July 13, 2020
Executive Director of BioHacking Village Nina Alli joins the Rapid7 team this week to discuss the intersection of tech and medicine on our latest episode of Security Nation. Stick around for our Rapid Rundown, where Tod discusses the two vulnerabilities that plagued infosec professionals over the holiday weekend.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.
Nina is the Executive Director of the Biohacking Village and 2020 will be her fifth year overseeing the phenomenal growth of the Device Lab, Speaker Track, and Hands On Lab at DEF CON. She has spent 16 years in healthcare, building/breaking/securing Electronic Medical Records, along with their connected medical IoT devices, and working in the Citizen Science area on microfluidics.
Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week.
Jen Ellis: Hi, and welcome to this episode of Security Nation, the podcast where we talk to interesting people doing cool things to advance security in some way. Sometimes, we talk to cool people doing interesting things to advance security in some way. We've never had boring people. That is the bottom line that you should take away from this. It is always a good time.
Tod Beardsley:
Zero snores.
Jen Ellis:
Zero snores. Thank you, Tod Beardsley, I appreciate that. So yeah, I'm Jen Ellis, Rapid7's VP of Product and nope, nope, nope, nothing to do with product. Where did that come from? Community and Public Affairs. Words are hard for me. Yeah, that stuff. Tod's with me. Yay, Tod.
Tod Beardsley:
Hey. Hey, also not with Products anymore.
Jen Ellis:
No. We never really cover your title. Your title's cooler than mine.
Tod Beardsley:
Are you asking what it is I do here?
Jen Ellis:
Yes, please tell me. What do you do here?
Tod Beardsley:
Okay. Well, I'm the Research Director at Rapid7 and I do a lot of the coordinated vulnerability disclosure junk, and also I'm an Infosec performance artist, so I do podcasts like this.
Jen Ellis:
I liked the Infosec performance artist. I feel like that's really what you aspire to be with your life, and also a professional quizmaster. Alright, so today's guest, I think is going to be a handful. I can't wait. It's going to be exciting. I already hear her giggling in the background, so today's guest is Nina Alli, who is the Executive Director of the Biohacking Village. If you have never checked out the Biohacking Village, then more fool you, you should totally do it, but Nina, welcome. Thank you for joining us. We're very excited.
Nina Alli:
Hi. How are you?
Jen Ellis:
Yeah, obviously a little bit manic and crazy. I feel like I was all right when I was in lockdown in the sun, but it's gloomy as shit today. And so yeah, now I feel like I'm scratching at the walls a little bit, so apparently, I'm a bit manic today. How are you doing?
Nina Alli:
I'm okay, question mark? Things are happening. Things are moving. The world is changing, thank God.
Jen Ellis:
Right. Watching the news is an interesting exercise at the moment.
Nina Alli:
It's actually my favorite pastime. I watch the news for white noise and for information. Is that not common?
Jen Ellis:
No, I think a lot of people are doing it, and I feel like a lot of people are also regretting it, and so you are not alone in watching the news obsessively, but I think it's an interesting time. I watch the news at the moment and it feels like I'm watching one of those “Purge” movies or whatever they're called.
Tod Beardsley:
I mean, the world is lawless. I realized this morning that, like you, Nina, I used to have the news on just constantly. And then Hurricane Katrina happened, and this was back in what, 2005 or something? So, 15 years ago. And that's when I stopped doing it.
Jen Ellis:
I like the idea that you've not watched the news since then. I know that's not what you're saying, but that's how I'm going to take it.
Tod Beardsley:
I really haven't. I read and stuff, but that's when I canceled my cable subscription. I stopped watching all cable news, all of it. Very little in the way of video, but God dang you, internet, and your bandwidth now, everything's video, so I find myself like falling into that same pattern I had 15, 20 years ago. I've just got to stop, because it doesn't make me happy. You know? I don't know. There's good advice out there of how to limit your news exposure, because it's all just trauma all of the time and your brain doesn't know the difference between a video and what's actually happening in front of your eyeballs, so good luck, everybody.
Jen Ellis:
Right. So, Nina, tell us about yourself.
Nina Alli:
That is such a loaded question.
Jen Ellis:
I know. That's why I love it.
Nina Alli:
First thing I'll tell you is I'm really bad at answering broad questions, so enjoy that. Gut reaction to that question is, hi, I'm Nina Alli. I am the Executive Director of the Biohacking Village and the rest of it goes, I have run the Village for five years. The Village has been open for six. I work in citizen science. I work in bioinformatics. I work in biomedical security. I have two graduate degrees, because I'm clearly in love with that kind of academic pain.
Tod Beardsley:
You don't like money. I got it.
Nina Alli:
There's a story behind one and then a story behind the other, so let's just get into that, right?
Jen Ellis:
Yeah, I love story time. Let's do it.
Nina Alli:
I was working at one of the hospitals in New York and I was actually going for nursing. I had a lot of the nursing stuff done and my boss was like, "Hey, so we actually need somebody to do more of the technical stuff, and you're really good at this. We'll pay for your master’s if you want to do it. Do you want to do it?" I was like, "Wait, it's paid for? Yes, all for this idea." So, did that, got the degree, and then my second one is in translational medicine, which is bedside to bench, so bench meaning the lab and bench to bedside. I was in their third cohort, and I took it because I was like, "This is fantastic. Academia is pretty much getting into the vibe of biohacking. They're understanding that this needs to be more inclusive. It's going to be so great." I was wrong.
Tod Beardsley:
Oh, no.
Jen Ellis:
Boo.
Nina Alli:
I did a lot of my coursework in talking about what I had done already, and I was ten years older than the oldest person in the room, aside from the professors. I had a lot of discussions about, "Hey, you need to bring security into this as well. It's not just all of these other things." They were like, "Yeah, pooh-pooh, okay, fine." I was like, "No, guys, seriously. You know what I do, right? Look, this is a thing. This is real." I did a presentation on security in one of my classes and I got a C, just hardcore C. She would not change my grade. And I was like, "But it's real. Security is real. You said it's real. Why are you arguing with me?" She just hard no, wouldn't do it. I said, "That's okay, because at the end of the day, I have a degree, and nobody's going to look at my grades and go, well, you got a C in this class." And I will explain to them that I brought security to the forefront and you finger-wagged me and said no, and then you can have that talk with them.
Jen Ellis:
When you got the C, were they like, "No, security's not relevant."
Nina Alli:
Yeah. Yeah.
Jen Ellis:
Well, I feel like probably lots of people who listen to this can relate to that, because they've probably been told that security needs to go away at some point.
Tod Beardsley:
Security is job four.
Jen Ellis:
How did you get from there to the Village?
Nina Alli:
It's actually the other way. The evolution of my professional life, I started working in a convent, went into the military, got out of the military, needed a job. Sat in a two-and-a-half-hour interview with a former Air Force guy, sat up the whole time. He's like, "You don't have to be nervous. It's cool." I was like, "Actually, this was how I was trained to sit." He was like, "I love this. Yes, you're hired," so I started working on electronic medical records in 2006, and this was when they had just started coming out and becoming more technical and electronic, et cetera, et cetera. So, I worked in a 22-location, multi-specialty facility in New York City in different boroughs and brought them up to a full electronic medical record in, I think, three years. And that was the fastest thing ever.
Jen Ellis:
Okay. There's so much here to unpack. What were you working at the convent for, or what were you doing at the convent, I should say?
Nina Alli:
I was an administrative assistant. I was a front desk admin. I pretty much did whatever they asked me to do.
Jen Ellis:
Amazing. Okay so you were working in a convent and you were like, "You know, this has been fine and all, but it's time for me to go spread my wings and kick this habit." So then you... I apologize to everybody right now, not just because of the quality of the jokes.
Nina Alli:
Good one.
Jen Ellis:
That's what I'm apologizing for. Then you went into the military. You were a Marine. Is that right?
Nina Alli:
Yeah.
Jen Ellis:
Aka a badass, and then you came out of the military and then what? You ended up getting a job in New York, working on electronic medical records.
Nina Alli:
Yes.
Jen Ellis:
Doing what exactly with the electronic medical records?
Nina Alli:
Initially, I was an implementation specialist, so I went around training people on how to use it, the physicians, clinicians, nurses, everybody, and then I started programming them. When I was programming them, I would break them.
Jen Ellis:
Okay, good.
Nina Alli:
I would tell everybody where they were broken, with this very high expectation of you should go fix this.
Jen Ellis:
That didn't happen.
Nina Alli:
And sometimes they didn't, sometimes they didn't. And when they didn't, I would. All of those things, and all of the new laws were coming down and we were all trying to figure out what was going on because they're really subjective, so it's always about how do you see this law? Okay, so if you see it this way, we can argue it out and then we can figure out what's going on and we can implement it in the way that we agree upon. That doesn't necessarily mean that that is the way that the government intended it, so we did all of those things as well.
Jen Ellis:
You and I have talked about, and Tod and I have talked about a little bit as well electronic medical records. They're not my favorite thing.
Nina Alli:
I don't think they're anybody's favorite thing, but they're my favorite thing.
Tod Beardsley:
Uh-huh.
Jen Ellis:
Why do they, how do I put this delicately? Why do they suck so bad?
Nina Alli:
Wow. Okay. I feel like this is over, so why do they suck?
Jen Ellis:
We're not in love anymore. Is this it?
Nina Alli:
Well, I will still hug you, but then I will promptly walk away. No, why do they suck so bad?
Tod Beardsley:
Well, I don't think it's a matter that they suck. It's that there's a ton of efficiency to be had there.
Nina Alli:
No, no, no. That's a completely valid statement. No, that's it. Yes, that's a completely valid statement.
Tod Beardsley:
I think that like, not as a concept, they don't suck and I think they're great and everything, but the security is just so garbage-tastic on them. Like it's, it's rookie stuff.
Jen Ellis:
Obviously not on the systems that you were working on, obvs. Look, I think the biggest problem that I have with them is the whole promise of them from beginning to end was supposed to be interoperability, the whole promise. This is how they were certainly sold in the UK, where you can be from London and get in an accident in Manchester and get healthcare treatment, emergency treatment in Manchester and they will know that you're allergic to penicillin or to painkillers or whatever it is that they need to put, they probably don't put you on penicillin. I don't know.
Tod Beardsley:
It's a dirty accident, yeah.
Jen Ellis:
Right. I mean, God, just filthy. Imagine my shock and horror when my dad was transferred from a hospital to another hospital that was 20 miles down the road, and actually it was in the process of becoming part of the same hospital. It was only after he'd been there for 24 hours and they had put him into a medically-induced coma that they turned around and went, "Oh, we didn't know that he had a broken jaw or a broken wrist and a chipped vertebra." And I was like, "I'm sorry, what's that? You didn't know? What do you mean you didn't know?" Yeah. I have like a bit of a -- and also Dad, if you're listening, which you probably are not because you have other things that you do with your time, but sorry for sharing your medical records publicly on a podcast.
Tod Beardsley:
GDPR. GDPR.
Nina Alli:
When I give talks, I do this. I do a quick brief of the history of electronic medical records because I feel like a lot of people have this same mentality of, these things are terrible. They suck. What are we doing? EMRs, the actual genesis of them are, if I was an OB/GYN and you were a cardiologist, we each had our own medical records because we've focused on only those things and those were the only things we cared about, but when you went into the GP, the general practitioner, they needed to see everything because they do a multi-system checkup on you, so those parts were put together with bubble gum, tape and prayer, and that's how the original electronic medical records came about, and then they just continued to build on those things.
Nina Alli:
The problem with building on those things was that it was people in the back end, who may not have been physicians, nurses, clinicians, anybody that actually was patient-facing. I found that to be a big problem. That's why I started nursing school, because people that were working on the electronic medical records, that were building them, didn't understand clinical workflows, patient protocols, all the other things that go along with it. You're working in this very small vacuum of, "This is what I think it should be." And it's like, "Cool, but that's not how they do it," and if you're not doing it the way they do it, you're changing workload that you don't even understand. You may be harming someone.
Nina Alli:
That's why I did the nursing school thing. I also did clinical medical billing/coding, because I was like, if you're not billing for stuff, if you're not billing appropriately, you get rejected constantly, so we need to make these notes so that you can write what you need to write so next time you see this patient, you can follow up accordingly, do everything you need to do, get paid for your services and make sure that the patient is okay at the end of the day. I don't, that's my thing.
Jen Ellis:
Wait. Are you saying we should prioritize patient care? That seems insane.
Nina Alli:
You have no idea how hard I just eye-rolled you. I'm so, weirded out is the word in my head, by how medicine is done, where there's people in the room saying, "Well, it should be done this way. It should be done this way," and I will raise my hand and be like, "Did you talk to a physician? Did you talk to somebody that does this?" I worked in surgical oncology. I'm from New York, so all the hospitals I ever talk about are in New York. I was working in surgical oncology and she showed, one of the physicians I was working with showed me something. I said, "Well, who wrote this for you?" She's like, "I don't even know. Somebody just came here and gave it to me and told me that this is what I should use," and it was clinically incorrect for her practice and what she was doing.
Nina Alli:
We ended up sitting down and writing up all her workflows, of which there were 32. I was like, "What are you doing? Why are there 32 different workflows just for you as a physician, the patient and your PA and everybody else involved?" We knocked it down to about 19, which was much cleaner. In perspective, it was much cleaner, and we built the notes appropriately from there and it streamlined their workflow, their personal workflow, but it also streamlined the patient care because now it was, they could bring stuff in, they could omit things, they could notate appropriately. Medications were always a big deal because you mess up one letter, you bring up something completely different, you mess up how many milligrams or whatever the case is on something, you're going to hurt somebody.
Jen Ellis:
You're like, "Oops, I killed someone."
Nina Alli:
Right. Right, and there is no, "Oopsie, you killed somebody." It's like, "Oh my God," because it's cancer meds, right? So you can make some somebody necrotic without trying or just completely unnoticing it, and something happens to them. I'm a lot against that. I try really hard to make sure that if they're going to have to document that their documentation was right, the technology was working, the security was right. Just again, my ideal thing is, patients have to go first. I completely and utterly understand the concept of, we need all the things. Yeah, but we also need literacy between everybody that's working on these things. We need to have normalized conversations. The same way that doctors use their very particular nomenclatures, we need to normalize our nomenclatures and meet in the middle. We have to see each other where we are and then meet in the middle so that we can continue to progress. I feel like I just got on my bully pulpit.
Jen Ellis:
No, that's okay. We like it. Normally, it's just me on a soap box. I will say, when I spent three weeks watching my dad in a hospital, it did give me, I had spent, before that, I had talked a lot about healthcare cybersecurity and implications of risk and all that kind of stuff. I thought that I had a pretty good sense, as somebody who'd been to the doctor and been in and out of hospitals at various points, that I had a good sense of what the hell I was talking about. Then I spent three weeks sitting in critical care wards and watching, because when you're sitting next to the bed of somebody who's not conscious, there's just a lot of time on your hands. You look a lot at the technology. You look a lot at how the people around you move and what they're doing. You look at them when they're dealing with urgent situations and things are beeping at them.
Jen Ellis:
It did give me a much more profound appreciation of just how much effort has gone into designing this technology to be fit for purpose and trying to make it so that it is something that can be used to save lives. It was quite a humbling thing in a funny, old way, because I did think. I did have that moment of being like, "Wow, I really know nothing." Yes, Little Miss Opinion, maybe take a breath. I get what you're saying that there are lots of voices on the topic apparently, including mine.
Nina Alli:
And they're all needed. Honestly, they're all needed.
Jen Ellis:
Yeah, sure, but to your point, the most important ones are the people who are actually having to try and use this technology every day to save lives. We need to listen to them and think about how we make things work for them as much as possible, but we need to do it in a way where we're not sacrificing patient safety.
Nina Alli:
I was at an industry meeting with people. I'm not going to say where it was. A person in the right pocket corner said, "We can make those decisions now. We know what we're doing." I raised my hand. I said, "There's no way that you can speak elegantly or intelligently to this. Are you a physician?" He said no. And I said, "Is there any physicians, are there any physicians in the room? Is there anybody that works with patients in this room?" And he said no. I said, "Then we do not have jurisdiction to change something that we don't know." I said, "That's one of the main problems with what we do. We continue to change things without talking to the person that's going to be running it." We make all of these contraptions, and it's amazing. I love the technology and I love the spontaneous outbursts of brilliance, but simultaneously, we have an audience. We have people that are going to be using this, and we have to make sure that they're comfortable with it and that they can speak intelligently to it rather than...
Nina Alli:
My prime example for this is always pacemakers, because it's a tangible object. If something happened and you end up in the hospital and you need a pacemaker, it's not like the physician walks up to you and says, "Okay, so here are a couple of pamphlets of the pacemakers that we have here that are ready for you, so here's the pamphlets and here's the contact phone number in case you have questions. Let me know when you're ready and which one you choose." We don't get that option as patients. It's more like, "Something's going on. We need to fix this now. Get in the operating suite," and they just do the thing, and you're just grateful that you're alive. You don't really ask questions because crisis is averted, but then you don't know what technology you have inside you, because a lot of us don't know what questions to ask.
Nina Alli:
It's more like, "Thank you so much, amazing job." Example, real life example, my father was a paramedic for the Fire Department of New York. I think he's got, I think he retired after 27 years, and he's still a counselor for them. He has heart issues, things going on, and I went to the doctor with him. I actually don't know why, but I pushed myself into the appointment with him, and he heard about what the doct-
Nina Alli:
He needed a surgery, and he heard the surgery details, and he literally, I don't know what happened to this man. He stood up, put his elbows on the doctor's desk and flung his arm, not in anger. I think it was just nervousness. And half of the doctor's table stuff just fell on the floor. And I was like, "Are you okay?" And he's like, "I'm sorry. I'm just nervous. Just all of this just hit me. I'm sorry." And this is a man that understands medicine. If that happens to somebody that understands things like this, what happens to normal people? My mom is like, she's super in that place and I love her and I will share this with her so she can laugh at me about it, but my mom had one of the rarest cancers in the world and I went with her to the appointments because she was going to the hospital that I had worked at and I knew what to do and stuff.
Nina Alli:
Even she was like, "I don't understand what they're saying." And I said, "You have to say that in the appointment, because if you don't understand, you're walking out and they're just thinking that you're good to go. If you don't understand, you need to say I don't understand, so a counselor or whoever can come and have a conversation with you." And she's like, "Well, I don't want to bother them." And I was like, "Whoa, no." That is your job as a patient to understand your care. You can't just walk out of here thinking that you're good to go, but you have no clue about what's going to be taken care of.
Jen Ellis:
I think it is. I think people do think that they can't advocate for themselves in health care.
Nina Alli:
Yes.
Jen Ellis:
It's really important that they do.
Nina Alli:
Let's even think about how stuff is going on now, right? With this pandemic. If science and medicine were... I feel like science is, or at least science that I work in, citizen science, we're pretty open, but medicine has all of these barriers around it. I'll walk in and the doctor will tell me what to do. Like if it was diabetes, right? The first thing a doctor is going to tell you is, "Well, maybe you should lose some weight." Well, you know what else you could do? You could check my thyroid. You could check my pituitary gland. You could check my A1C. There are other things you can do to tell me it might not be my diabetes.
Jen Ellis:
I agree with you completely. Even dumb stuff, like when I arrived to go see my dad, I love the fact that, by the way, we've just turned this into a thing about our parents' health. Yeah. When I went to see my dad-
Nina Alli:
No, just even on that, we're in the middle. I don't know how old you are, but we're that middle generation of, we have to take care of our parents. My grandparents are still alive, so I help with them as well, and children. We're in this place of, we have to help everybody. I feel like a lot of it is dependent on how much we understand medicine and how much we can help everybody else around us or in our families, whatever the case may be. Please continue. Chronic interrupter if you're not in front of me, if I can't see you, I interject.
Jen Ellis:
No, you're fine. No, what I was going to say is, I wanted to understand what was going on, and so I, when his doctor came round to do rounds on the ward, and he was, at the time, he was on the ward they put you on when you have a brain injury and you've been either put in a coma or you're already in a coma. The doctor comes around and I said, "I'd really like to understand what's going on." He gave me this perfunctory answer, which was, he covered off what he believed was the important stuff. He was like, "There's no sign of brain injury, and we're focused on his lungs right now." Because my dad managed to break his ribs in 14 places and punctured both his lungs, so well done him.
Jen Ellis:
I will say, by the way, for anyone who cares and is listening, my dad is absolutely fine now. He came through it and you would not know that he had had this situation at all, but...
Nina Alli:
This is where you get your resiliency from, just in case anybody's questioning it.
Jen Ellis:
I wish that I had an ounce of my father's resiliency. It is, he is remarkable. I do like to refer to him as the Bionic Man at times. But yeah, so the doctor felt that he'd given me the most relevant information, and in all fairness to him, he's a super busy man. He's got a ward full of people who are all very ill and there's lots of people who want to talk to him, but my dad was saying that he also had a bunch of other injuries, because he had been in this horrific car accident.
Jen Ellis:
I was just like, okay, I feel like there's some information missing. And so I was like, "Okay, but what about the broken vertebrae?" I was like, spine seems like a big deal. Let's talk about the spine. He was shocked. The doctor was shocked that I pushed back on him. And so he answered the question but as if he was like, "Why are you asking me this?" And then I was like, I wouldn't stop. I was like, "Well, what about?" Because he'd broken his jaw. He had broken his wrist and he looked like he had completely smashed up his leg, but he actually hadn't. It was just really badly bruised. I kept asking questions, and the doctor literally looked like a rabbit caught in headlights. It was like nobody had ever challenged him before and asked him questions. And I was like, what is happening right now? I was like, "I understand you're busy. I'm really sorry to be taking up your time, but I really wanna understand what the situation is with my father." And he was just like, "As I said, we're focused on his lungs." And I was like, "Okay, great, but I am looking at the rest of his body right now and would really like to understand the situation." It is funny. You do have to push and push and push.
Nina Alli:
Is that just your specialty? You're just in respiratory, and who else should I be talking to is the next question.
Jen Ellis:
Right. What was interesting was, it's a long-winded story, and we have limited time, but they actually weren't.
Nina Alli:
I will clear my calendar for this.
Jen Ellis:
They weren't cardiothoracic experts. That's why he ended up having to move hospital when he almost died for the second time. It was good times. Anyway, as I said, he is fine now, and he would be delighted to know that I've been talking about all of this on the podcast.
Nina Alli:
I feel like we share a dad. I feel like we share the same person. Our parents, I think they would just sit there and tell little war stories about just their healthcare.
Jen Ellis:
It's obvious that you're a very passionate advocate about this stuff. Is that why?
Nina Alli:
Is it because I yell?
Jen Ellis:
Hi, have you met me? I only have one volume. Is that why you got involved with Biohacking Village?
Nina Alli:
Wow. Thanks for the softball. No, this is not. I had never been to DEF CON before the Biohacking Village existed. When it came about, I was a contractor at the security place and I had always worked in healthcare and they were trying to get into healthcare and I was like, "Guys, let's go and we should go to this. This would be great." They kind of told me no. And I was like, "Well, then I'm going to quit. I'm going to quit on you because you don't believe in me in this." That was in 2014 that the original Biohacking Village came about, and I wasn't part of that. I was just an observer and I walked in there and I think the schedule that had been printed versus the schedule that was on the website was off by an hour, so I kept missing talks.
Jen Ellis:
Oh, boo.
Nina Alli:
I finally walked in.
Tod Beardsley:
That sounds about right.
Nina Alli:
Yeah, and I finally just walked in and sat down and just by happenchance, I happened to sit by one of the organizers and we started chatting. I was like, "This is great. I love this. So amazing. Clap, clap, clap." That year, I almost gave my first DEF CON talk because somebody didn't show up and he's like, "Do you want to talk?" And I was completely verklempt. And I was like, "Uh, no." But then the guy came in and I was like, "This is great." I guess this is where the hardcore stuff comes in. Thanks, Jen.
Jen Ellis:
You told me you were up for it.
Nina Alli:
Right. Now I'm literally moving around in my seat, the uncomfortable truths, right?
Jen Ellis:
There's no pressure.
Nina Alli:
No, I know, but this is one of those things that, it's a thing. In December 2014, I got a phone call asking me if I wanted to be the project manager for the Biohacking Village so that I could help future stuff. And I was like, "Yeah, sure." I did a quick interview and they were like, "You got this." And I was like, "What? Amazing." I built out the first year. What I don't normally, under just circumstances, tell people is that I was also homeless at that time. I built out the Biohacking Village while sleeping on couches, in my car. I took as many talks as I could because I knew it would pay for the room and food and flight and give me an opportunity to meet other people.
Nina Alli:
And I traveled that year extensively to other conferences. I spent pretty much all the money I had. I was homeless for two years. The first two years of Biohacking Village that I ran it, I was homeless, and by the time I was done with the second year, I think I had $500 left in my bank account and I got a job and I started my Masters. So the same month.
Jen Ellis:
Amazing.
Nina Alli:
In August, DEF CON ended. I started a job three days later and started school, I think, a week after that. So when it's the, science is hard for people. Science is hard for people and getting into science is hard and maintaining who you are as a person is hard, but it's the trials and tribulations and challenges that you see who you are, right? Just my last anecdote for this part, I guess, is that I, when people... you learn who you are. You learn really quickly who you are after things like that. I try to be the person I needed when I was at my lowest when it comes to pretty much everything in my life, because I wish somebody would have looked at me and said, "I don't think you're okay and I think you're lying every time you say I'm okay and I'm not judging you, but you need to tell me, and you don't have to tell me now, but you have to tell me when you're ready."
Nina Alli:
I think that's super powerful, even now with what we're doing. Everybody's like, "Hey, how are you?" We're all exhausted. We're all exhausted from different things, and we don't know the circumstances of people's lives. I think we tend to hide things really well. I try to ask people, "How are you, but how are you really?" I will watch you when you talk to me. This is super social engineering now. I'm like, yeah, so the bio side of my life, I will watch you and I will watch your blood pressure in your face and your hands and how you move and how your eyes go and everything else about you, and you'll say you're fine and I'll say you're lying.
Jen Ellis:
Yeah, you've totally done that to me, and it's so uncomfortable.
Nina Alli:
It's not meant to be uncomfortable. It's just, you're lying and you might be lying to keep whatever you need inside and that's totally fine, but when you're ready, I'm here and I don't care what time it is and I don't care what I'm doing. If you call me, I will leave a meeting. I will fly out there to have a 20-minute conversation with whoever it is so that you can feel what you need to feel and we can figure out how to move forward. It's the same as, to me, it's the same as healthcare. It's essentially the same thing. There are so many people that we don't know their circumstances in life, and we're like, "But you should be fine," just because we don't know what's going on. I think if we were more sensitive to that sort of stuff, a lot of things would be better. Man, this is going to be an emotional podcast.
Jen Ellis:
Well, firstly, thank you for sharing. I think it's really brave of you to share, and you are obviously very brave and very resilient for everything you've gone through. I wonder if the current situation will make us any better about what you're talking about, what you're describing, like with having had a situation where I think we've observed people that we interact with often who are not people that we necessarily think of as being people who struggle and suffer with anxiety, we've observed a lot of people dealing with anxiety because of the situation that we find ourselves in, which is awful. I wonder if it will make us come out of this situation with a better appreciation for what that looks like and what the impacts can be and a little bit more empathy and compassion for each other or if we'll just forget and go back to normal afterwards.
Nina Alli:
No, no, no. We're not going to forget and go back to normal. That just can't happen. The quote I've been using recently, whenever I talk to people is, "People aren't afraid of change. They're afraid of losing control."
Jen Ellis:
Yeah. I think that's actually very true. I think uncertainty is harder than change.
Nina Alli:
Right.
Jen Ellis:
I think often when people react badly to change, it's because of the uncertainty factor more than once.
Nina Alli:
How do we make ourselves more resilient and say... This country has gone through how many different kinds of industrial revolutions? Why can't we do that with people, too? It's time for a change. This is a lot. Just for myself, even with my resume. So fun fact. Biohacking Village was the job that I was doing for two years, because I had nothing else and I was doing my thing. I ended up taking it off of my resume for a while because people were like, "Oh, well, Biohacking, that's terrible and you're a bad person." I was like, "What are you talking about? This is not terrible." I had applied for all these jobs and nobody would hire me. Then I took it off and eventually I got a job, but I also have military experience.
Nina Alli:
I had taken that off of my resume. When you look at somebody's resume, you look at their name and where they live and you get a lot of indicators of who they are. You can start figuring that out. Now with LinkedIn, you can literally see who they are. I think we need to... There's so much bias even with data, right? There's so much bias in data. Clinical trials are primarily done on white men and there's, fun fact, 51% of this world are women. We're not even taken into real consideration when it comes to that. It's like, "Well, this didn't work for men. Let's try it on women." No. How about we just do an impact study on both. More than that, it's not just like, let's try this in white men and white women. There's other people in this world that may need the medication and need to be in those clinical trials. Just from that aspect, there needs to be more inclusion. There needs to be more folks getting tested on these things.
Jen Ellis:
Yeah. Well, I mean, there just needs to be a lot more equality generally. It's insane that we're in 2020, still having these same conversations.
Tod Beardsley:
Yep.
Jen Ellis:
I feel like history will judge us and future generations will be like, "Wow, what a bunch of dumbasses."
Nina Alli:
Aren't we already saying that?
Jen Ellis:
If we're not, we probably should be.
Nina Alli:
Current state in America, you need a job to have healthcare. Fine. I don't understand the concept of that, because everybody complains so much about how healthcare is going to cost us later because people get on Medicaid or Medicare. It's much more logical and sensitive to give everyone healthcare. It might be a huge increase in people suddenly getting care, but it would also be because people didn't have care, and that number that we would be spending and time that we would be spending on giving folks care will eventually start going down and people will be healthier and won't need so much care later in life. The money will at least equalize because we would have taken care of problems from the beginning, not just, I have something itching me and then it becomes an ulcer and then it becomes infected and now you have gangrene and all these other things.
Nina Alli:
If we had equitable healthcare where people could take a day off or however much time they needed off to go to the doctor or even telehealth it, oh, my God, to see the doctor, get the care that they need, this would be so much easier. This would be so much easier. People would be better cared for. We wouldn't have so many healthcare issues in this country.
Jen Ellis:
I'm going to just say that as a Brit, I think I obviously have a bias in this conversation. It has always baffled me that a country that prizes quality of life the way that the US does and prides itself on the quality of life that people can achieve in the US does not embrace the concept of healthcare for everybody. That is just a strange thing for me. And look, hey, I will be the first to admit the NHS in the UK is not even close to perfect, although I will say bravo to them for the job that they're doing at the moment and thank you to them.
Tod Beardsley:
Yep.
Jen Ellis:
I want to be careful in how that comes off. I think there are big issues that the NHS faces and healthcare and providing healthcare for everyone is a really thorny subject. It's a very sticky subject. It's expensive and it's hard to do it efficiently. When you create private healthcare and you create competition, everything does become much more efficient. However, you also make a pivot. When you are providing free healthcare to everybody, your emphasis is always on what is the best way to cure people and get them out of the system. When you are competing in the private sector, your emphasis is on how do you treat people and keep them in the system. That is not good for patients. That is not where patients want to be.
Jen Ellis:
You want cures, not treatments, so I think that fundamentally, that is a broken rationale that the healthcare sector deals with that actually is creating a worse quality of life for people, even though arguably the quality of healthcare in the US is better. I say arguably. Obviously, it varies, and again, thank you to the NHS for the amazing job you guys are doing at the moment. I wish you were better funded.
Tod Beardsley:
Well, and there's no argument, right? It just seems settled. Like you're saying, there is no economic argument that's sustainable. It's impossible to argue in good faith that privatized healthcare brings better outcomes, for dollars, for time, for quality. There is no argument for it at this point. We've been down that road. The only solution, the only explanation I can come up with is like, well, there's an evil force that wants to have privatized healthcare for racist and misogynistic reasons. That's what I'm left with. Tell me I'm wrong.
Nina Alli:
For a long time, I went to the Veterans Administration, so Veteran Affairs, for healthcare. And it's the closest that this country has to socialized medicine. I'm not saying it's great, but as a female, as a Latin woman, I had an IUD put in and I almost died from it because apparently my body is like the 0.3% of people that don't want it, so my body was shoving it out and I was hemorrhaging. My physician, I went back, I think, after 28 hours. Primarily, the 28 hours were not because I didn't try. I was actually told, "We don't have any doctors here today that can help you." And I was like, "Whoa, just get a surgeon." No, that was a literal conversation I had with my physician. So I went in the next morning.
Nina Alli:
I had no appointment, just went in. My physician saw me in the waiting room. They still do like last name stuff there. So he was like, "Insert last name here, why are you back?" And I said, "Because, sir, something is wrong. The IUD is just not right. Something is happening. I am unclear." And he said, "What are your symptoms?" I gave him my symptoms, one of which was pain. And he said, "Is this a pain you can learn to live with?" That is the way the military treats you. And I looked at him and said, "No, sir. This is not something I will learn to live with." And he said, "Let me see if my next patient comes in." The next patient did not come in. He took this out and insert graphic notice here. I'm there and he's got the paper thing in between me and him.
Tod Beardsley:
Yeah.
Nina Alli:
It was covered in blood because when he pulled the thing out, I had hemorrhaged so much that I just spilled out blood everywhere. I ended up with, he was like, "We need to give you meds. We need to take care of this." I was like, I would have died if I had not been so persistent. That's such an issue of being heard in medicine. I have another story about him, because he was not the greatest doctor ever for me. I ended up switching, but I had found out through some DNA analysis of my own. I was like, "Hey, I need this test." And he's like, "You don't need this test." I was like, "I am not asking you, sir. Please give me this test." When he gave me the test, legitimately I was 30 times, this one hormone was 30 times higher than it should have been. And he's like, "Well, maybe that's an anomaly." I said, "Okay." So we did it again.
Nina Alli:
It was still 30 times and we found what was going on. Again, one of those situations where I had done so much of my own research on myself that I could take the information into him and say, "This is wrong. I am not asking you. I am telling you because you're the... I totally get it. You're the one with the degree. You went to school for this. You know so many things. However, I am the expert on my body and I'm not asking you. One of us is going to find a way through this," so that happened, and I switched doctors after him.
Jen Ellis:
I think something people often lose sight of with health care is that what we know is based on what we've seen before and what we have then educated people on having seen before. At any given time, people can see something new that they've never seen before and they can draw erroneous conclusions based on things that they have seen before. That's why it is really, really important when you go in, just bear in mind that, much like, and I'm sorry that I'm going to do this. This is a little cheesy, because I'm about to make an analogy to cybersecurity, but much like cybersecurity, when you're diagnosing the problem, it isn't actually always the case that there are a finite set of circumstances or explanations or reasons. It's entirely possible it's something we haven't seen before, some set of circumstances. That's why we're getting some crazy experience. I think it is really important to just keep pushing back and keep trying and figuring it out, but it is hard. It's really hard. You have to be a huge advocate for yourself.
Nina Alli:
You need to have relationships with people. When the Biohacking Village folks and the citizen scientist and the DIYbio folks come together, it's not like we're all security people working on a thing. It's, okay, we need a biochem person and we need a bioengineer and we need bio whatever. And we need a security person and another programmer and we need a doctor and we need all of these things because we understand the concept of, I can't do this alone. There's no way that I know enough to make this on my own. Something else that I continue to think about when it comes to medical devices again, pacemaker, because it's easy. Let's make the analogy that it's very similar to an iPhone. Would you shove an iPhone into your chest and be like, "I got this. Good enough." Absolutely not. Nobody would.
Tod Beardsley:
Only if your doctor is the Joker.
Nina Alli:
I don't know if that's a movie reference. I don't watch a lot of movies. Okay.
Tod Beardsley:
Yeah.
Nina Alli:
I definitely need to watch more movies and I have a list. I just, I don't get to them. I know, I know. Your Dark Knight thing that he shoved a phone into somebody's chest, there's so many mechanics and so much science and things that go into making a pacemaker. You have to make it so that it's insoluble. There's no water, no blood, no chemical reactions, because you have liquid tissue, right? Your blood is liquid tissue and it changes pH throughout the day. Minute by minute, it can change based on your food and environment and hormones. People have to take those things into consideration. When you're making a medical device, it's not just, "Let's just program a couple of things and put it in a hard case and shove it into somebody's body." There's so much more that goes into it, and I think people lose sight of that when we're talking about how to secure something and how to build things. There's so much detail.
Nina Alli:
Here's my last throw down. When I give talks, I ask people in the room, who's an engineer? Who does software? Who does security? Who's a clinician? Who's a patient? Two people raised their hands, and I'm like, "No, everybody is a patient. You are inherently invested in this talk."
Jen Ellis:
Tell you what, everyone's a patient now. And on that gloomy note, Nina, thank you for joining us.
Nina Alli:
Thank you for inviting me.
Jen Ellis:
I'm certain you'll be back. I look forward to seeing what you do with taking the Biohacking Village virtual this year.
Nina Alli:
Me, too.
Jen Ellis:
Which is what you're doing, right?
Nina Alli:
Yes.
Jen Ellis:
As part of the virtual DEF CON?
Nina Alli:
It's going to be virtual. We're going to see how that goes.
Jen Ellis:
Good luck, and I will speak to you soon. Thanks very much.
Nina Alli:
Perfect. Thank you.
Jen Ellis:
So Todsley, what's happening this week in the world of security? Not much, right?
Tod Beardsley:
Oh, it's been a quiet week. Here's the thing: it's like we forget every time. It's like, "Oh, there's a major U.S. holiday? Let's roll out some 0Day, everybody!"
Jen Ellis:
Hooray! What could possibly go wrong?
Tod Beardsley:
We have not one but two, it was attack of the living network infrastructure, basically. It's infrastructure week this week.
Jen Ellis:
I like that, I like that.
Tod Beardsley:
Yeah.
Jen Ellis:
At least it's nice and theme-y.
Tod Beardsley:
Uh-huh (affirmative). We had two fairly terrible vulnerabilities. If you can hear my voice, you should have already patched these by now, and hopefully already know about it. But very quickly, if you for some reason just came back from vacation and haven't caught up on your email, here's the new hotness: one is, it is CVE-2020-2021, which is a delightfully memorable CVE number. It's not 2020-2020, which is weird, because I know the guy who owns that one. He's been holding onto it for something good. This might've been that something good.
Tod Beardsley:
But yeah, this is the PAN thing. This is Palo Alto Networks, and their SAML authentication scheme, so basically Palo Alto Networks, they make a bunch of stuff, right? They make load balancers, firewalls, very switch-y, router-y kind of things. And when you authenticate to it, you have this optional, and this is kind of where the bug is, it is in an optional authentication scheme that uses SAML, which is the Security Assertion Markup Language. It's the non-default way of doing things. It's a fine way to do authentication, but if you want it, you basically know that you want it and you go in and you set it, right? You say, "Yes, I want to do SAML." Everyone's like, "Yay, SAML!"
Tod Beardsley:
Turns out, there is a not-default-on identity provider validation that you should turn on. If you don't turn it on, then you're not doing this cryptographic certificate check, which basically means anyone can fake the SAML auth and then they can authenticate ... unauthenticated users basically become authenticated users. So this is bad news for security.
Tod Beardsley:
Yeah. And that was kind of the tricky thing about this vulnerability, it almost feels like not a vulnerability because it's just a configuration change to fix it. There was some confusion around it, but basically if you turn on this identity provider check, you avoid this bug completely, because then you're getting all your validation and all that. This was a big deal, people were excited about it, infosec people. It's an edge device, it's important, and the authentication seemed to be not working. But you can configure a way out of this, even if you don't get a patch.
Tod Beardsley:
So that's kind of a happy ending to this kind of thing. It's always nice when you can just configure something and not have to patch something, because that usually means an easier time with your change control review or taking things offline or rebooting things, you know, that are running in production. It's usually a lot easier to do this.
Jen Ellis:
So that was 2021?
Tod Beardsley:
That was CVE 2021. 2020-21.
Jen Ellis:
2020-21.
Tod Beardsley:
Uh-huh (affirmative), very fun to say. And that was right around June 29, it was the tail ... the very beginning of the week. End of the week was a whole other vulnerability called CVE-2020-5902, and I want you to imagine, I saw this on Twitter this morning, the distracted boyfriend meme of basically everyone was paying attention to the PAN-OS thing, and then suddenly 2020-5902 came on the scene, which is the F5 BIG-IP management console, it's a web console. It's the kind of thing, so F5 is another infrastructure hardware provider: they do load balancing, again, they do firewalling, more router-y, switch-y things.
Jen Ellis:
Oh, router-y switch-y.
Tod Beardsley:
Router-y switch-y. It's like timey-wimey, but networks. And it's in the TMUI, the traffic management user interface, and what this bug ... this is a for-real bug, this is pretty much-
Jen Ellis:
Yeah, this is a category 10, big bad boy.
Tod Beardsley:
F5, they did all the right things, as far as I can tell.
Jen Ellis:
Did they?
Tod Beardsley:
Well, they saw the vulnerability, they got reported, they had a fix, they did a vulnerability disclosure, they moved on with their lives. Other people saw this and said "Hang on, this is the worst possible kind of bug." Let's talk about the bug for a second. It's a web console that you use to manage your F5 infrastructure, and there is a pre-authentication, local file include, remote code execution vulnerability, so you could both, without authenticating to the thing, you could both write files to some arbitrary locations, but more important, you can then read them and execute them and run them.
Jen Ellis:
What could possibly go wrong?
Tod Beardsley:
This is an "upload your payload, run your payload," without any authentication.
Jen Ellis:
This is basically like getting the keys for free, right?
Tod Beardsley:
Mm-hmm (affirmative). It's a bad bug, and people rightfully lost their minds over this, because-
Jen Ellis:
They do like it, though, the way that you talk about it as if it's been a very bad bug.
Tod Beardsley:
All of infosec spent their holiday weekend complaining about this bug, talking about this bug, trying to fix this bug, because there was a patch. One of the knocks against this issue was that this is the kind of web management console you should never be exposing to the internet to begin with. F5 had this exposed by default years ago, but then they had turned it off by default in later updates of the OS, but we still see a bunch of it. We see thousands of these things out in the air. It's not tens of thousands, it's not millions, but it's thousands.
Jen Ellis:
I mean, when you say tens of thousands, it's about 9,000.
Tod Beardsley:
Right. It is less than 10 of thousand.
Jen Ellis:
Right. You are accurate, it is not tens of ...
Tod Beardsley:
It is merely one 10. And the other problem, of course, is that this is pretty ... if you're in the web exploitation game, this is an easy-to-exploit vulnerability, so it came, rightfully so, people were figuring out how this bug works, how could you test for it, but there was a lot of movement, again, over a holiday weekend, which tends to be great for hackers and bad for people with day jobs.
Jen Ellis:
Yeah, people who actually need a holiday weekend, who are exhausted. And particularly right now in the community, where you've got a lot of people trying to do multiple people's jobs with less resources. Yeah, it's been a bad year, it's exhausting.
Tod Beardsley:
This is the kind of thing that we really worried about seeing on the internet, where it's like, oh, we just need to get things to work, everyone's working at home, so let's just expose it to the internet.
Jen Ellis:
Right.
Tod Beardsley:
And I don't think that actually happened, actually, during the time of COVID. But it's the kind of thing that we worry about a lot when we're in this remote situation, because it's a real hassle to pull up a VPN ... a VPN garden to put this thing in so you can do things like manage your F5 infrastructure.
Jen Ellis:
I do like your idea of a VPN garden, though.
Tod Beardsley:
It is.
Jen Ellis:
How does my VPN garden grow?
Tod Beardsley:
It is watered with the blood of hackers.
Jen Ellis:
It's watered with the blood of network admins.
Tod Beardsley:
Well, yes. In this case, yes. The best possible thing to do is get this bad boy off the internet. You do not want this on the internet; even if you had no bugs at all, there's no good reason to offer an authentication. You don't want to offer someone a chance to authenticate, with username and password, to the thing that is managing important parts of your infrastructure.
Tod Beardsley:
The big thing that we worry about is the fact that a lot of this gear terminates TLS exchanges, so I have my HTTPS website and I want to go to that thing. Well, this thing says, "OK, cool, I will handle it from here and I will decrypt it and then send you off on the right way and re-encrypt it and do all that." Well, that whole decryption/re-encryption, if I'm an attacker and I own that box, that means I get to see all the cool stuff. I get all the private keys, I get usernames and passwords as they fly by. I can get a lot of good stuff.
Tod Beardsley:
It is the worst possible thing to own, to get pwned. Great if you're a bad guy, terrible-
Jen Ellis:
I was going to say, or the best, depending on where you sit in this whole thing.
Tod Beardsley:
Or the best. I think penetration testers especially will get a lot of mileage out of this bug over time, this is the kind of thing that you want it exposed, like on an internal network segment, or probably not the internal segment that everyone's on. This thing is a great case for why network segmentation happens, why you want to be real careful about this kind of thing. You might want to set up something where it's like, this thing is in a very isolated network and you have to RDP to something internally after already authenticating from external. This is a multi-hop kind of path to get to this thing, because this is an important thing.
Tod Beardsley:
So those are the two bugs. These things kind of tend to come in twos and not threes, weirdly enough. They're not like celebrity deaths. So that's what we got. There was a lot of drama about it, the drama terminates at the point of patch, and/or get it off the internet and move on with your lives.
Jen Ellis:
Okay, good. Well, until the next thrilling episode, hopefully there'll be no more category-10 0Days and/or celebrity deaths.
Tod Beardsley:
Hopefully not.
Jen Ellis:
So that just leaves it for me to thank you, Tod, for edumacating me, as per usual, and giving us the skinny on what's happening in the world of security. Amazing special guest of the week, thank you so much for coming on, we really appreciate it. Of course, the ever-patient, ever-wonderful Bri! Thank you, Bri.
Tod Beardsley:
Thank you, Bri. Sorry for screwing up your levels right there.
Jen Ellis:
I'm not sorry.