Episode 90: What in the World is a Kane Box?
Amrit Williams, BigFix CTO, discusses the forthcoming network security tool, the Kane Box with inventor, nCircle founder, and Life Zero blogger John Flowers.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host Williams on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, also known as kanendosai.
And, John, thank you very much for joining me today; it’s just a great pleasure to spend some time with you, and I appreciate it.
John Flowers: Oh, yeah; my pleasure indeed. Thanks for having me.
Amrit Williams: I’ll let you talk a little bit about your background. John and I had a relationship that started at a company called nCircle, which John founded originally as HIPAA World and then transferred into a really great vulnerability assessment and security audit and compliance company, which is now still privately held out of San Francisco.
John has done some interesting things, and I definitely want to touch on those. I know you have a lot of passion with writing and creativity and have done some things in digital media with the movie industry, so I definitely want to hear a little bit about that; but I think the thing that’s probably most exciting and I’m most interested in is your new concept and your new ideas in technology, and you always bring just a wealth of experience and information and expertise to the market. So I think a lot of people will be watching with great interest how this company takes off.
And I’d like to start talking a little bit about that. The product is Kane Box, and I believe you have a couple things here that I definitely want to touch on, like you have a very interesting business model, a very interesting approach to delivery of the technology.
But let me turn it over to you, John, and let me just start with tell us a little bit about Kane Box and what you’re bringing to market and the problem you’re trying to solve and how you’re going about doing it.
John Flowers: Sure, my pleasure. Kane Box is kind of an interesting thing for me, because I really didn’t expect to build it. I kind of gave up on security a while back and thought that this product would be built. And for, I don’t know, somewhere in the neighborhood of about six years, I didn’t even really look at the network-security space; I was looking at other spaces. In my case I was looking at, as you said, the space of media. Specifically, I was looking at color correction and automating workflow in feature films.
And I also spent some time building technology called kozoru, and kozoru is a natural-language search system, a platform really, that used a novel approach for answering-natural language questions. We did key sentence extraction out of documents rather than keyword lookups.
And I built that technology, kozoru, in LISP, which I’ve always been a huge fan of LISP. If you recall, the original nCircle system had an awful lot of LISP behind the scenes. And so that’s been a huge passion of mine is this idea of trying to bring this language, this language that I love so much, to the forefront in some kind of way where it actually works.
So, anyway, so I’m out of network security, I’m not looking at it; and I thought these things would happen. One of the things that I thought would happen after nCircle is, I thought network security systems would get smarter — not just that they would get smarter but that they would have to get smarter, because we start seeing all of these different attacks, we start seeing obfuscation techniques and fuzzing and these products that just run enormous amounts of data against your system, such as skipfish; skipfish is a great example where it just rains a hailstorm of packets at you. And so I thought, “Well, network-security technologies have to get smarter. They have to get smarter to handle these obfuscation techniques, they have to get smarter to understand what’s on your network, they have to get smarter because it’s not enough to say ‘You’ve had 10,000 signatures fire against these rules.’” What you should be saying is “Someone outside your network ran skipfish against you, or someone outside your network ran HailStorm against you” — I mentioned hailstorm as an idea, now I’m saying it as a product.
But none of them do that, right? None of them say, “Someone ran Nmap with the following options against your system”, right? What they say is, “Oh, you have this kind of ICMP packet, you have this kind of TCP packet, you had these different conditions occur, and I’m gonna generate a mountain of data for you to try and sift through.”
And so when I came back and started looking at the space a few years ago and really getting back into it and the ideas that were being pushed forward in different technologies I expected it to be further along, and that’s where Kane Box comes in. My frustration with the lack of innovation in the space has forced me to try and think about a solution that actually I think works for people in a way that they want it to. And I have a lot of ideas behind that, and I can talk about those in detail.
Amrit Williams: You know, it’s interesting, too, John, because we’ve been sort of facing the same problem with — and I don’t want to call it a lack of innovation so much as a lack of understanding about how companies really require the actionable intelligence to make proper decisions, this mountain of data that they get and how do they respond to it. And we have tools that generate a ton of data; a lot of it is not always actionable, and it requires a ton of expertise on the other side to parse through and make decisions around. So whenever people start taking an approach around how to provide better analytics and more actionable information, I think it’s one that most people would like to embrace and like to see better evolved.
(00:05:18)
But can you talk a little bit about what mechanism is being used differently? I certainly get the concept. If you can, share what you’re actually proposing technically to make this easier. I mean, is there better analytics in terms of correlating these events to provide what basically is an overview of what’s happening versus the very detailed packet level?
John Flowers: That’s exactly right. The best way to think about Kane Box is to look at it as a system that does a couple of things and does those things really well. One, it understands packets. You and I both know a system has to understand packets; packets are what drive all of this. So we start there.
The second thing is, it has an engine behind it, and if you’ve read the whitepaper you see all of these references to the Kane Box engine and these modules, and it’s a fairly complex system. But the idea behind the engine is that it understands packets, and it understands statistical analysis, probability; it understands Bayesian statistics, Bayesian learning. And so without getting into the math, the idea here is that you can tell Kane Box, “Okay, I want to train you. I want to teach you about something.” And that’s a simple matter of typing “Kane Box” on the command line with a Train option and training it on either a pcap file that you’ve previously captured or on traffic on the network.
And when you train it, you tell it a couple of other things. One, you tell it the CAPEC (capec.mitre.org) number that the training reference is and, if there is no CAPEC (capec.mitre.org) number, you just give it an arbitrary number. And the second thing is, you give it a name. And so you have this training file, and I will give you an example: BitTorrent traffic. BitTorrent traffic is encrypted often and on different ports, and it has all of these wild variations on it; but it has a statistical representation, okay? So you capture a bunch of BitTorrent traffic, you have this pcap capture file and you tell Kane Box, “Hey, Kane Box, this traffic that I’m about to train you on is BitTorrent”. So now, great. So now Kane Box knows what BitTorrent looks like. It knows it from a statistical perspective, not from a signature-based perspective.
Amrit Williams: And just real quickly for the audience, understanding statistically the characteristics of BitTorrent from that perspective versus the packet-level perspective or the port-protocol-communication perspective means that you’re better able to describe and see these things without just dumping the data for folks in sort of a glorified Wireshark or something, some tool like that where you’re just providing some intelligence on top of that.
John Flowers: Correct, yeah, I would agree with that completely. And I’ll tell you, that’s interesting, I think, that you could look at BitTorrent and say, “Okay, I know now what BitTorrent traffic looks like, and if I ever see it I’ll say, ‘Hey, by the way, that’s BitTorrent,’” right? I won’t say, “Oh, that’s a TCP/IP packet on port 31337” or whatever it is, right? I will say, “Oh, that’s BitTorrent.” And that’s fantastic, okay? But it’s not all that useful yet.
Here is where it gets useful. Kane Box has an ability to take multiple different kinds of training sets, or traffic in this case, and to use those training sets to create these overarching or what I would refer to as macro exposures, right? I look at existing technologies and I say, “That’s a micro exposure.” We’re looking at macro exposures. We’re looking at these giant conditions with all of these different variables that are extremely complicated that create these exposures.
Now, how do we know what an exposure is? Well, for one, we train the system. For two, we can tell the system what normal traffic looks like — and I’ll get into that a little bit in a second. But you’ve got these training sets; so what you can say is, you can say, “Okay, I’ve got this training set for BitTorrent. Now, let me create another training set. Let me run, oh, I don’t know, some application like a HailStorm against my network”, okay? And what you do is you tell Kane Box, “Hey, Kane Box, I’m gonna train you, and what I’m gonna say to you is that this traffic that you’re about to see is called HailStorm”, right? And so you run Kane Box with the training set, you blast HailStorm against it, you stop Kane Box when it’s done. Now, Kane Box has a training set that is a training set called HailStorm, right — not an individual specific tiny little packet-based micro exposure, but rather a macro exposure that says, “Hey, somebody is running HailStorm”. So now in your report if someone is running HailStorm what you get is, “Hey, by the way, somebody ran HailStorm against you”, and you can dig in like you can with other tools and look at all the packets and inspect them and go through all the process that you would normally expect to go through; but now you’re not looking at 100,000 different conditions, right? And you can do the same thing with skipfish, and you can do the same thing with all of these other different tools.
And there’s a couple of other things. You can take those training sets and they’re combinatorial, right, meaning, if you train Kane Box on… let’s say you train it on Nmap with a certain flag, and then you train it on Nmap with another flag, and then you train it on Nmap with another flag. These create a hierarchy where Kane Box starts to learn that all of these things fit within an umbrella that we’re gonna call Nmap, right? And you also get to see about escalation, which we’ve talked about in the past, you and I, if I recall: this idea that you can leverage one vulnerability to get to another…
Amrit Williams: Yes, got it.
John Flowers: … this sort of chaining of vulnerability and conditions. And so that’s the thing that I’m most excited about is the idea that you’re not just seeing one set of conditions; but you’re seeing multiple conditions, how they interact with one another, how they relate to one another and how they can actually be leveraged in a way where you can go from one exposure to another to another to another.
Amrit Williams: So let me ask you, ‘cause I think some of the folks listening would have some obvious questions. Obviously, you know, there are some great resources that you have available for them to get more information, and we’ll talk about those in a minute. But I think the natural skepticism would be around two things. One is the amount of time and resources that one would need to spend to train or get the system to learn and how many preexisting conditions or knowledge the system would have originally. Two is how does it deal with slight variations to that type of traffic that someone might be able to manipulate to get around someone trying to learn it and also how do you look at stuff that just hasn’t been learned yet.
So I think those are probably natural questions that folks would have; the skepticism about it is how do I deal with the amount of time one needs to spend learning and how do I deal with variations for what’s been learnt or what would be seen as unknown or — you know, I don’t want to say zero-day; but, you know, you get the idea.
John Flowers: Right, and I think those are natural questions and I think I should probably say out loud that I still don’t believe that Kane Box is gonna work the way that I want it to; but I’m seeing a lot of evidence to suggest that it does. So I find myself every day when I do training and listen on the network, I find myself every single day constantly surprised by it. You know, it’s the idea of taking a different metaphor for finding vulnerabilities.
And, yeah, Kane Box isn’t gonna do the kind of things that… like you suggested Wireshark, right? I mean, it’s not meant to replace Wireshark, it’s not meant to replace Snort, it’s not meant to replace these other tools that gather all of this data and let you sift through it, all right? It’s meant to give you this high-level overview of the kind of things that are going on in your network and to find exposures and vulnerabilities in a way that will help automate a lot of that human work, right, automate a lot of the work that you’re doing with people.
And as you know, that’s been a huge theme in my life is to try and automate all of what I consider to be just the boring details of work that you normally pay someone to do and they probably don’t enjoy that much; or if they do, they’re probably masochists, because some of the work that you have to do sift through packets is really frustrating.
Amrit Williams: Well, I remember in the early days of IDS I was… back at McAfee when we first did the first CyberCop IDS, I remember one of the developers coming to me and he says, “Open up a file-share on your computer”. And I did and he goes, “Look, it shows up as an alert”, and I said, “I’m sorry, why is that good? I just did something very normal, and you’re showing it as several different alerts in the system; how does this thing not inundate somebody with noise?”
And the resistance to trying to get people to see that, you know, just these IDSs back in the days, one example, we’re just overwhelming people with data to get them to understand that this isn’t actually very productive and could in a lot of cases cause them to miss sight of something very serious, and it took a while for people to really understand that. Even today, there’s a lot of people who are very comfortable parsing through, as you say, large amounts of data to pull out what may or may not be relevant to them. And they enjoy it, I think they are masochists.
John Flowers: Yeah, and the real problem is it’s hard for someone to truly understand how much data you’re talking about or how much of a chain of pain this really is until you have a larger network. You have a couple of hundred machines and you’ve got a team of a few people, it’s really not as big a deal, although I think it is a big deal if someone goes crazy with some kind of remote scanning tool. It gets nuts.
(00:14:59)
Like I said, skipfish scares the hell out of me, because I don’t know if you’ve ever seen the amount of traffic that skipfish generates. I mean, it’s a great auditing tool; but it is chatty. It’s amazing how much data that thing generates. And I would not want to be the person who had a network of 10,000 machines that had skipfish run against them and try and sift through just what I was looking at.
Amrit Williams: Yeah, variables.
John Flowers: Exactly, and that’s a large part of what I’m talking about.
So you asked a question earlier about there’s this sense of maybe… I’m not quite sure how to word it, right; but there is the sense that maybe Kane Box may or may not do some of the things or there is some skepticism, and I understand skepticism. I mean, we’ve been in this industry long enough that I think people have been misled or dragged down a path where a tool overpromised and underdelivered, and so one of the realizations I came to over the last couple of years when I was thinking about Kane Box as a tool was ironically something my wife suggested to me, which is a quote from J. K. Rowling of Harry Potter, right? It’s this idea that you should never trust anything that can think for itself if you can’t see its brain, and I completely buy into that idea. I stopped using Mac OS X, I stopped using Windows, I stopped using all of these tools that were closed source, because they were frustrating to me because I didn’t understand how they were doing some of the things that they were doing, or when they’d break obviously that’s frustrating.
So the really big idea here behind Kane Box is the hardware is open source, the software is open source; everything about it you can just download, you can look at it, you can poke it, you can play with it, you can see what it’s doing, you can improve it hopefully because, you know, it’s not being developed by an army of people, and you can make it better. And I think that that idea, the idea of creating a technology that is also a company but is open source and sort of giving people the opportunity to look at it, to see whether I’m accurate or they should be skeptical or what have you, I think is a really positive way to maybe bring some of the trust back into these kind of tools, and I hope it will play out that way.
Amrit Williams: It’s interesting, too, because, I mean, one of the things I actually didn’t realize at first until recently when I was looking at your website is this business-model approach that you have. I think it’s probably the first time I’ve seen somebody do that. I don’t want to do it a disservice, so can you describe this business model that you have?
John Flowers: Well, the business model is right now kind of a three-pronged approach, right? The first side of it is giving the tool away as an open-source unrestricted license so that you can use it in a way that you want to use it, you can modify the source code, you can contribute back if you want to or not if you don’t, those kind of things. So the idea there is to kind of amplify my signal by putting it out to a lot of smart people and letting them stomp on it or not stomp on it or say it’s great or say they hate it or tell me all the things I’m doing wrong or whatever they want to do. Install it in their network, use it, right? Improve on it for their environment, that’s great.
So the thing that I get back from that is obviously I get contributions from smart people helping make the technology better, and I don’t think there’s anyone who could argue that that’s not a positive thing. I mean, if you look at Linux, you know, you and I remember the day when Linux was unusable; but today, I’m running Ubuntu, the 10.X, you know, LTS release, and I would argue that there are aspects of Ubuntu that are far and away better than Windows, not the least of which is that I’m not virus-ridden every eight seconds.
And so I’m excited about this idea, right, this idea of opening something up and letting smart people beat on it, and I think that’s great.
The second thing is the way that the company will make money is through selling hardware. Now, the one thing about the hardware that’s exciting to me is the hardware is a custom system created and optimized for Kane Box so that it does some things like fast DMA transfers across the bus so that you can sniff and snatch and do all of these different things that Kane Box does at a really high rate of speed across the network interfaces. And as you know, I’m no stranger to that, right? The work that we did in the past to try and increase the transfer speed on network cards is something I remember vividly and something that I know is a necessity. The one step we didn’t take, I think, in the past is you need custom hardware to do this. You can’t just modify an existing network card and make it fast; you have to do something unique, right?
Amrit Williams: Yeah, definitely.
John Flowers: And so that’s where the money gets made essentially for the company, right, the idea of you sell hardware. And the realization that I came to — and this may sound a bit blasphemous and I’m sure it does, but that’s fine; it’s not the first thing I’ve said that’s blasphemous — network-security technology should not be a budget item that requires an executive-level signature just to purchase it, right? Network security should be inexpensive, and it should be baked in to a lot of what you’re doing. And sometimes inexpensive means free in the case of Kane Box and other technologies you can just download and use. Of course, as we know — all know, a lot of those technologies don’t work very well, because they don’t have the resources or funding behind them, and that’s one of the things I’m hoping to change with this model, right?
So that means, too, though, that it should be cheap — or, inexpensive; I don’t want to say “cheap”, that’s not the right word — but it should be inexpensive. And because it’s inexpensive and affordable, maybe more people will use it. I mean, as it stands right now, you can pick up a Kane Box Ronin system, which will be available, will actually be shipping in July, for 500 bucks. And what that system does, it does scrubbing, scanning, sniffing, reporting, all of that, on up to 250 hosts on a network up to full transfer speed of 10 megabit per second for 500 bucks. And the source code is free and the source code is open, and you can play with it and you can dig in and you can do all of these things.
And I think that’s a fundamental shift in the way that most people look at network-security technologies. I think most people look at it as a very expensive line item that they have to have executive-level signatures to purchase, and I’m hoping to change some of that by providing a good tool that people can use for not a lot of money. And hopefully, that will resonate.
Amrit Williams: Oh, I’m sure it will. Whenever you talk about cost reduction, especially in this economy, people are gonna definitely gravitate towards it. It would be interesting to see if — you know, there’s always this misconception that the value of something is predicated on its price; so it will be interesting to see if the value of this is, or anything, for example, when price is reduced below what people believe such a thing should cost that they’ll… they’ll have the same perception of value.
You mentioned some — you actually on your site, you mentioned something about investment and rounds of venture funding, and I thought the approach there was actually pretty innovative, as well. Is that still going on, the ability for folks to donate and be a part of this?
John Flowers: Yeah, we’re… as you know I put that on the site about… well, less than 48 hours ago from the time of recording this, and what I said — because there are a lot of legal issues around this and, you know, I’ve raised money before and I know what all these legal issues are — you’re not technically allowed to invest in a company and get stock unless you’re an investor with a certain amount of assets to your name and all of these different things. So there are all these requirements around investors.
So what I did is I talked to a lawyer and we figured it out and we figured out, “You know what? Actually there’s a way around this, which is if somebody donates a dollar to you, you can take that as a donation and then later, if you decide you want to donate them a share of stock, you can do that.”
And so the approach that you’re talking about right now is that I’m working on putting together about $10,000 worth of what I’m just gonna call seed money through donations, and the idea is that that represents 10% of the company. And as you know, that’s a tremendous amount of the company for very little money upfront; but like I said, I want people to feel like they have a sense of ownership in something here.
I mean, like you said, this economy is not great and I think a lot of people have been through a lot of different things, and I think the idea of people being able to participate in something by helping it off the ground and then getting something in return for that, especially in an open-source environment, is really exciting.
And so, yeah, the idea is $10,000 gets you 10% of the company. I’m not taking investments over $1,000. I mean, I’ve just — I’ve turned down probably 20 people in the last 24 hours who wanted to put in the whole thing, because that’s not the point.
Amrit Williams: Right.
John Flowers: The point is to give somebody who has $10 and wants to participate in the next… you know, the next generation of network security, to give them an opportunity to do that.
Amrit Williams: I think it’s fascinating. I’d love to see how that works, and I think if it does work it’s a model that other inventors will be able to adopt and hopefully play with; and, even better, it’s hopefully a model that others will embrace in a more general way.
So I’m certainly excited about seeing that and definitely excited about seeing how Kane Box works; I wouldn’t mind getting my hands on a Ronin myself when it’s available.
For those folks out there that are interested in learning more about Kane Box, they can go to www.kane-box.com; so that’s www.kane-box.com. There’s information on John Flowers, his personal website is www.lifezero.org; and you guys can also follow him on Twitter, @kanendosai.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!
