JSJ 418: Security Scary Stories and How to Avoid Them with Kevin A McGrail

In this episode of JavaScript Jabber the panel interviews security expert, Kevin A. McGrail. He starts by explaining what security frameworks are and what they do. The panel wonders how to know if your developers are capable of self-auditing your security or if you need help. Kevin shares recommendations for companies to look at to answer that question.

Special Guests: Kevin A McGrail

Show Notes

Aimee Knight explains the hell she has been in making changes to be compliant with CCPA. The panel considers how policies like this complicate security, are nearly impossible to be compliant with and how they can be weaponized. They discuss the need for technical people to be involved in writing these laws. 
Kevin explains how you can know how secure your systems actually are. He shares the culture of security first he tries to instill in the companies he trains. He also trains them on how to think like a bad guy and explains how this helps developers become security first developers. The panel discusses how scams have evolved and how the same scams are still being run. They consider the importance of automated training and teaching developers to do it right the first time.
Finally, they consider the different methods of authentication: passwords, passphrases, SIM cards, biometrics. Kevin warns against oversharing or announcing vacations. The panel discusses real-world tactics bad guys use. Kevin explains what he trains people to do and look out for to increase security with both social engineering and technical expertise. 
Panelists
  • Aimee Knight
  • AJ O’Neal
  • Charles Max Wood
  • Dan Shappir
  • Steve Edwards
Guest
  • Kevin A McGrail
Sponsors
____________________________________________________________
"The MaxCoders Guide to Finding Your Dream Developer Job" by Charles Max Wood is now available on Amazon. Get Your Copy Today!
____________________________________________________________
Links
Follow DevChatTV on Facebook and Twitter
Picks
Aimee Knight:
AJ O’Neal:
Dan Shappir:
Kevin A McGrail:
Steve Edwards:
Special Guest: Kevin A. McGrail.

Transcript


Hey folks, I'm a super busy guy and you probably are too. You probably have a lot going on with kids going back to school, maybe some new projects at work. You've got open source stuff you're doing or a blog or a podcast or who knows what else, right? But you've got stuff going on and if you've got a lot of stuff going on, it's really hard to do the things that you need to do in order to stay healthy. And one of those things, at least for me, is eating healthy. So when I'm in the middle of a project or I just got off a call with a client or something like that, a lot of times I'm running downstairs, seeing what I can find that's easy to make in a minute or two, and then running back upstairs. And so sometimes that turns out to be popcorn or crackers or something little. Or if not that, then something that at least isn't all that healthy for me to eat. Uh, the other issue I have is that I've been eating keto for my diabetes and it really makes a major difference for me as far as my ability to feel good if I'm eating well versus eating stuff that I shouldn't eat. And so I was looking around to try and find something that would work out for me and I found these Factor meals. Now Factor is great because A, they're healthy. They actually had a keto line that I could get for my stuff and that made a major difference for me because all I had to do was pick it up, put it in the microwave for a couple of minutes and it was done. They're fresh and never frozen. They do send it to you in a cold pack. It's awesome. They also have a gourmet plus option that's cooked by chefs and it's got all the good stuff like broccolini, truffle butter, asparagus, so good. And, uh, you know, you can get lunch, you can get dinner. Uh, they have options that are high calorie, low calorie, um, protein plus meals with 30 grams or more of protein. Anyway, they've got all kinds of options. 
So you can round that out, you can get snacks like apple cinnamon pancakes or butter and cheddar egg bites, potato, bacon and egg, breakfast skillet. You know, obviously if I'm eating keto, I don't do all of that stuff. They have smoothies, they have shakes, they have juices. Anyway, they've got all kinds of stuff and it is all healthy and like I said, it's never frozen. So anyway, I ate them, I loved them, tasted great. And like I said, you can get them cooked. It says two minutes on the package. I found that it took it about three minutes for mine to cook, but three minutes is fast and easy and then I can get back to writing code. So if you want to go check out Factor, go check it out at factormeals. Head to factormeals.com slash JSJabber50 and use the code JSJabber50 to get 50% off. That's code JSJabber50 at factormeals.com slash JSJabber50 to get 50% off.

CHARLES MAX_WOOD: Hey everybody and welcome to another episode of JavaScript Jabber. This week on our panel, we have Steve Edwards. 

STEVE_EDWARDS: Hello from Portland. 

CHARLES MAX_WOOD: Dan Shappir.

DAN_SHAPPIR: I'm from Tel Aviv and it's my birthday today. 

CHARLES MAX_WOOD: Oh, happy birthday. 

STEVE_EDWARDS: Woohoo! 

DAN_SHAPPIR: Thank you very much. 

AIMEE_KNIGHT: Happy birthday. 

DAN_SHAPPIR: Thank you. 

CHARLES MAX_WOOD: Aimee Knight. 

AIMEE_KNIGHT: Hey hey from Nashville. 

CHARLES MAX_WOOD: AJ O'Neal. 

AJ_O’NEAL: Aimee, you've got a new profile picture that's super gangster. 

AIMEE_KNIGHT: Me? Yeah. 

AJ_O’NEAL: Backwards hat and chain necklace. 

AIMEE_KNIGHT: Oh God. I think that's a work picture or something. I'm not... 

AJ_O’NEAL: You didn't have a picture before. 

AIMEE_KNIGHT: Did I not? Well, now that I look at it, this is me skating. You must have linked my Gmail account or something. I'll send it to you. 

AJ_O’NEAL: Anyway, yeah, yo yo yo, coming at you live from the viewing-Aimee's-profile-picture sphere. That's not creepy. 

CHARLES MAX_WOOD: So I was waiting for you to tell people that it had snowed here. I'm Charles Max Wood from DevChat.tv. This week we have a special guest and that's Kevin A. McGrail.

KEVIN A MCGRAIL: Hello everybody, I live outside of Washington, D.C. in a little place called Fairfax, Virginia. It was my birthday Friday, but happy birthday and looking forward to it, thanks. 

CHARLES MAX_WOOD: Wow, it's a big birthday week. Because my birthday was Saturday, or yeah, Saturday. 

KEVIN A MCGRAIL: Happy birthday. 

 

About You is one of the fastest growing e-commerce companies in Europe. The headquarters is located in Hamburg, Germany, and currently the fashion online shop is live in 10 European markets, with more than eight million app installs, and the platform handles more than 300 million API calls per day. They are looking for awesome team members. One third of their employees are developers that come from over 40 different nations, which truly enriches the teamwork of the company. They also allow people to relocate and they offer free language courses as part of the deal if you want to relocate. Plus, they run Code.Talks, which is one of the biggest tech conferences in Europe. They're currently looking for full stack developers, front end developers, Dart slash Flutter developers, quality assurance engineers and project managers. So if you want to get involved in a terrific company that does awesome stuff for the community in Europe, then go check them out at about you.com slash apply. 

 

KEVIN A MCGRAIL: So for all the December birthdays, if you celebrate holidays, how much does it suck when you get your combined holiday gift though? Sometimes if you were good, like I learned later on to maneuver that to be like, Hey, can I get a giant gift for my combined birthday?

AIMEE_KNIGHT: My birthday is a week from Friday, and the saddest thing to me was never like the gift issue. It was when I was little and wanted to have birthday parties and all my friends were out of town. That was the sad part. I don't know if anybody else experienced that. 

AJ_O’NEAL: I never had any friends. I should have thought of that before you were born. 

AIMEE_KNIGHT: I know. I think I was an accident, though, so. Maybe not an accident. I was unplanned, so. 

AJ_O’NEAL: A lot of us think you were an accident. 

CHARLES MAX_WOOD: Oh, man. 

AIMEE_KNIGHT: Thanks.

CHARLES MAX_WOOD: Yeah, my birthday was early enough to where it was before Christmas break. So the weekend would be before people left, but yeah, I always got the combined present. It was like, this is for your birthday and Christmas. And I was always trying to tally up in my head how much it costs to see if it was fair. 

KEVIN A MCGRAIL: Well, see that was never too bad. Like I said, I learned later to manipulate that, to get the giant gift for the holiday slash birthday, but what was really bad is when they were coming in the door and going, Oh crap, it was his birthday two days ago. We need to change it. So it says a Merry Christmas slash happy birthday. 

DAN_SHAPPIR: Uh, I'm at that age where it's, uh, it's good to forget that you had a birthday. 

CHARLES MAX_WOOD: Yeah. My son's birthday was on the ninth and we may or may not have repurposed a couple of gifts. 

KEVIN A MCGRAIL: Don't do that horrible father. 

CHARLES MAX_WOOD: Yeah. Anyway, we, we have you on today to talk about web security and security frameworks.

KEVIN A MCGRAIL: Glad to talk about it. I love security. I love talking about it. I love making the world a safer place and happy to jabber about it all day long. Heck yeah. 

CHARLES MAX_WOOD: So it's interesting just to kind of get the conversation going. I looked at it and I started immediately thinking, wait, so there are security frameworks and are we talking about like frameworks in the same way that we have like React, Angular and Vue? So we actually have coding code frameworks for security or are these more sort of like mental models that you implement into your applications? 

KEVIN A MCGRAIL: No, so that's exactly what they're, they're security frameworks, just like the development frameworks that you're talking about. They try and give you a very structured approach to giving yourself a good security posture. 

CHARLES MAX_WOOD: Gotcha. So what are some of the ones out there and what are the trade-offs then? 

KEVIN A MCGRAIL: Oh, that could be an entire multi-hour-long discussion, but I did pick a couple that I wanted to talk about today. So, you know, a little bit about myself. My name is Kevin A. McGrail and I work at a company called Infrashield. And what Infrashield does is we work on high value, high target cyber physical security for the critical infrastructure sector. So what that means effectively is we do security for both information technology, that's like what you guys know of as like firewalls and things like that, as well as operational technology. So that's things like building access controls and HVAC systems. And it's the combination of those two things where a lot of hacks have happened. You know, there's some pretty big, pretty big name hacks that have occurred where like things have come in through HVAC systems and gotten into point of sale systems and things like that. So some of the frameworks that are out there. So one of the ones that's probably gaining a lot of traction and a lot of discussion, the DOD is going to be implementing next year, is called CMMC. That particular framework uses what's called an RMF or risk management framework. And it kind of goes down some checkbox questions, if you will, to try and make your security posture better. The Bible that most people follow is from the National Institute of, what is it, Standards and Technology, or NIST. It's called the 853. That particular publication has a bunch of controls, or what they're called. They're kind of like questions about how you're doing things. But for a lot of people that have probably never done any type of security controls, one of the ones that I tell people to look at is PCI DSS. It stands for the Payment Card Industry Data Security Specifications. And a lot of people that do web work are familiar with it because they'll have a customer that's like taking credit cards or something like that. And they're told that they have to follow PCI DSS. 
And it's a very good framework from the standpoint that if you follow it and use it, you will have a very secure posture. The PCI DSS framework is a self-assessed questionnaire, and on top of that it has a lot of very confusing verbiage in it where people don't necessarily realize when they're not compliant, because the questions aren't particularly thorough in implementing controls. So I hope that answered your question. 

DAN_SHAPPIR: So going back to Chuck's question, are we talking primarily about frameworks in the sense that it's documents that describe an auditing process or a self-auditing process? Or are we talking about actual software that I deploy within my infrastructure if I want to be more secure? 

KEVIN A MCGRAIL: So that's a good question. So normally those two are kind of blended. So you have, you know, what we would call the controls that you would go through that says audit process, self-audit process. Normally after you've done a self-auditing process, you would take it to the next step. And so before I get to the next step, a lot of times when I come in and do software development assessments, what I do is I talk to the programmers and I'll ask them a pretty basic question. I'll say, what security issues do you think might exist in the software today? And a lot of times they will tell me a lot of things. Oh, I think we're doing this wrong. I think there could be some issues here. I'm worried about the way we're sharing keys here or the way we're reusing a password here. Things like that, basic techniques, and people know it. And then we normally move to a thing where it's like, okay, the first step in fixing a security problem is acknowledging you have a security problem and starting to write it down. So if you're using Jira or Bugzilla or whatever bug tracker, GitHub, start opening tickets that say, hey, there's a security issue here. I think the software is exploitable by doing this, this and this. Then if you can take it to that next stage and actually prove that it's exploitable, that's kind of what the security professionals do. Sometimes we'll use software to do that. So there's scanning software like Nessus or Tenable. There's a billion companies out there that sell quarterly and monthly scanning of your software to tell you whether it's out there, as well as software like Black Duck, which got bought by Synopsys, that can do an open source software analysis of your code and kind of come back and tell you where you might have some problems in your embedded libraries and things like that. 
So that you can then reiterate that, make a new version of the product that's more secure, and you kind of repeat this self-assessment as well as the automated tools to come back and tell you whether or not you have any particular exploits in your code. 

DAN_SHAPPIR: So when you use the term framework in this context. What exactly do you mean? How do you define framework in this context? 

KEVIN A MCGRAIL: That's a good question. The reason it's used as a framework is because it's just like a house. It's basically something you've got to go in and put the two-by-fours up. You've got to go put the drywall on and build all the rooms. So in this particular case, they come out and they tell you some things that you've got to do as part of a security framework. They tell you that you've got to implement certain things, principles of least privilege. You've got to have, you know, all of your administrators have to have security standards and perhaps use two-factor authentication. And you go in and fill out basically a kind of a yes, no, or what do you have to do to get to be compliant with that framework's control. And so that's why it's kind of a framework. You really could look at it as just a questionnaire. But the reason that it's more of a framework is because, especially with the way people use cloud these days, there's a cloud standard called FedRAMP where basically some portion of the framework is done by the contractor you've hired to host your website or host your resources. And then some part of that framework is implemented by you. So you could kind of look at it as a house where one contractor is coming in and building the garage and another one's putting in the security system, but then somebody else has to come in and do the overall assessment of the entire implementation to tell you that everything's good. 

DAN_SHAPPIR: From your experience with working with various companies or development organizations that build web applications, web services, what not whatever, how capable are they of really self auditing? Or is this something that absolutely positively requires bringing in a professional like you or your company in to assist with the process? Or is this something that I can just do on my own. I guess it varies from framework to framework, but in general. 

KEVIN A MCGRAIL: So generally, I like to educate people. I like to train people. So I would tell people to download the PCI DSS self-assessment questionnaire. So it's called like SAQ-M would probably be a good one for a merchant. Start going through the questions and see whether or not they make sense to you. There'll be things like, for example, do you have any production systems that are on Wi-Fi? If you're on Wi-Fi, are any of the systems accessible with anything less than WPA2? Are you using multi-factor authentication? Things like that. And if you don't know what those statements mean, that's probably where you'll want to have a professional come in. I think a lot of times I come in for a very short engagement. I try and help people get to a good security posture where a lot of it is about changing people's minds that security is important because when you're building a minimal viable product or you're a startup, the last thing you really care about is how secure the product is. You care about if it works and how many users click and whatnot. You're not going to be worried about are you doing hashing and salting on your user database. Now if I ask a question of you and I said, does your application use hashing and salting for the storage of user passwords. If you don't know what that means, you're probably not gonna be able to pass most security frameworks. But that doesn't mean you couldn't learn about it and come up to speed about it. 

CHARLES MAX_WOOD: I'm wondering, do you have any like horror stories or case studies where people have started working on something like this and then realized, oh, we have a major problem or where they should have known and ignored it and then wound up having a problem later on?

KEVIN A MCGRAIL: Yeah, I mean, there's so many horror stories. I often tell people when I talk about things from a humor standpoint or things like this, it doesn't mean that I'm not serious. It just means that sometimes I have to make light of the issues I deal with, or I go insane dealing with it. But for example, I've had a customer that we offered a free assessment, offered to look at some of their past audits and come back and give them a second opinion, do some particular involvement in that situation. And the response back from the CISO, which is like the Chief Information Security Officer, came back and said, no, don't do that. We know you'll find too many problems. So that's a phrase we call ostriching, when people want to basically be blissfully ignorant. And the problem is that in US law, that can involve something where negligence is at play and punitive damages and 3X multipliers and things like that come into play. So the main thing I tell people really is acknowledge that security is important, document things, and even if there's a problem that's caused by your security, the fact that you acknowledge that there was an issue and you've started working on it can save you from some very, very, very large fines in regulatory frameworks, but as well as things like CCPA that'll go into place here fairly soon, if you're not protecting your customer's data. Sorry, Aimee. I have something to add about CCPA. 

AIMEE_KNIGHT: I'm in CCPA hell right now. But I actually have a question. I don't know if now is a good time, but. 

KEVIN A MCGRAIL: That's good for me. For those who don't know, CCPA is a privacy law that's gonna be going into place for consumer protection in California. And so similar to GDPR and other frameworks that have gone in place around the world, CCPA is probably going to have larger-reaching impacts to companies that have customers in California. So hit me with your question though. I just wanted to bring in that. 

DAN_SHAPPIR: So just before the question comes in, does that mean that in addition to that annoying question about cookies from the GDPR, we will now have two questions, you know, for two separate frame standards simultaneously for every website? 

AJ_O’NEAL: Yeah, there's gonna be another one. This website is known to the state of California to cause cancer, except.

AIMEE_KNIGHT: Yeah, I mean, so this is where my question comes from. I don't know if you want to answer Dan's question first, but. 

KEVIN A MCGRAIL: So, Dan, that gets into a whole world of hate. This is a big issue for companies dealing with multiple what we call nexus, which is where what areas of their business impacts and the change of how Internet works. There's a lot of stories about whether or not companies will fall under CCPA, whether they fall under GDPR as you mentioned, the cookies policy, and a lot of it is all about individual jurisdictions trying to stretch, and in some cases, people including myself will argue overreach, their jurisdictional boundaries to try and force people to do things. So yes, I expect you'll see, certainly because of the large number of companies that we think of as industry leaders that are based in California, you know, certainly, you know, Google, Twitter, to name three very, very large providers. I think you're going to see questions revolving around CCPA. 

DAN_SHAPPIR: Yeah, I was just going to say that it seems like whenever I go into a website, before I can get to the content, I need to click on so many dialogues. Like there's the GDPR one, there's the one about blocking notifications, there are probably others. So it seems as though content is getting ever further away from me. 

KEVIN A MCGRAIL: Well, for those in the US, they may not see that because a lot of the companies implement that with GeoIP tagging. So you only see those warnings when you're outside of the United States. But no, I agree. You know, I've even had problems. I was doing a live demonstration at a college in Ontario and I was showing people how to do practical G Suite administration. So part of the demonstration, we were signing up for a G Suite instance and everything got redirected to google.ca, as well as the fact that all the various privacy warnings came up for Canada, and then it wouldn't take my credit card because it was an out-of-country credit card. I actually had a kind person in the crowd who came up and gave me their credit card to use for the demonstration so that we could get past it. But yeah, I agree. It's an issue and it makes it very complex. Complexity is the enemy of security because it makes it difficult to understand, especially when you and I, I think you said you're in Tel Aviv, if I didn't know that you were in Tel Aviv and that you're getting totally different prompts from what I'm seeing and we're trying to walk through some sort of security framework, can you imagine what kind of a nightmare that causes? 

DAN_SHAPPIR: Yeah, I would imagine. Aimee, I interrupted you like a dozen times. 

AIMEE_KNIGHT: Yeah, I'm dying here. Yeah, I have a lot of questions and that's where I was kind of hoping to take this discussion, because I have actually been like pretty heads down in CCPA land, more like CCPA hell, for the better part of like the past three to four months for the team that I'm on. And there are so many, so it's even my understanding, I don't know if you are familiar with this, but the law has even been revised recently. And so I feel like even the lawmakers are really unsure. So this just makes like implementing this, um, for a dev team, like nearly impossible, because if you can't break down the law into like understandable parts, like how do you implement that code wise? So I'll ask my question in a minute, but I guess kind of like what I'm getting at is there's just, there's so many gotchas because, you know, this affects companies basically, um, it's not just if you reside in California, but if you sell to people in California. But like one of the biggest questions is like, how do you determine if it's somebody who's domiciled, if I'm using that word correctly, in California. So, you know, they could be traveling. So you can't really like, you know, geolocate people because then you end up potentially like showing banners and whatnot to people who aren't in California. Like it just seems like potentially like the lawmakers didn't really, which didn't surprise me really, I tried not to get super political, but it seems like they don't really have context of technical details because there's a lot of unknowns now. Thankfully there's a grace period with CCPA where you have six months to kind of like get all your ducks in order, but I think it'll be interesting to see 1/1, when this is, you know, people have to be compliant even with this grace period, what happens. But backing up, so my question really was, in your opinion, how has the landscape changed from like a security standpoint? 
Because even like now what we consider PII, or personally identifiable information, is information that was completely public maybe like a decade ago, or still public in phone books and whatnot. But now it's potentially like a security issue. 

KEVIN A MCGRAIL: Yeah, that is a great problem to unwrap there. I mean, we were talking about horror stories. When I went to Virginia Tech in the early 90s, they used to post all your grades next to your social security number. And so basically you memorized all of your roommates' and friends' social security numbers because you could go by the classroom and check on how they did on a particular test or assignment. And then of course they took reams and reams of all these papers with everybody's social security number and just threw them in a dumpster every day. So yeah, what was considered public information not that long ago, drivers license done with social security numbers, et cetera, now all of a sudden is being treated like PII and it's going to cause a lot of problems, especially with things like FOIAs and voter rolls and all of the big data analysis that occurs with this data. So, so yeah, to unwrap some of what you're saying. GDPR is a great example. It's been a law of great intentions and horrible, horrible implementation. In my opinion, GDPR is virtually impossible to be compliant with because the regulations are so poorly written. 

AIMEE_KNIGHT: And that yeah, that's how I feel is CCPA only like it's almost even worse because it's like a segment of the population. 

KEVIN A MCGRAIL: Right. 

CHARLES MAX_WOOD: And if you're not aware of

KEVIN A MCGRAIL: Yeah. And CCPA had five revisions passed, I think, like mid-September, which was the closing of California's legislation. And what's interesting is they didn't pass a sixth one, which a lot of people thought was bad as well. So five out of six revisions got allowed. The sixth didn't. And some of this, you've seen this in Europe already, is that these type of laws can be weaponized. You know, certain large corporations were filed against day one when GDPR went into effect. The EU regulators have said that they don't have enough money to fix the regulation until they start getting some of the funds from the regulation. So they're interested in monetizing these. 

AIMEE_KNIGHT: Yeah, it really makes you wonder because there are even companies out there that are spinning up with the purpose of, if you are some sort of like consumer on the internet, you can work with these companies and they don't charge you any money. And these companies will proactively go out and like, I'll say, like fight on your behalf, which I understand, you know, in a place now where like we do have more access to information, we want to be a little bit more protective of it. But the part that like sounds all these alarm bells off for me is like monetizing that at the expense of like other people. Spinning up these companies just feels like a little bit dirty to me. It just makes you wonder like the law in general, like, is this really to serve our consumers or is it to serve like the pocketbooks of some people? 

AJ_O’NEAL: Absolutely the latter. 

AIMEE_KNIGHT: At the expense of my 70 hour weeks. And I'm exhausted. Hence why I've been super quiet on the podcast. So. 

AJ_O’NEAL: Well, this has happened with, I mean, every piece of legislation with the, you know, quote unquote net neutrality, which is about making sure the net is not neutral. Like so many things go to the legislature and they're exactly the opposite of whatever they say they are. You know, so they say this is a flying kite and it's a sinking rock. And it is to fill people's pocketbooks. It's because there's companies that are going to make money or special interest groups that are, you know, going to be able to take advantage of specifically targeted individuals or businesses or whatever. 

KEVIN A MCGRAIL: Yeah, I mean, I do think there is some altruism built into the concept of these laws, but unfortunately, it's going to follow the law of unintended consequences where it's going to be weaponized. It's going to be used by big businesses that have the budgets to comply with CCPA and GDPR and similar laws. And they're going to use it to squash the smaller competition from coming into play. You already see this with security frameworks. 

AJ_O’NEAL: So like patent trolling, but GDPR trolling? I start a company just to get hired to do investigation, to put other competitors out of business. 

KEVIN A MCGRAIL: I'd invest. Sounds like a business plan to me. 

CHARLES MAX_WOOD: Yeah. I think it's interesting too, just to dive into this. I've been fairly involved in the political processes here in Utah. And yeah, I mean, a lot of this, they wind up, you know, passing a law and then they'll, you know, they'll refine it and then they'll refine it again, you know, because they're realizing, Hey, you know, there's something here that's problematic. And there's a lot to the idea of the law of unintended consequences. The other thing that's interesting to me here as well is just, yeah, the burden, the regulatory burden against companies that have to implement these things, right? Because now you can't just have a startup that just has the bare minimum functionality, but they've got to meet all these regulations. But the other side of it is, is that they should have some obligation to protect the data. And so, you know, where's the, where's the fine line that kind of strikes the balance there? You know, it's, it's interesting too, you know, we've had similar conversations about like accessibility and things like that, where it's like, yeah, everybody should be able to use every website on the internet, but to mandate it governmentally means that now you have this extra thing that all of these companies have to do. And competition is a good thing for the economy. And so again, you know, where, where does the trade-off balance, right? Because there are these principles that we all kind of believe in, but they're in conflict in some way. 

AIMEE_KNIGHT: The issue that I see too, like CCPA, is there are so many loopholes in the law that I also don't know how much it protects the consumer. And it's more like up to just the company as to like how honest and nice they want to be because there's how the company is using the data, if it's for a selling purpose or if it's like a service provider. But service provider is where that verbiage gets really iffy. 

DAN_SHAPPIR: I have a question, Aimee. Can you give a concrete example of some change that you either have done or need to do or are working on doing as a result of CCPA? 

AIMEE_KNIGHT: Hmm, let me think what is appropriate to share. So, and I'm also interested to hear other people, but the approach that we're taking, the way that the law is written, and because there's not a lot out there, and obviously we have a legal department and stuff like that, so I've been working closely with them. And so I'm the tech lead for this project, which, there's, I personally feel a lot of pressure because I want to steer the team in the right direction. And there's just, there's a lot of implications if I make the incorrect choice on anything. So the implementation of it is, I don't really feel like there's a clear path. We're taking a session-based cookie approach right now, but we plan to do further work around that because there's also, like, you know, we don't, you know, we want it to be a good customer experience for people. And, you know, if they're using a different browser or something like that, then we want to do as much due diligence as we can to not have to have users, you know, have to, like, re-opt out and things like that. But there's, there's so many open questions. 

KEVIN A MCGRAIL: Yeah. And there's no answers. I mean, it follows a pattern of some very, very large regulations getting passed that have no real technical guidelines for how they can be approved or how they can be implemented. Not even, like, examples of "here is one that we approved that you can model off of and you can go with." So yeah, I feel your pain. I think it's going to be, unfortunately, a difficult couple of months. I think at least the California legislature is doing a pretty good job of trying to give some exemptions that make sense and some leeway so people can kind of, if you will, explore what might be a good way to do this. And at the end of the day, I do applaud them trying to keep people's data private. But as you mentioned, there's just all these loopholes, and all these loopholes basically represent XYZ lobbyists that got in there for XYZ industry so that they wouldn't be affected and they could continue doing evil things with the consumers' data that other people can't. 

AIMEE_KNIGHT: Yeah, and I don't mean to get us too far off topic of like, quote unquote, security issues, but yeah, it's just if we're going to, I think, as just a country or the internet in general, if we're going to start passing these laws, then we need to have technical people who are involved in creating the laws because right now there's just really no way to enforce it on either end, technically. 

KEVIN A MCGRAIL: And that's a great point to lead with because this is something I talk about with the bad guys a lot, is that, you know, if your PII leaks and you can have all the rules in the world about right to be forgotten and things like that, your data needs to be expunged, the bad guys don't follow that. They're not going to follow it. And this is part of what I think they're trying to stop, is they're trying to kind of, they're trying to be the Dutch boy with his finger in the dam that's broken. And whether or not that's going to help, I don't know. And meanwhile, they have all these unintended consequences to legitimate businesses trying to do things. So I wish you luck in your implementation of CCPA, and try not to let it ruin your holidays too much. 

AIMEE_KNIGHT: Thank you. Yep. Yeah. 

CHARLES MAX_WOOD: I want to add one other thing to this. I remember I was contracting on an app fairly soon after they passed HIPAA. And what wound up happening was a whole bunch of people came out with a whole bunch of best practices. And I kind of see the same thing in security in general. So people come up with a list of best practices, but a lot of those, you know, beyond sort of the general advice of, you know, keeping your packages up to date and using modern strong encryption with the, you know, certain length keys or whatever, you know, so sort of maintaining the state of the art. A lot of those best practices address, this is how this other company got breached, don't do this. And so, you know, kind of heading back towards security, but also, you know, talking about the regulatory end of this, it's interesting too, just to see how it gets interpreted by, usually they're like rules committees or rules bureaucracies within the government that try to clarify what the law actually means once it's been passed. And so you try and abide by those rules as well. And then you've got, yeah, these best practices that may or may not actually, you know, keep you in compliance. And since there's no solid standard for compliance, just like there isn't when we're talking in general about security, it makes it really hard to hit this. So how do you know if you're actually, you know, getting closer to the mark? Because I don't know if you're ever going to hit the mark, but how do you know you're moving closer to it? 

KEVIN A MCGRAIL: That's a great question. And I know I shouldn't say that every time you ask a good question, but. So I have a question that I ask developers and companies a lot, and it's very telling. What I ask them is, what is your process to take code from a development system to QA to production? And how long does that process take? Then when people give me an answer, what I follow that up with is I say, okay, I found a security problem in your website or your code. I've got the fix. I'm going to hand you the fix. Here's the one-line patch you've got to make. How long from the time I hand you that one-line fix until it's live in production? And the longer that period is, the worse off you are. And so that's where I look for a lot. And that's where you see a lot of really good company development that revolves around rapid release frameworks, ways of getting things into multiple A/B. So, for example, they can push out new code to a small subset of people. And then if it passes with those people, it can roll out to more people, you know, different QA processes that are going out. There are some companies that claim that they do literally tens of thousands of releases a day. So, you know, perhaps the CI/CD, or continuous integration, continuous deployment, type of environment. But that's the question I ask. So it's kind of a question back for you. If I give you a fix, how long does it take you to put it in production? And if you think about it, that's an easy one. Now you take it from, the law has changed. You've got to do something to change it, to have your website do something differently. How long does it take you to react to that change, short of taking down your site while you fix the problem? 

CHARLES MAX_WOOD: Yeah. But isn't that a double-edged sword? Because how long between when I introduce a vulnerability, right? Until it's out there in public. But yeah, you have to be able to respond because, yeah, I get what you're saying. I can just kind of see it the other way too. 

KEVIN A MCGRAIL: Well, and that's why in the security world, we measure exploits on a term called zero day. Zero-day means that the exploit is not known. So it's always a zero-day exploit until the day it becomes public. And then the counter starts for not being a zero-day anymore. So hopefully you don't deal with too many zero-day exploits. That's a totally different level of issue. But you know, let's get out of the zero days and talk about things like something's in the MITRE CVE database. That's the vulnerabilities database that's out there. So you know, there's a vulnerability in your software. You know exactly how to fix it. How long does it take you to push that fix into production? 

CHARLES MAX_WOOD: Yep. That's what you can control. 

KEVIN A MCGRAIL: Yeah. You've got to control the stuff you can control, and, you know, security is always about risk. You know, you're never going to close off everything, but you have to figure out what's the appropriate amount of resources and time that you can put into place with it. And for me, a lot of the reason I wanted to come on here today is to start with the fact that programmers need to look at things such that security first has to be a principle of the company. The programmers have to take pride in the company and the code they're writing. The company has to take a strong security stance so that people are proud to work at that company and proud that they have a good security stance. And if you can build that security culture up, you can start to fix things, because there's always so many things to learn about security and about how bad actors will gain access to your system. I do a training that I call Cam's Think Evil class because what I try and do is I try and tell administrators and programmers to think evilly. One of the roundtables I do is I'll put all of the programmers or administrators into a room and I'll basically say, okay, you're now in think evil mode. I want you to tell me all the ways that you would try and steal or exfiltrate data or rob the bank, whatever the particular scenario is, and how you would go about doing it. And then, of course, after that exercise is done, we flip it to how realistic are these particular exploits and how would you fight them? Because you have to start thinking like bad guys and how they will exploit things to start being a good guy and stopping the bad guys from doing things.

DAN_SHAPPIR: I actually did this sort of training at my current employer and it was awesome. And I, you know, it was eye-opening and sometimes entertaining and sometimes scary. But the thing that kind of concerns me is that if I look at web development today and the rate at which new developers are joining, I remember hearing something like 20% of web developers are new developers, so that within, like, three years the majority of developers are going to be juniors at that kind of churn rate or growth rate. You know, you're probably going to need to do, they need to do this sort of training like once every, I don't know, 18 months or so. It becomes problematic for a lot of companies to invest so much effort and resources in that. So the question then becomes, can some of this effort be somehow automated, maybe as part of the CI/CD process? 

KEVIN A MCGRAIL: I think that absolutely the automation is a key. It's always the balance because it's a cat and mouse game. A lot of my area of expertise is email security. A lot of the scams are the same. Like for example, the Nigerian scam, you know, the Nigerian gold scam that you guys have probably seen over the years. Most people don't realize that's about a hundred years old. It was pulled off long before the internet was involved. Some of the first spam was for real estate scams over telegraph. So these issues, these concepts aren't out there, but they evolve and they need to be constantly revisited. So unfortunately, the type of techniques we use to fix them, some of them stay the same. Like one that constantly amazes me that programmers don't know about is SQL injections. And for anybody who's listening to this podcast and doesn't know about it, if you are not aware of SQL placeholders, go spend some time reading about SQL placeholders. It pretty much ends, and has ended since the mid-90s, any concept of SQL injection. So my firm, for example, has not used any SQL statements without placeholders for going on 20-plus years, nearing 25 years. So we haven't been vulnerable to an SQL injection in nearly a quarter of a century. Why are SQL injections still a thing? That would be a question I'd ask. And it's because of exactly what you said: people coming into the field, junior programmers, aren't aware of the bad techniques with things like that. They write something to fix a problem, not realizing they've just opened a big giant back door for the bad actors to come in and exploit a website. Whereas if they were taught on day one that here's how you write an SQL query, here's how you implement a placeholder, and don't ever write a query without a placeholder, problem solved.

AJ_O’NEAL: So one thing I find so frustrating is that that's such a simple and elegant solution, but people come back and they say, well, we can't spend time teaching people security because we've got so much else to teach them. And my opinion is, well, I mean, if you just show them the right way the first time and you don't ever show them any other way, then they're not going to know, like, oh, this is more difficult or this is less difficult. And with something like the SQL injection, it's just, using placeholders is easier than not using placeholders. Except for one rare case where you need to do dynamic table manipulation; most databases don't support placeholders for creating meta-characteristics like tables and that sort of thing. But anytime you're doing a query, using a placeholder is actually easier than concatenating a string together. 

KEVIN A MCGRAIL: Certainly makes it a lot easier to read. You don't have to worry about escaping things. No, you don't have to worry about different languages, and yeah, no, I can't disagree whatsoever. You know, this is part of my evangelistic endeavor, to make companies realize that security first has to be a posture. And unfortunately, or fortunately, things like CCPA and GDPR are going to make the ramifications of not having a good security posture quite big, and your company is going to go bankrupt if they don't follow this and end up with their data hacks. You know, again, hashing and salting. If you wanted another thing, if you're listening to this podcast, if you don't know what hashing and salting is, go look it up. If you're storing usernames or passwords, definitely passwords, in clear text and you aren't hashing them, and then if you're hashing them, if you aren't storing them with the salt, you're probably making a mistake. These are little tiny techniques that have been known for, oh gosh, 30 years, maybe more, when things like MD5 started coming into place with password encryption and things like that. So I don't have a good solution for how to fix it, beyond bringing awareness and making sure that companies know that security is important and training is important. 

AJ_O’NEAL: So I want to get your opinion on something because passwords are a pet peeve of mine. I don't understand why we use them because they're only a back door. The password is the back door, because the way that I authenticate is essentially through my email address, and by putting a password on a website, you've now given a back door that I can get in another way, right? Like if we just did second-factor authentication, if it was just you go to login and it sends you the email link and you click on it and boom, you're done, or it gives you the notification in the app and you click allow and you're done. Like to me, that would be at least not taking away from security. Whereas I see passwords as, no matter what you're doing with passwords, reducing the security as soon as you introduce a password, because yes, but the person has to register anyway 

DAN_SHAPPIR: Sorry for that, but I can't resist: but then how do you get into your email? 

AJ_O’NEAL: Well, okay. There's lots of different ways that you could go about it with, you know, two-factor authentication, the biometric stuff. I mean, think about how you get in your email right now. Usually it's biometric, right?

STEVE_EDWARDS: Yeah, I can sort of jump in here, and this is interesting because I work for a company that does biometrics. That's what we do: we provide authentication to companies who want to use biometric authentication to get into whatever resources they need to get into. And one of the things we've passed around recently here was an article about second-factor authentication and how it can be hijacked. You know, one of the cases, and I'm sure we've seen this, is where SIM card hijacking, you know, where people would use text messaging as their second-factor authentication. Well, somebody gets a SIM card and somehow hijacks their number. All of a sudden they've got access to everything that this person is using that phone for authentication. So anyway, it's not, I know you're not saying it's a panacea and a cure-all, and it's slightly, you know, gives you a little more security, but there's issues there too. 

AJ_O’NEAL: So I'm going to have to first recommend, there's a video on YouTube by Technology Connections, something about LED lights, and it's like, switching street lamps to LED lights works, except sometimes. And that "except sometimes," what he points out in the video, is like, it's a dangerous phrase, because sometimes we have a technology that's better in every single way, but of course it's not perfect, and people latch on to the why it's not perfect. When you're talking about SIM card hijacking, that is a targeted attack. You have to have a stalker in order to do SIM card hijacking. It's not like, you know, a broad sweeping attack where, you know, you get into a faulty database and now you have access to, you know, all six million passwords. 

KEVIN A MCGRAIL: Great point, AJ. I often, the phrase I use is never let perfection be the enemy of progress. It's not a quote I invented. I don't know who to attribute it to, but that is a really big problem. I generally tell people that multifactor authentication, whether it's text messaging, phone, Google Authenticator or some other solution, will stop about 99% and a whole bunch more nines after that of hacks. There are of course still targeted attacks. I work in nation-state level security and things that revolve around the nuclear sector. So I can scare people when I talk about the fact that we use passphrases in addition to things like biometrics or multifactor, because we always want to have systems that have something you know and something you have, because if you're ever compromised, the something you have can't be compromised, whereas your phone can be stolen and things like that, as well as the fact that there can be protocols for things that you've probably seen before, like you punch in a different PIN. You have two PINs, one that's your real PIN and one that's a compromised PIN. And the compromised PIN appears to be working, but alerts that you're compromised. Those types of systems exist and they exist for very specific purposes. 99.9% of people will never, never, ever need those things. Unfortunately, I'm also very negative on biometrics, because when a biometric concept gets hacked, you can't change it. You know, if your fingerprint gets compromised, you can't change it. And there have been numerous situations where people have done high-res photos, used things like laser printers and Elmer's glue to do the, what I think, the defense minister in Germany, and get into a ministry building as a proof of concept that fingerprints weren't secure enough. So unless you're going to wear gloves in public all the time, that doesn't work. 
Additionally, Apple with their face lock technology, not only does my son unlock an Apple phone with me on it, but his picture unlocks it, both of which should not work. 

AJ_O’NEAL: Whoa! Apple phones can be unlocked with pictures? They don't do IR? 

KEVIN A MCGRAIL: They're supposed to. I can just tell you, and there's people who have now made some 3D mapping type of things to get around the face lock as well, from single 2D photos they've exploited as well. But like I said, it was a bug. I showed it to the guy. He acknowledged that yes, that should not be occurring. Of course, Samsung, as you might know, had a big problem with I think their S10, where if you had any screen protector on your phone, then any fingerprint would unlock your phone. The big, huge issue that occurred in the last few weeks, few months maybe, maybe a month or two. Anyway, so yeah, there's a lot. I love that you brought that up, AJ, because just because something's not 100% perfect doesn't mean it's not better. With passwords, the other thing I would, another tip that I would tell people is look up passphrases. Passwords are old. If you're still using concepts like uppercase, lowercase, eight characters long with a special character, that has a very low entropy. You're better off using longer things. So like the perfect passphrase that I tell people to use is "My wedding anniversary is January 1, 2020." It's very long, it's not gonna get brute-forced. It's very easy to remember and it also helps you not forget your anniversary. So passphrases are much better than passwords. So, yeah, 

AJ_O’NEAL: except when you go to a bank and they're like, your password must be between six and eight characters long, contain those special characters and only lowercase. 

CHARLES MAX_WOOD: It'll only work on our mainframe that way. 


KEVIN A MCGRAIL: Don't get me started on the financial institutes. You know, like one of the things that I try and get people to stop doing, and, well, Aimee is the resident female on the panel, how many friends do you know that have Facebook accounts, that have gotten married, and their Facebook account has their maiden name on it? 

AIMEE_KNIGHT: No. Yeah, that's very true. 

KEVIN A MCGRAIL: Yep. And there are major financial institutions that have their standard password as "What's your mother's maiden name?" So how hard do you think that information is to get out there when mom and grandma and whatnot are all on Facebook, and I'm a targeted attacker and I wanna figure out your family tree and whatnot? 

AJ_O’NEAL: Yeah, the targeted attacking is such a different beast. Right? Like I wanna make sure we really, really stress that. Cause we're talking about targeted attacks, and that is not 99.9 many nines repeating types of attacks. Like if somebody is stalking you and takes your phone and uses a 3D print of your face or some special glue to get in your phone, like, your life is already in danger. 

DAN_SHAPPIR: Yeah. Sorry. I, all I'm saying is if somebody is really out to get you, I can literally get into all your accounts by coming over to your house while you're in it and grabbing you with some rope and a hammer. I can probably get all the information that I need out of you. 

KEVIN A MCGRAIL: Yeah. Dan scares me. He's already threatening. No, you're totally right. This is what we refer to as FUD, spreading fear, uncertainty and doubt. It doesn't improve people's security posture. But the techniques I'm talking about with social media are really used. Like one of the other techniques I tell people is to be very careful in what they overshare. Social media is one example of that. One big example that we see a lot in the business world is be careful what you post in your out-of-office message. Very common to have an out-of-office message that says something like, hi, you know, I'm out of the office from the 18th of December until the 25th of December. I'll be in Barbados. I won't have an internet connection. In my absence, please talk to Dave. He'll take care of anything you need. Well, now I get that. I know you're out of the country. This is a great time to come steal all your stuff in your house. Great time to impersonate you on the internet. You're not going to see any of the warnings that come from things because you don't have internet access. Oh, and by the way, the person who I might be able to do a spear-phish against is Dave. And I can send an email to Dave that says something like, hey, this is Bob, I don't remember what name I used, I'm in Barbados right now. I forgot to pay a bill before I left. Can you please make sure $5,000 is wired over to Dan so that he doesn't come and beat me up in my house for my passwords? 

DAN_SHAPPIR: Oh my God. I see that I've really done damage to myself in this podcast. And on my birthday, no less. 

KEVIN A MCGRAIL: I know, I'm so sorry. Dan is not a bad actor. I've just been using it as a handy example of real-world situations. But Dan, you're absolutely right. These are real-world tactics that are used. They don't apply. And so I would like to reiterate AJ's statement that things like SIM jacking are very real. Smishing, that's actually SMS phishing. These are techniques that happen. You do have to look at a risk base, how much is your company going after, but executives, money handlers, people that do payroll, very, very common. We had a company that's next to our headquarters that got taken for $375,000 because some spear-phishers looked at it. They figured out what day payroll was on, which is, I mean, you figure what's it going to be, the 15th, 31st, and 1st for 90% of the companies in the world. And they basically sent in a note saying they needed to change the ACH information, similar to SWIFT and IBAN codes, and somebody processed it. And the next thing they know, the entire payroll payment went to a bank that of course was a money mule and the money was gone. These are real techniques; they are used. I do have companies that I talk to weekly, if not more often, that are in tears on the phone, that are dealing with these situations. I have never dealt with anybody who's had somebody physically break into their house and hold them at gunpoint to elicit their passwords, but it does happen in the nation-state level world that I play in. 

CHARLES MAX_WOOD: I think we're kind of getting close to an idea that I wanted to bring up too, and that is, one of my favorite hacking books is Ghost in the Wires. And he talks a bit about, you know, kind of the technical ways that they did, like, phone phreaking and things like that. But then he also talks a lot about kind of the social engineering methods of picking up some of this data, right? And so they'd talk to somebody, they'd get enough information to talk to the next somebody who could give them access to the server where they could then go in and, you know, farm information out of there. And so how much of your security policy is technical and how much of it is like HR, personal training and things like that? 

KEVIN A MCGRAIL: So for me, a lot of it comes down to training. It's a whole system that has to be put into place. And Kevin Mitnick's book that you're talking about, Ghost in the Wires, is an excellent example of combining social engineering with technical expertise to effect a specific getting into a system that you're not supposed to. A lot of times, for example, I start with training. You have to have people, this whole thing we see in the United States, for example, after 9/11, if you see something, say something. If you don't have policies like that, it can be bad. And many times, for example, I go in and one of the people I train is the administrators in the help desk. And one of the things I train them on is not being the typical passive aggressive IT bastards that are portrayed in a lot of TV shows. I love The IT Crowd, but if people are calling the help desk and getting hung up on, that's not going to work. You have to open tickets. You have to look at things as perhaps being the tip of the iceberg. You have to have data. And that's where you can start to see patterns that, hey, you know, we've had calls coming in where somebody is impersonating somebody trying to get a password, and just good policies around this that stop these things. Start with human interaction. Pick up the phone and use out-of-band technology. That's one of the things I talk a lot to the millennials about, because they don't like phones. They like to text people or email, text more often even so. And that's not a great way of necessarily confirming somebody's identity if you have an account that's compromised. 

AJ_O’NEAL: Oh my goodness. This just happened a couple months ago to an acquaintance of mine, where she got a text message, quote, from her professor, and it had, like, misspellings in it and stuff too. But she just chalked it up to, or maybe it wasn't a text message, it was an email. But she just chalked it up to, you know, fat-fingering it, and ended up, like, spending $500 on, like, this emergency. And then the professor sent out an email, like, 30 minutes afterwards and was like, hey, if anybody got an email from me, it wasn't me. And she'd already gotten scammed. 

KEVIN A MCGRAIL: Yeah, absolutely. And so many of these scams, you know, the thing that almost all scams start with is they try and separate your logic from your emotion. And so a lot of what I try and do in any type of training is the number one thing that I hear in incident response. So that's after something happens, you are doing a post-mortem. You're interviewing the people to find out how this occurred and how you can stop it. The number one thing that you will often hear is, 10 seconds after I did it, I knew I shouldn't have. And so everything that I try and do is to give the people that 10 seconds. If there's any question, escalate it to your help desk; have the help desk escalate it. That inserts that 10 seconds, so cooler heads can prevail and the emotion is separated from the logic so that things can be looked at. You know, if you look at almost all your scams, if you guys have anything in your email boxes or whatnot, take a look at how many of them try and add an artificial deadline. If you don't do this, the police are going to come arrest you. If you don't do this, the tax man is going to hit you with something. If you don't do this, your account will be deactivated in 24 hours, et cetera, et cetera, et cetera. Some artificial deadline that evokes an emotional response so that you go, oh my God, here's my credit card, please fix this immediately. Anyway. 

DAN_SHAPPIR: Now, all this training that you do about dealing with phishing and scams and stuff like that, is that part of a framework, or is that just something that you do in order to improve and increase the way that the company operates? 

KEVIN A MCGRAIL: Sure. So the answer to the question is both. So for example, Kevin Mitnick, I think, sits on the board of a company called PhishMe. I think PhishMe got bought by a company called Cofense. Don't quote me on that, but I think that's right. One of the things that that company does is they'll do annual training to prevent phishing. We do similar things. So as part of many frameworks, they'll have requirements for how often things have to happen: annual training, quarterly scans, monthly reviews, reviews of policies annually. Those are standard procedures in many frameworks, and it's often one where people fail because they just don't even have a calendar. I'll come in and say, please show me your, if you will, logbook. That's kind of a little simplistic, but I'll say, please show me your logbook where this policy, this policy, and this policy have been reviewed. And they'll go, yeah, we don't have it. We've never reviewed them since the day they were written. And the framework will say, as one of its lines, do you review your policies annually? And so if you can't come back and show that you reviewed it annually, you will fail the assessment. Phishing training every year is a typical training that will occur. And so many companies, including InfraShield, provide top-notch training on phishing. And that's something, like I said, I enjoy doing. It's something I like to do because I customize it for the particular sector, the particular customer, we deal with real-world situations, and I try and bring some, if you will, humor and real-world situations to it so that it's not a dry, boring thing, so that it's a more effective training. So I hope that answers your question. 

DAN_SHAPPIR: Yeah, it does. By the way, how long does this training usually last? 

KEVIN A MCGRAIL: So I apologize if this is a little salesy. So at InfraShield, we come in and do an entire day's training. What we do for that, I'll tell you, we do a flat rate of $4,800 anywhere in the US. That includes customizing the entire presentation, dealing with any specific things for your particular company or your sector, flying in, coming in. Typically, we start at approximately 8 a.m. We would do an hour-and-a-half training for end users. We would then move into a four-hour training with the administrators. We would then probably stop for a lunch, maybe with the C-suite level people, and go over particular issues they have. And then in the afternoon, we would go into a training with the problem people. So maybe people that have been hacked, or people that maybe are complaining about the issues, so that we can deal with their particular problems and what their particular complaints are. And then oftentimes, one of the things I like to do is finish it up in the evening. You know, if we're in a particular city, to work with a chamber of commerce or a city hall who will host us to come in and do an hour-long presentation where the general citizenry and businesses from that area can come in for a free presentation, and just do some training on general phishing awareness and how to help themselves. So some of it's business, but a lot of it is based on just making the world a safer place. 

DAN_SHAPPIR: Cool. That's really great. 

AJ_O’NEAL: So one thing that I wanted to bring up before, because we're getting kind of close to ending here. Since we are coders, and to us, framework means something that you can npm install and get 10,000 dependencies, each with their own security vulnerabilities, Bitcoin hijackers and password snatchers. We want something like that. Now I know of Helmet. Do you know of anything in the JavaScript space that is a module that helps with multiple facets of the technical API layer of security?

KEVIN A MCGRAIL: I unfortunately don't, because unfortunately most of them, including Helmet and things like that... if you're using certain things like Angular as a framework, for example, one of the biggest security issues you can have is if you go and touch the DOM directly. And that's where you've got to pick a framework, a development framework, that has good security implementation. So Angular is a great example of a framework that was designed with security first. And a lot of times the problems that I find in Angular situations, so if I come in and am asked to do an assessment on an Angular project and find security problems, almost always where we find problems are SQL injections, people not updating their copy of Angular, people forking the code. That's one of the biggest things, and that probably applies to a whole bunch. And then people not having a good process to go from dev to production. And so, backing up one, just to clarify what I mean by that: people will get in and fork the particular framework they're using. And then what happens is a new version of the framework comes out that perhaps fixes a vulnerability, but they have to figure out how to bring the fork they made of the framework onto this new version. And eventually they get to the point where they are like, oh yeah, we haven't backported like 35 changes we made over the last year and a half. So we know we're running an old framework. And as you said, it's built on top of 30 other libraries, all these open source libraries that all themselves have their own vulnerabilities. And so that comes down to that whole question of, you know, how quickly can you get from dev to production and whatnot. So unfortunately I don't have a good solution for something that's automated like Helmet and stuff like that, but a lot of it is much simpler. You know, if you aren't doing rapid releases, if you aren't doing constant updates on your underlying libraries, if you have a slow process to get from dev to production, you probably have problems. 

AJ_O’NEAL: I recently helped someone go from 800 high-severity bugs, security bugs in their npm modules, down to 37 by running npm update. And I think a good half of them were maybe not even as real as it would have seemed, because they were like the lodash prototype things, where the prototype is overwritten, and that was considered like a high vulnerability or something. 

KEVIN A MCGRAIL: Yeah, but don't kid yourself. There's a gentleman named John Walley who works at the International Critical Infrastructure Security Institute, and he has shown a number of situations where two or more low-score vulnerabilities can be combined to become absolutely, completely exploitable. So, you know, you've got to start somewhere. Don't worry if it's a small or a low one; fix them all. These are where things like containers and different types of deployment technologies can be amazing, where you have containers that are destroyed and you just deploy a new container for your code, and that way you can do rapid deployment. Thinking about techniques you can use for rapid deployment also helps a lot with security. There's a wonderful company named SCIT Labs that came out of George Mason University that does a whole bunch of stuff around virtualization and containers, where part of their security model is to automatically destroy the containers and the servers that exist on a rotating basis. And what that does is it lowers dwell time. Dwell time is the amount of time bad actors could be in systems. And depending on whose research you read, the average dwell time is up in the 60 days to many hundreds of days, into multiple years. So dwell time is a big deal as well. So anyway, yeah, I applaud you for doing that and having a method. And sometimes it is just as simple as running npm update and having a good test-based development framework where you can run some automated tests that you've written. You can say, okay, yep, this is ready to go for the customer and whatnot. 

AJ_O’NEAL: One thing I wanted to inject earlier, choice of words. How in the world do people have a SQL injection vulnerability when they're working with Angular? What the heck does that look like? 

KEVIN A MCGRAIL: So I can tell you, unfortunately, it's very simple. If you search for Angular and MySQL, the example code that's out there for implementing MySQL with Angular is susceptible to an SQL injection attack, because it doesn't use placeholders. So it's that simple. 

AJ_O’NEAL: Even like the PHP examples use placeholders. Like, what is it, like, here's how you put a web server in your MySQL database and connect Angular directly to it? Man, that's crazy. 

KEVIN A MCGRAIL: One of the things that I won't do is I won't talk about ethical hacking with people who haven't taken an ethical hacking class. Not because I don't trust them, but because I get a lot of calls from developers, from people or administrators, and they're like, hey, I've got a problem. I've got XYZ people calling me telling me I did something; all I did was cut and paste this bit off of Stack Overflow or off of this website, or I ran this script. And they don't understand what it does, and they don't have time to understand what it does. So unfortunately, that's the nature of the internet and the nature of what's going on. And like I said, I know when I did an Angular conference earlier this year, the very first hit for how to use MySQL with Angular was susceptible to SQL injection. 

AJ_O’NEAL: Because that just blows my mind, because this is something that is so done and dead. Like, I don't know of a library in any language that doesn't have placeholders as the default example in the readme. You know, whether you go to PHP or you go to Node or you go to Go, or you go to Rust, anywhere you're going. I guess people dig up old examples from the 1990s that are still out there and are still the most popular because they were the most popular in 1998, and they just got relinked and relinked and are still the most popular today, and so they copy that into the Angular docs or whatever. 

KEVIN A MCGRAIL: Or nobody explains to them that placeholders are a security solution, and so they just go, well, I don't need to do that, I can just put the variable name here and that solves my problem. 

AJ_O’NEAL: Oh I guess so I guess so. I'm gonna go cry now. I need to take a minute to go cry.

KEVIN A MCGRAIL: I'm sorry. I usually try and make things more lighthearted, and I usually have some sort of fun story, and I will tell you guys a fun story. So I love Linux, I love penguins. And so when my son was about, oh gosh, three or four years old, I'd have to look it up for the age, he started loving penguins too. And I had all this penguin stuff. And so one day his aunt and uncle came to say they were going to go see this new movie about penguins called March of the Penguins. So that was the year it came out. And he came to me and said, I want to dress up like a penguin. And so I gave him a penguin shirt and he wore a bow tie. And he was like three years old, cute as a button. And the aunt and uncle were not very logistically sound on the plan. So they showed up at the premiere for March of the Penguins at the National Geographic headquarters in Washington, DC. Not knowing, of course, that this was the premiere with red carpet and all kinds of stuff. And so my son, because he was dressed like a penguin, won the Dressed Like a Penguin contest for four tickets to get into the premiere at National Geographic, right then and there on the spot, ended up on stage winning all this stuff with penguins waddling around next to him, and he did not pet the penguins. And he has caught crap for it for the rest of his life, that he didn't pet the penguins that were waddling around on stage right next to him when he won the penguin costume contest at the National Geographic premiere. 

AJ_O’NEAL: When you're three, it's hard to reason about these things in the moment. 

KEVIN A MCGRAIL: Oh, no, he was a total ham. He was hamming it up. He was, you know, if we have time for one more story, I will tell you about this. So my oldest son is very confident. And back when he was younger, he loved ice skating and he was quite good at it. And he would skate in jeans because he didn't want to skate in the leotards and whatnot that the boys skated in. And one time he was skating, and by the way, he was only like four or something at this time, and he fell, and he fell hard. He fell so hard that everybody in the place was going out to see if he was okay. I was on the ice in sneakers trying to get over to him. And two older women, of course, get to him first. These are like 13-year-olds. And he has fallen and stabbed himself in the back, basically, with his blade. Very badly bruised, didn't cut the skin, but hurt himself badly. And he has wet his pants. He has hit so hard, he has peed his pants. And his response to the quote-unquote older ladies who have come over to help him, to see if he's okay, was, don't worry ladies, it'll dry. He used that story for his college essay and got into Virginia Tech using that essay about the fact that the number one thing you need in life is confidence. So anyway, hopefully you don't have to go cry. You can remember my son's story about don't worry ladies, it'll dry, and penguins, and that'll make you happy. 

AJ_O’NEAL: I will remember that for next time I wet myself. 

KEVIN A MCGRAIL: Don't worry ladies, it'll dry. All right, well, it has been a pleasure being on your podcast and I hope that this has been helpful. I think we went a little bit off the rails. I blame Aimee for that, and the state of California. But... 

AIMEE_KNIGHT: I super appreciate it. And I don't know. I am hopeful that it's like helpful to other people listening. 

KEVIN A MCGRAIL: I hope so. If that wasn't on the rails, I don't know what was. 

 

Hey folks, this is Charles Max Wood and I just launched my book, The MaxCoders Guide to Finding Your Dream Developer Job. It's up on Amazon. We self-published it. I would love your support. If you want to go check it out, you can find it there: The MaxCoders Guide to Finding Your Dream Developer Job. Have a good one. Max out. 

 

DAN_SHAPPIR: Are we going to be doing some picks now, AJ? 

AJ_O’NEAL: Oh, Chuck is gone. 

DAN_SHAPPIR: Yeah. He made you the moderator and left. He had to go and pick up one of his children, I think. 

AJ_O’NEAL: Oh, somehow I missed that. I may have been tuned out at that moment when that happened. Yeah, so, now that we've neared time, we need to get to the picks. And so I'll go ahead and start us off, because I have some, and that'll give everybody else some extra time to prepare. So I'm just going to review things that I've already talked about during the episode here. So there's a Wild West conference, Wild West Hackin' Fest, or Wild West something or other. Anyway, there's a couple of videos I've watched. One of them was titled, I think it was titled, I'll Let Myself In. I'm giving links in the description, but it's about physical security and basically how people just, you know, when there's security officers at the front door, they just go around the back and then, you know, slide in a credit card and jimmy the lock, or, you know, do really, really simple things that don't take a lot of effort or education: pull out their phone, get a picture of the keys somebody's holding, and then go 3D print the key and bring it back the next day. These people are paid by companies to get into high-security areas and defeat their security, and they just do the simplest things, from hairspray to make fog on an IR door sensor so that it lets you in backwards, just crazy stuff. And I really enjoyed the videos and I'd highly recommend it. And it'll give you one of those moments where afterwards you have to say, it's okay, ladies, it'll dry. 

KEVIN A MCGRAIL: Yeah. I hacked a brand new data center for Bell Canada using a piece of cardboard, using a similar technique to what you're talking about with the IR. And I hacked a $92 million building retrofit using a box of Girl Scout cookies. So yeah, that's... 

AJ_O’NEAL: Now you, man, were you doing it by proxy? 

STEVE_EDWARDS: Well, the important question too is, was it the Thin Mints because those are the best ones. 

KEVIN A MCGRAIL: It was Thin Mints, just to be clear. 

STEVE_EDWARDS: Okay, good. That explains the potency in it. 

KEVIN A MCGRAIL: Yeah, so no, it was not a middleman. I was the actual in-the-field penetration tester, hired with the rules of engagement to expose the testing. And the Girl Scout cookies is actually one that I use as a bit of a humbling for me, because one of the things that it's made me do is, when I do physical penetration testing, which is what you're referring to, I will caveat to people that, first of all, it's been for many years one of my caveats, I will not let anybody get fired over any of my physical penetration testing, success or failure. The only thing they're allowed to do is send people for training, because my success rate is in the high 90%. And so it's not a question of if I'm going to hack your building. It's a question of how easy it is. And so generally what we do with physical pen testing, it's going to come down to the amount of resources. For example, I'll give a good example. Let's pick on somebody other than Dan, since it's his birthday. So if I want to hack Steve's company, and I come to him with a million dollars, I can probably hack his company, because a million dollars is a lot of money. So it's a lot of resources. Or if I'm going to take a year or two years to do it, I can probably get a job at his company and hack it from the inside. So those types of scenarios aren't pretty good. And so the Girl Scout cookies is one that I bring up as an example, because it basically is, what, a $4 expenditure, and we were able to hack a company with it. The real story around it, in case you care: as they were finishing a retrofit, we showed up every day for a week at a job site next to it. The people got to know us. We gave some Girl Scout cookies to them one day. And then like two days later, I showed back up and said, hey, our Porta-John is broken, can we use your restroom? They said, sure, badged us in and left us unescorted in the building. And we put ourselves into their building access control, which was using default usernames and passwords, but had been joined to the entire corporate network. So once that was done, we were able to show up at the corporate headquarters and say, hey, I forgot my badge. And they looked us up in the system and went, oh, you have full access. Here you go. Here's a temporary badge. So yeah, but those stories aren't necessarily that useful for helping if they're not followed up with training and real-world recommendations on how they could fix that. In that particular case, as I said, nobody should be inside of a building unescorted. No system should be deployed without changing default passwords. And the frameworks, like for example PCI DSS, will have that in their framework. It'll have things like, are all your routers, servers, firewalls, et cetera, all deployed without the factory default passwords on them. It's a simple framework, but it gets- 

AJ_O’NEAL: But I trust those passwords. 

KEVIN A MCGRAIL: Well, you know, 

AJ_O’NEAL: I've got them memorized. 

KEVIN A MCGRAIL: Don't worry, ladies a little dry will make a good passphrase, I think. So, and by the way, to somebody mentioning PICS, I know XKCD got mentioned. Thank you. XKCD is a great way for administrators and security people to blow off steam. And if you search for XKCD password generator. There's a wonderful comment, comic, excuse me, that XKCD did explaining the differences of passphrases versus passwords and the level of entropy difference. And somebody actually wrote a passphrase generator that you can use at your company very quickly to make simple passphrases when you need one. So XKCD password or passphrase generator. 

AJ_O’NEAL: Cool beans. So we're intermingling picks, but I'm going to continue on with the rest of them and then we'll get back to you, I guess, and let you do some more. Or are you done? 

KEVIN A MCGRAIL: Well, somebody stole my XKCD idea, so that was the only one I had. 

AJ_O’NEAL: Oh, okay, that was me. That was me, I stole that. So, The LED Traffic Light and the Danger of "But Sometimes" video talks about the same thing we were talking about earlier. The XKCD security one, that is what Dan was saying, it's a comic: it doesn't matter how much entropy your RSA key has when somebody's got a hammer, or a gun or whatever. And then my not-mentioned-in-the-show-already picks: I'm going to pick Regina Spektor because, oh my gosh, just amazing. I love her music, it's so funny. And watching her videos is hilarious. Like watching her pantomime, her music videos are often kind of the definition of a strange loop, where it's kind of breaking the fourth wall of "this is a music video," similar to that one Taylor Swift had recently where she did that. Anyway, the music videos really kind of top off the music, but the music is just amazing, and it's so quirky and funny and just good music. So head over to Amazon and use my affiliate link there to treat yourself to some of her CDs, you know, if you're the kind of person that likes things staying around. And then also I was thinking last night as I was listening through a playlist, I was like, what can I compare her to? And I thought immediately, perhaps a pair of bright red boots if they had wings. And so I will also pick The Weepies, along the line of quirky music. And those are my picks, ladies and gentlemen. AJ out. 

KEVIN A MCGRAIL: Great picks. I'll reiterate, if you've never seen The IT Crowd, go watch it. It is the epitome of British humor combined with IT. And it's a great way of laughing. If you work in IT and you have people in your family that don't work in IT, both people can appreciate it and love it, and it's one of my favorite shows ever. 

AJ_O’NEAL: And they have some of the characters from the British baking show, so you can see your favorites again. 

KEVIN A MCGRAIL: He's in three of the episodes, you're right, Richard. Yes, and season three, episode four, the speech will tell you what the internet is and where it's stored. 

DAN_SHAPPIR: Oh yeah, in a box. 

STEVE_EDWARDS: But also remember that you can break the internet by Googling Google. 

KEVIN A MCGRAIL: Oh gosh, I don't want to do that. But it doesn't weigh anything. That's good.

AJ_O’NEAL: Amy, do you have some? 

AIMEE_KNIGHT: I do. Sorry. Took me a minute to find the mute button. 

KEVIN A MCGRAIL: She's going to recommend everybody read revisions one through five. 

AIMEE_KNIGHT: Everyone check out CCPA. This is just something I saw on Hacker News. I'm not trying to get into anything. I just thought it was interesting. It's just a study that Lanang published that just said, the more gender inequality, the fewer women in STEM. They just covered the numbers. I know this is not news to some people based on previous studies, but basically what they are thinking could be contributing to this is just that in places where there does tend to be a little bit more equality for women, there's also kind of the narrative of you can do whatever you want, which sometimes lends itself to not necessarily as lucrative careers. So that's all. I just thought this post was pretty interesting. So I'm going to share that, and that'll be it for me. 

AJ_O’NEAL: Oh, and JS Jabber just got canceled. 

AIMEE_KNIGHT: No, I mean, this is a scientific study. Like, I'm not trying to propose anything. No, I'm like, here we are with people that are not trying to... 

AJ_O’NEAL: No, don't, don't even, don't even say more.

AIMEE_KNIGHT: I'm not trying to downplay anyone's negative experiences because those definitely do exist. Just like as I've said before, I think it's important to... Maybe I'll just stop there. 

AJ_O’NEAL: No, we can't. 

AIMEE_KNIGHT: This is literally just numbers. It's just numbers. It's just a study of numbers. And yeah, I'm sorry. Truly sorry. 

AJ_O’NEAL: No, no, no. 

AIMEE_KNIGHT: I'm in unfortunate situations.

AJ_O’NEAL: We can't let ourselves be pressured by those types of people anyway. Science and truth need to win over bullies, internet bullies. Anyway, moving along, Dan or Steve, one of you wanna round it out? 

STEVE_EDWARDS: Yeah, I'll go ahead, and I'm just going with one that continues along the XKCD line. Bobby Tables, that's one; I don't have the number for it off the top of my head. Little Bobby Tables, that goes well. Yes, Bobby Tables, I love that one. The first time I ever saw that XKCD was that one taped up on a cubicle at work at a company I used to work at. But my second favorite one is called Nerd Sniping. It's XKCD number 356. I don't want to explain it, but for someone who's into the physical humor like me, it's one that makes me laugh every time I see it. So you can check that out at xkcd.com/356. 

DAN_SHAPPIR: So I guess it's not my turn as the birthday boy? 

AJ_O’NEAL: That's right. We saved the best for last, Dan.

STEVE_EDWARDS: Either that, or the oldest for last. 

DAN_SHAPPIR: Yeah, probably true. Both of them. Anyway, so Steve, you kind of took my XKCD one with Little Bobby Tables. So be that as it may. So, you know, in the vein of what we've been talking about today, this British comedian called James Veitch. He was on TED, I think twice, speaking about how he responded to spam emails. I also had the pleasure of actually seeing him perform live, highly recommended, really, really funny. So I'm putting the link to that video on YouTube in my picks. So that's one. And the other one, a bit more generic but still amusing, is Jimmy Kimmel had this episode where they walked around and literally asked people their passwords, and people would tell them their password. So it was like, what's your password? And, you know, it would be the year where I graduated and my cat's name, and they would say, oh, you've got a cat? What's its name? And people would tell them. And then, where did you study? Oh, great, and when did you graduate? And yes, so people will really tell their passwords on TV. So yeah, those would be my picks. 

KEVIN A MCGRAIL: Well, happy birthday, Dan. I have to say that that's the epitome of oversharing, just giving your password. There's a wonderful story that came out where Mitt Romney, the past US presidential nominee, was doing an interview not that long ago, maybe like three weeks ago, and he discussed that he isn't on Twitter except as an anonymous account, and he told the reporter, I think, three details. He said it's not his name, that he has like 680 people that are in his circle, that he uses it mostly for his nephews and nieces, and that he follows, I think, Jimmy Kimmel. And with those pieces of information, they were able to backtrack that his secret Twitter name was Pierre Delecto. So, you know, that's where oversharing can definitely get you, and it doesn't take much data for bad actors to do it. Love the fact that you brought up Veitch, I love that thing. I will say my last pick, and I will be quiet after this, is Apache SpamAssassin. We released version 3.4.3 this weekend. So it's a great tried-and-true staple in anti-spam frameworks. So check it out. 

DAN_SHAPPIR: So just because you told that story, I will tell another really quick one about oversharing. So Benjamin Netanyahu, our forever prime minister, like a decade ago, visited some event, and they had some fundraising booth right at the entrance. It was for some great cause. So because he didn't have enough cash on him, he literally wrote them a check. And because they had a check from the prime minister, they blew it up and put it up as a poster right above the booth. So one of the reporters copied off the bank account number and literally called the bank and identified himself as Benjamin Netanyahu, and was able to get detailed information about the prime minister's balance. He was literally just a minute away from actually transferring funds. It was really funny. 

AJ_O’NEAL: Oh, I hate the banking system so much. 

KEVIN A MCGRAIL: Yes. Just never seen from again. Ha ha ha. 

AJ_O’NEAL: For anyone that gets paper statements from your bank, just go throw your money on the street right now, because your account and routing number are on every single statement that comes in the mail. And that's all someone needs to take your money. 

STEVE_EDWARDS: Well, it's also on every check you ever write, too. So you're basically giving out your account number and routing number whenever you write a check to somebody. 

AIMEE_KNIGHT: That's what I was about to say, too. 

STEVE_EDWARDS: I worked for a bank for three years when I got out of college, as a manager, and I would get people, you know, when I'd write a check number on the back of the check: you're giving my account number away to somebody else. I'm like, ma'am, you give it away every time you write a check anyway. 

AJ_O’NEAL: Oh, and FYI, all the security on checks is completely bogus. None of it's required. You just download the check font. Like, I've literally done this. I didn't have any checks and somebody required one; it was a rent payment for an apartment complex. They wouldn't allow anything other than a check. That was the only way you could pay. So I literally just downloaded the check font and printed it out on a piece of paper and cut it with a craft cutting board to the size of a check and handed it to them. A piece of paper with your routing number and account number on it is a check, the end. 

KEVIN A MCGRAIL: It doesn't matter about all the little thermal stuff. It's MICR, Magnetic Image Character Recognition, MICR. But no, and I'll leave that as another pick then, if you guys have never read the book. The movie's good too, it's more of a yarn, with Steven Spielberg directing it. I think his name is Frank Abagnale or something like that. He was a black hat similar to Kevin Mitnick that did a bunch of kiting of checks. His biography is called Catch Me If You Can. 

STEVE_EDWARDS: Yeah, the movie was with Leonardo DiCaprio. 

KEVIN A MCGRAIL: But if you read the book, he goes into the whole thing about the bank routing issues that he found flaws in, I don't know what the 60s, 50s, I'm not even sure. And those flaws exist today. And he goes through how he, one of the things he did, he would go and cash a check in like LA and use routing codes that were on the other side of the country, knowing that it would take them three to seven days to figure out that it was a bad check and things like that.

STEVE_EDWARDS: Well, yeah, some of that's been mitigated by the fact that the clearing time is a lot less. So you don't have as much time to float checks. 

KEVIN A MCGRAIL: Not when you're able to use non-MICR-based checks and somebody has to manually go get it. 

STEVE_EDWARDS: True. But yeah, I pulled the string on a couple of these scams in my day. 

AJ_O’NEAL: So yeah, I'm going to cut us off because we are way over time. I'm going to end the episode. If we want to continue this discussion and add it in as an addendum, I'm totally fine with that. I think Chuck will be fine with that, but I'm just going to like cut us so that people that need to get back to their day can get back to their day. So thank you. And actually now I have this embarrassing moment of I just see cam on the screen. I don't and I've got your name somewhere and we've probably said it like 10 times. I don't know. 

KEVIN A MCGRAIL: Kevin A. McGrail. And that's just my initials. But most people have known me as Cam since I was about 14 years old. My sister-in-law did not know my first name was Kevin until I'd been married for two years. 

AJ_O’NEAL: All right. And now you've given away all your PII. Now we can go hack you. 

AIMEE_KNIGHT: I wondered that when I saw it too. 

AJ_O’NEAL: Might be an alias. 

STEVE_EDWARDS: And he does have a picture of a can of spam as Cam on his LinkedIn profile. 

KEVIN A MCGRAIL: I do. And that is a Canadian off-brand spam and I am proud to represent it. 

AIMEE_KNIGHT: I'm going to jump off too. I just wanted to say I really appreciate you being on the show. This was actually just helpful knowledge-wise and also just helpful for my mental health in the past four months and kind of being in a vacuum doing nothing. I feel better that we've done right. 

KEVIN A MCGRAIL: Absolutely. Go get a picture of a penguin and look at it. It will make you happier. 

AIMEE_KNIGHT: Awesome. Take care, y'all. 

KEVIN A MCGRAIL: Science proves it. 

AJ_O’NEAL: Bye. Yeah. So thank you so much for coming on the show. We've enjoyed having you. Bye. Bye, Aimee. Thanks, Cam. Thanks, everybody else. And we will peace out. 

STEVE_EDWARDS: Adios. Bandwidth for this segment is provided by CacheFly, the world's fastest CDN. Deliver your content fast with CacheFly. Visit C-A-C-H-E-F-L-Y dot com to learn more.
