.NET Rocks Live: Security Panel
Formal Metadata
Number of Parts: 96
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers: 10.5446/51814 (DOI)
Transcript: English (auto-generated)
00:05
Now, now your voices are all gonna get so much louder. Hello. PA stands for pathetic audio. Not here, it's all okay. Yeah. All right, good, and no feedback, no crosstalk. That's all pretty good.
00:23
It's almost like we know what we're doing, and it's not our first rodeo. One minute to spare. Who are we? One, hello. Do you know what we're doing? Yeah.
00:43
We just like to put out a lot of stuff on the table. It's kind of fun. But yeah, so we're gonna record a .NET Rocks episode. How many of you have ever heard a .NET Rocks episode that was recorded in front of a live audience? Lots of hands. So, you know what your role is, right? Louder. What is it?
01:01
Make noise. That's right. So what I'm gonna do is I'm gonna turn down this, 'cause I'm gonna kind of scream, actually. No, I won't do that. I'll just go, I guess I'm gonna say, hey Oslo, it's .NET Rocks, as best I can. Yeah, and I want you to scream and stand up and beat the person next to you.
01:21
Take off your clothes and set fire to the building. Are you with me? Are you with me? That's what I want to hear. Please keep your clothes on. Nobody, nobody wants to see that. Keep it, sir. Keep it, guys. All right, everybody's like, who, what? All right, here we go.
01:42
We have pushed the red button. Okay, here we go. Oh.
02:01
Boy, Carl, you sound great. Well, my voice, it will show up eventually, maybe. Thank you for coming to the security panel at NDC Oslo 2016. Are you having a good show so far?
02:20
Awesome. I appreciate the fact that you guys are so outgoing. Most Norwegians are very rowdy, as you know. And yeah, so Richard, buddy, how you doing? I'm good. We're just about at the end of this sprint of shows for us. It's been fun. We've done 12 shows here. This is the 11th one. Yep. Well, more to go. I'm ready to go.
02:42
So we're paying our way here. Yeah, no question. I'm very excited to be doing this security panel. But before we get talking to the panel and the guests, we have a little business to do. Mm-hmm. First one is called Better Know a Framework. Roll that music.
03:00
All right. What have we learned? So you're actually seeing how the sausage is made. We don't actually hear the music when recording. You ever hear us actually say, wow, that music's really cool? That's a lie. We add the music in later. So we just sort of sit here for a moment, and then I'll segue, and this is, we call this an edit point.
03:22
All our shows are edited. We have these amazing editors. They even make us sound smart. And so, but this will all be fixed. So when you go back and listen to the show, just remember this conversation, because it's never going to appear. All right, you ready? I'm almost ready, because what I have to do, and I'm using my phone where I should be using a PC. Yes, but I've got a URL that I am now copying and pasting with my finger on my iPhone.
03:46
Which is, as you know, the most fun part of computing. So I can get to this link that I've copied before. Yeah, and you wait for it. Wait for it. This is good. Troy's gonna love this. In fact, he probably wrote the story, because it's a security thing.
04:02
So it's probably his fault. The first, probably his fault. So this is show 1326, okay. Go ahead. All right, buddy. What do you got? All right, so this is show 1326. So if you go to, you know the pattern, 1326 dot pop dot me, and it will bring you to this story.
04:22
US spies are building software to spot your suspicious behavior in live video. Nice. And every one of you guys is thinking, oh, you poor Americans.
04:44
The intelligence community is working on amping up people-recognition power to spot, in live videos, shooters and potential terrorists before they have a chance to attack. Part of the problem with current video surveillance techniques is the difficulty of recognizing objects and people
05:01
simultaneously in real time, but Deep Intermodal Video Analytics, or DIVA, nice, a research project out of the, and I'm gonna put this in here, quotes, Office of the Director of National Intelligence, will attempt to automatically detect suspicious activities with the help of live video pouring in through multiple camera feeds. I
05:28
am no longer sunbathing in the nude. Better off. You know, this just walks that fine line between security and privacy. I don't think it walks it at all. I think it's way over the line. There's the line.
05:43
There they go, sprinting over the line. So, you know that I always like to find a story, when we talk to Troy or other security people, that just elicits emotion around privacy and security, and that's a good one. Yeah, you're looking for the "they're doing what?" reaction. What?
06:01
Okay. All right. Well, anyway, that's what I got. Who's talking to us, Richard? Grabbed a comment off of show 1295, the one we did with one Troy Hunt. We talked about SQL injection and ransomware and all other kinds of good things, Troy doing his usual job of scaring the snot out of us, right? And David Glass had this comment, where he said, oh God, no, not Troy Hunt again.
06:22
Every time he's on .NET Rocks, he makes me panic and change all my passwords, and my pants. Seriously though, I am stunned every time I see a seasoned developer show a complete lack of interest in making their applications secure. I can understand how new devs don't get it, but it still winds me up. They seem to fit into one of these three camps. One: oh, I just never thought about it.
06:44
It's baffling that this still happens today. Two: it will never happen to me. I just show them the web logs of any app that they've ever worked on, and the constant stream of port scans and login attempts usually bucks them up. Or three: I just don't care. The worst. Apathy is the hardest thing to fix.
07:04
Why isn't security not just taught at level one, but made an integrated part of the process? It's like giving a class on web development and not mentioning CSS, which in some ways is a kindness, but okay. Every student developer should be given more trunk talk.
07:20
Ever wondered how I can read every one of these emails perfectly? Let me tell you the truth. It's my brother Jay who edits the show. He's gonna fix it for me. Where is it, Jay? We love you, Jay. No, it's a Thursday show, it's Brandon. Brandon, Brandon, fix it. Brandon, fix it. No, it's a Tuesday show. Is it a Tuesday show? Yeah, this is Lawrence. Yeah, it's a Lawrence show.
07:44
We have three editors. Sometimes we need all three to make us sound smart. All right, they have, on their console, they have a dumb fader, and they turn it down. It's like the brightness knob, only it works. All right, I
08:02
gotta pick, you can't laugh, then we're gonna edit this in, so you know, yeah, it's gonna be a quiet step. Every student developer should be given some Troy Hunt talks to listen to. Hmm. I'd have nothing to add to this. I think that's absolutely true. Agree, and definitely a problem. David, thank you so much for your comment. A .NET Rocks mug is on its way to you. And if you'd like a .NET Rocks mug, write a comment on the website at dotnetrocks.com or via any of our social
08:25
media. We publish every show to Google Plus and Facebook, and if you comment there and we read it on the show, we'll send you a mug. And definitely follow us on Twitter. He's at Rich Campbell, I'm at Carl Franklin. Send us a tweet. We print them out and post them on the walls
08:41
of the Department of National Intelligence. All right, well, I'm going to let our guests Troy, Stephen and Niall introduce themselves, starting with you, Mr. Hunt. Yeah, I'm Troy Hunt, the guy in the thing just before. That guy, apparently the scary one, the Australian security guy out of our colonial collection here.
09:05
It is kind of a colonial mob up here. Yeah. Except for you. No, Canadian. Mr. Haunts is actually, yeah, okay. Stephen? I'm Stephen Haunts, and I'm not Canadian. Oh. From the UK. I'm a lead developer for a company called Buying Butler, and I also do some work for Pluralsight
09:25
with Troy. Great, cool. I'm not as scary as Troy, though. Now, my name is Niall Merrigan. I work with Capgemini, one of our local Irish-Norwegian imports here. I kind of came up here and got lost, and they won't let me go back home. I
09:44
love you, honey. We can edit that bit out, right? Sure we will. So their actual bios are on the website, dotnetrocks.com, so you really find out how they're qualified to be here in the first place. So, a security panel. Where do we start? What do you think is, what's going on in the United States?
10:05
And I'm the only guy, yeah, I'm the United States, yeah, and I'm asking you guys what's wrong with my country, actually. Can we, do we have to answer that politically correct, or? I'm sure Trump's got your best interest.
10:21
You try living next door to the guy. Good. I know, I'm always lobbing Scud missiles over the border. Build a wall. I mean, the breach culture, I think people are getting numb, like they're just not even reacting to it anymore. It's become funny. I think it's partly that. No, I mean, we're recording this at a time where the last few weeks we've had things like Myspace, 360 million records.
10:46
Yeah, record for you, right? Yeah, I passed a billion records on the stage. So, Have I Been Pwned, believe it or not. And just time out for those who don't know what he's talking about. Troy has a database of email addresses that you can look yourself up in, to see if you've been hacked.
11:01
It's called Have I Been Pwned? Pwned. All your email addresses? Probably does, actually. Mine, I actually found mine in that from the Adobe hack, and I had to go change my password because of it. So yeah, you said yes. So we passed a billion, VK, the Russian version of Facebook, which was about another
11:21
93 million, but that came after, now, what was it recently? Myspace, LinkedIn, Tumblr was there, fling.com. Everyone's going, what? So fling.com, look it up after you get home. But we had all these massive data breaches, and the interesting thing is they're all from several years ago.
11:41
They're like 2012, 2013, but they're just surfacing now. And what we're seeing is this sort of media buzz where everyone wants to believe that everything is a data breach. So the news yesterday was, it's Twitter, Twitter's got 32 million accounts hacked, and that's all the headlines, and then the chief security officer at Twitter's come out and said, no,
12:00
it's not ours. It didn't come from here. Yeah, so now we're sort of, it's almost like it's not just getting so used to breaches, it's just automatically assuming the worst, and everyone's just losing their minds over, not even checking that they're actually legit. Hmm. Because you often fall into a situation where you're the validation source now. Yeah. Well, I actually check stuff.
12:20
So there's that, but a lot of people don't. And I guess that there are also parties out there that are sort of incentivized, if you like, by the fact there are breaches. There are people that sell the data. There are people that sell security services that benefit from other people thinking that data is out there. So there's too many sort of vested interests in wanting there to be large data breaches, and it's not in their interest to check them.
12:44
Interesting. Wow, now, it's just evil all by itself. No, it's another level. Well, and this is another, this is an odd aspect of dealing with security, just that you sort of got into the situation with this bloody website of being, you know, on top of every breach.
13:01
Have you guys been responsible for systems that have been breached, like you've been on the other side of this? Will you admit it? Luckily not, but I mean, I've worked for plenty of companies that make some pretty dumb decisions, right, and I've had some pretty poor excuses for why they don't improve their security. So, but haven't been punished for it with a nice public "here is all of these user names, emails, credit card numbers and so forth, and we blame Stephen Haunts."
13:25
Not yet. I mean, there's one company I have worked for, whose name I'm not going to mention, which I wouldn't be surprised if something did happen in. Like, it's sort of inevitable. Yeah, I think what's interesting about the time-delayed breaches is just this idea that they may have been hacked, but right now somebody's sitting on that data, maybe trying to sell it without making it public, because it's worth more while that's unknown.
13:46
Like, just 'cause, yeah, it's not like somebody leaves a card behind saying, hey, I copied all your data. And is there any evidence that data that's stolen, whether it's accounts or, you know, banking statements, are they used more for collateral, you know, or
14:04
prestige or whatever, or do people actually buy them and then hack against those accounts and benefit, you know, actually commit other crimes with the data? Do you see both things happening? I certainly see both things. One aspect of this I find really interesting
14:20
is that there are a lot of people that trade in data breaches the way you would trade in, like, baseball cards, right? And a lot of the time it is actually kids. It's like, legally, children, you know, and maybe they're 15, 16, 17 years old, but they're kids, and they're going, hey, I've got this one, you know, do you have that one? Can we do a swap and do a trade? And I'm sort of looking at it going, well, what do you, why, like, what are you doing with this stuff?
14:43
Yeah, and you know, they want to do stuff like look up friends, though. Yeah, some of them want to sort of see how many passwords they can crack, but it's bragging rights, too. I mean, you're a kid and you say to your friend on the bus, you know, hey, I've got all of LinkedIn's database, passwords and all that stuff, you know. Yeah, you have like a certain Medal of Honor among your
15:03
script kiddie friends. But you know, there's that, and I do, hang on a second, colloquially speaking. Yeah, so there's that, but the other side of it as well is that there is a commercial upside to having breached data with accounts that actually work in other places. So we've seen
15:21
just in the wake of this news the last couple of days, about there being some large amount of data that works with some number of Twitter accounts, a bunch of people said, hey, my account, my Twitter account, has been broken into, and there are people posting things like porn networks. And inevitably, there is some degree of monetization there, where it drives traffic and awareness of the sites, and there's definitely a really sort of shady underbelly
15:43
to that which does actually have a commercial incentive as well. Like, with all the different breaches, like if you've got access to all these kind of passwords, and using those passwords, and you can start seeing all the hashes, you can start to draw conclusions of the type of security they're using, and then start kind of maybe social engineering, especially if you can find one of the high-profile accounts that, you know,
16:03
they're not using 2FA. If you can get near a kind of CIO, CSO, or even, like, you know, financial officer, and you can use that then for advanced social engineering techniques. Social engineering meaning blackmail? That's exactly it. There's everything. So, you know, social engineering, someone's going to click a link, phishing from some Nigerian prince.
16:20
But there's other things. For example, they'll say, well, we'll try and insert something into your computer, or extract, like, some of your personal information, maybe try and activate your webcam at inappropriate moments, or put some data on your computer that we can use then to blackmail you, to get you to give us money, because humans are the weakest part of every system.
16:40
It's usually where we do get the biggest and easiest breaches, out of people, or out of any system. We just try and find a user with a weak password, or we try and strong-arm it in somewhere, and then take over, because there's a lead time of about, like, 200 days between a person or a system being breached and it being found by the kind of security team, if they don't have a proper kind of intrusion detection system in place.
17:04
Well, I was just checking my facts here. As of a few days ago, Zuckerberg had his Twitter, Pinterest and LinkedIn accounts all hacked. Allegedly, he had a password of da-da-da. Allegedly. But we do know that he did have those three accounts hacked, because we saw other people take over them and tweet and message on
17:24
his behalf. So yeah, talking about high-profile individuals that are the targets of these sorts of things. 'Cause wasn't that the thing with the LinkedIn one? Once the LinkedIn breach kind of went public, the latest one, like from four years ago, they started looking for high-profile accounts and then started kind of posting. It wasn't that they were posting against LinkedIn passwords.
17:41
What they were doing is they found the password the person used for LinkedIn was the same one they were using for Twitter, and then they had enabled cross-posting from Twitter to LinkedIn. So people were then kind of saying, oh, you know, there's nice LinkedIn, you know, your professional network, and all of a sudden it comes up, this porn URL from some CIO in, like, some company. How did it get there? Did they hack LinkedIn?
18:03
It's like, no, they hacked your Twitter, because you didn't, because LinkedIn had forced everyone to reset all their passwords if you were involved in that breach. So, public service announcement: don't allow cross-posting from Twitter to LinkedIn, especially if you use the same password.
18:21
Here's the other thing. Like, all of these accounts, they haven't got multi-step verification turned on, right? Like, as soon as you have a reused password or a bad password, that is your fallback position. That's your defense. You know, you're gonna have the little SMS or the authenticator app. So in the case of Zuckerberg here and those other ones, obviously they just didn't enable that, and it's there in all of these big social media accounts now.
18:42
So every time you see one of those, you sort of go, you missed something really fundamental. Well, like, how many people don't use 2FA on everything? 99%? Yeah, there was a figure. Yeah, no, that is factual. It was, I can't remember whether it was from LinkedIn or it was one of the other big ones just recently.
19:01
It wasn't Myspace, because no one cares about that. It was one of the big ones, and they said, literally, their statistic showed less than 1% of people actually enabled multi-step verification. Well, and part of that would be that there's an awful lot of bad 2FA implementations out there, like it cripples using the product. Yeah, so even if you don't turn on 2FA, I arrive in Norway,
19:22
I go to log into Twitter and immediately get an email from Twitter going, hey, are you in Norway? Which is not bad, right? I mean, at least that's a useful thing. But there was an interesting situation that happened the other day. Richard, you went to PayPal, you logged in, and he knows that he's from Canada, and yet the PayPal page after he logged in was in Norwegian.
19:45
The button to switch it back to English, that's 2FA right there. It just stops you using PayPal. Well, I was gonna say, should we even be using passwords at all, now that we have password managers and things? Should we be remembering them now? I mean, you don't need to remember most of them now, but I mean, look,
20:04
we've still got to use them. It's just a question of not getting an emotional attachment to being able to remember it. Well, that's what breaks down a password manager. I like the one Richard uses. You don't actually know what your password, yeah, so I was laughing about that right as I was logging into PayPal. So I have no idea what my PayPal password is. It changes itself every 30 days, right? Like, LastPass does that for me.
20:23
Hmm. I don't even, beats me. I don't know. Be a pity if somebody found your LastPass password. That would be a problem. And that's sort of the issue when you talk about these kinds of tools. Now, admittedly, my LastPass password is all about the entropy. I'm pretty sure it's in the, literally
20:52
It's a good idea to study some obscure poetry, like some Icelandic Vedas or something, and then just take a poem, right?
21:01
Memorize it. Spend the time to memorize it, and you got, like, five lines. Now you have five passwords that you can remember just by number: one, two, three, four and five. So you can create yourself a little document somewhere that says, oh, this site is one, this site is two, you know? It may get into the problem of, you know, it's a little cerebral. Okay, my mom, she rings me up.
21:20
She goes, Niall, I'm gonna get a password book for the house. And at that point, I hope the house has a password. She was, because it was gonna be the shared passwords for my mom, my dad and my brother, or, and people who came to visit. And I was like, I was not too sure if my mom's trolling me. Is she the best social engineer in the house? I'm sorry, you know, take off your shoes, write your password. It's fine.
21:43
Would you like a cup of tea? What's your password? But she sends me this, and I'm like, um, I have to hang up. And she goes, why? I said, because right now I just need to scream out a window for a little bit. Then I'll talk to you again. And I said, it's okay, I just got you a thing. It was 1Password I picked up for her, and said, here's a subscription to that. Just go on, use that.
22:03
She goes, all right. And at that point it was like introducing her to that. She's now got so used to it that she's now kind of going, I don't know what my passwords are, nor do I care. Yeah, and it's, but it's that education part that we were missing, that why should I need to know any passwords at all?
22:20
Well, and the big thing here is, like, okay, great, you've memorized a set of passphrases, and then you log into Microsoft Live ID. What's between 8 and 16 characters? Yeah, right. So it's like inherently a crappy password no matter what you do. But a good password manager will at least let you set that to something that only is going to affect that domain. In fairness as well, okay, 16, it's crappy, and we should do another panel with Barry and beat him up about it.
22:47
However, if it's 16 random characters, like genuinely random characters, that ain't getting cracked, you know. The amount of entropy you can get out of 16, genuinely, it's not too bad, right? But you know, longer is better. Yeah, the xkcd cartoon is correct, but it's degrees, right?
23:03
So, like, how long should it be? I mean, maybe my mouse now, because you like password managers. So what's the right length? As long as, no, no, exactly. Oh, 42, 43. You know what I mean? Like, it's the math. You can't lie with the mathematics.
23:21
But once you get genuine randomness, the length doesn't have to be too much in order for the strength of it to be pretty off the chart. What I don't understand is sites where, you know, you're supposed to pick a password and then they have rules, right? And the rules are: can't use special characters, can't use numbers, can't use the word SELECT. Yeah,
23:43
or DROP TABLE. Only uppercase and lowercase letters. In other words, they're restricting the strength of your password, for what purpose? I just don't understand. Business rules. Why? You know, because, you know, bytes cost money? Yeah.
24:00
Because they're passing it as a query string and they don't want tokenization. And of course, that's the funny thing, for those who haven't maybe thought through it, that the bytes-cost-money argument, once you hash it, that's all a constant length anyway. It doesn't matter how long the input; the length sort of goes away. Yeah, and the cost of getting breached is a little bit more than the cost of the bytes in the first place. But like, that's, do you bring that up now? And we've got, there was a new European directive involved in that called
24:24
GDPR, and data protection, and that, like, has, if you get breached, it's a minimum of 20,000 euro all the way up to 4% of your gross. That'll buy a few special characters. But like, you know, I think we were talking about 2FA and the whole way it
24:43
breaks systems and, for people to use, the whole UX, security UX concept, I think is a bit broken at times. You know how we get this username and password box? It doesn't tell you what we expect you to put in before you start. So you start first off putting in a big password, and then all of a sudden it says, no, you have to have something different, we need to have this. It means that it becomes a nightmare.
25:03
I think that the UX guys have been, are now needing to kind of come up to the stage as well with the kind of the security part of it and say, well, how do you put this together? How do you make it simpler for users to understand, and our users of our systems, to say, pick something good, let's guide you through it? Like we saw that, you know, the little bar, it goes from orange or red all the way to green on your password strength.
25:22
They're kind of a common thing now. Mm-hmm. So I got a question for Richard, actually. LastPass is one that, yeah, I like lots. Yeah, so LastPass, you have one master password, and then this thing controls and gets into all of your accounts. Yeah. Is there any time that you wish you hadn't used it? Like, have you ever been on your phone and not been able to log
25:40
into something because LastPass didn't work on your phone? But so the one thing you look for in a password manager is, is it on all of your devices, right? And LastPass is pretty good about being on all those devices. But I'm still using a Windows 10 phone because deep down I hate myself, and the LastPass client is quite crappy, right? Like, because nobody's working on it, because who's got that phone, right?
26:03
And so you want to buy an iPhone. Nice. There is a clumsiness now when I need to log into something, and I've absolutely been in this situation, where I have to go to the LastPass app, and there is a mechanism for copy password, although you never see the password, and then you have to flip back and paste it into
26:20
the thing you want to use it in. So it is clumsy, where on Android it's seamless, right? It is, as it is on any PC where I'm in Chrome. I don't use Edge, because no plugins, right? So, but in Chrome, when I'm properly logged into LastPass, as soon as a username-password appears,
26:40
it's just filled in. Yeah, but it's, you know, and I never see the password. It just happens like this; the friction goes away. The other thing, though, and I'm not gonna say LastPass is the perfect tool, like it's the one that makes me happy, there's a bunch of them and there's free ones as well if you want to do the care and feeding for them, is the cleaning up of your own mess. So, you know, LastPass every so often reminds me,
27:02
Hey, you still have a couple of old passwords that are the same on some old accounts. Can we go fix those? You know, and does it actually go to Amazon, PayPal, whatever, and change your passwords for you? Some sites have set up a service now so that things like LastPass will literally change your passwords for you. So you don't have to do anything.
27:22
God, I hope that doesn't get hacked. Yeah. Right, you're totally right, and it's like, but again you get back to: why do we use the cloud? Because in theory the public cloud providers have the best people keeping that infrastructure running. These password services have really extraordinarily talented security people working there.
27:42
There's only so many of those to go around. I trust them when I trust myself to remember my Vedic poem. Yeah. Number the same way we feel about running our own servers, you know. We think about the battles we've had keeping the .NET Rocks site running, hmm, in the old days when we were literally running on our own hardware, and now that it's in the cloud. Well, it's still not perfect. It's better, much better. So I don't think the password managers are perfect,
28:06
but without a doubt better. Hmm. Okay. There you go, LastPass, good solution, and only one of them. Pick a product. The only thing you ever did... what is the one thing true in all of these things is you must spend a little time learning. Yeah, and getting used to it. And how often do you change your LastPass password?
28:25
Relatively rarely, because it's long. Yeah, and it's, you know, sufficiently entropic and there's just not a big need to change that password. Okay, cool. You know, in the end we're talking about data breaches, right? The issue here is the most common passwords are out in the wild now, right?
28:42
The big thing that comes from a data breach is those passwords are now exposed to the world, and so you really don't want to use them again. Yeah, and of course everybody does. I'm not going to tell you how many, but I have several passwords that I rotate, and every once in a while I take one out of rotation and I add a new one, because I can only remember so
29:01
much, right? And that's what I think most people do. I don't think most people do that. I think most people have one password that's probably ten characters that they use everywhere, except at places that I'm allowed to use letters, right? Right, and then the ones that don't like the number, and yeah. It's the consistency of all the sites that drives me nuts.
29:20
You know, a number of times you go there and it says no, you can't use this, or even the length, right? Like how come the minimum length is always different? And the funny thing is, like, I do a lot of workshops and I say to the companies, you know, what's the right minimum length? And there's a really funny pattern: everyone always says six, eight, ten. It's always an even number. Has anyone got, like, a minimum length that's an odd number?
29:41
Seven. However, brute force retries are always an odd number: three, five. Right, I don't know what... just, you're only allowed to retry three times and then we'll lock you out. I have a certain number of accounts in my life that are perpetually locked out. Right. I mess up my American Express account almost every time in one way or another and I'm locked out of it
30:01
all the time, and I just don't care enough about it. I've been locked out of my telco for years, and I have a tough time caring. I just can't pick up my voicemail. I do not care. And the one thing I always find irritating about password policies, especially corporate policies, are the ones that make you change your password, forced rotation. Yeah, just add a one. That's exactly it. You know, you can sell...
30:21
Does it give you any extra security? Yeah. Yeah, you just add a number to the end. I had a credit card that required an additional password when you went to use it online, that it would kick into their own little iframe thing that you had to enter in, and there was no password recovery. So when you couldn't remember the password, because they had their own goofball rules, it didn't fit with any passwords
30:41
before I was using the password manager, you had to change the password. So I go to change the password, it tells me I already used that password. So you can't recover the password, but we can tell you not to use it again. That's awesome. Hey Richard. Yeah, buddy. Guess what time it is now. It must be that happy time again. Yeah, it's time to change my password, too. It's all about the entropy.
31:05
It's actually time to give away Syncfusion Essential Studio to one lucky member of the .NET Rocks fan club. With over 650 controls, Syncfusion's Essential Studio is the most comprehensive suite of components available for .NET and JavaScript and Xamarin. Yeah, with world-class diagrams, maps and charts,
31:25
reduce your development time, save some money and get the best support in the industry. These are just a few of the reasons over 800,000 people make Syncfusion a part of their daily dev process. And now individual developers...
31:43
That's another point. I feel like Lou Costello here. Yeah. And now individual developers and small teams... well, shit. Don't get sick, people. It really sucks.
32:00
And now individual developers and small teams can get access to every single control in Syncfusion's library for free. For free. The community license also gives you access to Syncfusion's growing library of enterprise applications, like Dashboard Platform and Big Data Platform, that can help make sense of complex data.
32:23
Support and updates are included too. It's a 10k value for free. Check it out at syncfusion.com. All right, buddy, who's our winner? Today's winner is Craig Lector. No golf claps.
32:40
Craig, you must feel like the luckiest guy in the world right now. Hope you're not listening with your friends at lunch. Craig just won the Syncfusion Essential Studio. That's a big pile of awesome from our friends over there. If you don't know what we're doing here, go to dotnetrocks.com, click on the big Get Free Stuff button, enter...
33:01
No, Get Free Stuff button. Answer a few questions and join the .NET Rocks fan club. We have thousands of members all over the world, and every show we like to give away stuff from our sponsors, and every December we give away a $5,000 technology shopping spree to one lucky member of the .NET Rocks fan club picked at random. But you got to sign up to win, and we ask our guests in every show: if you had
33:24
$5,000 to spend on technology today, Troy Hunt, what would you buy? Everyone see those, like, unmanned missiles that are out there? How much do they go for? Oh, one of them, a little more than five grand. Yeah, can we pool our resources? Yeah, y'all get together.
33:43
Are you going to ride it? I don't know. I'm still deciding. Looks kind of cool. I mean, I just have the question, like, what would you do with a missile exactly? What wouldn't you do? Well, whatever it is, it's only going to be one. There might be this new president, oh...
34:04
Well done, sir. Stephen Haunts, what would you do with $5,000? I mean, I'm quite good gadget-wise at the minute, so I don't really need any more tech. You're just talking crazy talk now. Missile, missile, missile.
34:20
So what I was going to say is, now I've been working quite hard recently, I could do with a holiday with the kids, so maybe... Yeah, awesome, awesome. Yeah, but failing that I'll buy a missile with Troy, the General Atomics. That's a drone. You're going all out now. But it can carry me, so it's the missile carrier.
34:41
Halfway there. Troy's been sitting here googling missiles for the last few miles. How do you get into the US anyway? I don't know, so good. Injection. How would I get in there? So...
35:02
So Niall, I hear there's a bottle of scotch that costs about five thousand dollars. Are you interested in that or something else? You know, if it was like an IoT bottle of scotch, maybe. But, you know, would that count? I would like one of the HoloLenses, actually. Yeah, then you could play with digital missiles.
35:20
I think we just went on the missile thing all over. All right, so you have three thousand, so there's two thousand left from there, so there's twelve thousand dollars. Will that buy a missile? Because now you have a missile and you can build a launcher. And it's like he's checking the retail price. Yeah. Yeah, they're two point three eight billion dollars. No, that's the price now. It's only four million per unit.
35:41
Bargain, we're closer. We've probably given away four million. People, a donation bucket. I can't think of a five thousand dollar scotch. No, there's a fifteen thousand. Yeah, the Macallan Reflexion. We were all at that when we were up there in January, was 15. That is the Shackleton stuff, go for it, it was only a few hundred bucks. That's two hundred dollars. Yeah, but that's the second edition. You get the first edition, it's a bit more expensive.
36:03
You know the other key involves an Arctic mission. Yes, and it has to be from 19... like in '12. Yeah. Hmm. Yeah, these are not normal problems. We found this up when we were up in Scotland; we went to this bar and they had Reflexion by the shot. I think it was
36:23
$375 a shot. Mmm, and I didn't try one, no, because there were no good outcomes, right? I'm either gonna like this, then I bought a $15,000 bottle of scotch and I'm in big trouble. Yeah, or I didn't like it, I blew 375 bucks or something. I don't want that. That's almost as expensive as a pint of beer, oh...
36:44
No, as I found to my horror the other day. Yeah, yeah, absolutely true. There, okay, there you go. I quickly whipped out Master of Malt just to focus in on what's actually important, which is expensive scotch. And at 24,000 pounds for a bottle of Balvenie, that'll do. Let's see, but the Compendium collection...
37:04
It's at least five bottles of Balvenie. Yes, sorry, well, that's a deal. Mary's gone off the deep end... getting more in our range. How much is a pound these days anyway? Is it two to one, one point five to one dollar, somewhere in that neighborhood? Yeah, Glen Park was 62... 2800 pounds. That'll eat it up. All right, so Niall, still not interested?
37:21
Maybe a HoloLens and a thousand dollar bottle of... what was the one that you got for Kent? That was a grand. Oh, there's a Glen Park... was 40 noise. It was very... yeah, you'll buy a couple of those. Yeah, I was burping oak for an hour. Oh, welcome to scotch.
37:41
Escalated quickly. I don't want to talk about passwords anymore. I'm sad. I really want to talk about developers thinking about security, like this. Some actions: they've written software already, and they're working on the next round of work items for the next sprint. How are we
38:01
starting to talk about at least incorporating more security into software so that we know it's not our app that was breached? I think, so speaking particularly from Stephen's and my vested interests as Pluralsight authors as well, education for developers is really, really cheap in terms of where you can spend your security money. There is...
38:23
There's a lot you can spend on practicing your security in a box, and they're big boxes with lots of blinking lights and thousands and thousands of dollars, and they sort of do one little thing for one particular app or one particular company. But you educate people and they get to reapply that over and over and over again. And they also get to apply it at the time where it's the cheapest to fix security,
38:43
which is when they're writing it, because we know that for any bugs in software, whether it's security or business features or performance, the worst possible time to have to make a change is when the thing's all live and it's already out there. It's that sort of exponential cost thing. So yeah, for me, just getting these folks to sit there and even just, you know,
39:01
whether it's go through our courses or do some training or something like that, just to sort of skill up a little bit, it has a fundamental impact for a very little amount of money. One fundamental thing everybody can do is use HTTPS everywhere. I mean, that helps us a lot, doesn't it? Because we really can't trust our routers and link... you can't trust the Wi-Fi. Yeah, I just watched... I can't just...
39:24
He's carrying his Pineapple with him, that's the kind of guy he is. But one of the things, like, is the security culture, is like building this into your team and getting it together so that people are starting to think, you know, I as a developer have a responsibility for this data, that if it ever gets out, it could ruin someone's life.
39:43
Sure. Now if you work for Ashley Madison, you know... okay, if I did, yeah, yeah, we wouldn't know. Yeah, the thing, all jokes aside, like, I keep making this kind of point: don't make my job any easier, because it's getting to the point where it's getting too simple to do a lot of the hacks anymore, because
40:02
the researchers, and we're all just looking for one mistake you're gonna make, and you're trying to build your security boundary around your applications and we just go, there's a little hole you forgot, and that's it. So think about what happens if, when, this gets broken into and someone steals all your data. What would happen? So if you assume that, okay, we've got hashing on all our sensitive information, we've got hashing across the entire
40:25
database, we've got, like, data level encryption, we've got all these other kinds of different techniques available. That's great. And then look at going, well, I've done that, so if someone breaks in they can't get anything. And then what happens if... how do we stop people getting in? And that's kind of the two parts.
40:41
It's not just like let's build a huge wall around everything; that doesn't solve anything. Americans! But I talked to the Paula Januszkiewiczes of the world, yes, she's like, I'm gonna get in. Yeah, that's what happens now. No, she is exceptional of all the most... you do not let that woman touch your computer.
41:04
How I know. There's a great story about her, you want to tell it? Oh, I don't... you guys know this story? Because she's a petite blonde Polish girl with an English accent, because she learned English from an English... very soft-spoken. Goes into an office that's going to hire for pen testing half an hour early and asks the reception
41:24
if she can get online to pick up some notes because she's really nervous about the meeting. And then by the time she gets to the meeting 30 minutes later, she has every administrator password already. So she said, let us begin this conversation with all of your passwords. It was from there, it was kind of a question of why should we hire you? Yes, yeah.
41:43
My question is why you shouldn't. You don't need to hire me, you're done. Yeah. So yeah, but I just sort of acknowledge this idea of that... I'm not gonna acknowledge that. You good? You sure? Yeah.
42:03
Habits. But I just acknowledge this idea that penetration is going to happen. It's just really, you know... and I've put my IT hat on here. We talk about security in depth because it sounds good, but the reality is there's no wall that's unbreachable, and it's just how far are they gonna go after that?
42:21
Data needs to be encrypted on the disk, right, so that even if it's taken, it's like, good luck. You don't have the keys. They should not be sitting in a text file marked keys. This is your other problem. Well, Troy demonstrated in one of his talks earlier on about, like, hashcat and how quickly he could do it on commercial grade hardware, not even, like, you know, kind of industrial stuff. It's just commercial,
42:41
consumer grade hardware, yeah, that you can just, like, a straight-on GPU, and how quickly you can crack passwords based off just random brute force. And it's astonishing. And you know, there's no company specializing in supplying you with a box of 10 graphics cards that you can go off and just crack 350 billion hashes a second, and you know, that's how quickly it'll get through certain types of hashes.
43:04
What about throttling password attempts? You know, only allowing a certain number per second? Well, that's why you should do something like a password-based key derivation function. What I mean, what you're talking about, Carl, is like in the app itself, right? So when you're making HTTP requests, HTTPS requests, you can only make so many per second or whatever it may be.
43:24
But I guess in terms of password hashing, it's a question of once the password storage has been compromised and someone's SQL injected and sucked out all the passwords and you've got the hashes, you've got no more ability to do any throttling. And so to Stephen's point, now we're talking about things like PBKDF2, where you can
43:40
effectively increase the workload of how difficult it is to create the hash, so that you can slow the whole process down. You don't stop it, but if rather than being able to do, you know, 4 billion MD5 calculations a second you can only do 4000 bcrypt calculations a second, well, you've just increased your password strength a thousand times over, right, and made it just a little less interesting for anybody trying to break...
44:03
You know, if they actually wanted to work, they wouldn't be data thieves. Well, the thing is, if it takes you, say, 20 seconds to crack a password, right, but if it takes you 20 years, yeah, you know, that's the level of entropy because of the fact that they've done a correct hash and it's salted correctly and everything's done right, and you've kind of... until they get a faster computer
44:24
than you. Yeah, but that's the thing, you're up against the, well, we can crack more passwords with my iPhone than I can crack with my computer, right, you know. So, but I gotta tell you, everything we've talked about... so one more time, I gotta tell you, it's only when I talk...
44:44
It's like, honey, you keep interrupting me. But everything we've talked about so far speaks to IT's responsibility for security more than development's. Encryption on the disk, password policy, like, this is stuff for the ops guys. I don't know as a dev that I need to worry about this. The devs are building the software which chooses the encryption, or rather hashing, function.
45:03
I mean, if, for instance, you go out and use the ASP.NET membership provider from 2012, you have chosen a product which is now going to hash with SHA-1 and a salt, and it's going to be pretty much useless. I mean, it's you as the devs who are going to choose how that gets stored on disk. It is choosing the Active Directory implementation, and that's sort of bright wood hashing, but in the app
45:22
it's mostly going to be the devs. Or you choose to go and do the social login sort of thing, you make it someone else's problem. Hmm. Also, many developers are putting that much effort into, say, doing record level encryption on personal information. That's all great, but if you don't store your keys correctly... so if you just, as you said before, store keys in a text file on it...
45:41
Who would do that? Sony. I've seen... also worked for companies that do that, sure. Private keys in a hidden folder on the C drive. Yeah, 'cause that'll fix... that's protected, no problem. You know, a lot of us work in, like, regulated industries, so finance, healthcare, so really need to start looking at things like hardware security modules or Azure Key Vault. Right, still feeling like an operations
46:02
set of tasks, right? Even when we talk about database storage as a whole. I've got a DBA, he's crazy, right? Like, he's been beaten up by the infosec guy enough, and everything written into that drive, that machine, now is encrypted, and the dev hasn't got a lot of responsibility for it. He's going to be calling stored procedures, it's going to write encrypted data. So here's a story for you, if I can speak.
46:23
So here's a story for you. We at App vNext, which is my consultancy, we pay our developers and our consultants usually by ACH. And in order to do that we had to set up a special ACH account with our bank, and they came out to the office and they told us everything, and they came with an envelope. And in the envelope
46:42
was an RSA generator, that was a, you know, battery-operated little fob, and every minute a different number, an alphanumeric number, came up on the screen. I think it might have been 12 characters or something like that. And so when you go to the website to log in,
47:00
you're supposed to put in the number that's on the screen. And so the preferred way to do this is to wait till it flips, because obviously you don't want to get caught. Wait till it flips, you put it in. There's a secondary algorithm running, the same algorithm on the server, that is matched to that key, and so it will come up with the same number every minute.
47:23
And it can, you know, that is the way that you get in. So there's never a password per se. Oh, that's in addition to, you know, your regular password to log into the system, so there's two levels of security. I thought that was really brilliant. You know what some people do? So this is the interesting thing: we get good implementations like that and then people go and stuff them up. So for example, you see
47:46
instances of people getting their RSA token, sticking it to a board, pointing a webcam at it, right? So that it doesn't matter where they are, they can go and actually access it. I saw a guy write a blog post recently where he even wrote the code to OCR the token from the webcam.
48:04
So they didn't want to type it in. They didn't want to type it in, nice. So as good as we build some systems, there's always gonna be someone who wants to unscrew it up, right? That is software as a service. Now, is there a combination of that technology with maybe a near field RFID or something like that, that can, you know, so as long as I have it in my
48:24
pocket, it reads the number from it and, you know, can log me in? Now that's kind of convenient, as long as it's secure, of course, and we all know RFID is really secure. It is. That's a joke. But if the developer...
48:40
The developers have got the responsibility of, kind of like, okay, they need to educate themselves enough to know what they're supposed to use. If they take the kind of basic implementations, like Troy said, and use SHA-1, they may not even know that this is bad. That's another problem, right? You know, we start seeing, going, oh, I mean, I'm hashing my passwords. Oh, great. What are you doing? I'm using MD5. Yeah, like, okay, great. Are you... I'm using ROT16, you know.
49:05
35, at least you're saving on this place. But the thing that they may not know, and that's the thing I said, the education factor of, kind of like, okay, why shouldn't I do this? What should I be using? And people like us are saying you should be doing this. Here's our cheat sheet for kind of avoiding certain pitfalls, to just get you beyond
49:23
level zero and level you up to one or two, and then you start to begin to see the light, like this, and get to figure out that, okay, yeah, maybe I should be looking at this better. You know, I think there's the security culture, building that into the concept that if this data is stolen, what will happen? Rather than just people saying, oh, I've managed to create a user in the database
49:42
and I've managed to retrieve the user in the database. I've done my job, well done you. So we should be scaring our developers. I like that. You know, all they got to do is listen to Troy's .NET Rocks interviews and they'll be scared still. But I agree, you know, put the fear of Troy...
50:01
The shows we've done recently speaking about security, besides, you know, Terror with Troy, is... Can we get that as a podcast? Nice, Terror with Troy dot com. The OWASP Top Ten, yeah, and it kills me that number one is still SQL injection. Yes, it kills me. Like, I did a talk yesterday on it. It was like, people going, oh my god,
50:22
you're still here? You kidding me? Yeah, yep. Well, and I totally get that there's a whole bunch of legacy, you know, websites out there that are vulnerable, and there are tools that will help you find them fast and then help you exploit them even faster. But I would just hope we're not
50:40
greenfielding SQL injection. Yeah, yeah, yeah, we are. Yeah, and I'll tell you why we are. There's a blog post that I show quite a bit from last year, so, you know, talking 2015, where a guy has written out how to do, effectively, a password reset in ASP.NET C# with Web Forms, which is, I guess, a bit unusual in 2015, but anyway, that's what he's done. And the whole thing is...
51:03
It's odd, actually. It's got one section of SQL code which is beautifully parameterized and works great, and then the next section beneath that is just SQL injection all through it. And this is a new tutorial, you know, newish, one year old, written there, that then has a bunch of comments from all these people saying, thank you, that's very useful.
51:21
So how many people are then gonna copy that and build the new stuff like that, right? You know, it still happens. Still a lot of new stuff that does that. Hmm, 'cause we like, you know... have you guys seen the O RLY? books? Oh really? Yeah, yeah, it's like, you know, copy pasting answers from Stack Overflow. Yeah, like an O'Reilly book, but it's O RLY. O RLY fake book covers. It's brilliant. But like, that's what a lot of people
51:43
do, yeah, exactly. What is security? How to ignore it and deliver your project on time. The thing is that people will just go, this code works, I press F5, the result that happens is what I expected, great, don't touch it, don't understand it, run away, ship it, ship it.
52:04
And I think that's what we're starting to see a lot of. And as, you know, developers, we're very good at going, here's a problem, I've written some code that solves said problem, but I haven't thought about who would actually use this. And it's like trying to give, you know, my son, like, a knife or an axe or something, 'cause he'll just go, well, look, daddy...
52:24
So that's what happens. I think that there's gonna be more like that. I like the model of physical keys. Like, you have a key to your house, you have a key to your car, and this security model has worked pretty much for a long, long time. And the whole idea is that there's one thing that's unique that you keep on your person all the time,
52:41
and that's the only thing that's going to get you into your house. Well, I mean, what if your laptop had, like, an ignition switch? You know, you like put in a key and turn it and then you can use it, and all of the security flows from that. I've a really good joke: your house was good until you had Windows in it.
53:06
Yeah. Even the key thing on the house, I mean, the idea now is that you got to IoT the house, right? Right, so you don't... because this is the beauty of it, who wants to carry around the key?
53:20
They say, because you just walk up and you put your finger on the door. Oh, yeah, and hopefully it's your door when you do that. But we're seeing vulnerabilities in these sorts of things. Like, there's an IoT doorbell. Apparently you need to have an internet connected doorbell, and you'd ring the doorbell and there's a camera there somewhere. But the problem is that when your doorbell rang and you looked at the monitor to see who's ringing it,
53:43
it wasn't your house. When you start to wire these things in, I mean, it just doesn't take much to go real wrong. Yeah, I agree. We ran up against this today, and I want to say that... Well, we'll edit that out. That's what's called an edit point. Changed my mind. I'm not going to say that.
54:07
Yeah, we did a show with Kim Carter when we talked about infosec, and he talked about the OWASP ZAP library and just building that in as part of your test sequence when you're building a website.
54:20
You're running through a set of security tests, and one of the things it's checking is, you know, the straightforward SQL injection vulnerabilities, the things that the script kiddies would run to try and breach your site. At least you're trying that yourself. If you've got a build server, just like there's a ton of CLI tools out there that you can just, like, plug in.
54:41
Yeah, like Nikto, for example. Just do nikto -h and it's a program that will run through all the different vulnerabilities it knows and can quickly scan out your application and give you back a kind of, oh, we found this, we found this, you're being... wow, being silly. Then there's more advanced tools like Arachni, which is a full-on web framework. And if you're running Windows 10 with the new kind of Anniversary Update on it,
55:03
it runs bash, so you can run these, like, natively nearly now. You just install it and it generates a nice web UI and has, like, a feedback. It gives you, like, here's all the percentage of stuff we found. You have a SQLi test, have an XSS test, and it can run these in command line, but it also gives you back a nice kind of, this is a bug for you
55:22
and you can discuss it, or this is a false positive, and managers can see, like, okay, your security tests are getting better. And then you can start doing other kinds of, like, static analysis testing and other types of... But nothing kind of works better than the human to test the logic. These only just test the common little bits. The stuff that we find a lot is, like, people, where I go in and I go,
55:44
I try and walk through the code a little differently. That's it. But I definitely recommend, if you've got no baseline or you're starting from scratch, some of these little tools straight up. They're free. Just knock them into your application, session... you can be much quicker. I've been running... I mean, we use a tool, it's a kind of a third-party cloud tool called Tinfoil Security.
56:01
Yeah, Tinfoil Security. Yes, it has a tinfoil hat. Yes, so it does a kind of, like, an external test against your website, right? And then it gives you a security report of any vulnerabilities. It's not built into Azure right now. It's built into Azure, and you can get it as a plug-in to Cloudflare as well. Mm-hmm.
56:23
Yeah, yeah, at least to have a sense, you know. And I think all of you at one time or another have done a hack yourself first kind of session, right? The past few years it's like, this should be part of our process as developers, is hack on your own site so that you know what vulnerabilities are absolutely apparent, and some of them might be your responsibility from a code perspective and some of them might be operations.
56:43
But if we're not building in a test sequence, you're just not even gonna know. Are there any other tools, Troy, that you want to mention that we should be looking at for analyzing our security situation? I think the main comment I'd have on tools, that's because I saw Niall's talk yesterday as well, we saw Nikto and you're running it in Kali Linux, and, you know, a lot of this stuff is very cool.
57:04
I think one of the challenges is, for a lot of developers, particularly Microsoft developers working ASP.NET web, this is really foreign territory. I mean, out of interest, how many people here want to spin up Kali Linux and run unknown tools? There's one guy, and he's got a hat and a beard.
57:21
He's also Danish and a bit weird. Live it up. I think we have then established the point. It is a barrier to entry, and this is why I kind of like the Tinfoil, Cloudflare sort of stuff, where you effectively just route your application through some sort of a proxy which looks for these sorts of things, gives you a layer of security. And by no means
57:41
do I want to suggest that you shouldn't go through and actually understand SQL injection and cross-site scripting and all this sort of thing. But there needs to be low-friction stuff that works in a fashion that developers are comfortable with. Otherwise, I just think it's too big a leap sometimes. Sure. Yeah, I agree. Yeah, last words, gentlemen. Niall? When do I get my whiskey?
58:01
Stephen? No, I think I'm just totally over the moon that the airport strike is not happening. Yeah. Until suitable stress. Yes. Okay, if I want to do a real kind of last words, guys: seriously, don't make it like that we can walk up here and do really interesting talks because you've screwed up. Think about putting these guys out of business.
58:23
Yes, I'm nearly kind of like suggesting people try and do that. Secure your code, secure your data, think really kind of closely about, you know, what you are working with and what happens if it gets out in the wild, who will be affected. Scare thyself. Yes, exactly.
58:42
Troy? Yeah, look, I think, for me, the big thing is experience stuff first hand. So whether you go and get that in Pluralsight courses from either of us, stuff like Hack Yourself First, which is a really popular one of mine, where it just goes: here is how to do SQL injection, like go and do it. Don't just Google for a website and do it, like
59:01
do it on the site that I created it for, but experience it firsthand, because once you get to play with this stuff it's actually pretty cool, and a lot of people get really involved in it and then sort of get a newfound passion for it. And with that, I guess a key thing to say there is, if you're gonna try and do these things, do it on a site that you own, not one that you don't, otherwise you might be living in a box for a few years. Do it on Troy's site.
59:24
Yeah, all right. Well, that's the show, guys. Let's give it up for our security panel. I will see you next time on .NET Rocks.
59:49
That's enough for the show, but if you've got a minute maybe you can take some questions, if anybody's got a question. That's in the left there, sir.
01:00:00
Government-provided identity services? Interesting. I'm sure that will work out just fine. They never get hacked. What could happen? So the Philippines election commission got hacked a couple of months ago and they lost half of their 110 million people, well they didn't lose, they know where they
01:00:22
are, because there are lots of backups now. I think it is, in one way it is necessary because you've got so many different government services which sort of need to get tied together to function effectively. In another way it's unavoidable because this is, it's not one of those things where you can say, well look,
01:00:40
I just don't want to give my information to the government. It's like, you kind of can't do that. So it's happening and I think that on balance it provides us a bunch of positive things, but you just kind of hope they're not going to do a Philippines, and it kind of compares and contrasts with when Microsoft is asking us to use identity
01:01:01
as a service from them. Yeah. And I wouldn't, you know, who's more qualified, theoretically, but either way you've got the same issue. You're going to put your identity responsibilities in someone else's hands. In the public cloud you could.
01:01:22
So I think it's interesting. Another question? I see a hand back here somewhere. This one down here. Right up front? Yeah. Are you scared of using the Wi-Fi here? It's open Wi-Fi, so, and Troy's in the room. Yeah. And he's got a pineapple. He's not afraid to use it.
01:01:42
There's only about six or seven of these devices running around the conference right now. So, you know, yeah, if you go to open Wi-Fi, just assume everyone is listening. So, you know, and it's intercepting stuff. So just get a VPN. That's why my VPN's on currently, sitting next to Troy. And he's not even got the Wi-Fi pineapple on. Hey, if you haven't seen those before as well,
01:02:01
these are Wi-Fi pineapples. So if you've seen my talks in the past, you would have seen me use this. But they're really super cool. Just Google Wi-Fi pineapple, and it allows you to hijack people's Wi-Fi, which, okay, it's cool. That's one thing. But it's a really, really good lesson about how you can't trust the transfer layer as well. And they are amazingly cool.
01:02:21
And they're only at like $100. That's it. And that runs off a battery pack that's currently suspiciously there. Let's not mention the battery. I told them what it does, right? Yeah. So what it does is a rogue access point. So every time your device pings out and looks for a specific access point, this device says, I'm that. So yours then goes, ooh, good, free Wi-Fi.
01:02:42
So you're like, if you open up your phone, it says, automatically connect to known Wi-Fi points. This device will say, I'm known. You'll connect, and it'll go, now, between me and the internet sits Troy. And he's a lovely Australian man sometimes. And he wouldn't ever fiddle with whatever I'm doing to go onwards.
01:03:00
But it is, that's the thing. You can't trust the transport layer. Well, and the first time your phone connects, what does it do? It goes out and gets your Google mail and Facebook and whatever and connects to Twitter and sees if there's anything. It's sending all those passwords out. But that's why all of those services are now SSL, right? With that big wave that made all of these sites go SSL was because of these kinds of exploits.
01:03:22
The real question is, is your mail server using SSL? With the username and password sending clear text, if it's not? Like POP3 is not secure. Yeah, it's text. It's just text. So you've got to, you've just got to have all these little devices. You like, you know, you can plug this thing in. And no one, it's like if Troy holds up again, it's the size of the thing.
01:03:43
It just sits in your backpack. It's like it's tiny, can be powered off a little phone charger. And you, you know, all of a sudden, you can always spot when these things are on, because all of a sudden you see a load of Wi-Fi points you don't recognize and your home one. You see every Wi-Fi. You see every Wi-Fi. Do you ever get funny looks going through airport security with that?
01:04:03
It's just an access point. Yeah, honestly, it's just a router. And it's kind of big for an access point. Like I've got one that's not much bigger than your thumb, right? Like they make them small now. Niall and I do also have some rather obnoxious ones. And Niall in particular has some big aerials, which. Yeah, I've got the, I've got the suspect. Yeah, I've got the nine decibel aerials, which are kind of like.
01:04:22
But it's like four of them as well. It's like an upside down spider, or half an upside down spider. And they're exceptionally powerful. Like you plug them in and you turn it on in a hotel and all of a sudden like four floors are connected to you. And everyone's wondering why their home Wi-Fi is working.
01:04:41
It was a funny story. That's how I actually got to Øredev. Turns out when I was over in Poland, I plugged this in and one of the organizers from Øredev connected to my Wi-Fi point and decided to log into the Øredev database, which was running over HTTP at the time. So username and password for the Øredev database pops up and I'm like, oh, nice.
01:05:02
Oh look, I'm on the agenda. So ladies and gentlemen, if you ever want to figure out how to get to it in a conference, you know, pineapple. All right. I think we've got to leave it there. Another round of applause. Thank you.