Security Nation, Episode 8

From BlackICE to Typed Advice: Rob Graham Talks What It Takes to Write a Cybersecurity Textbook

October 11, 2019

 

In this episode of Security Nation, we speak with Rob Graham, founder of Errata Security Consultancy, well-known security blogger, and soon-to-be book author. In it, he talks about the process of creating (and naming!) BlackICE, and his new efforts to write a book “out of spite” to right the security wrongs he is seeing in the industry. Rob also shares some of his writing process and advice for others looking to take on similar projects. 

Also, join Tod for the Rapid Rundown where he discusses how security pros can weigh in on election security through the Election Assistance Commission’s 2020 Election Administration and Voting Survey (2020 EAVS) and IT-ISAC’s request for information in the Election Industry SIG. Tod also reveals some key findings from Rapid7’s latest Industry Cyber-Exposure Report (ICER), which examines the level of exposure in top German organizations. 

If you like what you hear, please subscribe below! We release episodes every two weeks, each featuring a new guest who is doing something positive to help advance security. Our next episode will be released Friday, Oct. 25. 

Appears on This Episode

Jen Ellis
Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Robert Graham
Robert Graham
Owner, Errata Security

Robert Graham has written several cybersecurity tools, including the first intrusion prevention system in 1998 known as BlackICE. More recently, he's written tools for sidejacking HTTP connections, and masscan, for scanning the internet at scale. He frequently blogs on cybersecurity-related issues at https://erratasec.blogspot.com, and has many tools at https://github.com/robertdavidgraham/

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 


View all Security Nation episodes

Podcast Transcript

Jen Ellis: Hi and welcome to another episode of Security Nation, the podcast where we chat with people who are doing cool things to advance security. I'm your host, Jen Ellis. I am Rapid7's VP of Community and Public Affairs, and my co-host is the fabulous Tod Beardsley. Hello Tod, how are you doing?

Show more Show less

Tod Beardsley: Hello, Jen. I'm doing great.

Jen Ellis: In this week's episode, we're going to be joined by our good friend Rob, Graham, and we’ll be chatting with him in a little bit. First, we’re going to do the Rapid Rundown and Tod is going to educate me on some stuff that’s happening in security right now. So what’s happening with you, Tod?

Tod Beardsley: Guten tag! I am coming at you from Nuremberg, Germany, where I am at ITSA right now, but I'm going to be talking about U.S politics instead at this Rapid Rundown. Are you ready?

Jen Ellis: Yeah.

Tod Beardsley: Yeah. All right, good, Fräulein! Yeah. So, this week was announced at the Election Administration and Voting Survey for 2020 by the Election Assistance Commission. And this is a survey that the Election Assistance Commission is putting together to send out to election officials to figure out all kinds of stuff, ranging from registration to like voter experience. And the reason why I bring it up today, security and technology. And there is an open comment period right now. It opened this week and it'll be going through I believe Dec. 21. So if you're a security mucky muck and care about things like election security, you should comment on this thing.

Tod Beardsley: We have a link to that in the show notes and I bring this up in particular because there's not one but two requests for comments going on. The Election Assistance Commission thing is one. The Election Industry SIG, which is a tiny little sub-group in the IT ISAC is also looking for comments on the election industries. They're calling it like an open coordinated vulnerability disclosure program, which is really big news, actually. It is I think the first time that all of the major election equipment vendors have acknowledged that yes, there are bugs. Yes, they don't know about all of them. And yes, they know you know about them. And so, they are looking to build this thing and they're very much looking for requests for comments. So if you have any background or interest in vulnerability disclosure on voting machines, all the way up through like voting management systems, give that a look. That was announced a little while ago, but time is running out for that one. The comments close on Oct. 21 So get on it. It's a great opportunity.

Jen Ellis: That sounds like a really big deal.

Tod Beardsley: Yeah. It's a great opportunity for people who are big into election security and voting machine security to no longer just have to vent about it on Twitter. Like they can help shape-

Jen Ellis: What?

Tod Beardsley: I know, right? They can actually do a thing.

Jen Ellis: Oh, that sounds counterproductive, though.

Tod Beardsley: No, no, no. We're big fans of coordinated vulnerable disclosure and it warms my heart. I was in the room when it was announced at the CISA Summit just like three or four weeks ago. I was looking for an opportunity to bring it up here because I do want people to pay attention to this thing. Provide your comments, your experience, your input, especially if you're somebody who has been around the block a couple of times when it comes to vulnerability disclosure. This is kind of new for this industry, but they seem sincere about it, right? And it's everybody. So, like between these three or four companies, they cover like 90% of the election hardware in use in the U.S. So, I think it's a great next step for them. I don't think they've solved security, but they do acknowledge that CVD is a thing.

Jen Ellis: Let's be honest, none of us have solved security.

Tod Beardsley: No.

Jen Ellis: They're not alone in that regard, but this is definite progress, sounds like. It sounds like forward motion. And for the naysayers who say that like nothing ever changes, this is exactly what we need to start seeing progress being made and change coming, positive change.

Tod Beardsley: For sure.

Jen Ellis: So, yay. I love it! This is really cool.

Tod Beardsley: Yep, yep. I think it's really positive, the CVD part. The Election Assistance Commission work is also really important because even just by putting together a survey asking questions about security gets people thinking about security. So, I do think that any kind of expertise that our listeners, who tend to skew pretty nerdy in these areas, could provide would be great. Again, those links should be in the show notes. If you get this through iTunes or whatever normal podcatcher of your choice, click through those. The first one is that regulations.gov. You can search for it. The second one is that it-isac.org. You can search for that, but they're both pretty near the top of those respective pages.

Jen Ellis: Cool. Awesome.

Tod Beardsley: Yep.

Jen Ellis: So it's all good news in the world today, right?

Tod Beardsley: Pretty much. If you're looking for some bad news, though, we just released a brand-new research report called the ICER for Germany and that is the Industry Cyber-Exposure Report.

Jen Ellis: ICER. It sounds so cool.

Tod Beardsley: Yes, very good. It's part of the reason why I'm in Germany and by part, I mean all. We surveyed basically the top 320 companies in Germany. Everybody that's listed as a Prime Standard company on the German stock exchange and we do our normal exposure measurements for them. So, this is the fifth in a series. We've covered U.S., Australia, U.K., And Japan, and Germany. And so, we're able to take a look at like how is corporate Germany looking. Pretty great when it comes to SMB, not so great when it comes to DMARC, that is the seven-second version of that report.

Jen Ellis: And how does that compare with the other countries we've looked at, then?

Tod Beardsley: The SMB stuff, so like the exposure of SMB and Telnet is vanishingly small in Germany. I think it's the smallest of the five regions. The U.S. is still a little bit of a horror show there, but Germany has gotten the message from WannaCry and NotPetya and Mirai, really, a couple of years ago. So, there's very little exposed Telnet and SMB in Germany.

Tod Beardsley: As far as the DMARC configuration, DMARC is a email security apparatus that hooks into your DNS. Basically says that mail that comes from a domain is actually sourced from that domain. German companies do not care about this. About 91% of German companies surveyed have either no DMARC, DMARC policy set to none, or unusually broken DMARC that doesn't actually do anything. So, they're in a situation even where like they think they have the stuff, but they don't have the stuff. So, that's even worse.

Jen Ellis: Are they using something else to protect themselves against this risk?

Tod Beardsley: I'm sure that they're using components of DKIM and SPF, but DMARC is kind of the name of the game these days. This is like table stakes.

Jen Ellis: Doesn't SPF protect you from sun damage?

Tod Beardsley: Absolutely not. You're looking for Sun Protection Factor. This is Sender Protection Framework, I believe is what it stands for.

Jen Ellis: Oh, easy to use. I make that mistake all the time.

Tod Beardsley: So, I'm sure they have something, but it's not DMARC. And DMARC is the standard. It's been the standard for several years. There are governments around the world who are really pushing to get this implemented all over the place and standards bodies and all that. So if you run a mail infrastructure and you're not running DMARC today, you are behind the curve.

Jen Ellis: So if you're interested in the reports, all of the ones that we've done are on our website in the research section, so you can check out. Once again, those regions are the U.S., the U.K., Australia, Japan, and now Germany. Is that right?

Tod Beardsley: Correct.

Jen Ellis: See, I was paying attention.

Tod Beardsley: We will likely also have like a wrap-up report, like real short at the end of the year that compares all the regions to each other. I mean, we have all the data, so why not?

Jen Ellis: Yeah, sure. Why not? Well, because it's Christmas and we want to get drunk. Okay. So, awesome. And so, does that leave us with going to our special guest?

Tod Beardsley: Indeed.

Jen Ellis: Oh. So yeah, time to welcome Rob. So this week our guest is, as I mentioned at the start, Rob Graham. Rob has a security company called Errata Security Consultancy, and is very known both for the blog that he writes on Errata's website, which if you're not familiar with it, you should check it out. Rob does a great job of going over things that are happening in the security landscape, and he is not shy to share an opinion, which as somebody else who is also not shy to share an opinion, I appreciate that a little bit. It does make some of his blogs quite controversial. You should totally check them out. They're always worth a read.

Jen Ellis: The other things that Rob is super famous for... He's done some pretty cool shit in the past. Some pretty important cool shit like BlackICE, which I think Rob's going to talk to us about a little bit in a minute. And Rob also runs something called Masscan, where he scans the internet, which again, is something that Rapid7 likes to do. So we've got loads in common with Rob, and we like him a lot.

Jen Ellis: He has told us that he is not going to troll anybody, but I don't believe him, particularly as he said that this promise was only good on Sept. 31, so yeah, we know what we can do with Rob's promises on that one. So we wait to see what happens today. Somehow I think I'm going to get trolled a lot today. I think he and Tod are going to go to town on me, so hi! Welcome, guys!

Tod Beardsley: No, not at all.

Jen Ellis: So, Rob, why don't you tell us a little bit about BlackICE since I did a stutter-y job of mentioning it in the intro and it's a cool thing.

Rob Graham: Yeah, so BlackICE was something I wrote 20 years ago. It was eventually bought out by companies, and eventually bought by IBM who then, that's where products go to die.

Jen Ellis: But nobody ever got fired for buying IBM. That's like an actual expression.

Tod Beardsley: It is.

Rob Graham: So IBM's this weird company, it's got its own huge market, but it's its own market. Like, you're either an IBM customer or you're not. And so, there's the outside world and then there's this inside world that's just IBM. So anyway, BlackICE was the first IPS, and was the first in a lot of technologies that are pretty common these days.

Jen Ellis: I'm going to assume that people listening to this podcast know what IPS stands for, but just in case...?

Rob Graham: IPS is an intrusion prevention system. It sits inline, so it detects intrusions, like the intrusion detection system but can also block them. And so we had a desktop version and a network version. And so, if you were in cybersecurity 20 years ago you probably installed it on your desktop. But if you've been in cybersecurity for only the last 15 years, you've never used it.

Tod Beardsley: I have used BlackICE by the way, Rob.

Rob Graham: Yeah, because you're an oldie.

Tod Beardsley: Correct.

Rob Graham: So we did lots of cool things with BlackICE , like user mode network drivers, which for a lot of people they think, "Well, for performance we need to put everything into the kernel." And we did the opposite, we put everything in the user space, including the hardware drivers, and that's how we achieved good performance. And nowadays that's pretty common. So if you look at a lot of network security products under the hood, you look at what's happening with the Linux kernel, but actually all the firewalling and stuff, that's happened in user space, because it's very standard now to use user mode network hardware drivers.

Jen Ellis: Do you think it's a bad thing that every time somebody says "the kernel," I want to make a Colonel Sanders joke? Do you think that that means that my security creds should get revoked? Like, I'm not allowed to work in technology because I want to make a Colonel Sanders joke?

Tod Beardsley: I think you definitely get demerits, so watch your step, Ellis.

Jen Ellis: Are we working on a merits and demerits system?

Tod Beardsley: Mm-hmm.

Jen Ellis: Why didn't anyone tell me? Oh, the stress of it. All right, okay, so it's in the kernel or it's not in the kernel. That's what you said, right? It's not in the kernel.

Rob Graham: So it's not in the kernel. And also how to do parsers... How to parse network traffic efficiently. It's kind of a black art that again is common today, but back in the days, it was very difficult for people to know how to parse traffic. Parse network protocols. It's one of those things, there's a certain way of doing protocol parsing to be safe and fast, and then some people know it and most people don't, so it's not in textbooks and stuff. But it's a known thing but is yet... Most people don't know it.

Tod Beardsley: It's kind of like this InfoSec oral tradition, right?

Rob Graham: Right.

Tod Beardsley: Like, you don't get it in your network programming class but you do get it in your intro to security class.

Rob Graham: And even then people don't do a good enough job on it.

Tod Beardsley: Well, alright.

Jen Ellis: So why did you call it BlackICE ?

Rob Graham: Well, you know when you write software, there's often a code name. So I lifted the code name from William Gibson's “Neuromancer” book because "ice" stood for Intrusion Countermeasure Electronics, that was sort of what we were building. So one of them was called BlackICE , that was the type that would fry your brain because in-

Tod Beardsley: Yes, it will kill you.

Rob Graham: ...in his book, everything has a direct, physical, wired copper connection, so they could send voltage back to fry your brain. Of course, in reality, right after the book was written, everything switched to fiber optics and so that's no longer possible. But anyway, that was a temporary code name for the product that we just decided, well, we'll just make it the product name. And I always felt kind of bad about it, because you're just lifting a name from a book, right? So you're not giving credit to the author and stuff.

Rob Graham: So a few years ago, William Gibson tweeted about how people lift product names from his books all the time. He was talking about Wintermute. Someone had created a product called Wintermute and that was the baddie of the book. And so, he said people lift names from his books all the time, but they're never successful. And then someone tweeted back about BlackICE, how it was wildly successful back in the day. So then, I tweeted back saying I felt kind of guilty about this, and that I lifted the name but never did anything. And William Gibson came back and said, "Well yeah, if you just buy me a new MacBook, we'll call it good." So I bought him a new MacBook.

Jen Ellis: Oh my god, I love that. That's so great.

Rob Graham: A MacBook Air, the highest-end that you could get at the time with like, nope, all the goodies... I never get the-

Tod Beardsley: All the goodies.

Rob Graham: ...the protection plan of stuff, and so I got that. And so it was the most I’ve spent on a laptop, I think, forever because it's more than I did for myself.

Jen Ellis: Is this the story of how you and William Gibson became besties?

Rob Graham: Yeah, and so he sent me a satchel, the Buzz Rickson satchel. He had this Buzz Rickson products in his books that don't exist, so then Buzz Ricksons made the products, and so he sent me one of them. And so, yeah.

Jen Ellis: That's pretty cool.

Tod Beardsley: That's kind of amazing.

Rob Graham: His last book’s got me credited in there for providing computer services.

Jen Ellis: Oh, my god, I love that. That's so great.

Rob Graham: So yeah.

Jen Ellis: Well I'm sure he's a really big listener of Security Nation.

Tod Beardsley: Well, I'm sure he will be now.

Jen Ellis: He's listening to this whole thing and he's like, "Ah, Rob, the times we've had... Me and that laptop." It's amazing. Okay, well, next time that you and he are having like a sleepover and you're braiding each other's hair, let us know. Totally sounds like fun. Cool. Alright. I was going to ask other questions, but I feel like you've basically... Like, can we just talk about that a bit more? Like do we need other stuff?

Tod Beardsley: Yeah. Speaking of people who write books, I hear you're writing a book.

Jen Ellis: Oh, right! This is why we have Tod. He's a professional. I just want to talk about braiding people's hair. Okay. So yeah, you're totally writing a book. Tell us about that.

Rob Graham: Yeah, so I'm writing a book on securing network code.

Jen Ellis: Not the next great American novel?

Rob Graham: It's not the great next American novel, no, but I'm kind of doing it out of spite, mostly because that's really my motivation for most things in life. yes. Because everyone's doing it wrong, and so I want to show how it can be done right. And so a lot of things on how to secure IoT devices and stuff focus on more of the hygiene approach of, like, body odor and not, we're all offended by body odor, but health is not hygiene. Health is just specific things about exercising and eating less sugar and not about whether you take a shower every day. Your neighbors care about if you take a shower every day, but that's not really health.

Rob Graham: And so we had this idea for IoT devices and other stuff that focus on hygiene, which is sort of just like waving your hands over the problem about how to secure these devices. Like the recent thing that Zatco's doing with showing how all the IoT devices don't have ASLR enabled. And that would certainly help things, but that's sort of like hand-waving. Like where do these security problems begin? So ASLR helps you, like when you have a security problem, that you know it's less likely to be exploitable. So, that's a hygiene sort of thing. But where do the security problems begin with, and how do we refactor the code to get rid of them?

Rob Graham: Recently, Exim is a popular email server, which I think your scan was like, 57% of the internet, of publicly accessible email servers, run Exim. And so Exim is a prime example of no amount of ASLR stuff in the back-end and that no amount of hygiene will fix the problem because they've got fundamental core problems they haven't solved.

Rob Graham: What Exim does is they pass all their strings through this generic scripting system, which can have these replaceable variables, like you say, "Put username here," then the default username gets replaced in this string... Or it's actually a full scripting language where you can call function calls and DLLs. It's really nasty, and they pass everything through it, so they pass things like the host name they get from the SNI field and an SSL certificate through this system. So it's not simply a host name... You can supply, actually, a full script as the host name that you're connecting to. And that's really, really, really bad, and it's a common problem that you have throughout the internet on all these projects that people don't define what the input is supposed to be like. This is just a host name. It should only be a host name. They sort of say, "Well, I'll accept anything that's in this field coming through the cell connection and whatever it is, I'll apply no sanity checking, whatever. I'll just pass it on through the rest of the system. Someone else can handle it."

Tod Beardsley: Well, there's a lot of assumptions there, right? Like, yeah, I'm expecting a host name, so probably 63 characters or so, so it'll be fine.

Rob Graham: So whatever, it'll be fine. And if somebody needs something else, they'd probably want it for good reason. And this is the internet from 20 years ago or 30 years ago, this robustness principle of being very lenient on what you receive, and what that means now, and Exim's a great example, is that input is Turing complete. Turing complete is this notion that something is not simply data but a full programming language.

Rob Graham: So a host name is a full programming language. That's now an Exim spec, basically. It was never defined by this, just by the lack of doing any validation on this field means it's a full programming language, and therefore you could hack Exim by providing more than just the host name. And so that's something that again is not taught about parsing. There's this LangSec group of academics who focus on this, but pretty much nobody else, that says that input is a language, effectively, and it controls back-end computation and you should probably know what computation it controls. In Exim's case, they didn't. They just said, "Hey, we'll just take this input, pass it on through this system as a program where I have no idea what happens after this point, so I won't worry about it." But from a hacker's point of view, they can control input, and control computation, and hack the system. So anyway, it's primarily things like this, how do we identify these problems in existing code and how do we refactor them and get rid of these problems?

Tod Beardsley: Well, and how to avoid them in the future too, right? Because this particular Exim bug was introduced three trivial versions ago. It didn't exist before then and presumably it's been squashed, and it'll never come back, right?

Rob Graham: Right.

Tod Beardsley: But that's the problem.

Jen Ellis: Right, right, right. I think that's super interesting. I think that, to your point, I think a lot of people are not thinking of themselves as developers and yet are developing things.

Rob Graham: Right.

Jen Ellis: And so, this problem that you said, where they're using this language and not understanding necessarily what the implications could be, that seems like something we might see more of somehow. Yeah. Cool. I mean, okay, you did it out of spite, but what made you actually get off your spite seat and think, "I will actually invest time and effort into this," and like what's your plan with it? Where do you want to go with it? Is this something that people are going to use as a textbook for university courses? Or, what's the deal?

Rob Graham: For two things, one of which it would be useful for university courses. I know a number of professors, and they don't have a textbook on teaching students on how to secure the code. I mean, there's a few resources, but they tend to be hygiene-focused rather than, "I've got this problem here, this causes issues." Now here's CVEs working backwards. If you didn't have this, you wouldn't have the CVE. So there's not really a good textbook like that, and so I'd like there to be the one.

Rob Graham: And second of all, I'd like there to be something that I can point to saying, well yeah, I go to a company and consult and say, "Well here's a textbook you can read on how to fix your problems." So that I don't have to tell you, you know, verbally.

Jen Ellis: So what you're telling me is that instead of talking to your clients, you're going to point them to a textbook you've written? Brilliant.

Rob Graham: Oh, I'm still charging the same amount, of course. But yeah.

Jen Ellis: Well, presumably, yes, you'll charge them the royalties for the book. Buy this book from Amazon and you will have the answers to the questions.

Rob Graham: So there needs to be a tech second point just saying, "Here's all the stuff that's kind of wrong or superficial doesn't really help you much. Here's something that will that's right." So, it'll give me more opportunity to say what's wrong by being able to point to something that's right.

Jen Ellis: So is it purely focused on issues that are developer side? So it's all about secure by design?

Rob Graham: It's developer side, yeah. Though it turns up into your things on policy and stuff because there's a lot of policy that's not based upon technical resources. They're sort of saying, "Well this sounds good from a policy point of view, I wonder if it'll work," and well, there'll be more texts and more data around, but whether that's actually a good policy or not.

Jen Ellis: When you say policy you mean public policy, not security policy?

Rob Graham: Right. Public policy, sorry.

Jen Ellis: Yeah, yeah. No, I mean, I think that there is a lot of conversation in policy circles at the moment around secure by design and how we can incentivize the right behaviors, and so I think you're right that having better information on what that looks like is helpful for policymakers and having people like you to participate in those conversations and help educate those people I think is positive. So yeah, so cool. So how long have you been doing this?

Rob Graham: Oh, for six months. It's pretty much, I do my walking in the evening for exercise and think about things, and then come back and add it to the text.

Jen Ellis: Nice. So this is your evenings that you're writing away. And how far through do you think you are?

Rob Graham: I've probably written more words than will be in the book, and then I keep paring things down to be more focused on the topic. Because I want to ramble on, like this is all important stuff, but is it really focused on the topic? So yeah, I'm worried about... the Notes file is like, "you know, this is really important stuff, but how important is it to the text?"

Jen Ellis: So you're going to basically provide teaching aids as well for the university courses. I can see it becoming a whole franchise. It's going to be a whole thing.

Rob Graham: Yeah. Well there's a bunch of code I've written, too, and parts are up on GitHub already, of demonstration of like, "Okay, Exim is wrong. Here's what you would do with Exim to make it right."

Jen Ellis: So you're going to have merchandising and everything. It's going to be amazing. All right, this is really cool. So do you have a timeline in mind?

Rob Graham: No, because I'm really bad at such things and it'll probably meander around for a year. It's like Masscan or SideJacking or BlackICE. When I started actually getting serious about it, it'd already been like a year or two into dabbling.

Jen Ellis: I think a lot of people can relate to that. But I think that's one of the big things is taking on new projects is how do you motivate yourself, and how have you been motivating yourself?

Rob Graham: I have no idea. Yeah.

Jen Ellis: Is it just when you get angry about stuff, is that what it is?

Rob Graham: You know, spite is a great motivator.

Jen Ellis: It really is.

Rob Graham: Being able to say, "This is wrong and here is right." Like, I write blog posts and most of them are out of spite. Like this recent Crown Sterling thing of, they say they cracked a 256-bit RSA key in 50 seconds. So, well, I know how factoring works, and so I did it out of spite. It's pretty much download the factoring software and do my own factoring of the keys and it takes about 50 seconds. I mean it's the same, that's pretty much what they did. As far as anyone can tell, they just did what everyone else does and that they get the same results. So, the fact that, how long does factoring an 256-bit RSA key take, that's knowledge that, out of spite, that these guys were idiots. Someone actually needs to do the test and then write it up.

Jen Ellis: You're so living the life that Tod wants to be able to live.

Tod Beardsley: Oh, I don't know.

Jen Ellis: No comment.

Tod Beardsley: I'll argue about the OSI model just as much as the next guy, but I don't know if I'm mad enough to write a book about it.

Rob Graham: Oh yeah, when I'm at the airport, and I've got a three-hour layover or something like that, so I just get into a long tweet stream of what's wrong with the OSI model. Again, out of spite, it's like, it's all wrong, it's always been wrong and the teacher who taught to you knows it's wrong. That's the thing about it.

Tod Beardsley: That's the crazy part.

Rob Graham: Yeah, no one knows what the session layer does, but they continued teaching it as if they do know, as if it's a thing, because it's not a thing. And so all the students end up not knowing what the session layer is, and feeling like something's wrong with them.

Tod Beardsley: Right.

Rob Graham: Like, "If only I were a better student, I would actually grasp this."

Tod Beardsley: Right. "I would understand this dogma that has been handed to me."

Jen Ellis: What? That sounds totally bona fide to me. Work harder, students!

Rob Graham: And the reality is the professor didn't know what it was. They were just regurgitating what was in their textbook and the textbook writer didn't know what it is, and they were just regurgitating what was in something they read.

Jen Ellis: Why are they doing that, then? Why does it continue to perpetuate? Why do we not find better ways of doing it if that is the case?

Rob Graham: Because that's the standard. How dare you disagree with what the standard is. It's the government.

Jen Ellis: Oh, it's dogma, then.

Tod Beardsley: Yeah, it's dogma.

Rob Graham: So you're not allowed to go against dogma.

Tod Beardsley: It's also, OSI is super easy to teach and it's easy to test on.

Rob Graham: Yeah. It's like, "What's layer six of the OSI model?" Layer five, sorry. See, I'm already getting it wrong!

Jen Ellis: Back to school for you.

Tod Beardsley: What is layer five? I don't know, like a session, I'm guessing. I don't know.

Rob Graham: Yeah, so layer five, session, layer six is for contagion, layer seven's out-

Tod Beardsley: Yeah.

Rob Graham: So there is no session or presentation layer in any network, it never existed and it never will exist, and that's something that's still in the model.

Jen Ellis: Okay.

Rob Graham: Because they were the created the model before they created the networks. They were hoping it would exist.

Tod Beardsley: Right.

Jen Ellis: So aside from finding motivation and finding time, have you run into any challenges as you've been writing your masterpiece?

Rob Graham: The thing is, again, is focus, is I want to write about so much. Like, this is a great topic, but I start writing things that are off-topic. Like this is really interesting, cool stuff, but does it really help you solve this topic right here, right now? So I write to write too much.

Jen Ellis: How do you force yourself to have self-discipline around that?

Rob Graham: I don't know. I'm just sort of spiraling in towards the center. It's not disciplined so much, it's just ruthless editing at the end.

Tod Beardsley: I mean, TCP/IP Illustrated is three volumes. So there is that.

Jen Ellis: And each of those volumes is next to your bed.

Tod Beardsley: No, just the one.

Rob Graham: No, no, it's all wrong. So I don't-

Tod Beardsley: You've already burned that book.

Jen Ellis: Oh my god.

Rob Graham: TCP/IP Illustrated, it was already dogma back in the 1990s, and it continued to perpetuate bad... You know, it's not just the session layer, it's all sorts of things, like how do you do byte ordering... That was wrong. One of the epiphanies of programmers when they remember their networking class using TCP/IP Illustrated was, oh my god, integers, we have a two-byte integer. The bytes can be in either order on the network, either left to right, or right to left. And that's a big epiphany for them, that's what they remember from a networking class. But how it was taught was wrong. So TCP/IP Illustrator's wrong.

Tod Beardsley: Oh.

Jen Ellis: So there...

Tod Beardsley: Hot take. Come on, TCP/IP Illustrated. Take that, Addison-Wesley.

Jen Ellis: So what have you learned through the process of writing this masterpiece, Rob?

Rob Graham: I've learned to appreciate all textbooks, because it's a lot of work and I don't know how they happen, because it's really a daunting task. I just thought I'd take some blog posts I've done the past on these topics, and just collect them together and put them together in a book, and it's much more than that.

Jen Ellis: So I like the sentiment very much. I'm super curious as to how this new sort of enlightened view has actually worked in progress for you. Like, when was the last time you picked up a textbook and read it and were like, "I fundamentally disagree with all of this, it's complete BS." Did you have that moment of being like, "No, no, no, I'm going to respect the fact that somebody put their time and effort into this with a lot of work." Or were you just like, "This person's an idiot!"

Rob Graham: Yeah, I've learned that sort of to be a little BS.

Jen Ellis: Baby steps.

Rob Graham: Baby steps.

Jen Ellis: Okay, cool. So if somebody listening was like, "Oh my god, I am totally wanting to write a book about this thing," maybe they're listening to you, and they're like, "I really super disagree with everything that Rob Graham just said. I'm going to write a textbook that goes against everything he says." What advice would you give them? Maybe I shouldn't ask you to give advice to people who disagree with you.

Rob Graham: I would love to see such a thing, because when someone disagrees with you, you learn a lot more than when people agree.

Jen Ellis: I agree with that. Oh no, no, no. Sorry. I disagree. I disagree!

Rob Graham: I make it very easy for people to disagree with me.

Jen Ellis: That is so well put. It's like you're doing a service. You do. You make it really easy for people to disagree with you and I appreciate it.

Rob Graham: Lots of people do disagree with me and a lot of times they're wrong, but sometimes I learn things. And there are things when I'm wrong, and people tell me that, and take the effort to explain to me exactly how wrong I am and it's kind of rude I guess from one perspective, but you learn a lot.

Jen Ellis: I will say, all joking aside, and I do love to tease you, but all joking aside, I will say that I have always found you to be somebody who is very open to listening to different points of view, and also to having the actual discussion and explaining your point of view. And for me with the policy work that I do, we talked about public policy earlier, I have found that to be incredibly valuable, and has helped really sort of refine my thinking and shape some of our policy positions. So I'm super grateful for that. Thank you.

Jen Ellis: And as you say, we don't always agree. Sometimes we get closer to agreement through the discussion, and sometimes we won't. We have slightly different political leanings, but I really appreciate the fact that both of us are quite opinionated people, cough, cough, but I think both of us are people who appreciate having other people help challenge our assumptions. And knowing that we've kind of gone through that process of, "Is this the right thing? Do I really think it? Okay, yeah, I've tested out, I really do think it." Or perhaps, "Oh no, now I've heard that point of view... Actually, that's a great point of view, and I'm going to tweak my thinking," so I appreciate that about you very much. Thank you.

Rob Graham: It's also okay that people disagree.

Jen Ellis: Yeah. Oh 100%, it's healthy that people disagree.

Rob Graham: I can't imagine anything worse than being in a room where everyone agrees with you. That'd be the worst thing.

Jen Ellis: I mean, I always think a little bit of, if everybody knows the stuff that I know, then what's the point of me?

Rob Graham: Right.

Jen Ellis: The point of me is that I have a British accent and I swear a lot.

Tod Beardsley: Right.

Jen Ellis: Okay. Great. Well, Rob, thank you so much for coming on and telling us about your masterpiece. We look forward to reading it. Tod will understand it, I probably won't. And yeah, if we can do anything to help let us know! Tod, as ever, thank you for educating me on all the things and stuff. And Bri, our amazing producer, thank you for putting up with us and making it all work. Check out our next episode where we're sure to be talking to somebody else who's awesome, and have a great week until then. Thanks.