Security Nation, Ep. 16

A Chat with Jonathan Cran About Intrigue and Security in the COVID-19 Pandemic

March 31, 2020

 

In a recent episode of Rapid7’s podcast, Security Nation, we talked with Jonathan Cran, Head of Research at Kenna Security, about his side project, Intrigue, and how security professionals are spending their time while on coronavirus lockdown. And, in our Rapid Rundown news segment, Tod and Jen discuss electronic surveillance and contact tracing in the time of COVID-19.

Appears on This Episode:

jen-ellis.jpg
Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

tod-beardsley.jpg
Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Jon_Cran.jpg
Jonathan Cran
Head of Research, Kenna Security

Jonathan Cran is an information security expert with a (probably slightly unhealthy) focus on security assessment based in Austin Texas. As Head of Research at Kenna Security, he's focused on driving innovation in Risk-Based Vulnerability Management and providing proven data-driven methods to help practitioners stay ahead of the threat.  He’s also founder and principal maintainer of the Intrigue Project, an open source intelligence orchestration and automation framework.

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 


View all Security Nation episodes

Podcast Transcript

Jen Ellis: Hi, and welcome to this week's episode of Security Nation, the podcast where we talk to interesting people doing cool things to advance security at. This is coronavirus episode two. Dun dun dun!

Show more Show less

Tod Beardsley:

Yeah.

Jen Ellis:

Yeah. And Tod, the good thing is, is alive. You heard him, he just said, "Yeah." Hi, Tod.

Tod Beardsley:

I did. Hi, how are you?

Jen Ellis:

I'm good. I am sitting in the attic. I am the auntie in the attic.

Tod Beardsley:

I know, you're like a Gothic monster.

Jen Ellis:

And that's just my hair.

Tod Beardsley:

You're a crazy old lady in a London attic. Ooh.

Jen Ellis:

Yeah, my brother is writing poetry about me as we speak. Yeah, and the good news is, last night we got the announcement that it's another three weeks of this.

Tod Beardsley:

Great.

Jen Ellis:

So here I'll be.

Tod Beardsley:

Yeah.

Jen Ellis:

So Tod, I'm excited. We've got another of our good friends, a Rapid7 OG. I'm going to try and be cooler than I was when HD was on, since I was not even a little bit cool. When the bar is really low, it's easy to like go above it.

Tod Beardsley:

Yeah.

Jen Ellis:

So this week we have Johnathan Cran, J. Cran joining us, and he's an all-around good dude as well as head of research at Kenna Security. J. Cran, welcome.

Jonathan Cran:

Hi. Thanks for having me.

Jen Ellis:

It's so nice to have you on.

Jonathan Cran:

Yeah, I'm happy to be here. It's been a long time since we talked.

Jen Ellis:

Are you like suitably armed up? Got the toilet paper stack, you know, the works?

Jonathan Cran:

Yeah, we're woefully underprepared I think on the toilet paper front. Just use your imagination.

Tod Beardsley:

I was told not to reveal my own toilet paper status. It's like my first rule of prepping is don't tell people how you've prepped.

Jonathan Cran:

And I feel like I've got some wares over here I can trade you just a couple of rolls.

Jen Ellis:

I'm telling you right now, Cran, like you don't live that far from Tod. You should go make friends with him. Seriously.

Jonathan Cran:

No, no, they're doing lockdown in place today here in Austin, so I think we'll probably have to make a run.

Tod Beardsley:

That's right. Under cover of night.

Jonathan Cran:

Yes.

Jen Ellis:

I'm sorry to hear this. Vaya con Dios. I wish you well. So what are you watching these days?

Jonathan Cran:

Yeah. Well, I'm working at Kenna Security as head of research as you mentioned, and I've been working on a side project for a long time.

Tod Beardsley:

Like years.

Jonathan Cran:

Years, yes. Almost since Rapid7 days.

Jen Ellis:

And for everyone, it's called...

Jonathan Cran:

It's called Intrigue.

Jen Ellis:

Oh, and I am.

Jonathan Cran:

Yes.

Jen Ellis:

Alright, well I want to hear all about that. Before we get into that, I know that Tod has a question for you.

Jonathan Cran:

Oh god. Okay.

Tod Beardsley:

Okay. So J. Cran, people might have more time on their hands than usual these days, so my question to you is, can you recommend an underrated hacker movie? It doesn't have to be about hackers completely, it just has to have some hacking in it. Some movie or even TV show that is streamable that speaks to you, either through the realism of it, the ridiculousness of it, and why, why that choice?

Jonathan Cran:

Yeah. Well that's a really tough question actually. The first thing that came to mind was Altered Carbon, which if you haven't watched... And this may or may not be underrated at this point since everybody's kind of locked in. The second season just came out. And the stack concept is super interesting to me, the ability to sleeving into other bodies. Like that's so cool. I certainly want to be able to do that.

Jen Ellis:

I mean, like seriously. Like what it does and how it plays with the concepts of identity and how we understand them-

Jonathan Cran:

Yeah.

Jen Ellis:

And things like gender identity and that kind of thing-

Jonathan Cran:

Yeah.

Jen Ellis:

Is so fascinating to me. Like I haven't started on the second season yet, so no spoilers, and I will try not to give any about the first season, but the thing that happens in the first season is so interesting.

Jonathan Cran:

Don't pull a Matrix, don't pull a Matrix, don't pull a Matrix.

Jonathan Cran:

This is my hope. Yeah, we will see. I've started the started the first episode of the second season. It's a little action-y, you know? Like you want more. We'll see. We'll see. But I definitely recommend checking that out if you haven't.

Tod Beardsley:

Excellent. Excellent.

Jen Ellis:

So does this mean, like from your Matrix reference, does this mean that you're not just like desperately hanging out for Matrix 4? Which I believe is going to be a mash up with John Wick 4.

Tod Beardsley:

Yeah.

Jen Ellis:

Like I basically think what's going to happen is like Neo realizes that at some point he got sucked back into the matrix and John Wick is just all a creation of his matrix mind, and that actually... So the first half of the movie will just be John Wick 4, and then the second half will be Neo trying to get out of the matrix again.

Jonathan Cran:

Whatever this is, I guarantee you it's going to be better than the script. Guaranteed.

Jen Ellis:

Aw. So little faith.

Jen Ellis:

So the security community was having fun on Twitter yesterday in challenging people to give a GIF, or a JIF, for those who are wrong, of their favorite movies. So what what would you GIF be, J. Cran?

Jonathan Cran:

Oh, that is a good question as well. A favorite movie...

Jen Ellis:

While you're thinking of it, I will just share that Tod's was surprisingly heartwarming and awesome.

Jonathan Cran:

And what was it?

Tod Beardsley:

"You want the moon, Mary? I'll throw a lasso around it and pull it down for you."

Jen Ellis:

Oh my god. If I had known that it was going to get an impression out of you, I would have led with this at the beginning. Why is like nobody making you do a James Stewart impression on every single podcast?

Tod Beardsley:

You know why? Because Jerry Stewart is a short walk to Bane, Batman.

Jen Ellis:

Wow.

Jonathan Cran:

I can't focus.

Tod Beardsley:

I fall into Bane and everything ends in Michael Caine.

Jen Ellis:

Oh my god. And even that ends in Michael Caine.

Tod Beardsley:

Yeah.

Jen Ellis:

Accurate.

Jonathan Cran:

Yeah, I can't go anywhere from there.

Jen Ellis:

All right. Fair enough. Then maybe we should move on to Intrigue. So what is it? Tell us everything.

Jonathan Cran:

Yes. So if you go back to maybe 10 years ago to the Rapid7 days, I was pen testing and, you know, there were automation platforms that we could use. Maltego was one of them, we were often writing our own scripts as people do today. But what was really missing was like a framework to wrap around all the different OSINT tools.

Jonathan Cran:

And so that's kind of where it started was this idea of like a data-driven OSINT platform, similar to Maltego but with the plugability and kind of the openness of Metasploit. And so, it kind of evolved over the last few years into more of a generalized automation workflow framework. But it's really, you know, because it's built around a graph database, it's ultimately designed to quickly discover attack surface for organizations.

Jonathan Cran:

And that idea, the sources for that keep evolving. So there's, you know, over 130 different sources at this point, each called a task or a module. And those things create entities, and entities get pulled into the database and related to one another through those tasks. And so what you end up with, if you press a button or you plug in a domain and press a button, is a graph built around an organization with all the different pieces of attack surface that are interesting to attackers, like applications, hosts, people, email addresses, all those different things. And the key is the automation bit that makes it very, very simple to do this.

Jonathan Cran:

And so it's completely open, it's BSD-licensed and it is-

Tod Beardsley:

Sweet.

Jonathan Cran:

Yeah. It's on GitHub and it's super easy to get started. Like you just essentially run the prebuilt Docker image and it downloads and, you know, you're off to the races.

Tod Beardsley:

Wow. Okay. So that was going to be my first question, is like, oh, how do I run it? And you just said Docker. Cool. Yeah.

Jonathan Cran:

Yeah, because it's like, it's used as PostgreS on the back end. It's got a little bit of Redis. It's built in Ruby. So all those pieces together need to work. It's kind of API-first so that it can be automated. All those pieces together need to be on and OS, and so Docker was kind of the easy deployment solution.

Tod Beardsley:

Cool. And so before we started talking, you had mentioned some like COVID suspicious domains-

Jonathan Cran:

Oh yeah.

Tod Beardsley:

That you were looking at.

Jonathan Cran:

Yeah. So you've noticed, or maybe you didn't notice, there's kind of this initiative in the community to go find the scam domains that are being spun up around COVID, mostly because everybody is pretty, well A, they're bored, but also A, like nobody likes the fact that this is being exploited.

Jen Ellis:

Yeah. Yeah.

Jonathan Cran:

And so, there's kind of this group of folks on a Slack channel sharing information. And so when folks post corona or COVID-related domains, I'll pull those down, load those into an engine, an entry core engine, and then just kick off an automation pipeline that goes out and scans those things, grabs a screenshot of any application or an application endpoint. It discovers the services, fingerprints it, kind of comes back with a set of information.

Jonathan Cran:

And because in the hosted version of this I've got set of pre-collected information, I can tie it into that and tell you if it's known to be vulnerable through things like, you know, a DNS name that's discovered. If that's known to be vulnerable, it'll flag that. If there's a browser requesting a host and that domain that's being requested or that host name that's being requested is known to be vulnerable on one of the threat exchanges, these sorts of things can be correlated together to tell you like whether a given endpoint is, you know, likely to be associated with a given threat actor.

Jen Ellis:

So have you been working on this solo or is it a group of people?

Jonathan Cran:

Yeah, I mean, for the most part it's been, at least for the first couple of years it was me, and then there's been folks who have kind of floated in and out of the project. More recently, because it started to commercialize a little bit, there is a hosted version that's commercial, I've started to add some contractors in. So I've got folks working and actually helping build fingerprinting.

Jonathan Cran:

And one of the cool things, like I use this... The fingerprinter itself is standalone and also open source. It's called Ident. So it's Intrigue-Ident, just like core is Intrigue-Core. Ident is this, it's a fingerprinting library. And you might say, "Well, application fingerprinting is roughly a solved problem." You've got-

Tod Beardsley:

Well...

Jonathan Cran:

Yeah, exactly. That was my discovery as well.

Tod Beardsley:

Yeah.

Jonathan Cran:

There was no good BSD-licensed or open Apache, MIT, these types of licenses, no good piece of software out there that could be just plugged in that was easy to write fingerprints for. And oftentimes, I find that folks writing fingerprinting tools are kind of making a mistake. They're using JSON or XML or some sort of static format to define those fingerprints. The problem with that is like, so often, the source will tell you the version and you need to be able to dynamically grab that out of the page.

Jonathan Cran:

And so, this one's built in Ruby. It could easily be built in Python or Go, and effectively what it does is it goes out and first fingerprints it through, you know, a first page grab and tries to fingerprint as much stuff with that first page grab as possible.

Tod Beardsley:

So that's like a built with kind of style, right?

Jonathan Cran:

Yeah.

Tod Beardsley:

Yeah.

Jonathan Cran:

Yeah. And then by the way, like because of the way the fingerprints are organized, it's like vendor product version, so you can map it to NBD and we can do vulnerability inference. And it's fast, even though it's built in Ruby, which is relatively slow in comparison to Go and other things. In fact, we're doing-

Tod Beardsley:

You bite your tongue.

Jonathan Cran:

Yeah. All right, well we're on the same page about that. And so because it's only doing like one page grab for each set of fingerprints, like each finger print is built around the idea of a relative path. So most stuff's built around the base path, so you can run 500 checks with a single page grab.

Tod Beardsley:

Sure.

Jonathan Cran:

And so it's, yeah, it's pretty quick.

Tod Beardsley:

Neat.

Jonathan Cran:

Yeah. It runs standalone. It's also built into the engine. So, you know, whenever you scan a web server, it'll fingerprint it automatically. And then if you've got it set up, it will go and find vulnerabilities for that thing.

Tod Beardsley:

And you said that you started this while doing pen testing, right?

Jonathan Cran:

Yeah.

Tod Beardsley:

So I guess the label use is you'd use this for like open source intelligence gathering on a target that you're engaged with?

Jonathan Cran:

Yeah, I would say that's right. It's kind of recon-oriented. Like definitely my frame of mind has been, you know, I'm in that recon phase, I want to know everything about this organization. I want to put minimal effort into it. Like I want to put in the domains that I know about and I just want to press go and pick it up whenever it's done.

Tod Beardsley:

And off-label use then would be like, "Oh, I could use this defensively," right? Like I could scan my own stuff and see like, "Oh, well clearly I need to upgrade this thing that I didn't know I had." Right?

Jonathan Cran:

Yeah. That's where I'm seeing a lot of uptake is folks kind of scanning their own thing. And the cool kind of thing about this, like what's different about this, you know, there's lots of this stuff out there and everybody kind of builds their own automation, what's different here is like the fact that it's built around that database. And so there's this concept of the entity, and the entity has a type, so it could be a domain or an IP address or a DNS record, and you can plug in like arbitrary entities, even like a GitHub account, and it knows which tasks are relevant to that entity type.

Tod Beardsley:

Oh, okay.

Jonathan Cran:

So think like, you remember DB AutoPwn?

Tod Beardsley:

Uh-huh (affirmative).

Jonathan Cran:

Think like DB AutoPwn on steroids with the ability to do lots of other things. So there's some vuln checks in it. Like the most recent vuln that I wrote into it was the Microsoft Exchange one. I think it's 0688.

Tod Beardsley:

Yeah.

Jonathan Cran:

That's like, oh my god.

Tod Beardsley:

Yeah, that's no bueno.

Jonathan Cran:

It's no bueno at all. You have to have a user email address and you have to be able to log into the Exchange control panel. It's not OWA but it's the exchange control panel, which by the way is on by default-

Tod Beardsley:

Right.

Jonathan Cran:

And it allows anybody with any permission to log into, and then there's a static key that you can pull out of the cookies. And in doing so, you're now able to decrypt traffic.

Tod Beardsley:

Cool.

Jonathan Cran:

And you're actually using... What is it? Is it serialized on that? I'm trying to think of the serialization plugin. Anyway, regardless, it's RCE on that Exchange server. And I looked at the data and there's like 25% of these things patched at best.

Tod Beardsley:

Yeah.

Jonathan Cran:

It's probably closer to like 15% of these things patched. Nobody patches their Exchange box.

Tod Beardsley:

No man, that's an outage.

Jonathan Cran:

Yes.

Tod Beardsley:

It is pain to run like hot fallbacks on Exchange.

Jonathan Cran:

Yes.

Tod Beardsley:

Like I know it's possible. I think it's even like a question on, you know, whatever the MCSE equivalent is these days-

Jonathan Cran:

Yeah.

Tod Beardsley:

But nobody does it. It's very hard.

Jen Ellis:

I'm just going to pretend I know what you guys are talking about. Uh-huh (affirmative). Yeah. So hard.

Tod Beardsley:

Well, so patching Exchange almost always means a reboot still because it's all like, a lot of it lives in the Kernel.

Jonathan Cran:

Yeah.

Tod Beardsley:

And that means your mail server is out of commission for, you know, the minute, minute and a half, maybe two minutes that it's off, which, you know, it's kind of a long time for email.

Jen Ellis:

Come on. Email's dead. It's fine.

Tod Beardsley:

Yeah. Hey, you know, anything that drives another nail in that email coffin, I am on board.

Jonathan Cran:

Me too. And by the way, I wrote the translator from the OWA build version, so like OWA published as a version every time you see it, and there's a translation from that build number that it publishes to the Exchange version.

Tod Beardsley:

Oh really?

Jonathan Cran:

And so you can actually just use Ident, either via Docker container or directly, and it'll tell you the Exchange version running on the other end. So I did that. I actually like, working with BinaryEdge folks, I grabbed the 230 some thousand Exchange servers that are out there exposed to the internet, sorry, OWA servers, which are effectively an Exchange server-

Tod Beardsley:

Yeah.

Jonathan Cran:

And after looking at that data, it literally is like 15% of the internet's patched.

Tod Beardsley:

Wow.

Jonathan Cran:

And this thing has been out for at least a month, maybe two months. So it's like way behind schedule.

Tod Beardsley:

Is it though? Is it behind schedule? Like two months in, 15%.

Jonathan Cran:

Yeah. Yes.

Tod Beardsley:

I mean, to you and me, it sounds pretty low, right? 90 days is pretty typical for like a change control review board cycle on something as critical as your Exchange server.

Jonathan Cran:

Yeah.

Tod Beardsley:

So I'm not super-duper surprised that that's so low.

Jen Ellis:

Also, people have been kind of busy with this thing that's happening right now.

Jonathan Cran:

That's the thing-

Tod Beardsley:

Oh, there's a thing going on?

Jonathan Cran:

Yeah. Yeah, I heard this a thing. Essentially, we did some looking at Kenna Security because we got sort of the vulnerability scan data, and so there's this series of reports called the prioritization to prediction reports, and we can dig into this later, but kind of the gist of it is Microsoft's the fastest of all the different vendors to patch.

Tod Beardsley:

Yeah.

Jonathan Cran:

And within, don't quote me on these numbers, it's in the volume three of the report, a breakdown by vendor, and Microsoft is the fastest. And usually it's like, within 30 days, at least 50% is patched.

Tod Beardsley:

Sure.

Jonathan Cran:

Now, there's some nuance here. Like desktop stuff is obviously faster to patch. As you brought up, Exchange is usually a manual thing. Desktop is effectively patched faster just because it's automated and there's-

Tod Beardsley:

And all of the current desktop stuff has auto-patching enabled already.

Jonathan Cran:

Exactly.

Tod Beardsley:

Like it's hard to... You have to go out of your way to not patch.

Jonathan Cran:

Yeah. So these numbers may not directly apply. I will just say like if you look at that number, which is, you know, as official as a number as I can provide, it's way, way behind schedule.

Tod Beardsley:

Yeah.

Jonathan Cran:

And I think a lot of that's due to the current situation, the current global situation where people are trying to figure out how to work from home, let alone patch their Exchange server.

Tod Beardsley:

Yeah.

Jonathan Cran:

Like if email goes down now, I would say it's more critical than it would be six months ago.

Jen Ellis:

Well yeah.

Tod Beardsley:

Well, and in my experience with Exchange, you know Microsoft, I love you very much, but oh boy. I would say like, I don't know, the rate of Exchange coming back from a reboot is like, I don't know, 70% of the time. It takes a while. And plus it does like all the weird indexing stuff that it does-

Jonathan Cran:

Yeah.

Tod Beardsley:

In its own goofy way when it comes back online. So that, like I was saying, like a two minute reboot time, that's to get going, right?

Jonathan Cran:

Yeah.

Tod Beardsley:

And then there's a bunch of indexing that happens. So you're looking at an outage.

Jonathan Cran:

Oh, those moments are terrifying by the way. Like you're just sitting there, you're going, "Please, please."

Tod Beardsley:

Yeah, and it's garbage. And like Microsoft is great, Exchange, you're wonderful, boy, that reboot... Really. And this is why everyone's like terrified to reboot it. It may be perfect now, but like anybody who's been doing sysadmin for a while knows like, oh no, you never want to reboot that because, finger crossed, maybe it'll come back, maybe it won't.

Jonathan Cran:

And this is why Office 365... You know?

Tod Beardsley:

Yeah. Yes.

Jonathan Cran:

Like just get me away from this problem, please. Which is kind of interesting in and of itself. Like you see this transition of, you know, these sort of enterprise services to cloud services, and this is great. I mean, like this is, I think, a positive thing for the security of the organization.

Tod Beardsley:

Sure. And at Outlook 365, they know how to like hot swap exchange, you know?

Jonathan Cran:

Yeah.

Tod Beardsley:

Like they've done it a million zillion times.

Jonathan Cran:

Yeah.

Tod Beardsley:

Go cloud.

Jonathan Cran:

I've been thinking a lot about sort of this transition and like what are the effects on vulnerability management? You know, like everything's becoming application security, everything's becoming misconfiguration. Like you see a lot of data leaks these days-

Tod Beardsley:

Sure.

Jonathan Cran:

And then when I talked to folks, like a lot of their concern is data leaks. And there's some interesting tooling out there. LeakLooker is one that's been kind of pushing this forward. I'm also building some into Intrigue. And really the folks who are doing kind of the fastest and best scanning of the internet for this, at least as far as I know, are the BinaryEdge folks-

Tod Beardsley:

Yeah.

Jonathan Cran:

Who are actively and quickly scanning the cloud providers looking for open databases. And obviously Shodan and Censys are doing similar, but the fastest seems to be BinaryEdge today. And so you can actually just go search for these open databases and troll through them. There's a whole bunch of... And the reason I would stay away from it is like, the CFA implications are like pretty terrifying.

Tod Beardsley:

Uh-huh (affirmative).

Jonathan Cran:

When you start to look through other people's data. Like you now have exceeded authorized access. I don't know that that's been worked out. Even if it's an open database, even if it's sitting on the internet, you know, like there's definitely some considerations there. So I would just caution everybody, before they jump in...

Tod Beardsley:

Yes. And don't take legal advice from a podcast.

Jen Ellis:

That is also a good call.

Tod Beardsley:

But hey, if you're a pen tester and you're on engagement, you've got your get-out-of-jail-free card, go nuts.

Jen Ellis:

Oh my god. Again, do not take advice from a podcast]. So Cran, this sounds like it's been a real labor of love for you.

Jonathan Cran:

Yeah.

Jen Ellis:

So what's next? What are looking for?

Jonathan Cran:

Yes. Yeah. I mean, I definitely want folks to contribute. The fingerprinting is like one easy place to jump in and just start to add fingerprints. So I'm also doing some kind of fun stuff with it where I'm scanning... You know, I basically loaded in the Crunchbase database and a few other sort of big databases of companies, and so I'm pre-scanning organizations very lightly. Again, keeping mind of that CFA sort of thing, and just kind of getting a lay of the land of what organizations actually look like from the outside.

Jonathan Cran:

And so that's actually providing a bunch of good data which is allowing us to improve the engine. And so one of the things that was kind of different, you know, with tooling in the past, is like you didn't have that stream of data of it actually being used in the wild, and so, you know, I've got it plugged into Slack, so every time it scans a new organization, it comes back with a set of fingerprints. We look at those fingerprints and we add those into the repository. And so that, you know, the fingerprinting stuff is getting very good very quick.

Jen Ellis:

Awesome.

Jonathan Cran:

Yeah. I would say like we definitely want to have folks contribute and take a look at it and use it. It's very easy to just kind of like get started with that Docker container and plug in a domain for your organization.

Jonathan Cran:

Now one caveat, it's accuracy and scoping is a thing. And so, you know, the way the engine works, it's the graph and it's Spyder is based on rules, you know, it'll follow DNS, it'll follow WHOIS. It will be relatively inaccurate at first. You do kind of have to train it where to go. So just like with, you know, think like Burp, right? There's a scoping component to it. Like we're working on those components now for the engine.

Jonathan Cran:

In the hosted service, because we've already kind of scanned everybody and we have a sense of which domains belong to which companies, it's a lot more accurate. Whereas with the open engine, you've got to kind of like guide it a little bit. So there's, you know, like work required to make that thing really awesome for you.

Jen Ellis:

I think it sounds great. What have you, like as you've gone through this-

Jonathan Cran:

Yeah.

Jen Ellis:

And it's been a long time, like where have you hit the biggest roadblocks? What were the biggest challenges?

Jonathan Cran:

It's funny, you know, I'll get busy and I'll step away from it for months at a time, and then I'll kind of come back to it when I have the problem again or when I get excited about some particular solving a problem on it. What I like about it is like it kind of scratched my own itch or it solved my own problem, and for anybody kind of thinking about their own tooling, I would definitely suggest, you know, kind of going down that path somewhat obviously. Like the more you can solve your own problem, the more interested you're going to be, and the more you're going to learn technology in order to solve that problem.

Jonathan Cran:

And so for me, the biggest challenge I think was, you know, there are times when you have to rewrite certain core components and you're like, "Oh, I already solved this problem." This is like the fourth iteration of this thing. So you know, every time you rewrite it, you're a little smarter, you learn a little bit more, you try new technologies.

Tod Beardsley:

Ideally.

Jonathan Cran:

Yeah. Yeah, fair enough. You know, I started out on rails, I moved it off rails. I was like, "Ah, this is too bloated." So I'm learning.

Jonathan Cran:

And by the way, the most recent stuff, the coolest stuff for me most recently was like getting really good at DB optimization or database optimization, and indexing and that sort of thing. Like I didn't learn that stuff in school. My database teacher taught us XML, which he thought was going to revolutionize the entire database world. It did not.

Tod Beardsley:

That is wild to me, this notion that, "Oh XML, it's the OG NoSQL?" What?

Jonathan Cran:

It actually kind of was in that sense. I think he was one of the maintainers of the spec or like one of the builders of one of the other specs around XML-

Tod Beardsley:

Oh.

Jonathan Cran:

And that's why he was so excited about it that he neglected like every piece of information outside of it.

Tod Beardsley:

Sure.

Jonathan Cran:

So for me, that's a cool thing. You know, like you have these challenges and you're like, "Why is this thing slow? Like let me dig into it." And you have to learn how to diagnose the system, and then you have to learn like what the underlying problem is and then, you know, actually solve it. So that's cool.

Tod Beardsley:

Well, you know what? With this global lockdown of nerds around the world, I hope-

Jen Ellis:

You know it's not just the nerds that are locked down?

Tod Beardsley:

Yeah, I know, but I'm thinking of the nerds in particular because, you know, this may be a golden age of open source over the next two or three months.

Jen Ellis:

You know, as you were talking, what I realized is how much we have covered open source projects-

Tod Beardsley:

Yeah.

Jen Ellis:

In episodes, and I was thinking, that has Tod Beardsley's sticky fingers all over it. Anyone who thinks that I have any influence over this podcast, no. No, no, no.

Jonathan Cran:

Love it.

Jen Ellis:

Roll in slyly, easy. "Oh yeah, no. We'll totally do that thing."

Jonathan Cran:

Where else can you experiment though, you know? Like where else can you just like jump in and try something and solve your own problem? Like it's been so fundamental to my own growth in terms of being able to build things that-

Jen Ellis:

Aw.

Jonathan Cran:

Yeah, it's super cool.

Jen Ellis:

That's a very heartwarming message. I like that. All right, cool. So what would your advice be? I mean, you gave a little bit just now.

Jonathan Cran:

Yeah. Well jump in. I mean, start with a modern technology. Golang's a good one to kind of play around with. You know, Python, everybody knows Python. I would say start there. Solve your own problems. Don't wait for other folks. You could try contributing to other people's projects too. I mean, like that's definitely a thing.

Jonathan Cran:

Here's a good piece of advice. If you help other people with their project, they will help you, and they will help you-

Jen Ellis:

If you build it, them will come.

Jonathan Cran:

Well, sort of.

Tod Beardsley:

If they build it, I will go. How about that?

Jen Ellis:

Right.

Jonathan Cran:

But I find myself kind of mentoring these folks who, you know, have just popped up for whatever reason and they're trying to solve their own problem, and I'm helping them grow in ways. And in fact they're learning things and then teaching me, and it becomes this kind of cool community of like educating each other. We've got a Slack channel where we're sharing information. And as part of that, like I really, really enjoyed that and I end up spending like way too much time kind of mentoring and helping, but I enjoy it and it's fun, and it's giving them value and like I get value out of that. And so, you know, why not?

Jen Ellis:

This is awesome. I'm super excited to hear about it. Give us the weblinks again that people should check out.

Jonathan Cran:

Yeah, so it's intrigue.io, so I-N-T-R-I-G-U-E.io.

Tod Beardsley:

Lovely. And we'll link in show notes as well.

Jonathan Cran:

Cool. Come check it out.

Jen Ellis:

Yeah. That is awesome. Thank you so much for coming on J. Cran. We really appreciate it and it's exciting to hear about this and see it coming to fruition.

Jonathan Cran:

Thanks.

Jen Ellis:

The only way to say that word.

Tod Beardsley:

It's a weird way to say that, but okay.

Jen Ellis:

I hope that you will come back on. We want to hear about some of the cool stuff that you're doing at Kenna-

Jonathan Cran:

Yeah.

Jen Ellis:

At some point in the future. I know that you've got some great research projects going on there, and we want to hear more about how Intrigue's going in the future.

Jonathan Cran:

Cool.

Jen Ellis:

So yeah, please come back.

Jonathan Cran:

Thanks so much for having me.

Jen Ellis:

Awesome. And stay safe and find a source of toilet paper.

Jonathan Cran:

See you guys.

Jen Ellis:

All right, so Tod, Rapid Rundown COVID, edition. What have you got for us today? Also, do you like how the sound quality is improved because of my magnificent new gaming headset? It's like no time has passed at all, except somehow I've got much clearer.

Tod Beardsley:

I am very excited for your new work at home life and learning productivity tips and sound engineering, and I heard a rumor you bought a desk for someone else's house.

Jen Ellis:

I mean, I haven't bought it yet. Actually, what I've done is I spent my, fun ways that people spend their weekends, I spent my weekend looking at every desk that's available online in the UK. But yes, my poor family, I'm basically like, "You don't mind if I just buy furniture for your house, do you?" And meanwhile, all the news reports are like, "You're going to be staying where you are for the next three months," and I'm just looking at my family going, "Sorry."

Tod Beardsley:

Yeah.

Jen Ellis:

"Hi."

Tod Beardsley:

Well, it will be a fun family project to build a desk.

Jen Ellis:

Yeah.