Security Nation, Episode 11

Discovering a New Path in Asset Discovery: An Interview with Metasploit Founder HD Moore

December 04, 2019


In honor of the 10-year anniversary of Rapid7’s acquisition of Metasploit, our latest episode of Security Nation features an interview with its founder, HD Moore. In it, HD gives his opinion on Metasploit’s current state and breaks down his latest project, Rumble, which makes it easy to discover what types of devices are on your network.

Also, stick around for our Rapid Rundown, in which Tod talks about why routers are the best holiday gift and what to do with old tech to make sure data has been securely wiped. 

Appears on This Episode

Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

HD Moore

HD Moore is CEO of Critical Research Corporation, creators of Rumble Network Discovery, and VP of Research for Atredis Partners, a research-driven security consultancy. Best known for founding the Metasploit project, HD’s work continues to focus on the nexus of security research and technology.

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 


Podcast Transcript

Jen Ellis: Welcome to this week's episode of Security Nation, the podcast where we talk to people who are doing interesting things to advance security. I'm your host, Jen Ellis. I am Rapid7's VP of Community and Public Affairs. And with me is my amazing co-host, Tod Beardsley. How you doing, Tod?


Tod Beardsley: Ahoy, Ahoy! I'm doing fantastic. And I'm very excited about today's guest.

Jen Ellis: Oh my god, I can barely contain my excitement.

Tod Beardsley: I know, your security fangirl is showing.

Jen Ellis: It really is. Is it more awkward when it's someone you're friends with? It is, yes. So, wait, I mean, god, what if he comes on now and denies we're friends? Oh my god, the drama. So yes. So without further ado, Mr. HD Moore!

HD Moore: Hey folks.

Jen Ellis: I think that pretty much everybody who works in security knows who HD is, but in case you don't and I'm overstating, HD has done a lot of cool things to make him quite known in security, including inventing Metasploit, which is a thing that we kind of have an interest in, but right now these days, he's the VP of R&D at Atredis Partners and he's also the CEO and founder of Critical Research, out of which he has launched a new project, which he's going to be speaking about today, which is very exciting. We asked HD to come on because one, we love him and any chance to get the band back together is very exciting. But two, October was the 10-year anniversary of Rapid7's acquisition of the Metasploit Project, a project that HD started more than 10 years ago, and we thought this was a really great opportunity to sort of acknowledge it, say thank you to HD for everything he has done and continues to do, and then talk about the new stuff that HD is working on and what great new things he's moved on to. So, thanks for joining us, HD!

HD Moore: Oh, thanks for having me.

Jen Ellis: And I'm sorry for being overexcited and awkward. I just don't get to see you very often. It makes me very sad.

Tod Beardsley: Me neither. And we live in the same city.

Jen Ellis: How is that even a thing? Like, surely you go to AHA! events together.

HD Moore: I swear I see more Austin people outside of Austin than actually in Austin these days. It's kind of the curse of working from home: you don't really leave for lunch breaks or really anything.

Tod Beardsley: Yep.

Jen Ellis: And when you say working from home, like let's be clear, we're talking about like a pretty tricked-out compound. So, like, it's not like people are just like, you know, dropping by to like, say hi. 

Tod Beardsley: There are multiple layers to get through.

Jen Ellis: Right? You have to, yeah. Then you get into the underground bunker and like, I still haven't gotten that far yet, so yeah. It is pretty badass, actually. I like it. It does look like you could survive many sorts of different types of attack. Like when “The Purge” becomes a real thing, it would be safe in your bunker.

Tod Beardsley: I'm excited about the new underwater level.

Jen Ellis: Me too, particularly in Austin in the summer.

HD Moore: There's actually literally an underground bunker that we found when going through construction documents. It was buried during the last round of construction on this plot. But technically it's still down there. There's still a storm shelter.

Jen Ellis: Of course there is.

Tod Beardsley: Rad.

Jen Ellis: Of course there is. It makes perfect sense. So, talking of things that you’ve built, let’s talk about Metasploit! Tod?

Tod Beardsley: It is 10 years on since Rapid7 somehow acquired this crazy open source project, Metasploit. HD, are you pleased with how things have gone? I mean, I know I am. Since you're on this podcast, I expect you are? Any comments, even positive or negative? You know, I think we live in open source land. So I think it's fairly normal to have some comments, some praise, and some criticism. So anything come to mind for you?

HD Moore: Yeah, I mean early on, I mean if you go back to 2003 when we started the Metasploit project, like 16 years ago I guess now, it wasn't that popular. There were a lot of folks using it, but it wasn't, you know, considered a tool that people actually wanted to use, wasn't considered safe to use. It wasn't considered something that you should legally be able to use, in a lot of cases.

HD Moore: So we've kind of, we've definitely got value of the controversy, but if you look at kind of the time that Rapid7 acquired the project, we only had about 33,000 users based on our subversion stats at that point. Fast-forward about a year or two, post-Rapid7, I think we're up to like 200,000 or 300,000 monthly users who are downloading the project? So, even though it was being managed by a corporation and being kind of run a little more professionally, it actually increased the user base substantially by at least 10x over those first two years and these days, who knows what it is and maybe you guys have stats on it.

HD Moore: So I've been very happy. I'm happy that one, the project is still alive, it's amazing that so many people had been involved with it, that people are still contributing to it, that it's still serving as this kind of living archive of research techniques that have been discovered for the last 20-something years that are being turned into code that's actually maintained. So, you know, managing a Ruby project I'm sure is not the most fun thing in the world given how often dependencies change. But at the same time, you guys are doing a great job of keeping the project up and running and making sure it's viable and still relevant to today.

HD Moore: If you look at the types of things that have gone into Metasploit over the years, it started off being very focused on stack smashing and buffer overflows and heap overflows and all that fun stuff. Those became a little bit less relevant after all the mitigations went into place on the various operating systems, but things like logic bugs, protocol information leaks, things like web application vulnerabilities, those things don't really go away and if anything, have gotten worse. So, it’s been really cool seeing Metasploit take on things like ICS, everything from like car protocols via the adapter and things like that.

Tod Beardsley: Yep.

HD Moore: Just a huge gamut of stuff that Metasploit does now that we never thought was even relevant to the project back in 2003.

Jen Ellis: And I will just jump out as the cheese monster on this podcast and in life generally and just say a very quick like huge, huge thank-you to all of the people who contribute to Metasploit. There is a super active community, as you said, and Metasploit is what it is in very large part thanks to that community. So thank you to all of you. We really super appreciate what you do.

Tod Beardsley: Yeah, for sure. Like, I mean as far as I can see, Metasploit is one of the very few corporate-sponsored truly open source fix. We don't just code with the windows open, we rely heavily on contributors like you and I think that's really unusual. I mean, I started at Rapid7 shortly after that acquisition. It was shortly after because I wasn't super sure what this Rapid7 company was about?

Jen Ellis: Still not really.

Tod Beardsley: Still, still on the fence. We'll see. But they haven't screwed up Metasploit yet. So that's kind of why I'm still around.

Jen Ellis: Duly noted.

HD Moore: There's definitely not a lot of glory in working on Metasploit. Most of what we did was basically kind of code janitor work, cleaning things up, making sure things work properly, making sure dependencies work correctly even after other things upgrade. So I feel like the core of Metasploit always has been the community. And the project, the kind of the responsibility of the maintainers is just to make sure we can keep taking in new research and keep building out what the community provides. And I feel like Rapid7's been doing a great job of that.

Tod Beardsley: Hey, well that's wonderful to hear.

Jen Ellis: That is wonderful to hear. I'm all misty-eyed over here.

HD Moore: You guys are great janitors.

Tod Beardsley: Thank you!

Jen Ellis: That's the nicest thing anyone's said to me for a while. Yeah, so enough of this misty-eyed bullshit, let's talk about what you're doing now.

Tod Beardsley: Yeah.

HD Moore: Sure. So probably as far as I've ever been doing computers and even product computers, phone lines and stuff, I've always been really excited about kind of exploring networks and finding out what's out there and seeing all of the, just the weird menagerie of equipment that is connected to phones and networks and wireless and RF and all kinds of fun stuff. The work on Metasploit was great in that we got to touch lots of different protocols, look at lots of different devices, look into tons of research. Shortly after, I guess while I was still working on Metasploit, I started doing a lot of internet-wide scanning research and that meant looking at pretty much the whole internet and trying to figure out what protocols they're running, what services were exposed, using some of that to do vulnerability research and find vulnerabilities, but I've never really kind of got tired of it.

HD Moore: I still enjoy that process of like exploring and finding out what's out there and doing everything from fingerprinting to protocol recognition and that's kind of led to my current project. About a year and a half ago, I started a project called Rumble Network Discovery, and what we're trying to do is make a very easy, very effective way to identify what's on your network. So basic glorified ping scanner, but incredibly more accurate and faster and more useful than anything else out there today. What we noticed is that as corporate networks become more and more hardened, as people go towards BeyondCorp, they've got fancy SDN stuff in place now, they've got hybrid cloud deployments. They're treating the internal networks like a lot of folks used to treat their external, so most desktops have firewalls enabled. They're scattered with all kinds of random IoT and consumer hardware devices now as companies installed everything from smart TVs to, you know, internet connections to coffee machines and whatnot.

HD Moore: So we're seeing a lot of really interesting equipment show up on corporate networks. We're also seeing corporate networks becoming more hardened than ever before. And as a result, standard discovery tools just don't work anymore. If you're using something like a standard port scanner or even your standard IT discovery tools or technology tools, oftentimes they can't provide you good information anymore. I can't enumerate everything to the Active Directory because all of our desktops have a firewall enabled. So how do you actually do accurate discovery when all the security mitigation is already in place? And that's kind of what we're trying to do with Rumble. We're trying to take the same approach that a company like Rapid7 would take for vulnerability management, where it's very research-heavy. We're trying to find different ways to leak information about a device to tell you whether or not it's been patched. We're doing the same level of effort just to identify what a device is.

Jen Ellis: Is this a paid service or solution, or is it free? Tell us, tell us everything.

HD Moore: Sure thing. It's a commercial project, so we had a beta that ran for about six months or so that was open. We still have things like free trials so you can sign up and play with it for sure, but kind of the core public output from this thing is contributing back to open source fingerprint repositories. So even though the core of the product is commercial and we're doing everything we can to actually build a sustainable business out of it, hire people, all that fun stuff, we're also contributing back all the new fingerprints that we developed directly back to the Recog project, which is also managed by Rapid7. And for folks who don't know the background of Recog: if you go back a few years, we took the Nexpose fingerprint database within the commercial Nexpose product, made it open source, and then we modified Metasploit and Metasploit Pro to also use the same database, and going forward, we've had not just Rapid7 maintaining this thing, but lots of other companies who are contributing fingerprints back into it. So it's becoming kind of a cross-company, open source fingerprint database that is used by multiple products, including Rumble. So as we build out new Rumble fingerprints for things like TLS fingerprints, TLS subject and issuer regexes, all the mDNS work we put in recently, all that's going right back into the open source Recog project, which then in turn powers things like Nexpose but also Metasploit, Metasploit Pro, and other projects that are based on it.

Jen Ellis: Awesome. I do love a free ad, and I would highly encourage people who are interested in fingerprinting to take a look at Recog and, ideally contribute. If you have fingerprints, we want them. Yeah, get involved.

Tod Beardsley: Yeah. We talk about open source a lot at Rapid7, and I often say Recog is, I would say, the second most popular open source project that we have, if you lump all the Metasploit projects into one. So, not counting Meterpreter, not counting Metasploit payloads, but if you discount other things, everything connected directly with Metasploit, that is Metasploit-only, then Recog is definitely our second most popular. Like right now, I'm just looking at the stats right now. We had a commit six days ago on that. Like it is under active development. We have a bunch of releases. It's got like 250 stars or something like that, compared to Metasploit's like 18,000 stars.

Jen Ellis: Not really in the same sort of a planetary system, but yeah.

Tod Beardsley: But hey, it depends on you and if you like Metasploit stuff and you, for some reason, like to write things in XML, Recog is your project. It's great for protocol nerds.

Jen Ellis: It's funny, I was all sort of giddy with excitement of the start of this episode, but really this is like your ultimate episode, we're talking about open source. How excited are you, Tod?

Tod Beardsley: I'm delighted.

Jen Ellis: So HD, I remember when we first chatted about Rumble, one of the questions I asked you was like how does it relate to Nmap? Because I had heard some people sort of comparing the two and it seemed like maybe there was a little bit of confusion around that, so maybe you could help clarify that.

HD Moore: Oh sure thing. I mean, Nmap's great. I've been using it for, I think, 20 years now. It's kind of a gold standard for port scanning. The things that you want to do with Nmap are typically, you know, port scan the network, identify services, and what Nmap is really good at is telling you what a very particular service is running but also what exact OS a device is running. What it's not so great at is telling you what the device physically is. So, Nmap can be a great tool for telling you exactly what Linux kernel version is running on which device or which web server's running on which port, but if you're trying to figure out, is that thing a Roku, is that a smart TV, is that a printer? That's not what Nmap's about, so it's kind of a different level of discovery and that was a great Swiss army knife for all kinds of other stuff.

HD Moore: But what we're trying to focus on with Rumble is how do we very quickly identify what a device is, what its purpose is, and other information about it, such as its MAC addresses, its extra IP addresses, things like that, very quickly with the least amount of traffic that we can send. But we don't necessarily care about all the security stuff. We're not looking for vulnerabilities, we're not looking for the exact kernel version. That stuff isn't necessarily relevant to our use case. So it's a little different use case in that sense, where Nmap is a great kind of general-purpose tool. And it's used by tons of people, of course, but also by tons of products.

HD Moore: There's a lot of discovery products out there that embed the Nmap engine in it and they all call it slightly differently. Metasploit Pro uses Nmap internally, as well, for discovery. So it's not a terrible tool, it's great for discovery work, but it often requires a lot of tuning to get the exact results you want when you're doing product integration. So we started the Rumble project with kind of a different set of goals and we had, as a result we got to make different trade-offs. The way that Nmap does things like retry handling and send retries is different from how we do it in Rumble. The default probes that are sent by Rumble are quite a bit different than the default probes by Nmap. We focus a lot more on manufacturer discovery protocols, on extracting information from squirrelly kind of oddball fields.

HD Moore: Rumble can identify the MAC address of a device, multiple hops away, through 15 different protocols. We'll leak it out, of course, through things like NetBIOS, but we'll also use things like SNMP fields, version three, even when you're unauthenticated to it often reads the MAC address back in the engine ID, but each vendor encodes it slightly differently with different byte sequences and different padding. So we just did a ton of research to try to figure out how to actually extract, for us, the most useful fields about these devices, which are IP addresses, MAC addresses, and, you know, device-identifying information through all sorts of fun protocols. And so a lot of that work is back in the Recog project. A lot of it doesn't, because it's part of our kind of core Rumble IP, but that's kind of our goal. And that's kind of the difference is that Recog is very much focused on device identification, discovery, and Nmap really is a Swiss army knife.

Jen Ellis: So, I mean, it sounds like they are fairly complementary, then.

HD Moore: Oh definitely. I mean we kind of expect most people who have an interest in tools like Rumble probably have already used Nmap and vice versa. There's definitely a lot of overlap there. It's more of a question of if you're just trying to do a quick identification of everything on your network and you want to know what the thing actually is, that's where our focus on the Rumble side may pay off better than using, you know, Nmap or another open source tool and the command line. Not to say you can't get similar results, but it often takes a lot more work.

Tod Beardsley: So I have a question and maybe this is a dumb question. Can Rumble tell me like if I have a device that has several IP addresses on the same network, can Rumble tell me, oh that's all just one machine and it's one of these?

HD Moore: Yep, absolutely. That's one of the things we spend the most time on. If you look at the two things that really set Rumble apart these days, it's, well, I guess make it three. You've got remote MAC address discovery, which goes a long way towards uniquely identifying a device and also identifying multi-homed devices. Because if you can find out 15 devices on the same network have the same MAC address, you can almost guarantee they are the same physical device. So using things like the MAC address, you can uniquely identify hardware.

HD Moore: I mean the nice thing about having a SaaS product is we can figure those things out pretty quick and blacklist them. So we have a pretty good idea of which MAC addresses are bunk, which ones are not unique in those cases. Same thing on the IP side. We'll find ways we can leak the list of interfaces of a device remotely without credentials.

HD Moore: So we'll use things like NetBIOS, get the list of remote IP addresses on a Windows device unauthenticated across the network, across multiple hops. We'll then use the fact that we can see all those multiple IPv4 addresses on it. We can then link those devices together in the display and say these are actually all the same physical device. And kind of the last piece where this all really comes together is now we've got a way to uniquely correlate devices across multiple hops away. You can then track them as your IP addresses move. So we spent a whole lot of time doing things like accurate ISP tracking, and I think it's like inventory, like never discovered asset inventory is something that most people in the security space are using security products to accomplish today.

HD Moore: You know, a lot of people I talked to are using things like Metasploit, using Nmap, using Nessus, using Nexpose. They're using all these products that are not really designed for inventory, but that's the best thing they have available because it works the hardest to identify devices. So looking at that problem set of like, hey, everyone who is using security products is using them for inventory. But these products weren't really designed to be doing inventory. So Rumble's an attempt to build an inventory-first project and really focus on just doing discovery and that's it.

Jen Ellis: So where's, what next? Where are you, where are you headed next with this thing?

HD Moore: I hope I work on this the rest of my life. It's a lot of fun.

Jen Ellis: Okay. So you said that you did a beta recently, that closed and now you're building customers and it sounds like there's a few different people working on it. Is that right?

HD Moore: Right now, it's just me. We had about 3,000 users in the beta tracking about 3 million assets. After we'd gone through the first, I guess, month and two-thirds of sales we're up to about 75 paid customers. We've got a pretty good roadmap ahead, and we're hoping to start hiring people starting next year.

Jen Ellis: Holy cow, HD. That's really cool. Congratulations.

HD Moore: Oh, thanks. I mean, our customers have been amazing, like our users were great on the beta side, you know, the product wouldn't be what it was today without all the feedback we got from users and all them calling out our boneheaded mistakes in UX, things like that. It's still definitely not the product we want to build, it's definitely not done yet, but we feel like we've gotten a lot closer because of the great feedback from the beta community.

Jen Ellis: That is, that's awesome. So what you're saying is, and I appreciate that you're breaking it to me gently, but you're saying you're probably not going to come back to Rapid7.

HD Moore: Probably not. Wish you guys the best, but...

Jen Ellis: Okay, that's fine. I will. I'll clear up the little shrine that I built to you. It's fine. All right, well thank you very much for coming and telling us all about this. And again, thank you for everything that you've done in the open source world for the projects that you have invested a lot of your time and your effort into and a lot of which has benefited Rapid7, but also has benefited the broader security community a huge amount. We all appreciate that. Thank you for continuing to contribute to Recog and to Metasploit.

Jen Ellis: I think it's a great and important thing for the community that you're still involved in those things and people know that you care about them, which is lovely. Even though you are the busiest man on earth and starting a new company and also at the same time have a job at Atredis. It's amazing. So yeah, thank you. Thank you for what you're working on and Tod will see you at the next AHA!, it sounds like.

HD Moore: Sounds good. Thanks for having me on.

Jen Ellis: Okay, Tod. So, I guess it's time for the Rapid Rundown. 

Tod Beardsley: Yeah. So the Rapid Rundown this week. Well, it is a holiday time here. We're recording this just a couple days before you're hearing it. So, I'm right out of Thanksgiving, which the easy thing to talk about would be like Cyber Monday stuff, but we're not going to talk about that today. What I do want to talk about is how to give your family the gift of security for Christmas.

Jen Ellis: All I want for Christmas is a little bit more security.

Tod Beardsley: Right. I think most of the people who are likely to be listening to this podcast probably find themselves drafted as IT tech support for their family over the holiday. Either they are swinging by, or there is some kind of get-together. We just got through a get-together, and I would just want to underline that rather than telling your family to just not get phished, which is not terribly actionable advice, here's something you can actually do. If you happen to be near some family that probably don't care too much or know too much about cybersecurity stuff at home, offer to take a look at their router, their home router. It is quite likely it hasn't gotten an update in a long, long time and it just would behoove you to maybe go through, look for a refresh.

Tod Beardsley: I'd say most modern routers today have some kind of check for updates. Some of them even, I know Belkin in particular, are doing updates kind of in the background without any user interaction, which is great. But a lot don't, so this is also the kind of thing that tends to last a really long time in people's houses. They don't have really any moving parts. They can conceivably live 10 years or so without ever getting an update and this is a fine thing to do. This is a service. You can also offer a good and that is, buy them a new router for Christmas. Not only that, you can configure it ahead of time. So, what I would suggest doing is buy a family member, parents or kids or aunts and uncles, cousins, whoever, buy them a router, just something modern and fairly recent. They tend to run under $100. You want to go like over $30 probably in that narrow range. It will be reasonably modern. It probably has these automatic updates and you can configure it yourself and then just ship it to them with instructions. You know? Because you can open the box…

Jen Ellis: Wow.

Tod Beardsley: ... set up a username and password, do all the things you're supposed to do. You could set up an IoT password. This is what I use my guest network functionality for on my router. Mine is called “IoT Dumpster Fire.” That's where I stash all my IoT stuff and people who come over for Thanksgiving and they want to get on my wireless, I'm like, "Oh, yeah. Just join IoT Dumpster fire. I don't care." So that way those devices end up not talking to other machines on your network like your work laptop or your regular phones or anything like that. So, it's a pretty great way to keep things segregated. Network segregation comes up over and over again on every pen test finding, and so do a little proactive anti-pen testing in your own house and in the homes of your loved ones.

Jen Ellis: I'm so sad that I have not been invited to Christmas at the Beardsley household now. Boy, do I hope that I get you for Secret Santa one day because you are clearly the king of imaginative gift-giving.

Tod Beardsley: I think it's great. I think it's a fine thing. And you can rewrap the router and you could have nice calligraphy instructions on how to plug it in and how to throw out the old one. By the way, when they throw out the old ones, you're going to want to probably. .... You always want to recycle things, but do a factory reset before you get rid of these things because that way all the old data goes away, so things like old passwords and stuff.

Jen Ellis: I'm super interested in this topic. So, the old tech things like do a factory reset wipes the data, how effective really is that? Can people come and take that tech and figure out a way of getting the data back? I say, sounding paranoid.

Tod Beardsley: Well, so it's better than nothing.

Jen Ellis: Oh, that's reassuring.

Tod Beardsley: It's better than not wiping it at all, but when it comes down to the forensic value of hitting factory reset, that's kind of up in the air still. It depends on the device. It's down to every manufacturer. It's like when you would erase a hard drive for people who used to erase hard drives a long time ago. Now we just, now we don't, but you would like... There's an erase and then there's a secure erase that overwrites everything with zeros or random zeroes and ones, right? For IoT stuff, typically the kinds of things you'll find on IoT junk that you end up recycling are just like WiFi, SSIDs, and passwords. If you change it every couple of years, which is not a bad idea, anyway, that doesn't really super matter unless you're the sort that is reusing passwords all over the place, in which case, stop doing that.

Tod Beardsley: Beyond that, there are IoT devices that want to talk to your Amazon account or your Google account or something like that and they may be storing passwords or tokens or something like that. So, when it comes down to it, I can't say that factory reset always works all the time. I can't even give a guess on how often it doesn't work. We have looked at this in a lab setting a couple times and generally speaking, factory reset is good enough. I don't think we have like an army of cyber-thieves hanging out outside of Goodwill waiting for people to drop off their IoT gear. Not yet, anyway. Your risk is pretty low, right? There is no criminal enterprise looking for this thrift store tech. But if you're tossing older things, especially things that did store passwords instead of like tokens or something like that, I don't know. Erase them carefully, whatever that means.

Jen Ellis: Yes. That would be my question. So, if you are a little more paranoid about this or for some reason you have a different risk profile, are you talking about like a giant magnet? Are you talking about putting it in your microwave? What is the best thing you can do here? I'm assuming not putting it in your microwave.

Tod Beardsley: So we want to generally recycle electronics because they have heavy metals and stuff. You don't want that in landfills and junk, or going into the ocean. That said, taking a drill to it, magnets are not like— unless you have access to crazy powerful large rare earth magnets, then that's not going to do much for you.

Jen Ellis: Yeah.

Tod Beardsley: It turns out things are pretty hardened against that today, but physical drills are pretty great. A reciprocating saw with a metal blade. A blade for metal, that works out pretty well, also a wonderful holiday gift, because who doesn't love a reciprocating saw?

Jen Ellis: Again, I am very sad that I am not getting a Christmas gift from you, but now I know what to get you.

Tod Beardsley: Oh no. I already have one. Thank you. I just got one this last week and it was great.

Jen Ellis: Did you get that in the sales? Because if so, we should talk about tips for shopping online.

Tod Beardsley: I'm not talking about tips for shopping online. So physically destroying the... Most IoT devices don't have like a hard drive or anything like that, but they have flash memory. Locating that, especially if it comes with like an SD card and pop that SD card out and then you're pretty good on data. Pop out the SD card, put it in a drawer and then get rid of the rest of the thing. It is unlikely you're going to have a lot of data left on the device.

Jen Ellis: Okay. And when you say, "We want to be recycling electronics," do you mean recycling, recycling? Would you mean sort of as you said earlier, Goodwill, that kind of thing?

Tod Beardsley: You're going to want to drop them off either at a purpose-built recycling center. So, something like Best Buy tends to run these things. They'll have like a bin and then they'll just go recycle it and pull the metals out. Goodwill, if you're worried about the data on the device, I wouldn't go the thrift store route. The fire department actually, is a pretty good source. You can call them and say, "Hey, what do I do with my old electronics?" And they will tell you they often run their own bins because you're not supposed to throw out old batteries and stuff. You're supposed to like... When I was growing up, you gave it to the fire department, and then they would get rid of them and that's still true today. You can still give them a call and they'll tell you what to do with them.

Jen Ellis: Will they give you a ride in the truck?

Tod Beardsley: If you are under six, then probably.

Jen Ellis: Okay. All right. Okay. So that's just a note of caution to people just so we manage expectations. We don't want anyone turning up thinking that they're going to get some sort of wonderful day out. All right. Thanks very much, Tod. I now have to try and figure out something to get you for Christmas that isn't a drill or a router, apparently.

Tod Beardsley: Wonderful.

Jen Ellis: Okay. So, I think that concludes this episode of Rapid Rundown. A last little, little thing. There's some interesting things that happened, apparently policymakers do not like to drop everything for Thanksgiving, so there were a couple of interesting things that happened at the end of last week and beginning of this. So, both OMB, the Office of Management and Budget, and DHS CISA have come out with requests for comment on proposals around vulnerability disclosure processes for federal government agencies. So, I highly recommend that people who are interested in this topic, and Rapid7's a huge supporter of coordinated vulnerability disclosure and organizations having a way for people to report and for them to triage.

Jen Ellis: I highly recommend anyone else who is interested in this to go and check those things out. I think if you Google "OMB VDP" or "DHS VDP," you should be able to find them. Then this week, a couple of different senators came out with two different proposals for privacy bills. So what we might do is, depending on what else is happening in the world, next episode, we might invite our very good friend, Harley Geiger, who runs Rapid7's public policy program, to come join Tod and I, and he can talk through some of this stuff for us.

Tod Beardsley: I love talking to Harley.

Jen Ellis: As do I.

Tod Beardsley: And you will love hearing him.

Jen Ellis: All right. So, Tod, thank you very much. Thank you as usual for educating me and putting up with my stupid questions. Bri, thank you for everything you do, including not hitting me on the head, and thank you again for our special guest, HD Moore, who we love and adore. Oh my god. I ended with a poem!

Tod Beardsley: It's a holiday rhyming miracle.

Jen Ellis: It is. Thanks.