Security Nation, Ep. 20

Advocating for Tech Literacy and Transparency: A Discussion with I Am The Cavalry's Josh Corman and Audra Hatch

May 01, 2020


On this week’s episode of Security Nation, Josh Corman and Audra Hatch of I Am The Cavalry share insights into the software bill of materials (SBoM) and software transparency. Stick around for our Rapid Rundown, where Tod breaks down the latest iPhone bug that wasn’t and Sophos bug that was.

Appears on This Episode:

Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Josh Corman
Founder, I Am The Cavalry

Joshua Corman is a Founder of I am The Cavalry (dot org). Corman previously served as CSO for PTC, Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research, analyst, & strategy roles. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. Josh's unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an adjunct faculty for Carnegie Mellon’s Heinz College, a Cyber Safety Innovation Fellow for the Atlantic Council, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.

Audra Hatch
Product Security Specialist, Thermo Fisher Scientific

Audra Hatch is a Product Security Specialist at Thermo Fisher Scientific. Previously, she spent 15 years as an embedded technical resource for Cardiology in a large hospital system where she supported clinical applications and medical devices used in echocardiography, cardiac catheterization, and electrophysiology labs. In this capacity, she helped to bridge the gap between clinical and technical perspectives and priorities. She is a volunteer with I am The Cavalry—a grassroots organization focused on issues at the intersection of computer security, public safety, and human life—and is a working group co-chair for NTIA’s multi-stakeholder process for Software Bill of Materials (SBOM).

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 



Podcast Transcript

Jen Ellis:

Hi and welcome to this latest episode of Security Nation, the podcast where we talk to interesting people doing cool things to advance security in some way. I am your host, Jen Ellis. I'm Rapid7's VP of Community and Public Affairs, and with me is our amazing cohost, the very finest Tod of the Beardsley. How are you doing, Mr. Beardsley?


Tod Beardsley:

Wow, well it is definitely feeling like day three at RSA.

Jen Ellis:

Is it, boy.

Tod Beardsley:

I'm great, obviously.

Jen Ellis:

Yes, peachy, just peachy. It is actually a beautiful day in San Francisco, which is nice.

Tod Beardsley:

It is.

Jen Ellis:

Global warming has that going for it, at least. A topic for another episode.

Tod Beardsley:

That's not how this works.

Jen Ellis:

Okay, so maybe we should just move along quickly. So today, we are joined by two of my favorite people. It's not going to sound like hate because I am obviously going to tease him mercilessly, but two of my favorite people, so Josh Corman, who is founder of I Am The Cavalry and Audra Hatch, who is also an active member of I Am The Cavalry. And maybe that's a really good starting point is just to say, well, welcome to you both. Thank you for joining us, particularly after a week at RSA, blah, blah, blah, but maybe you could start off by telling us a little bit about I Am The Cavalry, and why that name?

Tod Beardsley:

I've heard of that.

Jen Ellis:

You hopefully have, yes.

Josh Corman:

So we started almost seven years ago at DEFCON and BSides Las Vegas, and I kind of recognize that I was getting increasingly worried about our dependence on connected technology and areas affecting public safety and human life, and we were doing a pretty rubbish job at protecting credit cards and intellectual property and I kept looking for the adults in government that were going to go fix it for us, and I couldn't find any. It's not that they're terrible. It's just no one was thinking about it or talking about it yet.

Josh Corman:

So I kind of said to others, "The cavalry isn't coming, no one's going to come save us," and when you realize that, you can either scream in the darkness and get depressed, or you can say, "Well, if no one's coming, what can I do?" So, we asked the hackers, "Will you be a voice of reason in tech literacy? Will you be a helping hand on issues where bits and bytes meet flesh and blood?" So, cars, medical devices, etc. So, the idea was let's be what's missing, and initially, it was 50 people, and then 100, and I think at this point we stopped counting, but we think it's about 800 folks. Initially hackers, now public policymakers and high-trust relationships at FDA or in DHS or different things.

Jen Ellis:

And it's all over the world as well, right? It's not just here.

Josh Corman:

Yeah, it's really exceeded our expectations, but the goal was to try to accelerate our preparedness.

Jen Ellis:

You always exceed my expectations, largely because they are very low.

Josh Corman:

And one of the reasons it works so well is because we started with empathy and teamwork.

Jen Ellis:

Oh, okay. Yes, point well made. Nicely done. That was a good rebuttal, I like it.

Josh Corman:

And we didn't just look for the most elite hack scores, but we were looking for the-

Jen Ellis:

Oh, this is how I'm involved.

Josh Corman:

That's why you're involved.

Jen Ellis:

Oh, got it. Nice.

Josh Corman:

We looked for people that were complementary to our skills.

Jen Ellis:

I'm so rarely complimentary, let's be honest. Cool. No, all joking aside, which is hard for me when I'm talking to people I genuinely like unfortunately, I think Cavalry is a really cool thing. I think it's a great initiative. I am biased because I do participate, but I think a lot of really good stuff has come out, and can you give us a couple of like quick highlights, some examples of what's come out of the work?

Josh Corman:

Well, we initially started with automotive because there's only 20 carmakers and we figured that would be easier than 10,000 medical device makers, but it was actually the Food and Drug Administration that was our best and earliest teammate, and we've had a pretty profound impact on their pre-market guidance on the minimum requirements for medical devices. Their post-market on how they do recalls, we helped to effect the first safe and orderly recall of a medical device. It's purely for cybersecurity reasons before anybody got hurt, and I think those successes got Congress and others to pay more attention and ask other departments to work with us and ultimately, the one I'm most proud of is that trust we built with the FDA got me on a congressional task force for health care, to give a hacker's perspective, not just an industry perspective.

Josh Corman:

And one of the top recommendations out of that was a software bill of materials idea that all medical devices should have a list of ingredients and because Congress liked it so much, FDA is doing it. Now Commerce Department's trying to build on, I think we're going to talk about that, but they're trying to build on voluntary best practices for maybe adding transparency to the software we can soon build on.

Jen Ellis:

Super cool. I think, really want to get into that and hear more about that process. I just want to give, as you said, a quick shout-out to the team at the FDA who have been extraordinary in partnering with the security community and working on the stuff and sort of leading in a way that we haven't really seen from any of the other sector regulators yet. Hopefully they will.

Tod Beardsley:

I often point to FDA as the example of the kind of government organization that's doing it right, that came from a place of darkness and now are exemplary.

Josh Corman:

We were told the FDA was part of the problem, but I found Suzanne Schwartz, specifically, and her team are incredibly brave and what we realized pretty early is they're hackers, too, because it's really tough to make big changes in government, but they have absolutely found every possible way to maximize progress within their frame and it's some of the most important team relationships in my entire life.

Jen Ellis:

They've been extraordinary and I mean to the extent that they've come to the last several Vegas hacker summer camp extravaganzas, they've been at RSA numerous times. They've really done everything they can to actively participate in the community. So big, big shout-out to them, big props to them, and also as we're about to move on to talking about the process, it would be remiss not to also give a big shout to Allan Friedman at NTIA who was leading the process and I think arguably one of the earliest of the gov-ies to sort of immerse himself in the security community to be super present and active. He actually volunteers at a bunch of community events and is an all right, all around great guy, albeit very curly haired. Yeah, let's go with that. Sure. Absolutely. This is why we have you here. Thanks.

Josh Corman:

And a hell of a dancer. Yes.

Jen Ellis:

And the gold jacket says it all. Okay. So tell us about this NTIA process and tell us about SBoM. You talked a little bit about why it matters. Can you build on that and expand a little bit maybe?

Josh Corman:

Just so we don't skip it. The use case that was most compelling for government. I mean, the idea of a software bill of materials is not new. We're basically stealing from Toyota supply chains in the 40s. Deming introduced this to make the most profitable and high-quality cars in the world for 40 years. It's hard to look at manufacturing or chemicals without, or even food without noticing your ingredients, where they come from. It's very foreign for software, but the example I use during the task force is about a week before we started our first meeting, Hollywood Presbyterian Hospital in California in LA shut down patient care for a week because they had a single Java deserialization flaw in a single JBoss library in a single technology and it took out the whole hospital, and I said to myself, if an accident can take out a hospital, what could an adversary do?

Josh Corman:

And we do have adversaries that want to take life. We do have cyber-caliphate and tracking Junaid Hussain. So I said, this is avoidable harm. We're not going to stop everything with SBoM, but the real key issue for them was they were warned SamSam was doing this, but they said, what's a JBoss? Do we have any? I have no idea. So, we wanted a way to say am I affected and where am I affected quickly, and it's a pretty simple thing to do to steal from proven practices and other industries. By the time the task force was done, as the ink was drying and was being read by Congress, WannaCry took out, or affected to varying levels, about 40% of the UK hospitals and trusts and in London specifically there were no trauma centers and stroke centers open. So it was pretty bad.

Josh Corman:

If you had a stroke, you probably couldn't get care in the three to four hours you needed to without getting to somewhere pretty far from you. So that really motivated people in Congress. Congressional oversight was House Energy and Commerce. They said, we really liked this idea. You can't defend what you do not know you have. They wrote a letter. HHS said, let's do it.

Jen Ellis:

Oh, props out to Jessica Wilkerson as well since we've been loving on the gov-ies today.

Josh Corman:

Yeah. In fact, she was in House oversight at that time, but now she's in FDA so she can actually see this through, but when they had the mandate to go do it, FDA said, we're going to put this in pre-market. You can't bring any medical device to market without having a list of ingredients. You should probably know what's in there. Hint, hint, it probably shouldn't be full of known vulnerabilities, but if there's a new one later, we can at least know quickly and tell the public. Well, Commerce saw that and said, “Whoa, wait a second. If FDA creates a standard, what if it becomes an accidental standard for everybody? Cloud software, mobile devices, IoT cameras. Let's take a multi-stakeholder approach and let's maybe see if we can make something that works for everybody.”

Josh Corman:

So in a voluntary capacity, NTIA did what they do, and they did multi-stakeholder and said to FDA, if we come up with a standard in time, will you use it? So you have this nice little pilot where FDA is going to mandate it for safety, critical regulated devices. They're willing to use the byproduct of these meetings, this multi-stakeholder thing. We've had four working groups in phase one framing use cases, standards, and formats and then the one that Audi and I were in was, well we did the use cases. There's also been a healthcare proof of concept where I think it was six hospitals and six device manufacturers said, we'll make SBoMs for you. You can consume them. We'll see if there's any value, we'll see lessons learned. So instead of talking about this, we'll just go do it.

Tod Beardsley:

Well and that's the important distinction, right? Like you said just a moment ago is that these are not lists of known good software. We're not making promises that we're not shipping bones, we're making promises that we're shipping software and here's the list, which is interesting because it's like, it's easier, right? It's easier to mandate something like that. If you go down the path, which I know it has been talked about before of like, oh well, let's just say we're not going to ship bugs. I mean that clearly doesn't work.

Josh Corman:

This shouldn't be controversial. It's controversial because it's not being done yet, but think about this 10 years from now, 15 years from now. We're going to look back and be like, how did we ever not do it this way? You got to build something.

Tod Beardsley:

It's like when we looked back when humans drove cars around. That was a crazy time. It was super dangerous and tons of people died.

Josh Corman:

But right now, you have to do work to make these pretty soon. In fact, it's already happening in some ecosystems, but simply the act of making software will spit out an SBoM as a byproduct in one of these standard formats or a plural and it is not extra work to do. You just have evidence of what you put in that.

Jen Ellis:

So you guys are co-chairs of a group.

Josh Corman:

We have shifted from phase one to phase two. Yes.

Jen Ellis:

Amazing. As we know, I'm big on awareness and adoption. It's my favorite.

Audra Hatch:

Would you like to join our working group?

Josh Corman:

Oh, gotcha journalism. Wow.

Audra Hatch:

Not to put you on the spot or anything.

Jen Ellis:

I am very interested and I have contemplated joining the working group. I just also have a small time constraint challenge that means I'm trying not to over commit. I mean, look, I'm recording podcast episodes all the time. How am I to fit anything else in?

Audra Hatch:

Can we mark you down as consultant?

Jen Ellis:

Yes. Oh my god, I love this. Perfect. Let's make things a little more easy. Okay. So how's it going? How is the project going? Have you nailed it? You're like, we'd totally know how we're going to drive adoption. It's done.

Josh Corman:

Well, phase one ended somewhat recently, so we published four documents, which you yourself could read at ntia.gov/sbom. So those are the fruits of the first four working groups. Ours is, I think several of them have morphed, but ours has morphed from capturing use cases and best practices from the people that have been doing it to maybe localizing and translating these into the jargon and the nouns and verbs of different industries. So while we took a community of interest and we narrowed it towards these crystallized four documents, now we're in an expansion stage where we're saying, okay, if someone uses procurement language at a bank, well when you're talking to the federal government, it's not called procurement. It's called acquisition.

Jen Ellis:

So do you have people who represent those segments participating?

Josh Corman:

We have several new target demographics participating, but we have many gaps. So we're looking for introductions. We've enumerated the groups and industries we thought were most adjacent. The most popular conferences or trade associations or ISACs, and most of the first calls have been creating reusable materials, like frequently asked questions documents. We tried to create a golden PowerPoint deck and we realized actually there won't be a single PowerPoint deck if they're brand new.

Tod Beardsley:

Yeah.

Josh Corman:

This is going to be why it matters and how to get started. If they're intermediate or maybe in the walk stage of Josh Corman, bingo, a crawl, walk, run. It's more about here's some things that you're going to run into and they're worth fighting through, but here's the journey you're going to experience and so I think we're pretty much in the stage of for these new demographics, what do they need and let's prioritize creating and packaging those things.

Audra Hatch:

In phase one, we had four large deliverables. I know in phase two for each of the groups we're targeting smaller deliverables such as the frequently asked questions two-pager documents on how to get started and after the recent webinar, we sort of shifted to asking the community what do you not have yet and what do you need from us? We have an idea of what we want to provide, but we do want feedback on what would be helpful.

Jen Ellis:

What's the response to that look like?

Audra Hatch:

It's only been a couple of weeks and most, I think most folks are here at RSA. We've had a couple of conversations while here.

Jen Ellis:

So there's more to do before we have the results through. Okay. Well, I will look forward to hearing more about what those have.

Audra Hatch:

And we're continuing to solicit feedback on that.

Jen Ellis:

That's great. That's really helpful.

Josh Corman:

It takes patience too because there were so many great problems tackled in phase one and we have great answers and documents for them, but part of the outreach is they're asking brand new things or questions that are brand new to them, but well-trodden for us, so we have to remind ourselves, okay, we did this a year ago, but they don't know that. So we are being the welcome wagon that's patiently saying, Oh, that's a great question. In fact, if you look at this section of this document, you'll get your answer.

Audra Hatch:

I see some of our role is helping to funnel people into the right groups as well. So if you're a highly technical person, we'll get you into the standards group or we've gotten a lot of questions this week about naming and earlier in the week, we talked about some of the challenges and trying to engage folks on helping to seek answers and solutions.

Jen Ellis:

When you say naming, are people concerned with the term SBoM?

Audra Hatch:

No, not the term SBoM. The naming of software, unique identification of software. So naming and aliases and how software can... Allan has a couple of examples: com.sun.java, com.oracle.java. What are you calling what you're putting into your SBoM? I know from speaking with some of the other medical device manufacturers, when they were creating their SBoMs for the phase one proof of concept, if they went down into their, further down into the dependencies, they could have included a package that was called something else by one of their third-party vendors and so they had two versions of the same thing called something different. So for folks interested in those kinds of problems, trying to funnel those people to the right group.

Jen Ellis:

It must be a lot of complexity that you're addressing with trying to find a way through this and I expect that one of the priorities is she's trying to tackle that complexity and make it as simple as possible.

Josh Corman:

Yeah. I think some folks over-engineer it in the crawl, walk, run trio. Some of the banks have been doing this for several years. When they buy software or hardware they are told, they say give us your SBoM. It could be a PDF, it could be a fax, it can be with or without hashes. It could be with or without versions, but they want to know can you give one at all? When they started getting them in more consistently, if you couldn't, by the way, they would ask for a 20% discount because it's going to cost them more every time there's a flaw and they were getting it, but later they said, okay, now that we're getting them in semi-consistent formats, they started looking at their most problematic software incidents and they said here's a list of not permitted technologies and they would scrutinize that during the process and if you have really, really old software parts in there that are high risk, they may ask you to commit to updating that within a certain timeframe or it might be harder to sell to them.

Josh Corman:

So we think the act of transparency will allow people to make more informed free market choices and if they don't care about hygiene, fine. If they care a lot, they can, and even my own journey, I had to do product security. The first step is I have no idea what's in that, and the second step is, holy crap. That's in that, and the third one is I can get rid of most of that old stuff with minimal effort, and then the next step is these ones are going to be really hard to fix and so there's a journey going through that, but when you fast forward, you have much higher quality software with much less elective attack surface and elective vulnerability with maybe fewer total projects, maybe higher quality, better performance.

Josh Corman:

In some cases, we got rid of tons of unnecessary code bloat. It was just, we didn't even know why it was in there. There was one software package we worked on that had like multiple versions of a very large package that weren't even being used. People didn't even know why they were there and when we looked, it's like we don't need it. So when it's been opaque, we've never had to care. It's going to be a bit disruptive as we start to do this, but eventually, we're going to be in a better place.

Jen Ellis:

So one of the things that I've noted with this is the project's been going on for a year and a half, which is great commitment from NTIA to keep engaged. This was a great commitment from all the people participating to keep engaged that long and it does seem like looks to people have stayed in it through the journey. What is the sort of vision of like how long it will continue and where you'll get to and what are your goals?

Josh Corman:

Well the NTIA is a year and a half but I think I've been doing this since 2013. The rest of the world- 

Jen Ellis:

You were doing it before it was cool. You're an SBoM hipster.

Josh Corman:

Sure. Wow. No it was actually July of 2013. There was an Apache Struts 2 vulnerability and a lot of banks got hit with it and they realized, Oh I think the phrase I used was, it's open season on open source because prior attacks were usually against bespoke code.

Tod Beardsley:

You mean prior attacks, like in...?

Josh Corman:

In the financial segment, but what happened is they went and systematically got rid of all their vulnerabilities in that particular code base and they got re-attacked a couple of weeks later because it was in their WebSphere, their Cisco routers, their Juniper. It was kind of everywhere and that was when I realized this is a big problem. Jim Routh in the financial services ISAC realized it was a big problem, but then Heartbleed a couple of months later is when the rest of the world realized it was a big problem because nobody knew which version of OpenSSL they were using. You might recall it happened right before tax day and irs.gov didn't know if they used it and should we panic or not.

Josh Corman:

So the journey has been longer there. I'm not trying to expand the scope too much, but I think for me, because my journey on this, the intensity has been on healthcare. I think FDA is very close to putting this into action. With the minimum viable inventories we would call in out of NTIA so the NTIA may proceed, may go along, but I think the real adoption is going to happen when FDA puts us in the practice, they kicked the tires, we make some mistakes, we iterate. They just announced yesterday that the new draft for pre-market guidance is coming out or just came out. So I think we're very close to enforcement for FDA and that's where the rubber meets the road. So they're going to take a fork.

Tod Beardsley:

Like I say, it'll be okay to like screw it up a little bit. I mean it's the first one, right? So it's the learning opportunity.

Audra Hatch:

That's what the healthcare proof of concept is also for, and we just kicked off the second healthcare proof of concept 2.0 with a goal of, I believe our goal is to complete that by September. We're starting the process of selecting devices. We brought on additional medical device manufacturers, additional hospitals and other healthcare delivery organizations, and the goal since the beginning has been to iterate and to try this process to test out what the framing group has indicated is the minimum viable for an SBoM and did. So the 2.0 is designed to stress test that.

Josh Corman:

And she said this earlier, but we don't want these huge deliverables that take nine months to make. We want lots of little ones. So I keep acting as if NTIA, if they got hit by a meteor, we'd be okay. They're not going to do this forever. I know Allan would love to be Mr. SBoM for the rest of his days, and we're really looking at the mainstream adoption with NTIA. There are higher assurance use cases. I know the Pentagon and MITRE really, really want provenance and pedigree things and if we have a good foundation, people can extend it. We're using SWID, SPDX and even sometimes CycloneDX and there's some international standards groups looking to build on that too and as long as the FDA and the rest of us get that minimum viable, the extra stuff is gravy and we can get smarter over time.

Jen Ellis:

So for people who want to get involved, what should they do?

Josh Corman:

Call Allan, right? Let me share his personal cell phone. I think the good starting point is ntia.gov/sbom. Those are the four really well polished documents and we each have weekly working group calls. Ours is on Fridays, 1:00 PM Eastern.

Audra Hatch:

That website also has information where you can, it does have Allan's contact information where you can reach out and he'll sign you up or you can reach out to one of us.

Josh Corman:

And depending on your role, you might want to be working with a say, Art Manion and his lovely mutton chops. Lovely, lovely mutton chops. On the framing group, there's a standards group which has turned into more of tooling adoption because it's one thing to talk about what the output should look like. We now want every Jenkins package manager to spit these out, revealed from the healthcare proof of concept 1.0. There's other adjacent tool chains that might want to get involved in tooling. A lot of these folks want to put those SBoMs into their inventory and asset management or their configuration management tools or their ServiceNow.

Josh Corman:

So those vendors have put people in the groups now and they're building on it and I think that's the hard part for the hackers is we look at what's wrong with something and we haven't stopped to say, if we had this, if we built this, how much better would IT be? How much more reliable would software be? So there's plenty of things missing. That's why we're building them, but there's a very motivated crew. In fact, I mentioned we started this journey in 2013. Some of the people who hated it the most were the really, really big software manufacturers that had a lot of technical debt. Now on Monday, one of the presentations was from one of the biggest opponents to SBoM.

Josh Corman:

They're doing it because out of their natural evolution, they get pinged so often by their customers. Do you have a flaw here? Do you have this here, and then they were finding that instead of fighting the software bill of materials, they're realizing this is the most efficient way to triage and deal with the increased market requirements to have this transparency. So people are coming around. We just have to be patiently impatient and I think at this point, SBoMs are inevitable and I can't wait to see what comes by use of their adoption.

Jen Ellis:

Yeah, I think that evolution is great and it's good. It'll be interesting to see where it goes. All right. So Josh and Audra thank you so much for joining us.

Tod Beardsley:

Allan, thank you for joining us.

Jen Ellis:

Yes, thank you for practically joining us and thank you to everybody who's working on this. I think it is a great project. I think it's super important and will help us get to a higher degree of transparency and preparedness. So thank you for your efforts on this, particularly considering I have dodged and shirked for some time.

Josh Corman:

But now you're a consultant.

Jen Ellis:

Apparently so. Look at what happens. So I hope that you guys will come back sometime in the future and give us an update on where we are with it. When I say we, I mean you guys obviously because I'm just a consultant.

Josh Corman:

In some ways, it's so unsexy, but in other ways I know it's going to have a huge impact on the safety and defensibility of our digital infrastructure.

Jen Ellis:

You're talking about SBoM, not Tod, right, because he's very sexy. I just want to be clear. You'd only be half right.

Josh Corman:

I try not to state the obvious.

Jen Ellis:

All right, thanks, guys. Thanks so much, and enjoy the sunshine in San Francisco.

Jen Ellis:

So that was a great chat with two of my favorite people, Josh and Audi. Thank you for coming on.

Tod Beardsley:

Hey, they're still my favorite people too.

Jen Ellis:

Once again, we have traveled in time. How do we do it? It's amazing. It's not amazing.

Tod Beardsley:

It's not. It's really straightforward, actually. It's just how time works.

Jen Ellis:

It's not as amazing as UFOs. I knew I could get it in. Hooray!

Tod Beardsley:

Oh, god.

Jen Ellis:

All right. Fine.

Tod Beardsley:

We're not talking about the U.S. Navy talking about UFOs on this podcast at all.

Jen Ellis:

Just Google Pentagon UFOs. I made it sound a little bit like the Pentagon created the UFOs.

Tod Beardsley:

Not wrong!

Jen Ellis:

I don't know what you mean. Okay, so what are we talking about in the Rapid Rundown today, Tod?

Tod Beardsley:

So this week I've got two things. I have good news and bad news. What do you want first?

Jen Ellis:

I would like the good news first. Is the good news, the lockdown is over?

Tod Beardsley:

Negative in a big way. No, lockdown is still in effect except in Texas. Great. Sorry everybody. But anyway, the good news is that there's this iPhone bug that got reported that was a really big deal. It's basically a no-click remote code execution exploit against the mail app.

Jen Ellis:

Wow.

Tod Beardsley:

Yeah, it's a big deal.

Jen Ellis:

That does not sound like good news. Unless your idea of good news is hacking people. Okay.

Tod Beardsley:

No, no, no. I'm building up to the good news. But your reaction is correct, it is like OMG, we should be dropping everything and dealing with this. There were indicators of compromise. There was a lengthy post from the company that discovered this, ZecOps, with a Z. So it's like SecOps but with a Z. So it's even more American, I guess, when you replace S with Z, but maybe not in this way.

Tod Beardsley:

Anyway. So ZecOps did this thing. Anyway, it turns out, not a bug. The follow-on reporting from Dan Goodin at Ars. Dan talked to Apple who, Apple kind of famously doesn't confirm or deny bugs. And this was also the case here until it kind of blew up and Apple said, not a bug. It's a crash. Don't get me wrong. It's totally a crash, but there's a big difference between a crash and a security vulnerability. Crashes often, well not even often, sometimes get you into a place to do code execution, but this is not one of those. It is merely a crash when you have a bunch of special conditions.

Jen Ellis:

How do you mix those things up, though? One of them is from a code execution and one of them is not.

Tod Beardsley:

Well this is why... Oh, and I just wanted to say too, the corroboration comes from this guy HD Moore who also has looked at it and said, "This doesn't feel like a bug."

Jen Ellis:

He was like, "And I know bugs."

Tod Beardsley:

Right. And so that's the thing, this is why in security research, when we find vulnerabilities, we prove it with a proof of concept. So the PoC does in fact trigger a crash and it looks kind of funny, but the PoC didn't go so far as to actually prove it. And the PoC was never released publicly. It was just given to Apple.

Jen Ellis:

Which is reasonable, to be fair.

Tod Beardsley:

It is very reasonable. What's not reasonable is-

Jen Ellis:

They're doing a huge press cycle over it and being like, "It's totally a thing."

Tod Beardsley:

Yep. Especially when it was something like two days, three days after they told Apple and Apple is like, "We don't confirm or deny." It's like, "Cool, well I guess we're telling everyone in the world." If you've been around the block, you know this is how Apple operates, and if you want to report bugs to Apple, that's great and I really encourage you to do it. But also don't get too bent out of shape when Apple doesn't say anything for a little while. And a little while being in the neighborhood of 60 to 80 hours. You can wait a little longer than that. We like days, not hours.

Tod Beardsley:

So anyway, so that's the story that I got really bent out of shape over this and then saw what amounted to a retraction. And it's also, by the way, not even a retraction. The folks at ZecOps are still pushing that this is a vulnerability, but I don't know who's paying attention to them anymore. And I'm sure they're great and they're smart and of course it's not easy to find crashes. Even non-exploitable crashes. So good for them. And I'm sure they probably learned a thing or two about working with Apple.

Jen Ellis:

So you got bent out of shape, you mean on AttackerKB?

Tod Beardsley:

I do mean that. So we had just launched AttackerKB, which we talked about last week and I'm like, "Hey, this is a perfect bug for AttackerKB. I'm going to go in here and rant and rave about this." And then, a day later or two days later or whatever it was, I'm like, well it turns out that's not a bug. And so this is actually a really great way to exercise AttackerKB, because now I don't know how to perfectly say, "This bug was actually a hoax." I don't have a hoax category here. So feature request, AttackerKB.

Jen Ellis:

This does explain why, so Andrew, who we often give a shout-out to, hi Andrew, why he was giggling to himself about AttackerKB and your entry. He was reading it and he was like, "Oh he's written about the iOS thing." And then he started giggling and he was very happy with things. And now I understand why. I'm guessing that you went on a bit of a tear and he found it entertaining.

Tod Beardsley:

I do. And like I got accused, on AttackerKB, of trying to turn it into Reddit or something, which I'm really not, but I kind of am. It's got the arrows on the side and just really looks like Reddit. So of course I'm going to be-

Jen Ellis:

Were you like, "How do I create sub-Reddits? What's happening?"

Tod Beardsley:

I know, but anyway, this is not about tech either. All right. Now, since you opted for the good news, you got the good news. No hair-on-fire iOS bug. Bad news. There is a hair-on-fire Sophos XG firewall bug. This bug is kind of a big deal, and we have it on the blog. If you just Google probably "Rapid7 Sophos," you'll find it. We have pretty excellent SEO. Thanks, Patrick, our SEO guy.

Jen Ellis:

Yeah. Thanks Patrick!

Tod Beardsley:

And so the deal is that Sophos... First off, there is a patch available. You can go patch it. So if you run Sophos firewalls on your perimeter, please patch it because it turns out auto-patching, it does not appear to be enabled by default. You have to actually go turn it on, which is normal for network gear. You don't usually want network gear just patching itself out from under you because it's critical. But that also means now you're taking the responsibility to keep up on this kind of thing.

Tod Beardsley:

So if you have Sophos XG firewalls in place on your edge, there is a pre-auth SQL injection vulnerability in the web app management interface for this thing, on the internet side. And so apparently, and I have opinions about this, there is a web app management capability on the internet side of these firewalls, which is insane to me.

Tod Beardsley:

That's insane to me. Maybe that's how you want to do it and that's why you bought Sophos, but it just seems very odd to have a whole web interface on the internet side. We talk about this basically all the time, anytime we talk about exposure it's like, "Hey, and don't expose your web apps or your critical network gear to the internet." But this is by design in Sophos land, which is weird. But anyway, so pre-auth SQL injection, so basically bad guy can show up to your firewall and take control of your firewall. If that sounds bad, it's because it is.

Jen Ellis:

It's really bad, yeah. It's quite bad. Is it just me or have we, in the last couple of weeks we've had a spate of pretty bad bugs that have come out? Am I feeling that because we're all working from home and sharing news stories more and so I'm just hearing about it more?

Tod Beardsley:

That may be part of it actually. It may be like a perception bias because of exactly what you said. Also, by the way, we're doing this podcast twice as often.

Jen Ellis:

Sure. But it's not just the podcast, it's like conversations internally. So we had that Exchange vulnerability that, if you haven't patched Exchange servers, please do so. And then we had the VMware one, and then the big hoopla around iOS, which ended up being overblown, and now-

Tod Beardsley:

Nothing, yeah. The giant pile of Zoom bugs that weren't. So here's the thing, here's what I suspect is not only are we all working from home, but tech journalists are also all working from home. So they've got more time to find weird bugs lurking on the internet. Here's the secret: the internet has always been buggy. It barely, barely works. And it is through the herculean efforts of very talented people that make it work every day. There, I said it out loud.

Jen Ellis:

You are not the first person to say it out loud.

Tod Beardsley:

No, I'm not the first person, but I've said it out loud. I am now the most recent and now I'm not. But that's the thing, there's always been bugs like this and if you want to go looking, you can find them. And maybe that's part of it is we're just reporting... I would say too as a culture we're more dependent on the Internet than ever and we're way more dependent today than we were three months ago. It's just in our face constantly and so we actually care about these bugs more.

Jen Ellis:

Oh my god, I legit didn't have internet earlier on today and I really did think that the world had come to an end. I was just like, I was fine with lockdown. Now I'm hyperventilating. I was like, what will I do? What will happen?

Tod Beardsley:

Yeah. I often think of those poor people in 1918 who have like ball and cup basically that's their thing, and some kinescopes that they might have around. It seems like 1918 pandemic is way worse than this one.

Jen Ellis:

Also, the end of the war. There was a lot going on.

Tod Beardsley:

Antibiotics, or the lack thereof. So anyway, that's my two for this week. iOS, no big deal. Sophos XG, big deal.

Jen Ellis:

That was pretty great. I like it. Thank you. Yeah, and just as a reminder, patch your shit if you possibly can. If you can't, take it offline.

Tod Beardsley:

ABP, Always Be Patching.

Jen Ellis:

I like that, you weirdo. All right, it just leaves me to say a huge thank-you to you for talking us through all this great stuff. Thank you again to our guests who were just here a moment ago in the attic with me. Or in fact, I'll say several weeks ago. But thank you to Josh and Audi, and thank you as ever to our amazing, talented and above all incredibly patient and understanding producer, Bri. I would tell you what to check out next episode, but I've got no idea what's going to happen.

Tod Beardsley:

No clue.

Jen Ellis:

Check it out anyway. Hooray!