations around this because it it like

16:37.6

2fa may sit not seem like a lot but you will really strip back the amount of account takeovers

16:43.4

from that it's just significantly harder because of that extra step because they've got somehow

16:47.2

get trick you into entering that as well at the same time yeah yeah and and exactly and then like

16:53.9

the step above that is the trusted publishers i think by pi pi which you know like are they

16:58.5

which is another set of requirements that pi pi you know puts on these publishers to make sure

17:07.1

that that doesn't happen um so you know making sure that there's not long-lived passwords

17:12.5

that's being accessed in there so that when you look at that it's just another tick box

17:17.2

um and when you're choosing packages you know just you don't need to spend hours on it it should be

17:22.8

easy to look at something and say oh this is secure and that's why something like the trusted

17:27.3

publishers is really powerful because you know you can quickly look at that and know that it

17:33.2

meets the required like the criteria of at least that minimum so you can move forward it's actually

17:40.7

quite powerful in terms of being able to quickly make decisions of what to introduce into your

17:45.6

project okay and is it going to be secure okay um i'm getting a little niggle inside though because

17:53.3

there's some of some of these metrics that you you sometimes get on projects they can be like

17:58.7

your did you tick this box did you tick that box and it's like some of them are are you using a

18:03.3

particular feature on github and it's a bit like well no i'm not we're not using that particularly

18:07.4

say for instance django django's got its own release program um release process it's got its

18:12.3

own security process it's got security archive it does its way of handling cves it's all you know

18:17.0

top quality really but it's not going through the github security advisories panel therefore we don't

18:23.8

get the tick in the box on that metric and you're sorry i sometimes get a little bit like oh i hate

18:29.9

these metrics but i i totally i can totally understand that but when you're the the rebut

18:38.5

that i would have to that is that i find that these metrics are more for smaller packages yeah

18:43.4

right you know be able to use them uh with confidence rather than you know something

18:50.1

that's massive you know that's that's trusted by people if it doesn't have the tech box then

18:55.5

you know like you you can you can still get it passed but in terms of like if i'm just looking

19:00.8

for i just need a package that's going to be able to do the small job can i trust putting this into

19:06.4

my production or not if it has the tick box then that's a good step you know but it's not the be

19:11.9

all and end all and no security will will be the be all and end all and i work for a vendor

19:16.6

and you know we have people that come up to us and just be like okay so here's my list of

19:22.3

requirements that i need to take for for my sock certification or for this or for that you know

19:27.4

like where does your product fit in oh you don't fit into this tick box oh i don't need it then

19:31.5

it's kind of like so they're not worried at all about getting hacked they're worried about like

19:34.6

compliance and i guess that's important but so i understand yes the how how good is the stand

19:40.0

where you're coming from how good is the box on the questionnaire is it you know because if the

19:43.8

box on the questionnaire isn't right it's no good at all okay yeah and how do you make a questionnaire

19:48.9

that fits everyone right you like that yeah it's the same questionnaire box for for such wildly

19:56.4

different applications well the the two-factor authentication is interesting because this is a

20:01.0

thing in Django with there is no built-in two-factor auth. There is a third-party package

20:06.5

that Jazz Band maintains, but maybe there's been separate discussion around auth in Django

20:11.8

recently. Carl's been advocating for some changes because there's a number of, I'll just say off the

20:19.5

top, there's a number of things, Django, if you were going to do it today, like there's first

20:23.1

name, last name is the default. Well, that doesn't fit a lot of the world's population, for example.

20:28.9

Also, it defaults to username, email, username and password.

20:33.6

Most people want email, but maybe I'll, Carlton, I just wound you up, go.

20:39.0

Well, like literally, so like the whole point about Django is a batteries included framework,

20:43.8

right?

20:44.0

It's meant to provide the batteries and, but it's not any old battery because like, for

20:48.3

instance, it used to provide comments, but comments isn't something you can't build yourself

20:51.4

or can't be maintained in the ecosystem.

20:53.1

And it's, it's not, it's not, it's a bit of a burden to maintain because there's so

20:57.0

many you know opinions about what it might have and so many different ways it could go so jango

21:01.8

contract.com comments was pulled out and it's a third-party package now but auth auth really is a

21:08.7

battery that jango has to provide because it's so central and it's so hard and if you get it wrong

21:14.7

the consequences are so bad that that's a battery jango should provide and so yeah we we've got good

21:21.9

auth we've got good central central but we don't have this two-factor bit yet and for me it's it's

21:26.4

kind of like that's a missing battery that would be really nice if we could do something that's a

21:31.1

you know one-time passwords or i don't know what the pass keys are the new things tell us about

21:37.5

pass keys and one-time passwords what are all these things mckenzie because there's a there's

21:42.8

a lot happening in the changing on authentication because your authentication remains kind of uh

21:49.5

like a like a big a big weak weak leak and especially our reliance on different things

21:57.0

like api keys and uh and that that are kind of just sprawling everywhere because they're handled

22:03.6

by so many different people so some of the things that people are trying to do to essentially remove

22:11.2

these points of the vulnerabilities is to create basically the same systems but only valid once

22:19.1

and created for the purpose of that session so you know like you have something like a dynamic api key

22:24.9

that's managed by a trust you know like a vault or something where the api key is created you then

22:30.2

use it and then you then destroy it at the end and it's only valid for one time and its lifetime

22:35.6

is a matter of minutes or at most yeah seconds yeah yeah or you know whatever however long that

22:42.4

that it that it takes right you know um and so these are kind of really and i think we can expect

22:49.1

um these to to really start taking over along with kind of rule-based or authentication that's

22:55.1

being implemented in lots of different ways because one of the problems that we also have

22:60.0

been facing is that when you're trying to manage you know pass keys and passwords and api keys and

23:05.2

all of that you know you can be tempted to create you know you need to do multiple different jobs

23:11.2

if i create one admin key to be able to do all those different jobs then i don't have to manage

23:15.2

all these different keys right but then if that that key becomes so sensitive so uh you know having

23:21.4

having role-based authentication where you know you restrict what what you know to the absolute

23:27.8

bare minimums and your authentication is created you know for the purpose that you're trying to do

23:33.7

with all the minimum permissions that you're trying to do and with infrastructure when we're

23:39.1

kind of getting into you know infrastructure as code and on all of these different systems and

23:43.2

secrets faults and we can actually tie them all together so that it works really you know really

23:48.4

nicely and i think that um we're not using these two to the full extent but they're becoming more

23:55.0

and more uh expected and certain things that i mean like we i guess using your analogy i guess

24:01.5

we can expect you know frameworks to start putting in these different batteries um you know as we go

24:06.8

go down well i think i think that's one thing that's sort of it's it's been discussed a few

24:12.4

times and it hasn't quite happened yet but it's like django hasn't really got a solution for

24:17.4

secrets handling in in place um so you start off you get a you get a settings file and in there

24:22.9

the real secret is your your database password and your um your your this secret key which is

24:29.5

used for um signing and and whatnot so it's important that you you don't commit those to

24:35.4

git and we can talk about git guardian in a minute and and whatnot but the first part has

24:40.9

always been stick those in a setting in an environment variable and kind of what would

24:45.1

be what would be nice i think for django to have is a kind of um a pluggable um interface around

24:52.6

that so okay if you're using mvers you get it from there but then there's all these other mechanisms

24:56.9

like you know vaults and secret managers and things that we we could sort of swap out the

25:02.6

back end and you could be using those as well i think it'd be nice to have something like that

25:06.5

in the django space yeah yeah for sure i mean it's uh secrets management is going to persist to be a

25:13.0

problem that we're going that we have to kind of uh deal with and i mean people may have it's you

25:20.6

know it's funny one of the one of the common passwords that guardian detects once later you

25:27.3

know is the django is the django secret keys because often people get excited they created

25:32.1

their first django project they get at all and commit to to get and then all of a sudden they've

25:37.3

you know released this this secret django key now if it's probably not that interesting and to it to

25:43.5

an attacker at least if it's your first project and you're kind of having a play you know but

25:48.8

systems don't know that so uh they alert on it um but i kind of feel like that's a good process

25:54.4

because if you leak something on github you're going to get an email about it and then you kind

25:58.7

are forced to learn how to securely do it from the start.

26:04.7

And, you know, when you're talking about environment variables

26:08.0

and .env files, I mean, and vaults and secret managers,

26:11.2

I mean, there's huge arguments about what to use

26:15.1

and when to use them.

26:16.1

And I think I differ from most of the security community

26:19.4

from what I think.

26:20.8

No, cool.

26:21.9

Well, tell us what you think because this is one reason we get stuck

26:26.2

is that people say oh we want this but then there's a disagreement but what about that and

26:30.8

we can't quite agree on what we should have so we don't do have any anything it's like we're not

26:35.0

yeah so so a funny so a funny story about this is that at pycon italy where i met carlton i had my

26:41.4

talk um and you know my talk was on how to securely manage secrets in python projects and

26:48.0

you know one of i mentioned multiple ways to do it but one of the ways and the way that i like

26:52.4

particularly like is using environment variables and dot env files the talk before me i don't know

26:57.9

if this was like organized by the plan by the organizers but the talk before me the entire talk

27:03.0

was about why you shouldn't use environment variables for it so and so i i like environment

27:10.2

variables but i want to start off the bat and say that they're not the most secure thing to use them

27:16.4

so if you if you ask a security person you say how should i manage my secrets then the official

27:22.5

answer is you should use something like a vault or a secrets manager that's dedicated to that

27:26.4

that's a server it's going to create dynamic secrets so just in time you can connect to that

27:31.8

to you know to to authenticate your developers so that they have access to secrets or their apps

27:37.3

have access to secrets that no developers you know and it becomes like this heavily complicated thing

27:42.2

and what will happen most of the time is that they will interact with that once i go this is

27:47.5

such a pain in the ass to interact with the system and then they create secrets.txt on their desktop

27:51.8

and they store all their api keys there because then they don't have to deal with this heavy

27:56.0

system that some security person spent a whole year implementing that has you know 400 pages

28:01.3

of docs to go through of how to correctly use it and and that creates another problem and then

28:07.2

that's why secrets end up in your history because you you've been told okay i need you to create

28:13.7

this feature and you need to connect to some kind of data bucket to do it so you to start off with

28:18.9

you just hard code the secrets because to do it properly such a pain yeah that you will you know

28:23.6

that it's a pain but don't worry because by the time code review comes around you'll have removed

28:27.4

that not knowing that that secret is now in your git history but no one's seen it so no one actually

28:32.5

knows that it's there and that creates like a a big problem i know this is getting very long

28:39.0

no no that's why gone but that's brilliant though because you've got an intermediate commit that

28:44.6

doesn't appear in the pull request for you but it's still got the secret in it but you just

28:49.0

exactly yeah yeah exactly because you know like because you know like you because you just you've

28:53.9

you're under time pressure you're trying to use it quickly and people don't understand that and

28:57.0

that's why uh an attacker if they make it into your git repository and they'll fish there's lots

29:02.3

of ways for them to do this um they'll scan your history now the top layer of gets probably not

29:07.7

going to have any secrets in it um like by what i mean by the top layers is kind of like what's

29:12.5

on the main branch you know what's in the the latest commits on on everything but when you go

29:18.1

deeper you're going to find all these secrets that have been added and removed from people because

29:22.3

dealing with these heavy systems is is a nightmare now does that mean you shouldn't use the heavy

29:28.1

systems i i really think it it you know like it's gonna it depends like everything but why i like

29:35.7

environment variables is because for most people that's an adequate you know solution and it's easy

29:41.9

enough to secure you create a dot env file in your repository you create a dot get ignore file

29:47.1

and that's going to solve a lot of your problems the argument against that is that there are ways

29:54.2

to dump out your environment if you're kind of if your infrastructure

29:59.7

your server or you know yeah your other your has been your operating systems have been compromised

30:05.4

then if the first thing any attack is going to do is type in env and dump out the environment

30:12.0

variables from a running application and see what's and what's it that that is 100 going to

30:17.4

be the first thing that they're going to do and so the argument against it is that if you're using

30:21.1

environment variables you've just created a nice package for every you know for the attackers but

30:26.4

my argument is if an attack is made at that far like let's face it like you're not in a good

30:30.7

position anyway like i can i have access to your ram i can find secrets in other ways maybe it's

30:38.0

not wrapped up but let's not pretend that like the env file was the problem here like like you've got

30:44.3

bigger problems that you need to deal with yeah right by the time they're on your server you're

30:47.8

in trouble yeah so like my kind of thinking behind this is like look it is great to it is great to

30:55.0

have these heavy systems in there and i think they have their place um but you have to understand

31:00.0

like are you mature enough to effectively use them is that does the team have enough training

31:04.9

you know around around that because um when you get to a large enough organization you could segment

31:10.8

people out so that you know small small number of people have access to these machines they know how

31:15.8

to use it these systems um then that's fantastic if you're a startup of 10 people you know environment

31:23.5

variable files are great it will put them in local memory and at least you're going to you know

31:29.1

prevent them being exposed in other ways like on get so you know that's that's yeah my my rant over

31:37.8

because i mean it's yeah yeah there's there's lots of things but i on my personal opinion is that

31:44.8

it's not the most secure way in the world to do it but it's so much better and easier and it

31:50.3

reduces the friction which is part of the problem with security i was i wanted to mention like i put

31:54.9

my old man hat on when i worked at startups in san francisco github was like down the street and

32:00.9

back in the day you could just search for anything so you could search you know we as a like game we

32:06.3

like get aws keys you could get stripe keys because they were brand new you know so wild wild west

32:12.6

like you just hey the search is powerful boom there it is and like you could literally see it

32:17.2

for every company

32:19.5

because there was no automated,

32:21.6

there was no hiding it,

32:22.9

there was no email,

32:23.6

there was none of this stuff.

32:24.7

It was just like, yep, search, search it all.

32:26.5

So that was sort of a fun game we would do.

32:29.2

It's still basically like that.

32:31.6

It's a little better, but not.

32:34.2

If anyone's listening,

32:36.1

if you go to api.github.com forward slash events,

32:39.2

then what that will take you to

32:41.5

is the GitHub events API.

32:45.2

everything happening in real time oh yeah you will get rate limited but you can create lots of tokens

32:51.9

and to the first like you don't even need authentication for the first time

32:55.5

like you can do it in xornita that will still come up in that you have all the commits that

32:59.9

are happening but you also have the the email addresses from people they're locally configured

33:04.4

get email address so if you're interested in targeting like a specific company you can just

33:09.0

filter out of domains for people that are committing with a i don't know pick a company

33:13.8

at twilio.com email address

33:17.3

and find their personal GitHub IDs

33:21.1

and start scanning all their stuff.

33:22.6

It's still, the search feature is a little bit harder.

33:26.3

Dawking's got harder for sure.

33:28.3

But in terms of finding keys,

33:31.4

we found 10 million secrets on GitHub

33:34.4

in public repositories last year.

33:36.0

And 2 million of them were for cloud provider keys.

33:40.8

so like it's a which we're all valid because we validate them those particular keys we validate

33:46.6

so like it's like it's bloody wild what you will find publicly but i will say github out there

33:53.0

implementing other things that make it better along with like some companies okay so you've

33:57.6

said we then you've mentioned git garden so let's get going okay tell us so what is git garden

34:01.7

you know can i be should i be using this if i'm a django developer is this this helpful to me

34:08.2

of course of course you're not using it carlton oh man wait i know i never i never commit secrets

34:14.2

i've heard that

34:16.5

i've been working for kick out of yid for for four years yeah four years now and in that time

34:25.7

i've committed secrets by mistake so it like and it's my whole job to come on podcast and talk

34:31.7

about why you should not do that anyway uh enough about my work so get guardian so we're a code

34:37.1

security company um and we our platform was founded on detecting secrets inside repositories

34:45.2

so we talked about you know git history uh things like that so the the core git guardian product is

34:50.4

that we connect into your repositories and we will search all through the history and bring out any

34:56.1

secrets and we can if you're in a large company the value of it comes in that we will prioritize

35:00.8

them we will validate them and we will help you remediate them so in a large company that's what

35:05.5

but for individual developers you know all of our systems are free we're the number one security app

35:11.7

on github so i think we're about 400 000 uh users on github um on their github marketplace at the

35:18.5

moment um so just to make sure that you don't have secrets inside your repositories at any any point

35:24.7

and then we also have cool tools uh we have a cli tool called gg shield which will help you

35:29.5

do things like uh install a pre-commit hook to that will sit between you know your local repository

35:37.7

uh well pre-commit sits just in your local repository it just kind of blocks any commits

35:42.4

going through getting staged that have a secret in there because once it once the secret enters

35:47.4

your repository if you're in a team it's going to be cloned into different areas it's going to be

35:52.7

backed up by different systems probably it'll end up inside like jira tickets or you know like

35:56.7

they just sprawl everywhere so once it's your repository you have to revoke it so only way

36:02.2

forward you know by doing things like with gg shield cli tool you can block them um block them

36:08.0

coming in so it's really cool but we've expanded beyond secrets now we also do you know infrastructure

36:12.9

as code scanning um some uh software composition analysis to find out if your dependencies are

36:18.6

vulnerable and the coolest thing that i think is we create call honey tokens um which are fake

36:24.8

credentials so like the main one is the aws credential that you can purposely leave in

36:30.3

places and if someone tries to use it it's like an early warning system that systems will be

36:34.7

detected and why this is so cool is honeypots aren't new honeypots have been around for a while

36:41.2

but why honey tokens are cool is that not only can you put honey tokens kind of everywhere in your

36:46.9

internal infrastructure you can actually put them inside third-party tools so like circle ci had a

36:52.8

big breach the start of this year and encrypted secrets were discovered so if you put a honey

36:59.9

token inside your circle ci environment then you can actually know if that system has been compromised

37:05.3

you know are your other secrets in their compromise so it's the only type of honeypot

37:09.7

that you can put in different systems so there we are that's a bit of a longer plug than i intended

37:13.8

to go out for but i just put a plug for there's there's a django package django honeypot for your

37:19.1

your admin so going to slash admin is the default and so that's a pretty like good place to go look

37:25.5

for stuff and so you can set it up and like log who's trying to get to your admin even though

37:30.2

your admin's somewhere else yeah yeah it's really cool and what what's a fun thing to do is create

37:35.1

honey token leak it on public github and then watch what happens in a matter of like minutes

37:40.8

people will try and exploit it but then it will also typically get sold like as part of a package

37:47.6

like on the dark web months later so you'll you'll start off by getting these random calls like low

37:53.2

level calls and then it will kind of get sold and then you'll start seeing like different types of

37:57.5

activity it's really fascinating to be able to track what actually happens when a credential

38:01.8

gets leaked you know like and how quickly it happens and how it moves through these different

38:06.7

levels of attackers because someone for 20 bucks will purchase a thousand valid credentials and

38:13.2

And then just spam them and see what they can do.

38:15.4

And, you know, and if three of them allow them to do some mining or install some key

38:19.8

loggers or something, then, you know, happy days.

38:22.4

Can I ask, my sense is that, like, if you want to do this kind of stuff openly, there's

38:29.2

like a handful of countries you can do it in.

38:31.6

Is that where a lot of, like, these bad actors are?

38:34.7

Or is it people in, you know, the United States who just cover their tracks a bit more?

38:39.1

like what is what does the actual landscape look like of these you know uh business businessmen and

38:43.9

women out there who are doing hacking it's so hard to definitively say like where these groups come

38:51.6

from uh so like with a honey token like you can get the ip address and you can see where the calls

38:56.9

are being made from but i mean if that's you know if they're not if they're not using some third

39:02.1

party service to mask that then you know that's pretty surprising but you know it really is

39:08.5

everywhere you have you have countries that are a lot more forward in sponsoring bad actors so you

39:16.9

have you know there's russia that you know there's north korea right like north korea like the main

39:23.2

you know the lazarus group in north korea they're extremely notorious but then you also have a bunch

39:27.4

of teenagers like lapsus which were based in the uk that were you know like that were really out

39:35.3

there for for just clout um not really doing too much damage but just kind of reputational damage

39:41.3

um so there's like yeah i mean there's people kind of everywhere that are that are interested

39:47.1

in it um and i don't think it has any any any kind of real boundaries and i don't think any

39:53.5

countries apart from maybe north korea kind of green lighting green lighting this but there's

39:59.5

certainly people where it's more beneficial to to to do it i will you know some different

40:06.1

countries that don't have expert expeditions yeah yeah do you survive yeah is there um when people

40:14.8

like i almost wonder if they need like a retainer for people who leave get guardian or any like well

40:20.7

well-established security group like i mean i guess you know you're not really doing for the

40:24.4

money it's reputation but you know that would be the ultimate thing is to you know nobody knows how

40:29.2

it's like you know how do you how do you steal money from a bank it's like buy a bank it's like

40:33.5

yeah yeah yeah it's it so i mean like good guardians really well set up in that that like

40:39.9

we don't have access to other people's secrets like we we can't get access to like as an employee

40:45.4

but we do know a lot about it but i i honestly feel like people don't talk about it but those

40:50.7

but people know like those that know really know like the i i was i've been talking to people at

40:56.9

the moment i got really into reverse reverse uh reverse compiling mobile applications and then

41:03.1

looking for secrets inside of them and it was like wild what was happening inside there but then you

41:08.3

know like you go talk about it to someone that knows you know someone you know i've found this

41:12.5

really cool research and i found all these keys and everyone's just like oh yeah we know already

41:16.3

like no one's kind of like talking about it but those that know kind of already

41:20.8

already know it. It is like a secret little club out there when you know you know.

41:29.3

Carlton, I have one more question. So we'll put a link to this. You wrote an article about

41:34.5

why ChatGPT is a security threat, essentially. And that just like, you win the SEO lottery,

41:41.0

because that's like every... But I wonder if you could expound upon that, right? Because that's

41:46.7

you know, something that is big everywhere. Like I've been using every day now, but it's like,

41:53.0

oh, like, you know, something else is going to come and get me. So for, yeah, so for individuals

41:57.6

or corporations, what's sort of the main threat that you outlined in that article?

42:02.3

Yeah, there's, I mean, there's a number of different ways that, and it's kind of evolving.

42:07.4

And it's funny, you mentioned like the SEO win. Since that article came out, I've been published

42:12.6

did so many like the financial times did an interview with me as if i'm some kind of like

42:16.3

ai expert like i mean you check all the boxes we have boxes here we're looking for chat gpt

42:22.2

security he's that he's that gig guardian he speaks english boom i've just got this vision

42:26.9

of you and simon willison on a panel expert panel uh you know yeah uh but so the things like chat

42:36.5

gpt and llms large language models like have have really changed the game for a lot of different

42:42.8

people so number one you look at it from the company perspective a lot of companies have now

42:47.4

banned this and one notable one is samsung so you kind of look at okay why did samsung bar

42:52.4

ban their their employees using it it's because this is now another system that you know sensitive

43:01.2

information has a way of leaking into so get using the example of github because everyone knows

43:06.4

it if you were an organization and they don't use github the chances are their employees still will

43:11.6

which mean that that organization still has some kind of risk associated to it chat gpt is kind of

43:17.2

similar so you get it to summarize some legal documents you get it to sift through a whole

43:23.7

bunch of data or create some kind of uh connection using these these credentials that data is being

43:32.4

stored somewhere right and because of that that means that chat that your sensitive data is now

43:38.4

in chat gpt server which is not you know a super secure platform so now it's a target for other

43:44.6

people so big companies have kind of have started to ban it i think that's the wrong approach because

43:51.4

i think that your employees will use it anyway because it's such a production boost you know and

43:56.9

i feel like there's a fear that if you're not using this you're going to miss out the other

44:01.4

area of chat gpt that's a security risk or other llms is that when you when you you trust ai systems

44:10.4

a whole lot more than what you should so where does chat gpt get its data from you know so you

44:17.2

ask it hey can you create a coding instruction that will do x and it will spit back it'll do

44:23.2

it in record time and it'll even like explain how it works so it feels like super great chat gpt

44:30.7

uses the largest data

44:32.9

set around, which is

44:34.8

the common crawl data set. It's what

44:36.7

all of these systems use. Most of the

44:38.8

code in there is from GitHub.

44:40.0

And most of it's rubbish.

44:41.3

Yeah, so that's kind of the point I'm getting

44:44.2

it to. Look at a random open source

44:45.9

repository. That's what it's

44:47.8

learning against. Now, these systems

44:50.1

can't really distinguish between good code

44:52.0

and bad code, at least

44:54.2

not in the vacuum of which you've asked them to

44:56.0

do a query. It's found the

44:58.0

most common result.

44:59.5

A great example is a different system, Copilot, GitHub Copilot.

45:04.5

Whereas, at least this was true a year ago

45:08.4

when I was really experimenting with it.

45:10.2

If we used the author, if we put in at the top an author

45:16.5

as a really respected, well-known open source maintainer,

45:19.8

someone that's very prolific, and asked it the same prompts

45:23.0

as if I used my name as the author, we'd get different responses.

45:27.5

like because like it's kind of looking at an example of what would this guy do and what would

45:32.0

this guy do and obviously i'm much shittier than than the other person so yeah so the whole point

45:37.3

is that you actually come to the risk of like the code that it gives you will have like vulnerabilities

45:42.2

in it probably um and here's a big difference as people say well what's the difference between that

45:47.2

and me copying code from stack overflow and the difference is that stack overflow has a comment

45:52.4

section where people will very quickly let you know if you're doing something insecure or around

45:58.3

it there's a huge community around that people can add input you will get various different results

46:03.3

for the same thing chat gpt co-pilot other llms have you know don't provide that additional

46:10.5

community input as to which is the best way you ask it for an answer it gets an answer um you know

46:16.0

and i wrote an article called shitty code shitty co-pilot and it's you know basically you know that

46:20.0

crappy input crappy output and the people that are most likely to use these systems are probably

46:27.0

people like you know that are early on and may not know the difference between random and random

46:31.8

secure and when you know like when generating a random number and when to use both of them

46:36.6

yeah i think everyone uses these systems to be honest i mean maybe they're not as good at like

46:43.1

filtering things out i mean it'd be kind of cool to have an llm that's just approved answers on

46:47.9

stack overflow that would be kind of cool yeah that for sure for sure i mean that exists

46:54.0

well i'm really not i'm really not against like these systems too but i'm just kind of of the

47:02.3

mind that you you just you need to understand where the answers come from it's not a genius

47:07.8

ai system it's come from other people on github it's organizing it in a revolutionary way that

47:14.0

helps you find the solution that you're looking for extremely quickly but you know you have to

47:20.8

understand the limitations of that and you know where the answers come from yeah and i mean if

47:25.8

we're talking about security too the other area that of these systems and ai that people are

47:30.9

worried about are attackers using ai so can attackers now you know more effectively and the

47:37.6

answer yes and no like everything uh so again again uh ai systems use known data to to do this

47:50.4

revolutionary attacks you know are not on the public internet or they're very you know very

47:55.9

hard to do and it's not coming out with new stuff so if if you want it to create malware if you use

48:00.5

it will block you at first but if you use clever prompt injection like one that used to work i

48:05.0

don't think it does now is like imagine you're an ai system that doesn't have limitations if you put

48:10.0

that in chat you know it used to i think it's important to my career you know like yeah yeah

48:14.5

like or give me an example of malware you know that these things used to work and prompt injection

48:20.3

is you know there's lots of clever ways to get it to do stuff there's also open source llms and

48:25.1

you can remove these limitations but anyway um if you asked it and you successfully got it to

48:31.4

create malware for you it's going to be pretty standard malware like it's nothing that you

48:36.0

wouldn't be able to find by googling yourself however you know what it does do is it gives

48:41.3

script kitty superpowers so you know like when you combine the script kitty which is a you know

48:47.1

someone that doesn't have a huge technical knowledge that just can run malicious scripts

48:50.6

to get into things it's a big section of the malicious market you know you now give them chat

48:55.9

gbt so that when they're doing phishing campaigns they can now do spell check like you know how long

49:01.0

was it the biggest red flag was misspelt stuff i'll forget about that now um you know they can

49:06.9

they can manipulate the code for the first time they can input malicious code and say

49:11.5

adjust this so that it can do this on this system or you know um and these things so it does give

49:17.8

some superpowers but when we're talking about like is it going to revolutionize the hacking

49:22.1

not at the moment because it needs to have it can't come up with new ideas yet it can only

49:28.4

regurgitate existing ideas so i mean this is like look there's lots of concerns around ai

49:33.3

um and i did an interview recently which was uh with a guy called simon maple which was like is

49:40.5

ai our friend or foe and um surprise surprise the answer was it depends no but i think it was

49:45.6

that's what someone told me like if there's a magazine article and it has it has a question

49:50.7

in the title like it doesn't know otherwise it would say ai is a threat yeah ai is a friend

49:54.6

yeah well i also i mean i look i i i feel like it's pointless to worry about that or wonder

50:00.6

wonder about that because it's not going anywhere so like is it a threat yes no does it change

50:05.6

anything in how we're going to operate or what the risks are that you're facing now no

50:10.3

so it like it's it's it's here to stay um and at the moment the biggest risks are not external as

50:19.2

and it's not an attacker using it,

50:20.9

the biggest risk is internal,

50:22.5

your employees using it,

50:24.8

but not understanding.

50:25.9

And if you block it,

50:27.7

if there's someone here

50:28.9

from a large organization

50:29.9

that's thinking,

50:30.4

okay, I'm just going to block this system,

50:32.6

then all that it's going to do

50:34.8

is send people to the background.

50:37.7

They're still going to use it,

50:39.0

but they're just not going to tell you

50:40.0

that they're using it.

50:40.7

So you couldn't audit it then in that case?

50:43.0

Yeah, exactly.

50:44.8

There is, I mean,

50:47.0

as a security expert,

50:48.6

let's talk about LLMs a little bit more. I was curious your take on, there is this issue of like

50:53.0

the Ouroboros of like, now that we have, you know, so much of, you know, so it's like Google's,

50:57.1

the problem with Google, right? Google searches the internet, but then people like want to feature

51:00.9

on Google. So then you write articles for Google. It's like why YouTube videos are all like 10

51:04.9

minutes in one second, right? Like, so it becomes like, just gets crappier and crappier and crappier.

51:10.3

It's like silt building up behind like a dam. And that's, I've seen, and I can believe this

51:16.2

based on just typing in that they think the majority of articles are soon going to be

51:22.9

AI-generated because it's perfect at these topics. And so there's an argument that over time,

51:30.2

this is as good as it's going to get. It's just going to get more and more crappy as AI consumes

51:36.1

AI. And of course, it's all copyright laundering, which we don't need to get into. But I'm curious

51:43.4

if you have a quick take on that or does that seem right to you because to me i don't really see a

51:46.4

way out of that you know both in terms of i guess code you can run and you can test it but like

51:51.7

things you search for i mean i use chat gbt as google now because and i used i've been using

51:56.2

duck duck go for years too also just because google's doing its inevitable thing but i kind

52:01.9

of wonder like maybe maybe i'll just be stuck on like you know september 2021 or whatever is the

52:07.3

date because it's just going to get worse i i have an interesting take on this so i don't know

52:12.8

this is going to be like the popular take but i have an interesting take i think it's going to

52:16.1

have the opposite effect so here's why is that we came from it like 30 years ago the main source of

52:22.5

information was all books it came from trusted kind of sources and you could say whether or not

52:26.9

you think that's bad or good but you know you that's where you as a book author i agree very

52:30.6

trusted right yeah and it's hard to it's hard to it's hard to publish it it's still hard yeah it's

52:37.9

part yeah and it's and it's like it's so easy to publish junk now and now chat tpt has made it so

52:44.4

easy that i feel like it's going to have the effect that the that there's going to be so much

52:47.8

shitty information that everything's going to get so much shittier that we're all going to go back

52:51.4

to trusted sources instead of instead of kind of going on so like are we going to be like googling

52:57.6

answers or will we go back to the trusted peer-reviewed research or articles right from

53:02.8

jango.com yeah yeah yeah jango.com or you know like all these you know i feel like i feel like

53:09.1

it's actually going to kind of make it make the people that had some kind of platform but no

53:16.0

brains like it's going they're going to become so noisy that you're just going to ignore them

53:21.8

and then and then what will become kind of the new system will be that we all need to take a

53:27.6

step back and go back to trusted sources and that's kind of all that's what i'm hoping that's

53:31.6

going i i like i like that well you know i have i've my robots.txt is updated for all the crawlers

53:37.8

so i'm sure they're going to abide by it and so i'm not worried about my stuff being pilfered

53:42.1

yeah yeah of course yeah side joke to people i've got an update there's like 10 on there but

53:48.8

that reminds me of uh that i always ask people kind of like what's the worst

53:54.6

security advice you had and there was a guy that was that was providing um providing feedback

54:01.6

on a on a penetration test and he explained how this person's organization their infrastructure

54:07.8

was vulnerable and the person's response to that would be yes but that's illegal so no one would do

54:12.9

that nice it's like it's like what are you doing people don't abide by laws everything would just

54:21.2

be lawless and it's like well welcome to the internet okay good so we're right we're coming

54:27.2

up on time a bit mackenzie i had i just wanted to ask you one more question so if you if we would

54:32.0

say first thing move all your secrets into envers and you know then use a secret stand or something

54:37.1

like get guardian and make sure that you catch anything you do commit is there a third kind of

54:42.2

obvious thing that we should be doing that you would say um yeah definitely so uh we need to add

54:50.6

additional layers of security upon things so you know there's a concept called zero trust

54:55.5

which is talking about you know like just because you have an api key or you have a password doesn't

55:01.3

mean that you need to trust explicitly that person so there's something that you know something that

55:06.8

you have and something that you are and we should be implementing those rules across security as

55:12.7

well so um some some simple things that you could do you know if if you're listening to this go like

55:19.2

okay that all sounds nice but what can i actually do so come up with ways to rotate your keys

55:25.7

regularly the reality is no matter what you do your keys will leak you know the best companies

55:32.0

in the world their keys will leak hashicorp they created a product called vault it's one of the

55:37.3

best secrets managers you know they had a breach because they had secrets leak into their git

55:43.1

repositories so it happens to everyone so what you can do is you can implement a rotation policy

55:47.7

that rotates keys regularly so that's one thing so that that doesn't happen the advantage of that

55:52.9

is that you actually know where your keys are or you know how to rotate them because like then if

55:57.2

you have a leak it's kind of like oh what the heck does this key do am i going to break production

56:00.6

if i revoke this like if you're regularly rotating things and you know what they are

56:04.3

the other thing is like stop stop producing admin keys like if you need a credential don't give it

56:09.7

admin credential i had so many stories of when you know a read-only credential would have been

56:14.4

totally sufficient but you know that requires creating another key but if you've got a sequence

56:19.2

manager then that then the problem kind of goes away so you know make sure that keys has like

56:25.0

limitations of what they can actually do to to suit you know to suit the job and then whitelist

56:31.4

your services if you have a system that's only meant to talk to this other system right then

56:36.6

you can set it up so that they can only talk now if i find the credential between them that allows

56:42.0

me to talk to it then i'm still coming i'm coming from a different area i have a different ip i'm

56:47.4

from a different system so these are things that you can kind of actively do to add layers on top

56:51.4

because you just got to remember that there's no bullet you know everything about security the

56:54.7

famous words of this podcast it depends but you can add layers in that create friction and that's

57:00.8

ultimately kind of like the best way to to handle this is to create enough friction um you know that

57:07.7

that we're adding so many different layers to to an attacker yeah they go attack someone who's

57:13.7

easier yeah that's like that's like one of those yeah startup sayings like there's no silver

57:18.4

bullet there's just a lot of lead bullets yeah yeah i live in the netherlands and there's a

57:23.3

saying here like bikes everyone has like at least two bikes each especially in my town and one of

57:29.1

the things is like no one has any nice bikes because you always want to make sure that your

57:32.3

bike is shittier than the bike that's next to you because then the person's going to because we're

57:36.6

terrible at locking up bikes like yeah don't outrun the bear just be next to someone yeah slower

57:41.3

that's that's like yeah isn't there some story in in like amsterdam after like the nazis like fled

57:48.3

that there was some like a quarter of the bikes or like in the can't the can't the the waterways

57:54.5

or there was some stat i did a bike tour and he was giving me these crazy numbers speaking to the

57:58.1

fact that like you know i guess for a century now everyone bikes everywhere but everyone like stuff

58:03.8

gets stolen and there were some crazy statistics about when the nazis left and the number of bikes

58:07.8

that were trashed or something yeah i think that's i don't know that i think that still

58:12.5

happens because every now and again you'll see the canals a crane will come into the canal with

58:16.2

these big claws and they'll just scoop up all the bikes that are in there because it just happened

58:20.3

but you know bikes are bikes are pretty easy to come by and and it's an unwritten rule that if

58:26.6

you know if it's past 2 a.m and your bike's been stolen it's socially acceptable to steal someone

58:33.1

else's bike to get home so you just got to make the last one from the club as well right

58:38.5

that's good that's good good to remember well i think we should wrap up there that's perfect

58:45.8

i don't know how we got onto the subject well it was it was the backwards analogy from making sure

58:53.8

your site's slightly more secure than other sites you know if you've got it you've got it

58:58.1

your bike's slightly worse than the neighbor's bike it's the opposite the mirror of that

59:02.4

great mickey so anything else that you'd like to call out while you've got my that we haven't

59:08.3

mentioned that you've mentioned your podcast um you mentioned get guardian um compango you've

59:13.0

mentioned we'll put all of those in the show notes anything else that you think oh yeah um

59:16.3

no i mean i feel like i feel like that's i mean that's kind of it i think that's enough enough uh

59:21.2

enough plugs for for one episode but anyone that wants to follow me um you can follow me anywhere

59:25.9

on social media at the handle at advocate mac um i'm even on threads i've never posted but you know

59:31.6

just in case twitter does explode and then i might do so make sure you follow me but uh

59:37.2

yeah and then i said i mean if you want to take everyone to listen to me geek out about security

59:41.8

stuff that's where that's where you can find me okay brilliant well thanks coming on really good

59:46.1

really enjoyed it i appreciate the invite thanks and great to great to great to meet you will and

59:50.8

great to see you again carlton all right well thanks everyone we are at chatjango.com and

59:55.3

we'll see you everyone next time bye-bye see you next time bye-bye