Cyber Scandals And When (Not) To Trust Computers

Desi: Hello, everyone. Welcome to the Forensic Focus Podcast.

Si: With our usual levels of professionalism.

Desi: Yeah, we started talking and I was like, “Let’s start recording”. So welcome, everyone. It’s been a while since we’ve done a podcast with just the two of us, Si. We have done plenty. I think last month was pretty hectic. We haven’t had anything this month that’ll eventually roll out. Last month we did about five or six, I think?

Si: Yeah, yeah. There’s a queue waiting to go out, but other than on Discord, we haven’t had an opportunity to actually sit down and chat about the state of the industry or the state of the world. Actually, let’s not talk about the state of the world. It’s a horrible mess. Let’s talk about the state of the industry. Oh, that’s horrible. No, that’s not horrible. It’s fine. I lie. I jest.

Desi: Well, depends on how you look at it, because there have been a lot of layoffs continuing on from last year across the industry in a lot of it. I don’t know how much it has hit the digital forensic space, and I think government is always pretty safe. When I think about military jobs and policing, if you’ve got those kind of jobs, generally they’re pretty stable.


Si: I’m going to say, I don’t think there’s been any layoffs that I’m aware of, but it’s an understaffed industry as is. Actually, I saw a job advert today on Forensic Focus, I hasten to add, you know, worth going and looking for the Met Police. They were after a video and moving image forensic expert, and they were actually paying a salary that wasn’t entirely terrible for a change. I mean, it’s not as good as it could be, but it wasn’t entirely terrible. It was actually a living wage, which if you’re working and living in London is, you know, kind of important.

Desi: Can I just point out, we also have two fluffy animals on the screen. You’ve got one hanging off your microphone.

Si: I’ve got three of them. There’s a bull here, actually.

Desi: Oh yeah, a bull.

Si: There’s a pheasant.

Desi: Oh, I can’t see it in my view, but other people might pick that up.

Si: I’ve got Darwin sitting on the shelf over here. The sloth lives here and just hangs out on the microphone upside-down keeping track of stuff.

Desi: I like that one. I haven’t named this one, but I got this for talking at BSides.

Si: Let me guess, it was somewhere in New Zealand?

Desi: No.

Si: It wasn’t? Is it not a Kiwi?

Desi: No, it’s an Echidna, okay.

Si: Oh, it’s an Echidna.

Desi: Kiwis are birds.

Si: Yeah, but they have no wings, and thus they are basically indistinguishable from echidnas.

Desi: These are little wings here. No, so I got this for speaking at BSides Brisbane. They had run out of presents to give to the presenters, which was completely fine. And they were like, “You can choose out of an off-brand Lego, or this little thing.” And I was like, “I’m probably going to throw the Lego out, but I will keep this, so.”

Si: Oh, that’s cute.

Desi: And the reason that he’s there is because he was on the bottom of my bookshelf and my dog had got it and it was in her mouth and I was like, “Where did you get that from?” And I forgot that I put him down there.

Si: So what was the talk on? He says going off-topic before we even get to the topic.

Desi: Yeah, so I did a talk on, I think at BSides, yeah, it was taking your tabletop off the table. So it talked about doing tabletop exercises from a consultancy view when I did consultancy incident response, that kind of thing, where it was always theoretical, and you had injects that you went through the slides, and you had people sitting in the room doing stuff. And the whole point was, so if someone says, in this scenario we would go collect firewall logs, and those firewall logs go back 30 days, then that would be an action item coming out of the TTX to go, “Alright, in the next week you have to go collect firewall logs in a reasonable amount of time and then see that they went back 30 days.”

So it validated the processes that everyone kind of said. But then you could break those action points up. So the idea was to collect all the action points and then go, “Alright, over the next two months, we need to achieve two to three of these action points per week.” And then you would come back at the end of two months and go, “What did we achieve? Where did we find there were gaps in the processes?” Someone was away and they’re the only person that can do it because they were on leave and we couldn’t do this process and we realised we don’t have anything documented for it.

It had started when I was working at Dragos doing some of the work there, but then that’s just a generic thing. If you say you can do something, go and do it. If you can’t do it, figure out how to do it and document it. So yeah, very basic stuff, but it was just, the amount of tabletops I’ve done since I left the military is, I can’t count how many I’ve done, and it’s always been someone saying, “Yeah, we can do that”, and I’m like, “Show me your process”, and they’re like, “Oh no, it’s just the two guys out the back, they know how to do it”, and I’m like, “Are they here? Are they on a coffee break right now? Have you got hit by ransomware right now? Are you struggling?” So, yeah, just stuff like that. It was a good talk.

Si: Ah, good. Well, I’m glad. I’m glad it wasn’t me.

Desi: Actually, I think it’s on my YouTube channel. So if people do want to go see it, go check out my YouTube.

Si: That and the sweaty Cyborg’s eyes. I mean, that is still, you know, the niche of niches that I think is brilliant. So, you know.

Desi: I’m trying to get nerds into fitness. I think you’re part of my fitness thing on Discord, so you’re always lifting strongman stuff now.

Si: I am back into training. I’m not competing this year, but there’s a competition going on, so we’ve got a whole bunch of equipment in, and it’s like, okay, so how does this work, and how is it actually going to work in the competition? Simon, go and lift that up. I was like, okay, fine. It’s a car. Let’s do that. That seems like a reasonable thing to do of a day.

Desi: If people are interested, join my Discord, and you can watch Si deadlift a car.

Si: If you are genuinely interested, the competition is running in Oxfordshire. The website is oxfordshire.rocks. If you go there you can see on the rules page there’s a video of me doing three of the events and one of the gym owners doing two of the events. But I’ve got the car deadlift. What have I got? Car deadlift.

Desi: The little pivot thing?

Si: Yeah, the pivot thing: Conan’s wheel. And then I’ve done something else on there.

Desi: The axe hold?

Si: Oh yeah, the bloody axe hold. That thing is horrible.

Desi: The sun is shining. You put your back against the wall and hold like 20 something kilos up.

Si: Yeah, so it’s a static hold of a trophy axe which actually I sponsored the competition for a couple of years back, I bought one of those. I now regret it because they keep coming out and they keep going, “Here, take this and I’ll film you”.

Yeah, it’s a 20-kilo static hold. It’s very weird how different the shape of a weight makes it. I can do a static hold with a weight plate with both arms out like that for a hell of a lot longer for a 20-kilo weight than I can with a dumbbell like that or with the axe which pivots in all sorts of really weird dimensions. So yeah. Anyway, digital forensics stress relief. And we were going to be talking more actually I think in the following year, I don’t know if you’ve seen an article came out recently about mental health and lots of people rely on fitness as part of mental health, so I’m sure we’re going to come back to this at a later date. But yeah, I think we have naturally sedentary careers: we sit down and we spend all day at a desk.

Desi: Yeah, you’ll see under my desk, I bought myself a desk treadmill so I can walk while I work.

Si: Does it work?

Desi: Yeah. Apparently it goes up to seven miles an hour. I’m afraid that if I run on it it’ll just snap in half.

Si: Oh, so the desk goes up?

Desi: Yeah, the desk is like a sit/stand desk. So this desk will go up and then that’s just leaning against the wall. So it’s like a flat treadmill that you can put on the floor. So I normally walk on it. One kilometre an hour I can do, I can write an article. Two kilometres an hour I can respond to emails. Any faster than that and I can only read, I can’t type.

Si: Yeah, you can’t type at the same time. That was the thing that always made me wonder is that, yeah, I could sit and read something or watch a YouTube video or whatever because effectively that’s what you do in the gym, isn’t it? Is, you know, you put something on the treadmill, whether you’re running or whatever.

Desi: It’s really good if you’ve got work meetings, right? So people have back-to-back meetings, they’ll sit in a company meeting for an hour where you don’t need to have your camera on. There are hundreds of people in the meeting. Do an hour on that while you’re in the meeting. You’ve just got to sit there and listen. You’d be checking your emails in the background anyway. So yeah, that’s kind of the approach that I use for using that treadmill.

Si: No, that’s a really, really smart way of doing it. Yeah, no, absolutely. Good stuff. Cool.

Desi: Yeah. All right, so we did have some topics that we wanted to talk about today. One was the companies doing some shady stuff.

Si: Yeah, I’m going to say it’s an interesting one because we talked about this and we talked about this when you were in Oxford with me and we sat over some very nice noodles in the place we went to. We were saying that there’s practice, and there’s nothing wrong with the practice of using open source tools within the product.

That is what open source means if you look at the definitions of it. The shadiness comes around for me in the clarity in discussing that, because it’s very much what I’ve seen in a lot of cases, and again, we’re not going to call out anybody in particular, but what I’ve seen in a lot of cases is that people go, “Oh, we’ve added this feature, and we’re brilliant,” when what they’ve done is they’ve integrated somebody else’s brilliant feature into their product. And, you know, it’s the taking of credit for somebody else’s work. Now, I think I called out, not called out, I asked somebody during an interview we had recently, they said they were using something and I asked if they had put it back into the open source stream.

Desi: Oh yeah, that was the last one that we did, I think.

Si: Yeah, and they said that they did. And that’s cool. That’s fine. I mean, if you are contributing back in. But it’s not transparent. I don’t find it transparent, and I just feel that, you know, it must be very disheartening to be an open source developer who’s doing amazing work and making this available to the community, for it then to be taken and sold on. And again, there’s nothing wrong and there’s no illegality in this, but sold on as somebody else’s work. The licensing works, the process works, but it’s just that taking of credit for somebody else’s work. And it’s something that narcs me generally.

You know, copyright is an important thing. And in academia, it is the problem, sin of all sins. Plagiarism is the sackable, hangable, hung, drawn and causable or offence. It’s the end of your career. So the fact that in industry, we accept it as a, “Oh yeah, they’ve integrated that, and isn’t it great?” without going, “Hang on a second, look, somebody spent months, years potentially, writing this product and you’ve just added it in and you’re now making money off your next new feature” which isn’t giving credit and it’s not giving back into that ecosystem. And that’s just something that bothers me, I think.

Desi: Yeah. So I have an analogy and then a story to go with this. And the analogy is, I think, cover bands doing music. You know that there was an original song, and you can appreciate what they’ve done to change the original, but obviously it’s not theirs. And I think that’s where software for companies like this could go. Because you could go, “Oh, there’s a whole bunch of original open source software that goes into this, and these are all the things that they did around the workflow to make it easier to use all this.” But then if you realise how transparent that was, or the fact that, oh, this key feature is just this open source project, you can make the decision to go, do I want to do all the effort to do the workflow, and I go get the open source project and put it into my own stuff and maintain it myself for my internal company, or do I pay someone to do it?

Because that’s the trade off, right? Is that you could go do it yourself, or you pay for the workflow, right?

Si: It is exactly that, because, effectively, that’s what Red Hat is. And you’re talking about a massive, multi-million dollar company that is just like, “You can’t be arsed to update the kernel yourself? We’ll get that for you.”

And by the way, you can pay for extra support and they feed into upstream projects. So yeah, it is that. And it’s a business model that works. It’s like, yeah, I have created this thing that holds together a whole bunch of other stuff. And, you know, I can guarantee you that behind what we’re currently recording through, there’ll be FFmpeg and there’ll be all of the good stuff that, you know, does that back end video processing.

FFmpeg is the industry standard and, you know, amps use it behind the scenes and they call it out and it’s quite interesting if you actually look into the software, it tells you it’s got all of the licensing details in there and all about it and they aren’t afraid to say this. But what they do tell you about, and I’ve been on their training, is they tell you about how they have automated the process of looking at the output of FFmpeg in order to be able to allow the tool to extract stuff.

So they’re up front about it. Yeah, you could do it yourself, but it’s much nicer to do it not on the command line, but through an interface. And that’s a business model. So it works. It’s a good thing. So yeah, I love the cover band analogy.

Desi: Well, so the story that I have to go with this is I did an incident response once where it was for a technology company that is very well known, they sell their software for a very expensive price, and I got given access to pretty much everything, because it was a fraud case with, kind of, execs. So, I got access to engineering, everything. And as I was looking through, I was doing a bit of threat hunting, and a few things flagged, and I was like, “Oh, this is weird”.

And then I realised it was in their project folders. And part of it I was like, “Oh, maybe it could be exfiltration.” So I started digging into the binaries themselves. And then I realised it was just their whole software was just renamed Sysinternal tools. All of it. And I looked at the script to run the program; it was essentially a GUI that would just call these binaries to run things.

And then my mind was blown. I was like, “Fuck, I could create a company like this and just write a script with Sysinternal tools if my GUI skills were better” kind of thing. But it was the first time that I saw it where it was so blatant and I thought that these people had written like a software that did all this, but they literally had just used stuff that came from Microsoft and repackaged it and renamed it.

I was like, “Why would you even rename it?” Like, because it would compile and sit in the back end, you wouldn’t even see it at all, but, man, I was blown away by that, couldn’t believe it.

Si: Yeah, I think the thing is I guess from a forensic perspective, you’re kind of like, when you’re writing a report for court, you’re saying, “Okay, I’ve done this, I have done this, and I know what my steps are to have achieved this, and these are the tools that I have used.” And if what you’re saying is, “Okay, I have used tool X” but tool X is actually really tool Y just with a GUI on the front of it, it kind of undermines what you’re saying.

Desi: Yeah, because you don’t understand what’s in your own tool.

Si: Yeah. And that’s a concern, isn’t it? And it’s like, well, okay, but there’s no known issues or vulnerabilities with tool X. Great. But there is actually a known vulnerability in tool Y. But because you can’t put that link together in your head because it’s not been disclosed or not clearly disclosed, you’re in this position of like, well, okay, how much can I trust the tool? How much can I, I mean, we should be verifying everything anyway, so that’s not necessarily a big issue. But even then, if you’re using two tools that are verified-

Desi: I was just about to say that, what if you’re verifying off the same open source tool?

Si: Exactly. You know, so it could be horrible. So yeah, I think this is an interesting point.

Desi: Yeah, this tool would have been used in everything, like incident response. It would have been used in digital forensics and court cases and stuff as well. So yeah, it just blew my mind. And then I was like, “What other companies are just doing the same thing?” Like, similar to their competitors, I was like, “Are their competitors just doing the same?” And it goes to your point with the validation. If you even validate between two competitors, are they just using the same tool in the back end and your validation is actually not validation at all?

Si: Because it’s the same confirmation of the same error in exactly the same tool. And actually-

Desi: No, you go.

Si: What I was going to do was change topics. So if you have something else to say, go with it.

Desi: Oh, so I don’t wanna change topics. I do have another story about companies kind of like taking credit for stuff that’s not theirs.

Si: Yeah. Go on.

Desi: So, a friend of mine did a kind of boot camp course thing with some cyber education company, and I don’t think they completed it or if they did complete it, they felt like they didn’t really get anything out of it. And they got a job, I think at the beginning of the year or end of last year. And they came to me and they’re like “Hey this company has reached out. What do you think? They want to do an interview.”

And I was like, “Well, what do you think? Do you want to do it?” And he said “Well, it could be good for my own personal branding and it’s just good experience, too.” And he’s done some interviews before, he’s done one with me, actually one of mine, and he just wasn’t sure, and I said, “Well, if you’re not sure, get them to send you all the questions that they want to ask first, because it’s good to prep anyway,” which is what I do for mine; I normally send all my questions to people first.

And then a couple of days later, they sent him the thing, and he sent it to me, and he was just like, “Yeah, I don’t think I’m going to be doing this interview,” and all the questions were like, “How did the bootcamp help you get a job? What really resonated with you?” I was like, “Did they do anything to help you? Like, did you feel like that bootcamp did anything?” He was like, “Nah, not really”. And so it was just this, they were trying to take credit.

And he did heaps of work himself to get the job, did other courses and everything. But it was just this company that had reached out because he’d got into a good company and they were going to take credit for it, and they were going to use it for their marketing and everything else. So, it just made me think of like, I always go back to, now that I’m in the job that I’m in, I read a lot of marketing stuff, and I read a lot of threat intelligence stuff, and I read a lot of statistics, and it’s like, where are you getting these statistics from? Like, what’s your sample size?

And a lot of it is qualitative surveys. And I’m like, this isn’t data-driven, it’s not research, you’re not publishing how you got to these statistics at all. As far as I know, you could have thrown a dart at a dartboard that has percentages written around it and gone, “Yeah, cool. 75 percent of what’s happening in the industry is because of blah.” And, yeah, this whole company thing just made me feel, it goes, like, this was all, came from our first conversation about how much snake oil there is within the cyber industry, and both technology and education piece is there’s just so much of that at the moment.

Si: I was going to say, he says backtracking slightly again to a slightly different story, I was there, I went to a conference and I was sitting with a friend in the audience and he works for a well-known vendor. And somebody stood up and they were giving this presentation on something to do with vulnerability management. But all they’d done, basically, was they’d renamed vulnerability management into something else and then were claiming it as a new thing.

I can’t remember what they, you know, especially if I told you what it was, it would become almost certain who it is. But basically, they just rebranded it and then went, “We’ve got this amazing solution for managing, for dealing with the risks in your business.” And we’re like, “That’s vulnerability management.” It was like, yeah: snake oil.

Desi: I think it’s so hard. I get the whole point that advertising is needed, but then my critical thinking brain just can’t comprehend it sometimes. And it’s so frustrating and it’s so important for, I think everyone in the industry, whether you’re technical up to executive. And I think higher up executives are really good at critical thinking and really good at if a vendor comes and tries to sell something to them or someone tries to come to them they’re very…I get there are exceptions, but I-

Si: I think I’ve met every exception going.

Desi: I think in general if you reach that level and your company is going well, they are very smart, very critical thinking people. I always find it’s that middle ground where people are coming through the ranks, but they have decision making power, and they may not just have that next level of critical thinking. But it’s so important to always question statistics like what the actual use cases are, whether it’s going to work.

Si: I mean, I think there’s a famous quote from an English politician, I’m going to say William Pitt and I’m going to get it wrong, but “There’s lies, damn lies, and statistics.” which I think sums it up perfectly well. I think also, you know, and I don’t think I’ve said it before, but one of the things I try and teach students when we’re doing a forensics course, and it’s a bit difficult because it’s not exactly a technical subject, is actually the ideas of logical fallacies.

I mean, I’ll put a link to the site that I use and I think it’s called yourlogicalfallacyis.com or something, but it talks through the idea of things like a strawman and some of the other concepts around building an argument that appears to be, a correlation is not causation. I was talking about this with my daughter in the car this morning funnily enough, and there’s an amazing site, again, I’ll find the link for it, but it’s correlation is not causation and it shows you two graphs that map almost perfectly.

Because I talked to her about it before I think the example she remembered was something like the number of male suicides and the sales of a certain type of cheese are almost directly correlated, and the number of swimming pools in the US and the number of shark deaths. Also, again, it’s sort of a direct correlation. And obviously, there’s no causation in there whatsoever. But it just really brings to light the ludicrousness of drawing conclusions on the basis of one thing versus another just because they have a similar pattern.

Desi: Yeah. So apparently, I looked up that quote, and apparently it was Benjamin Disraeli?

Si: Disraeli, okay.

Desi: Disraeli, yeah.

Si: Another Prime Minister, I think. Unlike Americans, I am unable to recite every single leader of our country. To be honest, they change so quickly nowadays, I have no freaking clue anyway. So, who’s in today?

Desi: So true. Yeah, I’m super interested. I did statistics early on in uni, I almost went down that path of being just a statistician. And you do essentially a scientific experiment and then right at the end you do your interpretation of your results. And our lecturers were super funny. They were like, “You can interpret your data in any way that you want.” You can just change a sentence and it changes the whole meaning of what your actual hypothesis and your study did which was just super, super interesting. You can see that that’s used everywhere in marketing and advertisement and everything.

Si: Especially, again, similar graphs I’ve seen is you have what effectively is an entirely random plot of data. And then you can get an average line to go through it in whichever direction you actually want to prove whatever your point is. It’s utter insanity.

Desi: Yeah, because you can also put like, you have a random bit of data, you can also add thresholds to then get that line down, so you’re excluding the data that you don’t want in there that changes the point you want to make, right?

Si: And as we gently segue to the problems of artificial intelligence within the forensic industry with our applied statistics.

Desi: It’s just not as advanced as we thought. That’s the problem.

Si: So yeah, I’m going to say, I will use this to gently segue into the other topic of conversation that we sort of mooted at the beginning of this, which is that recently in the UK there’s been a lot of press covering something called the Post Office scandal. I don’t know if it’s reached as far as Australia or international news.

Desi: No. I haven’t read that yet.

Si: So effectively, I’ll do a brief pressie of the background, which is that the Post Office, I mean, that is what it says on the tin: it’s the service in the UK that deals with mail and delivery of parcels and packages and stuff like that. And the way that it works is that effectively you have small branches that are distributed across the country and they are run as independent businesses; they’re franchised into the Post Office. But as part of that franchise, they were given a computing system called Horizon, which was created by Fujitsu and kept track of money. Okay? It’s an accounting system.

Unfortunately, it turns out it didn’t do that very well, occasionally to the tune of tens of thousands of pounds. Now, Fujitsu insisted that their software was correct; the Post Office insisted that the software was correct; and thus the postmasters, the sub-postmasters who were dealing with the shops were accused of theft for the fact that their books didn’t balance; some of them balanced the books by putting their own money into the system to make sure that it worked so that they didn’t have to deal with the problems; some of them were prosecuted by the Post Office for theft and were charged and convicted of criminal offences; and sadly, one or two people were so appalled by this internally to themselves that they took their own lives because of it.

I mean, if I’d been accused of stealing £20,000 I hadn’t nicked, I’d probably be quite upset about it, as well. Especially when you get found guilty by a court and you know internally that you’ve done nothing. So this has all come out now and there are various things underway to pardon people involved, although even that’s being screwed up because a blanket pardon isn’t necessarily a good way of going about dealing with people who may have been stealing because you’d need to look at each case on a case-by-case basis again to actually administer justice rather than knee-jerk voter appeasing reactions, but that’s a conversation slightly beyond the scope of this.

But one of the things that is generally accepted in UK courts, and it didn’t used to be this way, is that a computer operates correctly unless you can prove otherwise. The presumption is that a computer will be correct, and that the records that a computer keeps are correct, unless it is shown to be incorrect. And when you’re talking about systems that are tens of thousands of lines of code, hundreds of thousands of lines of code, possibly millions of lines of code, that the experts who have built them are telling you operate correctly and the defence aren’t necessarily given access to review, the idea that this presumption of it effectively turns on the head the idea that you’re innocent until proven guilty because the computer is saying that you’re guilty until you can prove that you’re innocent by showing that it’s inoperative.

And so, we’re kicking off a little bit in this country an idea about revisiting this, or at least it’s been mooted by a couple of people that this would be a good idea. And therefore, you know, it’s an interesting thing. But I was wondering if you happen to know what the stance is in Australia with regards – well, actually no; first question: have you ever known a computer actually operate correctly? Because I’ve been working in IT 25 years and I mean, I’m pretty well aware they don’t.

Desi: How could you think that a computer operates correctly when the solution to most of it is to turn it off and on again? You literally have to reset its memory to get it to work. Clearly that tells you something that when a computer is running, it will eventually fuck itself up so bad that you need to turn it off to get it to reset its brain. I feel like by default we just don’t trust computers because at any point they can go into the Blue Screen of Death. And Windows has tried to make it more blue-friendly, but we all know that dark blue that scared the shit out of us because we just lost all our work. Now, straight up, I can’t trust that.

The next thing I was thinking while you were telling this story was something that happened in Australia with regards to Centrelink repayments. And they put together this whole piece of software to try and account for people’s payments that they needed to pay back, and essentially the piece of software fucked up and it had done the calculations wrong so the maths was wrong in the repayments. And all these people got these letters saying you owe a couple of thousand to tens of thousands, I think it might have gone up to one hundred thousand, but anyway, the people that were getting these letters were still on Centrelink or had come off Centrelink.

Centrelink for international listeners is essentially government welfare. It covers things like single parent payments. Centrelink is the broad term; it’s generally for unemployment, but it’s also things like, when I was at uni, when you’re studying, if you’re living out of home, you get a certain amount of study allowance. The government will give that to you to help you try and live, which is definitely not enough to live, but it’s something. So it covers a whole range of welfare services, and everyone was getting hit from people that are still on Centrelink to people that had finished and been working for 10 years, and all of a sudden they’re like, “Oh, you owe $10,000 to the government again.”

And the same thing happened; some people got really upset trying to fight this, and I’m not sure whether anyone got prosecuted, because everyone was up in arms about it, but people were getting so stressed that they took their own lives. And it was a mess, and now there’s a Royal Commission about, I actually don’t know where that went, I should look that up and I’ll post that in the show notes as well, but essentially all these higher ups and politicians got told that the program wasn’t ready, and they were like, “Nah, just do it,” and there was no duty of care on their end.

And then when it was happening, the government was like, “Oh no, it’s fine, the program’s correct”. And then now, looking back, all this stuff’s come out where the developers were like, this shouldn’t go into production. It is not ready to do the calculation, you haven’t done the testing on a small set, they just rolled it out on a large body of people, and yeah. So, 100%, I think the legal system, or at least the government saw it as the computer is right, because it’s a computer, and it’s an algorithm; but people made it, and people are idiots half the time. Like, I’m an idiot half the time. I lift weights and I can’t count my own weight plates. Am I going to trust someone who’s writing code to get money back off people?


Si: I think this is the thing is that there are so many levels to this, isn’t there? It’s like, you’re right. First of all, there’s human error. And it’s like, well, you go, okay, so if it’s a perfectly Turing complete machine, and it’s operating in the way that it should, then it is operating on logic, and therefore it will do exactly as it’s told. But I don’t know, I mean, you’re younger than I am, but I don’t think significantly. So do you remember the Intel chip problem whereby they couldn’t add up? So even if you did tell it the right algorithm, you could still get the wrong results.

Again, that’s a human implementation of a logical concept being done wrong with some gates, but when you’re talking about that many logic gates on a chip, it’s insane.

Desi: It just reminds me of when you were going with the IBM thing and it actually made me think of this quote, but “A computer can never be held accountable for decisions, therefore all computers decisions are management decisions.” No, I don’t think that was the right quote. Oh no, it was this one. So they’d written that quote down. “A computer can never be held accountable, therefore a computer must never make a management decision” is the quote. And that’s from a 1979 IBM slide.

So, yeah. You think about the level of management decisions that computers make now based on workflow, software, and everything else; 100%, you still need people managers, and you still need to put people first, and you should not make a management decision based off, like, imagine if you were tracking people’s coming into work, just for an example, and you said that, “Okay, if they’re not hitting a certain KPI for a number of days of coming into work, we let them go” and that’s the decision that comes out of the software. Now, what if that person was doing a whole bunch of work outside of hours at home, and they were struggling with their child that had cancer, and then you just let them go? You’ve just let a computer make a management decision that affects someone’s life that they’re trying to still help the company and still do the right thing in their own way, but you’ve never checked in with them. And so, just as a basic example, but I’m sure that happens somewhere.

Si: You say that’s a basic example, but let’s go back. I’ll give you two different examples that aren’t either basic or fictional. The first one, we were talking with Sophie only a couple of weeks ago now about the fact that they were doing this automated testing, aptitude testing. And then a computer is effectively making a decision: Is this person employable or not? Yes or no? That’s it. I mean, that’s already a computer making a decision on the basis of an algorithm that was written by somebody and nobody is accountable for it, fundamentally.

The other one and arguably more serious, no, definitely more serious, is that there have been computers used in asylum decisions for people wanting to make asylum claims, for refugees and that kind of thing. And the idea that somebody who is fleeing a country because they have a fear of death, and, you know, again, a lot of press and a lot of the right-wing press in the country at the moment is all about economic migrants who are just coming here to improve their life, there’s no actual genuine fear of death now.

Now, honestly, we need people to come and work in this country and this is a topic of contention that the government is trying to split the country on so they can get some votes in the next election and all sorts of things like that. But fundamentally, there are genuine asylum seekers. Whatever you think about the proportion of those who are just coming for a better life versus those who are actually fleeing, there will be some people who are actually fleeing.

Is it acceptable to make it easier to send a whole bunch of people back because you’ve done automated testing and then send a couple of people to their death? Or should we actually consider each and every application on its own merit and in its own right? You know, this is something that we should never be applying.

And I was talking to lawyers about this at an AI in Law conference. It wasn’t technically AI, it was an algorithmic match of, you know, they have come from this country, they are this age, therefore they must be coming for a reason that is not related to genuine asylum seeking. I mean, that already is a horrible thing. But the fear that we would then do some sort of machine learning, again, we’re going back to our applied statistics, that will say, but like you said, it’s only going to look at those superficial markers that are contained in the record, it’s not going to look at the actual detail, not for decades anyway. I mean, even if we get to the point of machine learning, being able to read through stuff.

Desi: We shouldn’t drop the automated testing, we should be doing it alongside it, and then it’s also not, we should just be allowing humans to make the decision without any training. Because people need training to be able to handle these kinds of situations. So, I think sometimes we try to make things easier, and we go down the path of too much automation sometimes because we don’t want to either have hard conversations ourselves, or put time in to train people on how to manage people correctly.

Because a lot of my management experience has just come from being thrown in and doing it. A lot of how I think I learned to be a better manager was looking at the shit managers in my life and going, “I don’t want to be like that.” I hope now when I’ve worked with other people and they’re going into management roles, I try to impart the good things. And the good things are: always consider the humans, look after their pay and their leave first, and their family well-being, and then anything else after that. Work priorities are always going to be there, but if someone needs leave to go see their dying mum, it’s kind of a no-brainer. Sort it out.

Si: I mean, it’s interesting, isn’t it, because, you and I both have come, or have been through, I haven’t come from a military background, that’s an incredibly unfair thing to say, because I’ve never served in any way, shape, or form. I have worked with Ministries of Defence, and in defence for a while, but at the end of the day, the single most important thing at any given point in time is life. Whatever else you’re doing with your systems, whatever else you’re doing with your strategies, your thing, the most important thing at any point in time is human life.

And therefore, you need to bring that to the fore with everything. To disregard somebody because they haven’t met an objective without finding out why, I mean, maybe they are a lazy little arse, but-

Desi: Oh yeah, 100%, have processes to get rid of them. But you’re saying that the most important thing is life, and it’s funny that it deeply aligns with the fact that the greatest asset a business can have is human capital. So if you have hardworking people that are happy to work there, your business will thrive.

And there will be people that are shit, and you need to get rid of them. But make sure that they’re just shit, that there’s not a reason that you could help them, because that builds organisational loyalty. If you help someone out in their time of need, and I get there are limits to small businesses and medium businesses and that kind of thing. But if it’s within reason, maybe it’s just that they need to rock up an hour later every morning or something because they need to drop their kids off, they’ll feel so much more loyalty to the people that they work with, that they’ll want to work harder.

Si: Yeah, it is that. I’m going to say, again, you know, if you’ve been around in life for any length of time, you’ve had managers who are brilliant, who are genuinely there, who you like going and talking to, and who you feel very happy to go an extra mile for. And then there are those ones who you’re like, “Right, it’s five o’clock, I’m gone,” because they’ve built no loyalty, but they themselves don’t seem to have any loyalty. Loyalty is a two-way street, isn’t it? You are loyal to someone because they will stand up for you and see your best interests being looked after.

Desi: But it’s all built on those relationships, right? That whole company is built on those two-way relationships at every level, and even with your peers. It’s always a decision when you’re moving from one company to another, and you work for yourself now so it’s a little bit different, but I’ve been to a few companies. And the hardest decision isn’t the money or the work; the hardest decision when leaving is: am I going to like working with the people that I’m going to the next company with? Or am I leaving a really good bunch?

And that’s been the hardest decision every time with my peers. I’ve loved working with all of them, and I’ve just been really lucky that every time I’ve got on with the next bunch of people because it’s a small industry. It’s a good industry, but I’ve had friends that have gone into their next job and they hate their manager or they hate their teammates because there’s just so much conflict.

Si: I mean, I think it’s interesting that you sort of say it applies less, it applies differently if you’re self-employed because we still have to build and maintain relationships with people and you’re like, “Okay, I liked working with this police officer. I know that he was a good guy. I know that the work he gave me was sound and had a good foundation to it.” And then you’re like, “Well, I worked with this other solicitor and they gave me lousy instructions. It was a crock of shit. And then they didn’t do anything useful with what I tried to work with them for. And they didn’t answer questions.”

And so it does come around to: “I will work with him again, I don’t want to work with them again.” And you try to build a network of people who you can be with. And it is the same thing in a number of ways, but it is that we do deal in human capital, really, at the end of the day. And even on our most technical days when we’re saying reading hex code, at the end of the day, it’s about someone and it’s about what someone has done or what somebody wants to do if we’re talking about security consultancy, because, you know, there are other people who listen to this other than forensic analysts.

It used to be that we joked about security. That’s like, we would tell everybody, “No, you can’t do this. No, you can’t do that.” What we’re trying to do is actually give them a way to do what they need to do or they want to do in the safest way possible. Occasionally what they want to do is bloody stupid and we say no. Making an entire copy of the live database and then putting it into a test system that’s accessible to the internet springs to mind.

Generally speaking, the question then came down to, well, why do you want to do that? What is it that’s necessary that you need to do? And I said, well, we needed to share the testing with a vendor. Okay, how can we enable that so that the vendor can do what they need to do without giving them? Can we redact it? Can we tokenize it? Can we do something that’s going to make this data set valid for testing? But, you know, and it’s all about this. Because computers are just a tool. It’s a hammer. And at the end of the day, you need to build something with it. It’s not a thing in itself.

Desi: It’s the one thing I hated about the security advice that went around for a while. It was the leading thing that a lot of vendors use, but how humans were the weakest link in a security thing. I hated that, because it means that you’re just neglecting the training. Sure, humans are the way to get in, but humans are running your company. So, I mean, if they’re the weakest link, usually the best risk control is to eliminate, so remove all the humans from your company and see how well your company goes. You’re not going to make any money, so you don’t have to worry about security risks, right?

So, yeah, it was something I always hated, and it was a shortcut way to just put in tools to monitor humans doing things when a lot of the stuff you look at now, like, if you look at the frameworks, they’re all moving away from that wording, particularly the compliance and regulation frameworks that are trying to help the industry get better as a whole. You look across critical infrastructure, finance and banking have been doing it well for a long time because they’ve just been targeted for so long. But even small to medium to large enterprises as well, it’s now more about, let’s now get your security hygiene in check.

Like, the reason that humans are the weakest link or they’re meant to be, is because you’re not doing application listing in your organisation. So, of course they’re going to click on an email link, something will download and it’ll execute on the endpoint. That’s not their fault. If your application will allot this, that thing’s not going to run on your endpoint. But you’re being lazy and not investing into the security control that is literally basic security hygiene.

Si: I’m going to say it’s sort of something we said earlier, I can’t remember exactly what I was thinking, but it’s like – oh, that was it, it was the snake oil. Going back into the sort of snake oil and stuff. Don’t get me wrong. I’ve made some very good money out of security consultancy in my time, but it infuriates me that I’ve walked into organisations and you go in and you go, “Okay, so let’s start off. Can I see your asset list?” They’re like, “We don’t have one.” It’s like, “Okay, so what I want you to do is get me a bloody asset list, because until you know what you’ve got, there is nothing I can do for you.” And these basic things don’t need somebody going in at hundreds of pounds a day to say, “Get an asset list”.

I went to a photography trade show yesterday. Great fun. Really, really cool. And speaking there was a guy called Ian, I can’t remember his surname off the top of my head, but he’s a detective sergeant for the regional cybercrime unit in the West Midlands. So I was aware of him by name, I met him at this show. And he gave a talk available for photographers to attend about how to secure their data. Because, photographers are dealing with human beings who have personal details and all of the stuff like this, as well as talking to them about their businesses. And he was there giving away really, really good advice for free.

And not enough people went to listen to him. Just as simple as that. His talk was first of all, not put on in a space large enough to accommodate the amount of people that should have gone to listen to him. And second of all, not enough people turned up to even fill the space that he was in, which took very well and if he reached one person, he’s already improved the world. So that’s a good thing for him, for us all.

But there are so many sources of good, basic advice on how to do things better that people just ignore and don’t listen to. And it applies to the smallest business to multinational. You go in and you go like, “Can I have your asset list? I haven’t got one. What’s your password policy? It’s not good enough. Are you using MFA? No.” You know, it’s not rocket science. Sorry, again, I don’t wish to do any security consultants out of a job, but most of it is not rocket science.

Desi: It is effort, which is, I think, the issue in itself, is humans are inherently lazy, and we will try and not do it. And if we don’t have to, we won’t. And it takes someone within the organisation to really care about it. I mean, making people wear PPE and making sure there are rails to stop people falling into pits of acid or whatever you’ve got at your company should be a no-brainer that you do that to protect people and life. But it’s not, and that’s why we have compliance and regulations.

So, yeah, 100 percent agree. I look at some of the stuff that I’ve done in work before. I mean, even in my own personal life, from my own personal cyber security stuff, sometimes there are some things that I’m like, “Oh, I’m not going to do this” and then I’m like, “Wait, like I’m in this industry, I should really do this.” But it’s that, just like, “Oh, I could just open this now, rather than spinning up a VM and checking that it’s the right thing” or downloading something and going to check the checks on the website kind of thing. There are so many little things like that, where you can download it, run the MSI, and install it on your computer.

But you need to go do that extra step to make sure that what you’re downloading is what they’re saying you’re downloading and verify that. I can understand from a human level, because I’m the same. But when you see the level of problems that large companies have, or medium companies have, and how much money they’re spending to fix it, and you’re like, 10 years ago if you just did this thing, or if you start now, in two years you won’t be spending half a million pounds on this problem. Because in two years time, you’ll be at a stage where you can do it yourself. You don’t have to get a consultancy to come in, you don’t have to pay for this vendor to have this weird and wonderful word for vulnerability management that you think you have.

And you can run it all yourself because you know what assets you have and you can patch it. And you have updated Windows systems that will just install patches themselves because you’re just, I don’t know, a bakery that has two computers. Anyway, tonight’s been a good chat.

Si: Yeah, it’s really good to catch up and yeah, we’ll go back to lifting weights now. Or at least you’re going to go to bed and I’m going to lift weights.

Desi: I’ve lifted weights for today. Yeah, I haven’t had a shower yet, so I’m going to go have a shower. But yeah, it’s been good. We should do these more often.

Si: Yeah, we will. I mean, I was going to say-

Desi: I think we spoke about doing one where we were going to review a paper each and then talk about the paper. We should do that.

Si: Yeah, we talked about that. And we also talked about, and I have severe reservations about this, doing a Twitch stream of CTF, because I don’t want to prove that I’m an idiot.

Desi: Honestly, I’m not good at CTFs. Like, I’m good at incident response ones, but when they’re generic CTFs, I’m bloody terrible.

Si: I had an email today asking me to help write one, so I might go down that route instead.

Desi: I would do, maybe like, after the fact I would go through and do one. Maybe we could test gamified platforms. That’d be cool.

Si: Again, we have a Discord channel, ladies and gentlemen, boys and girls, and everyone we’re in between, of Forensic Focus, and also HardlyAdequate, which I thoroughly recommend, where you can come and see us weightlifting. And please do jump in on the podcast channel and say if there’s anything you’d like us to talk about, or anything you’d like us to stop talking about is also a valid thing, probably weightlifting.

And also please participate in the Discord forum. It’s starting to pick up slowly and there are loads and loads of people who are in it, but at the moment the activity is quite low, but it’s starting to pick up and that’d be really cool.

As per usual, we are available on a whole bunch of podcast platforms that I am not going to remember to list. However, what I did learn the other day is, if you do have the time and the patience and ideally something complimentary to say, if you write reviews in the Apple Podcasts app, apparently it increases our visibility, which might be helpful to getting us out to a slightly broader audience than we already have.

Desi: Same for YouTube. Engagement will increase the channel. So if you’re on YouTube watching this, feel free to comment, put the thumbs up, thumbs down, doesn’t matter if it’s good or bad, you can tell us to stop talking about weightlifting and tell us to lift more weights because we’re too small. Although, you guys haven’t seen Si. Si’s tall and he can lift a lot of weight. Watch him deadlift a car.

Si: Links will be in the show notes, embarrassingly. There you go.

Desi: Awesome. All right, we’ll catch everyone, I don’t know when, but we’ll plan another one of these and I’m sure we’ll be throwing out lots of episodes.

Si: Now, I was going to say, you are back in the UK at some point, are you not? Or has this already happened?

Desi: No, that trip got cancelled, so I won’t be back in the UK any time soon.

Si: Oh, no. No, that’s not fair. Oh, I’m sorry to hear that.

Desi: Well, I changed companies, so it got canned.

Si: We’ll have to find something else for you to come for, or meet somewhere in the middle. Where’s in the middle? India? I don’t know, I’ve never been.

Desi: One of the oceans? Hopefully on an island.

Si: Depends which way you go, I think. Meeting on Easter Island, that’s it, problem solved. All right, you take care. I’ll talk to you soon.

Desi: Alright, take care.
