Security Nation, Ep. 18

How the MassCyberCenter Helps Elevate Cybersecurity Initiatives in Municipalities

April 16, 2020

In this week’s episode of Security Nation, we had the pleasure of speaking with Stephanie Helm, director of the MassCyberCenter. In this interview, we discuss how she went from working in the Navy to becoming the director of this new initiative in Massachusetts and how her team is helping municipalities develop incident response plans and getting buy-in and budget for security amidst other priorities.

Stick around for the Rapid Rundown, where Tod chats about Recog, Rumble, and contact tracing amid the COVID-19 pandemic.

Appears on This Episode:

Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Stephanie Helm
Director, MassCyberCenter at MassTech

Stephanie Helm is the first director of the MassCyberCenter at the Mass Tech Collaborative. Commonwealth cybersecurity resiliency and the cybersecurity ecosystem are the top priorities for the Center. A career naval officer, she served for 29 years as a cryptologic/information warfare officer. Prior to joining Mass Tech in 2018, Helm served as a consultant with the U.S. Naval War College in Newport, R.I., providing subject matter expertise in cyberspace, space, and information operations. Her work with the College focused on supporting war gaming efforts to integrate cyberspace operations into plans and operations.

As a naval officer, Captain Helm held numerous leadership roles, which focused on cyberspace operations and information operations, including as Deputy Division Director, Chief of Naval Operations (N3IO) in Washington, D.C. She served a tour at sea from 2001-2003, as the Deputy J2/J39 for the Commander, Second Fleet/Striking Fleet Atlantic. Captain Helm served as the Commanding Officer of Naval Security Group Activity Norfolk and tours of duty with U.S. Central Command in Tampa, FL, the National Security Agency in Ft. Meade, MD, and Naval Security Group commands in California, Italy, and Maine.

She received her B.A. from the University of California and her Masters from the U.S. Naval War College.

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 


Podcast Transcript

Jen Ellis: Hi, and welcome to the latest episode of Security Nation, the podcast where we talk to interesting people doing cool things around security in some way. I feel like I need a new intro, it's getting stale. Anyway, I'm your host, Jen Ellis, I'm Rapid7's VP of Community and Public Affairs, and with me is my amazing cohost, Tod Beardsley. Although he's not with me in person because we don't do that right now. There is no..

Tod Beardsley:

We are not psychotic. No.

Jen Ellis:

Not a thing. We are social distancing so well that we are on different continents.

Tod Beardsley:

Yes, that's right. Six feet, try 6,000 miles.

Jen Ellis:

Take that. Okay. We have a very exciting guest. I always think our guests are exciting. I love them, but secondly...

Tod Beardsley:

They wouldn't be here otherwise. It's kind of a Jen selecting population.

Jen Ellis:

It would be so great if I was like, "This week we have a really boring guest." But it's not true this week. We have a great guest, who is Stephanie Helm, who is the director of the Massachusetts Cyber Center. Hey Stephanie. How you doing?

Stephanie Helm:

Great, Jen. Great, Tod.

Jen Ellis:

Thank you for joining us. We appreciate it. The MassCyberCenter... So Rapid7, for those who are not aware, is headquartered in Massachusetts. We are in Boston. Actually right at the TD Garden where the Bruins play, which is a pretty awesome spot to be in and we have beautiful offices. If you're in town, come and have a look. I am not there right now. I am in my brother's attic in somewhere outside Luton, which is a very different thing to being above the garden in Boston. But never mind.

Jen Ellis:

Stephanie is going to tell us all about the MassCyberCenter, which is actually still a relatively new initiative, but a very exciting one. Rapid7 are big, big fans of this. Huge supporters. Before we get into any of that, Stephanie has a fascinating background. Stephanie tell us a little bit about your background.

Stephanie Helm:

Well, I was in the Navy for 29 years, so that usually is sort of an odd thing for people to wrap their head around. I have a degree in Slavic languages and literature and I was recruited into the Navy because of my language background. I became a cryptologist, which is a field that worked with GCHQ and National Security Agency and it was a very interesting line of work. We transitioned into information warfare during the course of my career and I had a number of very interesting tours. I was a commanding officer, I was assigned to the second fleet back in the day and was assigned to a ship then. Got to go to a NATO exercise in the Baltic, which was a lot of fun. Got to do a lot of interesting port calls as well as a lot of good work.

Stephanie Helm:

I had a tour of the Pentagon, the National Security Agency, and I ended up at the Naval War College teaching and then after I retired I worked in the War Gaming Department and I integrated cyber operations into traditional war games. That was sort of my background before I joined the Massachusetts Cyber Security Center.

Jen Ellis:

I mean that's a lot, you've done a lot. That's kind of amazing. Super interesting. I mean you were in the Navy at a time when there really weren't very many women serving in the Navy. Right?

Stephanie Helm:

Oh, that's very true. Some of my best friends in the Navy were fellow women that were... We were often the only woman at a duty station so when you met somebody that was at a different duty station and they were the only woman, you kind of asked each other, "Well, how's it going and what do you do here and what do you do there?" I have a lot of good male friends and colleagues from the Navy as well, but there's just a special bond when you're kind of the first one to do a lot of different things. That sadly was the way it was in many cases in my career being the first here or the first there. Then by the time I retired happily, there were a lot of women in the Navy and we were on ships and on aircraft and then later they were on submarines. More fully integrated now than when I joined for sure.

Jen Ellis:

We have... One of our coworkers that we love and work closely with, Deral Heiland, who's the head of our IoT practice, he was on submarines for about 20 odd years and I frequently have conversations with him where I just stare at him and I'm like, I don't understand how. How are you not insane? How did you do this? It's like my worst nightmare. Yeah, it takes a special person to be able to do that. I think. All power to you. Yeah. Let's talk about the Mass Cyber Center. How did this whole thing come about?

Stephanie Helm:

Well, it was an idea that came after Gov. Baker visited Israel. It's one of the only outside of the United States trips that he's taken since he was governor. He looked at Israel and the health sector that was there as well as the cybersecurity sector and he kind of came back and said, "We can get our act together. For Massachusetts, we've got a lot of the elements that are really, really supportive of a good cybersecurity ecosystem and we need a focal point for the state that kind of can help us do that." So the center was established in 2017, and I joined the center in 2018. I was the first director and then subsequently have hired two employees so there are three of us. But one of the things that helped the center get established was a thing called the Massachusetts Cyber Security Strategy Council.

Stephanie Helm:

Adm. Mike Brown, who's a retired admiral who I worked with on active duty, he's the president of the council and it was created with really great people that are so supportive from academia, from the private sector to help me kind of get guided as the center was established. So Corey Thomas is a member of the Cyber Security Strategy Council and when you say Rapid7 is a special friend, I have a lot of special friends in that council that have helped me along the way. From things like trying to create a mission to try to understand where the strategy ought to go to and then as we've tried to plan and execute key activities, the strategy council members have just been super helpful with providing input in guiding me through this as well as providing their personal support or resources to help events happen.

Jen Ellis:

It's been two years and I'm sure that it's been a crazy two years in that time.

Stephanie Helm:

Oh my gosh, yes.

Jen Ellis:

By the way, congratulations on hiring. We should give a special shout-out to your team, who are fantastic.

Stephanie Helm:

Yeah, we're a team of three. The strategy that we have settled upon, there are three main efforts in the center. One is dealing with the ecosystem, which is, looking at all of the riches that Massachusetts has in terms of cybersecurity between companies and academics and which has a good talent pipeline and research that's ongoing. As well as a lot of startups and a very vibrant investment community that looks to trying to capture new ideas and innovation and help them grow and get integrated and connected with other parts of the cybersecurity ecosystem to make it really good. Ecosystem is one priority that we have.

Stephanie Helm:

The second one is resiliency for the state. Looking across the state as well as municipalities as well as citizens. Then the third one is just a general outreach, communications awareness about what the heck is cybersecurity and why should I care and what can I do about it? I would say that's a very important element of what we do because it seems to be very daunting to people outside of cybersecurity or the IT world. They are not technical in nature perhaps so they're resistant to getting the whole spiel because it very quickly loses them. I think one of our elements has been trying to create awareness that is approachable for people so that they can better understand what the issues are related to cybersecurity. So those are the three priorities that we have within the center.

Jen Ellis:

Yeah. Those are all really, really important things. How's it going?

Stephanie Helm:

I think it's going pretty well. You always think you can do more.

Jen Ellis:

I was going to say you don't sound like you're brimming with confidence as you say that, but then I also know you well enough to know that's partly because you're just a very humble person. You have a little bit of imposter syndrome going. As don't we all in the security community.

Tod Beardsley:

Well, I expect that security people are generally pessimists anyway, right? We all try, right? We all try to be very optimistic about the things that we do. We all see the... We've made such strides here and oh my god, look at these next three mountains we have to climb.

Stephanie Helm:

Right, right. I am looking at... There is a lot of work yet to do.

Jen Ellis:

Well you've... When you say here are our three priorities, they are three massive priorities.

Tod Beardsley:

Yeah.

Jen Ellis:

It's not like you've got small projects. Those are huge that they have many sub-projects, each of them. It would be shocking if you didn't have a lot of work still.

Stephanie Helm:

Yeah, I would say that we've worked an awful lot recently on the resiliency piece for municipality.

Jen Ellis:

Which is great.

Stephanie Helm:

I'll talk a little bit about that because given the COVID-19 response that is ongoing. This is really hitting local governments really in a hard way. There's a lot that they have on their plate and as cybersecurity professionals already know, the adversaries are taking advantage of all of the flux. Whether it be related to the ongoing uncertainty about how the COVID virus is going. Whether it is about people transitioning workforces to work remotely, people losing their jobs and stimulus packages and checks coming in the mail. All of those themes are things that the adversaries are using to try to get people to click on links that they ought not to or to use the new architecture of the remote operations to potentially be an avenue that they can get into somebody's system.

Jen Ellis:

Yes.

Stephanie Helm:

You'd like to think that they would be taking a break, but they're not, and the municipalities are seeing not a decrease in attacks, but if not the same, more. We have continued to try to keep focus on the resiliency piece about where can we be helpful. One good partner that we've had in this process has been members of our resiliency working group. We've got an ongoing working group that meets once a month. There's a sub-working group focusing on municipalities. If you go to our website, it's got a toolkit to help municipalities, which was started long before we got into this crisis, but because we have that resources capability on our website, we're using that to update things such as tips to do teleworking. If you're a municipal leader, here's some of the considerations you might want to take into account as your workforce goes to work remotely.

Stephanie Helm:

If you're an employee, here are some of the things that you should be mindful of while you're working remotely. So we've done information on telework. We've also put together kind of a listing of links of information to resources such as the cisa.gov website, which is the critical... Cybersecurity and Infrastructure Security Agency. They've got information on there about cybersecurity best practices and things that you should take into account and resources that you can use from them. We've got things like the FEMA website that can help you with rumor control. So if you're trying to counter disinformation that you find on the internet, you can check this website. We're trying to be as helpful as we can without getting in people's way and it's a balance, but we know that the municipalities would appreciate to have some additional assistance and as we can do that we want to be helpful.

Jen Ellis:

It sounds like you guys have been super helpful and for an entity that's still relatively new, relatively young, still navigating and to some extent getting off your feet. That's amazing. It sounds like you've super hit the ground running in this particular situation and I think that is one of the better things that's coming out of the COVID situation. I say, "Looking for the silver lining", is that we have seen some really incredible responses from some quarters and it sounds like you guys have definitely used this as an opportunity to jump in and drive value where you possibly can and serve your community, which I think is really awesome. So thank you for doing that.

Stephanie Helm:

Yeah, thank you. We've also had a lot of good partnership with the Massachusetts Municipal Association because they hear directly from the mayors, the town managers in the select board on issues relating to municipalities. We've partnered with them as well to help us be... Sometimes they're a conduit of providing us information like, "We've heard people ask for this." Then also we've worked with them to try to push information out in a way that might be useful for the towns and cities.

Tod Beardsley:

I do have a question, Stephanie. Who is your audience? Maybe this is a dumb question, is it the municipality workers, is it like political folks, is it people who live in cities and towns? Which is everyone. I'm just curious what your scope of your audience is.

Stephanie Helm:

Yeah, Tod mostly it's... We're trying to link through town leadership to whatever IT resource they might have or cybersecurity resource. Most of the cities which might have a lot of cybersecurity assets that they need to have protected, probably already have a fairly strong IT team and even maybe a dedicated CSO.

Tod Beardsley:

Sure.

Stephanie Helm:

Smaller cities and certainly at the towns, they may not have a CSO, they may not even have a dedicated IT person. In some cases, some of these municipalities are so small the public works director is also the guy that checks the server every now and then or something.

Tod Beardsley:

Sure.

Stephanie Helm:

It may not be that elementary but there are varying capabilities across the 351 municipalities. One of the things that we've heard is that if you're the IT guy at a city or a town, you have a hard time making the case to leadership about why cybersecurity needs to continue to be funded. Some of that is because scarce resources and it's a difficult decision for a small municipality to say I need to buy another dump truck or I need to buy additional cybersecurity resources. Not trying to second guess those decisions, but understanding that sometimes explaining why cybersecurity is an ongoing initiative that has to be resourced in order for it to be effective, it's not just by one thing and you're done. It's the people, it's the process and the technology working together on a regular basis to keep you safe.

Stephanie Helm:

The other thing I think we've tried to do is tried to help make at least one thing as a priority for all the municipalities. That has been having an incident response plan. We think that having an incident response plan, just the process of planning brings up a lot of issues within a municipality as they put that plan together. At Mass Cyber Center, we're part of the Mass Tech Collaborative, which is a quasi-governmental organization under the Executive Office of Housing and Economic Development. We've got a contract that's about ready to hit the street as a selected contractor that's about ready to go create workshops throughout the state, designed to have municipalities come together and using a template, create their own incident response plan.

Stephanie Helm:

We're hoping that by providing a workshop environment that the town, the leadership as well as the IT, as well as the cybersecurity people coming together to figure out what that incident response plan needs to be for their own individual municipality and how it fits in with their broader continuity of operations and their larger risk decision making processes within their city or town. We think that is the way that we can help through the workshop communicate not only with the town leadership but the IT and the cyber-folks.

Tod Beardsley:

That's fantastic. I was involved in a project for some Massachusetts municipality government things just a little while ago. That was when I first learned this whole devolution of power throughout Mass... Massachusetts is rabid about local governance to the point where basically everything... The buck stops at the town manager basically. Right? So listening to you talk has really helped me come to terms with like how Massachusetts does things because it's not just these guys. I've always, like in the past couple of months I've come to realize town managers are often choosing between updating Windows licenses or filling potholes. That's kind of a... That's called wild budgeting process. But the fact that you're there to help them, especially with things like incident response plans, that fills my heart with joy and I'm very happy since my company is headquartered in Massachusetts, I'm glad to hear that it's not on the brink of chaos all of the time.

Stephanie Helm:

No. Well, you're right, Massachusetts is a home rule state and so 351 different IT architectures and 351 different cybersecurity challenges, right? So you can't get too prescriptive about what you think people ought to do. There's some basic guidelines in the CIS best practices that you'd like to promote, but we think approaching each town or city with their incident response plan tailored to their own needs and their own resource availability is very important.

Stephanie Helm:

The other thing is this is recognized by the state and there's a program called The Community Compact, which is where municipalities can make an application that says, "I would like to embark on improving my IT infrastructure or my cybersecurity infrastructure." They can make a proposal to the state, get money for that, and then be able to fix some of their own identified problems. That program is independent of what we're doing, which is why we selected the incident response plan because we think it dovetails nicely with other elements that the state is already trying to do through The Community Compact.

Stephanie Helm:

Then the Executive Office of Technology Services and Security. They also have grants that they've awarded to support cybersecurity awareness training for employees in different municipalities. There are elements across the government to try to reach out and help and we're working together within our organizations to try to synchronize all of our efforts including things that are done at the public safety level to kind of come together and say, "Here's a menu of things available to you municipality, we would like to help you be better resilient in this area."

Jen Ellis:

One of the things that you've hit on a lot in that and is a big theme that I think is a common theme for security professionals regardless of what particular world they are working in, is these themes around trying to get buy-in often from a constituent that is perhaps not as sophisticated on security or as immersed in security as the security pro is who also perhaps is trying to balance other priorities, other demands of budget, other considerations for the organization. Having to try and bring many stakeholders together and get people on the same page and working together, which obviously in the world you're in there's a huge amount of politics associated with that as well. It's called politics in fact. But politics exists in any environment where you have groups of people. So it's just as true in the corporate world as it is for you. What advice would you give to people who are trying to get some sort of project, some sort of security project off the ground and get buy in from other stakeholders and are struggling to do so?

Stephanie Helm:

Well, I would... I'm not a technologist, right? I am the Slavic languages and literature person. So I...

Jen Ellis:

You spoke Russian to them and they gave in. Is that what happened?

Stephanie Helm:

Well, I trained in the cryptologic field, which is highly technical and I had to learn how to grasp what the technical issue is and try to translate it so that I could understand it myself. Right? I'm not naturally embedded into that technology field. I think that's one of the things that many times when the IT or the cybersecurity person is trying to convince someone of the importance of what they want to do, if it can easily get into language that the person that they're trying to convince is not a member of that language. So translating that, and I'm not talking about dumbing it down. I'm talking about making it approachable because the person they're talking to probably also knows a lot about the wastewater management system and patching roads and finance. There's a lot of complexity to running these municipalities and this is also important and it has to be presented in a language that is consistent with other decisions that they're making in the town.

Jen Ellis:

Yep.

Stephanie Helm:

So that is, I think, one step. I've actually found most of the people that I'm working with in this resiliency working group, they are pretty good about translating it. So I think many of them know that's what they have to do. Then it is trying to be compelling about why the investment that you're going to make in this area is as important or more important than some of the other investments that they have. That goes into more broadly understanding what risk calculation is a senior making right now when they're talking about their budgeting and resources. Is it a health and safety issue? Is it a finance issue? A human resources issue. Many people say, "We ought to look at cybersecurity as if it were a utility. Much like water, much like power, much like road services." The problem is when you have a parade, Brewster in Bloom or whatever in the spring, you can't run your cybersecurity program down the street the same way you can do a fire engine, right? Or the... Right?

Tod Beardsley:

To be fair. Not much of a problem today.

Stephanie Helm:

That's true.

Tod Beardsley:

Unless it's a very long parade with lots of space.

Stephanie Helm:

Sadly, because of today, because of our huge dependency right now on connectivity remotely, understanding that, yeah, I don't want anybody Zoom bombing my video or getting into my system. I think everybody intuitively understands that this is an important issue and we're not always going to get as much as we want, but I think we have to be at the table and we have to be engaged. I think that would be where I would say.

Jen Ellis:

Can we just momentarily... I think that's great advice, but I just want to momentarily reflect on the fact that Zoom bombing sounds way too friendly and fun for what it is. Like I don't think they've done themselves a service here with this term. I think everyone's like, "Yes, Zoom bombing!" No, it's a bad thing.

Stephanie Helm:

Yeah.

Jen Ellis:

Not a fun thing. Anyway. I think that's great advice. Thank you. I'm really glad that you are working through all these issues and getting the buy-in and thinking about how to slot in with what drives value for them. Anytime that you want to parade, we will just get a lot of dudes in black hoodies for you.

Stephanie Helm:

There you go, the black hoodies.

Tod Beardsley:

Perfect.

Stephanie Helm:

Right. We could totally make this work. We can totally do a half a parade, but just understand that their slogans are going to be very snarky on the placards that they're carrying and they're not going to look like they're having fun, but they will probably be having some fun.

Tod Beardsley:

So mean, Jen.

Jen Ellis:

Yeah, Tod would actually come and he would have fun. To wrap up, one of the things that we always try and do on the podcast is we try to give sort of practical advice to people who are interested in running their own projects in some different area. Now it's probably unlikely that we're going to have too many listeners who are like, "I want to go and build resilience for a state." Or who are even in a position to be able to do that. But we may have some people who are security professionals who are interested in helping their state become more secure and offering their expertise. What would your advice be to people who are in that situation? Who want to get involved in their state but aren't really sure whether their state would be interested or what's the best avenue?

Stephanie Helm:

Well, I would say if we were talking about all politics are local, cybersecurity issues are local and many of the folks that are on the strategy council have mentioned that I live in a town and I talked to my town management about where are we in cybersecurity. Not everybody has somebody in their town that has reached out to either the town manager or even the IT coordinator for the town to offer just to be a mentor or even just, "How's it going?" Kind of a thing. If you live in a town and you care about cybersecurity, maybe check out what the town meeting is like and maybe what your IT folks are up to. Maybe you can offer some suggestions. Now, in some cases, maybe they are not in need of help, but maybe they're, you never know at some point in time when there's a contingency and they're like, "I really sure could use somebody to run this by as a thing."

Stephanie Helm:

That's Massachusetts. Everybody lives somewhere and whether your IT infrastructure for your city or town is governed by your county or by your city, maybe that's an opportunity to help. I think just engaging and listening. One of the things that we did last fall was a listening tour. Part of cybersecurity month is going to be probably an event where we can bring municipalities together and talk about what the issues are. We had cybersecurity week last year in the middle of October and we held an event for municipalities. We learned an awful lot. We had some input, we thought we knew what the problems were, but it was... It was really important to hear in their own words what their challenges were that they were facing every day and where they thought we could be helpful. So asking the question and listening to what the problems are may be a very important step as well.

Jen Ellis:

That's great advice. Thank you. I appreciate it. Again, congratulations on the progress that you guys are making. Thank you for the work that you're doing. Rapid7, as you mentioned at the start, have been trying to support as much as possible because we think it is a fantastic and important initiative and that you guys are doing really awesome work and we particularly appreciate that it's in our backyard. So thank you and we look forward to continue to work with you. So yeah, thank you. Thank you so much for everything you're doing Stephanie.

Stephanie Helm:

Thank you. Thanks for all your help.

Jen Ellis:

Okay, so thank you very much again to Stephanie for coming on and telling us about what she's doing for the Commonwealth of Massachusetts and also thank you to Stephanie for what she's doing for the Commonwealth of Massachusetts.

Tod Beardsley:

Not just talking about it.

Jen Ellis:

Exactly, actually doing stuff. We love people who actually do stuff.

Tod Beardsley:

It's kind of the theme of the show.

Jen Ellis:

It is kind of a thing for us. Yes, it's a crucial point. So what else is happening in the world right now, Mr. Beardsley? I hear that that thing is still happening, that COVID thing. Still a problem.

Tod Beardsley:

I feel like we're settling on the unpleasantness, is something to call it.

Jen Ellis:

The unpleasantness. Oh, I like that. It's so ...

Tod Beardsley:

It feels a little British.

Jen Ellis:

It is very British, it is, but also Southern. It seems very Southern to me.

Tod Beardsley:

Yeah, it does. So yeah, there is a mashup of culture there. Well, there's a couple of things I want to talk about. One, I want to give a quick plug to the Recog Network Fingerprinting Framework. I read a blog about it, if you just google Rapid7 Recog, you can read all about it, but basically Recog is currently my favorite open source project that Rapid7 helps out with. It's not Metasploit anymore.

Jen Ellis:

What?

Tod Beardsley:

Yeah, Metasploit has grown up, left the house, they're finding out who they are now in the world. Recog is still at home though. Recog is the forgotten middle child that has suddenly been noticed.

Jen Ellis:

Are you sure that Recog wasn't the surprise baby you didn't expect but now you're just in the place where you can have fun with it?

Tod Beardsley:

Oh, no, no, no. We've got hundreds of those. We actually do have hundreds of open source projects. It's shocking how many we have, literally hundreds. I think it's like 200 and something.

Jen Ellis:

Are we open source junkies?

Tod Beardsley:

A little bit but Recog is probably the third ... I describe it as the third most popular open source project that we have.

Jen Ellis:

Wait, what's the second?

Tod Beardsley:

Meterpreter, which is the Metasploit payload, so you can talk about it as part of Metasploit, but it is its own different thing you can use ... and people do use Meterpreter by itself. But Recog is great because it is a ... so it's open source, very open source. It's 2-clause BSD, for the license people who care about that kind of thing, and it lets you fingerprint devices and services. It's geared a little bit more towards devices than individual services. If you listen to this podcast you probably know about Nmap. Nmap is wonderful. We all love it and we actually license it and ship it and all that jazz, in Rapid7 products. But Recog's stuff is different.

Tod Beardsley:

Like I said, it's more geared towards identifying devices given an XML-based fingerprint library, which is the thing that makes it cool. It's also wrapped in Ruby. So if you hate Ruby and hate XML, this is not the project for you, but if you are cool with either or both of those things, this is very much the project for you. By the way, if you hate it, feel free, re-implement it. It's 2-clause BSD, I don't care. Rewrite it in Go or Python or Rust or whatever, but just use the same fingerprint database because that's the thing that makes it cool. We have like thousands of signatures in there. We use it in Sonar, we use it in Nexpose and InsightVM, we use it in Metasploit, and other things use it, namely Rumble. Rumble is-

Jen Ellis:

Ooh, Rumble.

Tod Beardsley:

Yeah, Rumble Discovery on Twitter. It is the current passion and also money project from HD at Critical Research. HD Moore, who you may have heard of before. He's actually been on the show and he's talked about Rumble and Rumble is pretty ... It's an asset management system that uses fun hacker tricks to identify things, so you can use it to do asset management in your company. A lot of people are working from home today, so I talked to HD and he is offering Rumble for a limited free-trial period right now for people who are transitioning to work at home and want to know what's on their home networks.

Tod Beardsley:

But you can help out on a couple different fronts. You can use Rumble to identify all the weirdo stuff that's in your network that you didn't know about, and you can use Rumble to identify stuff that you do know about but Rumble doesn't know about, which tends to mean that there's no Recog fingerprint for that particular device. So you can just pop on over to GitHub, update the Recog fingerprint, and move along on your way knowing that you have helped people figure out what the heck is going on on the Ethernet around them. So that was supposed to be a quick plug. It was a little less than quick.

Jen Ellis:

Well, that's enthusiasm and passion and I am very happy to hear Recog getting some love because it does always end up being slightly overlooked in favor of that other magnificent open source project.

Tod Beardsley:

Yeah. See and Metasploit's got a bunch of rules, man. It's hard to contribute to Metasploit these days without reading a lot of docs. But Recog is fresh and fertile and easy to just jump in, it's a much smaller project so it's easier to get your whole hands around it.

Jen Ellis:

Nice.

Tod Beardsley:

Rather than with Metasploit, you tend to have to pick a spot and focus on that.

Jen Ellis:

Very cool, and props to HD for offering the free limited-term license. So, that's cool. So yeah, if you are wondering what to do to get involved in something, feeling like you're lacking a little bit of community, this could be a good thing for you to do. So get involved, have a look. Okay, what else is happening in the world, what non-Rapid7 things are happening in the world?

Tod Beardsley:

Right. So in tech and security news, I think the biggest thing to get announced, and it's been a rolling announcement, is the Apple and Google partnership on developing contact tracing technology. I don't want to say app, because specifically they're not building an app, but what they are building is an API that works on iPhone, so it's a common language for iPhone and Android to facilitate contact tracing, which is the first thing.

Jen Ellis:

What is contact tracing?

Tod Beardsley:

So contact tracing is, it's something that epidemiologists do. So in the time of an epidemic or pandemic, if you get sick-

Jen Ellis:

How very topical.

Tod Beardsley:

... epidemiologists come in and say, "Oh, you got sick, let's find out where you've been for the last two weeks." People tend to be pretty poor witnesses of their own life. They don't know where they were three, or four, or seven, or 11 days ago exactly. They often forget things like, "Oh yeah, I went to the grocery store to get beer someday." Or, "Oh, I ran into a neighbor nine days ago." Incidentally, this is why eyewitnesses are really not great witnesses, except we treat them as first-class evidence in court. It's a little weird, but contact tracing is important to tell how you picked up whatever virus it is. Obviously we're talking about COVID-19 here. Contact tracing is super hot right now and Apple and Google are throwing in on this, and so that ends the factual part of the reporting, now onto opinion.

Jen Ellis:

Which is, let's face it, what we all care about.

Tod Beardsley:

Yeah. It's interesting to me because there are good cryptographers and people who know what they're talking about who are around the spectrum on this, I don't think it's ... It's not universally seen as a good or bad move. I don't know if it's 50/50, I don't think I'm both-siding this but there are significant opinions pro and con. So the con opinion is it is impossible to do this and also maintain things like privacy and security, it just cannot be done. And the pro is Apple and Google have released the documentation and it's pretty okay, especially in the time of an emergency. So for me at least, I'm landing on the pro side. As you know, I am an optimist and Pollyanna about some things. I do think Apple and Google have some of the smartest cryptographers on the planet. They're not the smartest, those guys work at the NSA.

Jen Ellis:

Hey, they might work for other governments too.

Tod Beardsley:

Yes, there are other wonderful governments that hire cryptographers as well.

Jen Ellis:

It feels like that really stuck in your throat to say.

Tod Beardsley:

Boy, NSA is so A game when it comes to this kind of stuff. But the docs are pretty good, they're pretty solid, and that's point one in favor: they have released docs and they've released the entire framework. Point two is that it's a framework and not an app, so it is an API, it enables application building. If it does screw up, it will almost certainly be the app's fault and not the API's fault. So when you're building software, you build an application and that's the thing that has the buttons and the thing that people touch. Almost always, it leverages some onboard API. So that is written by the maker of the operating system, or the mobile operating system. So in this case it's Apple and Google for iPhone and Android.

Tod Beardsley:

So they're basically making it easier to do contact tracing through Bluetooth touches. So you may not know this, but your phone has a Bluetooth radio and it's always pinging out and it's always saying like, "Hey Bluetooth friends, where you at?" Even when you're out and about. What Apple and Google are doing is making you able to use that Bluetooth signaling in a reasonably, which is a matter of opinion, reasonably secure way.

Tod Beardsley:

So it doesn't do things like, I don't know, upload all of your stuff to a central database so everyone can paw through it and find out where you've been for the last month and a half. That would be generally bad.

Jen Ellis:

What if you're like me and you consistently turn your Bluetooth off?

Tod Beardsley:

Then you would be opting out, which is the point here, is that Apple and Google are very much making this kind of an opt-in, it is a voluntary regime that they're offering here.

Jen Ellis:

The word "regime" rarely sounds very voluntary.

Tod Beardsley:

Well, we'll see how voluntary it really is, though. In all likelihood, any app that ships is technically voluntary. I can envision a future where it's like, sure it's voluntary. Just like having a credit card is voluntary. Good luck participating in modern society without some kind of credit card or a Social Security number or something like ... It's voluntary but with teeth. Generally speaking, I trust the API but like I said, there are informed opinions on both sides here. This is not like a climate change both sides, some scientists disagree. You can go look up your own references. I think the most cogent argument I've seen saying this is a bad idea is from Moxie Marlinspike, who has a super fun name to say.

Jen Ellis:

And is a giant privacy advocate, so that makes sense.

Tod Beardsley:

He's a privacy guy. He's the force behind Signal and he's a top-notch cryptographer that does not work at the NSA.

Jen Ellis:

What? How is such a thing possible?

Tod Beardsley:

I know, right? No he is, he is top-notch and he has concerns. The main concern I have about this stuff, that I think Moxie talks about, is the ability to basically be a jerk using some of these apps. I'm reminded strongly of the kids in Wuhan in China, where they had shifted to a school from home setup and-

Jen Ellis:

Did you just correct yourself from using the word regime?

Tod Beardsley:

I felt like I was using the word regime too much. So they moved to work from home and they figured out that if they downvoted the app that they got their homework on, they would no longer get homework. So they all just gave DingTalk, which is the app that gave their homework, this one-star review, and it got yanked from the Apple Store. So this is an example of oh, okay, so creative people are going to jack around with this data a lot. I can totally see high school kids saying, "Oh, I'm really not interested in going back to school. I like this school from home thing. So I'm just going to flood it with a bunch of false positives. I'm just going to keep saying that, 'oh yeah, I'm totally infected, I'm infected and also I've seen everybody and they're infected too.' " And just slamming out a bunch of bad data.

Jen Ellis:

Cunning.

Tod Beardsley:

Yeah, yeah and this is exactly what happens when you have an anonymous platform, it's the 4chan of contact tracing. So not super great, so that would be a downside. But again, this is something that an app could mitigate or an app might say like, "No, no, no we're going to not let you be anonymous too for it," or whatever and people are going to have to decide whether they want or not. If it is truly voluntary, you're going to have less opt-in, but maybe that doesn't matter because maybe you only need maybe 10% or 15% to opt in and make it useful. I can tell you, epidemiologists love this kind of thing. This is the kind of toolset that epidemiologists of the past wish they had. It's like, "Wait, you are carrying around a device that is recording exactly who you were near for the last two weeks," and that is gold for ... assuming that you don't muck with the data that is, that is real gold for people doing contact tracing.

Jen Ellis:

It does seem though that the data piece feels like it's key.

Tod Beardsley:

Yeah and that's the thing. You have to assume that the people using it are altruistic, they want to help. I think you can probably box people out if it's shown that they're giving a lot of false data, it's like, "No, you're a jerk. You don't get to use this anymore and sorry, we just don't get to do it."

Jen Ellis:

Are you proposing a pop up that says, "You're a jerk."

Tod Beardsley:

Yeah. Stop being a jerk, come on. I mean, we're trying to get back to normal here. You can have a system where ... Like a credit card, you don't get to participate in society without this thing so it's not really that voluntary. This is what they're doing in Wuhan now.

Jen Ellis:

Yep, that sounds not very voluntary at all. That's true.

Tod Beardsley:

It's not. So in Wuhan right now, they have this notion of a green, yellow, red QR code, it's your health QR code, and you scan it when you go to the subway, or you go to the mall or whatever. If it doesn't come up green, you don't get to enter. So now you have a huge incentive to cheat. So there will be ways to hack it and it'll be a whole thing. So I do think it's on the whole positive, it will make the job of containing future spread easier, but it's not going to ... First up, it doesn't solve the immediate problem of there's basically no testing in the US or UK. So in the areas that you just have continuing upward trends of new cases, it's not for that, but it's also not for that. It is for the future. So we haven't seen any apps that actually use it yet, we'll see how they come out. But on the whole, I think it's neat and I hope and I'm wishful that people will just not be jerks for just a second and give this thing a chance once we're in a position where we could actually use it.

Jen Ellis:

Okay, cool. I'm still not turning my Bluetooth on though, so ....

Tod Beardsley:

It's okay if you do, that's fine.

Jen Ellis:

All right, well thank you for talking us through it a bit, I appreciate it. Again, thank you to Stephanie, our special guest for this week. Thank you to Tod for being an amazing cohost yet again and plugging Recog to everybody, and thank you to our amazing producer, Bri, who is self-isolating but has not managed to figure out how to isolate herself from us just yet. We hope that you guys are all doing well and we look forward to the next episode. Thanks.