Episode 91: Horror Films to Hackers

Amrit Williams, BigFix CTO, discusses the lessons learned from the film industry with inventor, nCircle founder, and Life Zero blogger John Flowers.


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, also known as kanendosai.

And, John, thank you very much for joining me today; it’s just a great pleasure to spend some time with you, and I appreciate it.

John Flowers: We’ve been doing some really exciting things, everything from traveling to parts of the world that I personally had a lot of connection with and love for, like Thailand and Southeast Asia.

Amrit Williams: As well as doing some digital media work which you discussed briefly earlier. You have credits on such films as “Star Wars, Episode 3”, “King Kong” and “Wasting Away”. And you’ve been out there; you went into a different industry, left Security altogether. You formed a search company, a natural-language search company called Kozoru.

I’m curious, before I dig into any of these, how much did these experiences influence you in terms of what you’re doing with Kane Box? I mean, what would you say that this world view has done, this sort of looking at the world in a different way through different lenses that don’t really have anything to do with Security? How do you think that’s informed or provided insight for you in terms of how you might approach getting back into the Security world and potentially, you know, starting another company?

John Flowers: Well, I mean, at the risk of sounding a bit cheesy, I think it’s the reason I was able to see Kane Box in the way that I am, you know, in the way that I’m seeing it. You know, I did a lot of workflow automation, I did a lot of automated color correction for films.

You know, you mentioned “Wasting Away”. “Wasting Away” was a fun film. I worked with these two guys who were doing the zombie comedy from the perspective of the zombies, and they had this color-correction person who wasn’t quite as good as they might have indicated in their interview (laughing). And I came in at the last minute and, you know, the film needed color correction and it needed all these different things, and we had a very short period of time before we were going to Screamfest. And we were going up against “30 Days of Night”, if you recall that film.

Amrit Williams: Oh, yeah.

John Flowers: Big budget, you know, Hollywood film; and here we are, this little half-million-dollar zombie film going up against that.

And so I came in and I wrote a lot of software to automate the color-correction process so that these guys could get the film ready for Screamfest. And I’m proud to say — I mean, this was a… I don’t know, two weeks of work, which if you know anything about coming in and color-correcting film from scratch, especially when you’re automating it, that was insane. I actually slept on their couch, I think, every night for all two weeks.

Amrit Williams: (Laughing.)

John Flowers: But we ended up getting it done, we went to Screamfest, and it won the Audience Award at Screamfest against “30 Days of Night”.

And so I started thinking about that and, you know, the film went on to win something like 21 other festival awards and all based on this automated color correction, meaning I didn’t touch a color wheel on that film. I wrote software that looked holistically at what flesh tones look like and what all these other different colors look like; and then we used some pictures that the directors had taken of how they wanted the film to look, and we used that as a model and let the software color-correct the film and drive everything to the right, you know, area.

And, in fact, I actually have something I haven’t released, which I was calling HD Instant Color, right, which was a plug-in for Final Cut where you could just drag a picture in it and it would color-correct your film. It’s buggy, it’s gross and, you know, it was cranked out so fast it’s primarily useless; but that technology, obviously you can see some parallels between that and between Kane Box: this idea of just looking at everything. And you know enough about film when I say to you “Oh, this is a 2K film” or “This is a 1080p, you know, frame”, you understand just the sheer number of pixels per frame, and then there are 24 frames per second.

Amrit Williams: Okay.

John Flowers: So you know how much data is being pushed through when I start talking about those numbers. I mean, you look at a RED camera shooting 4K — and actually they shot on a 2K camera — but, you know, the sheer volume of pixels being pushed through per second, right?

And that helped me understand what I needed to do to synthesize all of this information and look at it globally, right, rather than at a pixel-by-pixel level, and do something interesting with it or mathematically interesting, something that was fast.

So when you ask did it inform me, yeah, like I say, I think it all informed me.

Amrit Williams: It’s interesting, too, because the movie industry, I think a lot of folks in Security, the personality type of the people that traditionally go into Security — I know it’s changed over the years, but in the earlier days — I think they’re drawn to the industry, the movie industry as a whole. I don’t think that they fully understand how difficult that industry is and how complex it is to navigate. So it’s very interesting to hear you talk about it.

I’ll send you a link after the podcast. My cousin has a film that they’re working on called “Blue”, and they struggle with a lot of these same issues, being, you know, compared to a big-budget film with the budget constraints, but definitely with all the post-editing work is quite tedious. And when they talk about it, I don’t think everyone realizes how much work absolutely goes into even dealing with something as… as what we all might think as benign as color correction, and it’s fascinating.

John Flowers: Absolutely. The other thing I think people may or may not realize, it typically takes let’s say 6 weeks to shoot a feature film; and then it takes 18 months to edit that film, add music, color-correct it, do all the things that you’re talking about in the post-production world. So a film takes let’s say 18 to 24 months to complete, and the lion’s share of that work is definitely in the post-production side, just telling the story.

Amrit Williams: Yeah, no, it’s — I could go on this whole subject for a long time.

John Flowers: (Laughing.)

Amrit Williams: You know, brothers are sharing a comic and that kind of stuff; some relationship with folks in that industry.

But I wanted to turn it just a little bit back to Security again, because you have such a fascinating background there: your take on the state of Security today. I mean, you were out of it for a while; definitely you still had some tentacles in it even when you were gone, I’m sure, and had communications with folks. But you left, you clearly saw when you came back that there were still problems to be addressed. But if you could — if you could sort of high-level it for the audience, I mean, what’s your take on what’s going on in Security? It certainly hasn’t improved much from the protection side; but give me some of your thoughts based on, you know, leaving and coming back, what you think about what’s going on right now.

John Flowers: Well, I was fortunate enough to have Stephen Northcutt interview me as a SANS Network Security Thought Leader. He interviewed you, as well; I read your interview, it was fantastic. I think you and I agree on a couple of fundamental big-picture things about Network Security. It’s not getting better. It’s definitely not getting better.

I have the misfortune of having picked up a netbook in Latin America when I was in Panama right around — oh, I was in David; but it’s in Panama, outside Panama City. And I picked up this netbook, and aside from it having a Spanish keyboard, which I found infuriating (laughing), it came with a virus on the Spanish-language version of Windows. By the time I had powered the system on, the virus had Trojaned my system and was reaching out to places in Canada and Europe and was starting to spam and do spam relaying because of this Trojan, or this bot, I guess, that was installed on my system. And this was before I even downloaded an update.

I found that… well, I found it ridiculous, obviously. I mean, the only reason I booted Windows was to install Linux, no offense (laughing).

Amrit Williams: (Laughing.)

John Flowers: But here I am, I can’t even do that, right? I have to go to an Internet café just to download Linux just to put it on this system, because the system is already compromised.

And we’re hearing stories about other systems that are compromised. There is a cell-phone manufacturer who probably doesn’t want to be named who released over a million cell-phone units that had a virus installed in them. If you plug the cell-phone into your Windows system, viruses go everywhere.

You know, and so you start hearing about all of these things; but the one thing that you and I both know is that traffic has a pattern: it has a signature, it has a statistical representation from the Trojan to the botnet to all of these other things. And you have to start asking yourself, “Why is no one solving that problem in a way that is not looking at the host as an atomic unit, but looking at the network instead and the traffic on the network as an atomic unit?” And what I mean by that is I really expected this concept of scrubbing, of traffic scrubbing, to be much, much, much further along, and I’m really, really saddened and disappointed that it isn’t. This idea that let’s say your system is compromised. Heaven forbid, we know it never happens; but you’re compromised. If you had an unobtrusive device on your network that knew what normal network traffic looked like — and I know that’s a tall order — that device could scrub out abnormal network traffic. And then the Trojaned system becomes a matter of patching, not a matter of DEFCON 1, red alert, threat level orange freak-out (laughing), trying to yank it from the network and then figure out what happened in a forensic way.

So that’s my perspective. And that’s just one aspect of a thousand things that frustrate me, but that’s probably at the top of my mind right now.

Amrit Williams: It’s interesting, too, because there’s been promises that a lot of this stuff would be addressed, and in fact we saw some movement towards that in key areas; but fundamentally the organizations themselves revert back to the old way of doing things, and we get stuck in this… really, I don’t know how else to describe it but just this continuously non-ending circle of reacting and responding and not really thinking about how to look at the organic, what potentially could be thought of as organic elements inside of an environment and addressing those in a much broader way.

And we still have the same divisions: we still have the Security guys being antagonistic with the Network guys, who won’t talk to the Server Ops guys, and the Application guys are sitting in a different room and they won’t communicate. And so everything just boils back down to these stovepipes, and so it’s interesting when you talk about, you know, Kane Box bringing back up these elements that you’re also talking about potentially solving another major problem in Security, which is around language.

And one of the things that when I — when I was with nCircle, one of the things that frustrated me a little bit was it was very difficult to communicate vulnerable conditions and exposures to the IT Ops Teams who ultimately had to make the modifications and the remediation actions, because the output of the data we were providing at the time, as it should have been, was oriented towards the Security guys, and so we would show them information on unique, distinct vulnerabilities and there really… even today, there really is not a good mechanism for providing information that both Security and Operations people can consume and react to. And fundamentally, it’s because there is a large language barrier for the way that the folks interpret data. Anything that can be done to resolve that I think will greatly advance how folks maintain the health and security of their computing environment; so definitely going to be interested to see how that’s received and how that’s developed and evolved. But I think that is a fundamental issue, as well, and it’s interesting to see how that’s gonna be resolved, and it just hasn’t yet.

John Flowers: I agree. And one of the things that I’ve talked about quite a bit in the whitepaper and in other discussions is this concept of the counting game. I cannot believe we’re still playing the counting game; it’s infuriating. And what I mean by that is CVE numbers and CWE and all these different things is just… it’s amazing. It’s like, “Oh, well, look at this: the open-source vulnerability database has 67,000 unique (laughing)… you know, signatures, if you will, for these unique conditions.” Never mind the fact that 15,000 of them are fundamentally the same thing that has a few different words or has a slightly different modification.

And what I’m happy to see is that someone else recognized that, and ironically the person who is working on that project was one of the first employees at nCircle, this guy Tom Stracener, who I’ve been friends with since I was around eight. 12:49 has a solution called CAPEC, the Common Attack Pattern. Have you seen this, www.capec.mitre.org?

Amrit Williams: I have not. I’m actually writing it down.

John Flowers: It is fantastic, and if this were an R-rated show I would use very strong words that started with an F to talk about how fantastic it is (laughing).

Amrit Williams: (Laughing.) Phenomenal if it was spelled with F, right?

John Flowers: Right (laughing). Freaking fantastic, there you go.

Amrit Williams: (Laughing.)

John Flowers: So what it does is it looks at Network Security issues from a big-picture perspective, and it classifies issues at a macro level. And so there are just a few hundred of these CAPEC issues. And one of them might be, let’s say, Directory Traversal.

Now, let’s take a step back in the Network Security world and ask ourselves, “Have you ever seen a vulnerability that was so broad and wonderful as Directory Traversal?” Other tools talk about the very tiny and specific microscopic detail that is creating a Directory Traversal problem; but the problem is Directory Traversal. And so one of the things I’m doing with Kane Box is I’m leveraging this; I’m leveraging this beautiful and greatly constructed, very holistic look at Network Security issues. And I can’t believe more people aren’t. And, yeah, you can take 1 CAPEC issue and relate it to 6,000 of these other, you know, CVEs or whatever. And that’s good and that’s fine, and I think that’s great; but the idea of being able to look at something from a big-picture perspective is exciting to me.

You know in that example that I just used, imagine if you had a Trojan horse on your newly installed Windows system, and the technology told you, rather than a bunch of crazy alerts that don’t do anything, it told you, “By the way, a new system came online. That system was running Windows. That Windows system had a Trojan horse, and so I blocked outgoing traffic from that application signature until you fix it”. And that’s the problem I’m trying to solve.

Amrit Williams: And that’s a wonderful promise. You know, as you were talking, I think I realized something. It’s not so much of an epiphany more than something I think I knew but just didn’t articulate well. You mentioned the frustration you had with this… you know, the industry’s wanting to count everything: everything is about quantity — “I have more data files than you” — and we experienced this at nCircle with our competitors: “I have more checks than you do”. It keeps the industry very much focused on the primitive conditions, and focus on the primitive conditions is not reflective of the abstract things that people actually need to do. And these abstract, the abstract versus the primitive or the macro versus the micro I think is reflective of how much difficulty most organizations just have in Information Security.

So it’s definitely… definitely resonates with me, those comments, and I hope that folks listening understand that difference and are able to adopt it and look for tools that are better able to help them move from very primitive, detailed conditions to much more abstract macro-level conditions so that they can take action; and they’re not able to right now.

So, John, I wanted to ask you one thing, because I was going through the airport the other day and I was… I was both shocked and happy and saddened all at the same time. We’ve seen Security — and I don’t like using the term “cyber”, but I’m going to — cybercrime, cyberwar, cyber espionage, cyber blah, blah, blah starting to get mainstream media attention. And there’s a part of me that always just sort of starts shaking and wanting to run into a fetal position because of the way that it’s communicated is so bad. At the same time, I’m excited that it’s getting the attention of the broader world.

I picked up two magazines. The first magazine was Rolling Stone, and the only reason I grabbed it was because the headline on the magazine actually said “The Biggest Cybercrime in History: Sex, Drugs, and Hackers Gone Wild”; so I had to pick up that and read what that was about.
And then I picked up Discover Magazine, and I picked that up because it had an article on paleontology that I thought my son would enjoy; but as I was looking through it, you know, they had a big interview with Richard Clarke and it was all about cybercrime.

So here are two magazines that are certainly not trade journals for Information Security and I think are not read by most Information Security professionals that are touching on Information Security. And there’s… I’m really torn with how much I like or don’t like that.

So I’m curious. What are your thoughts as you see Information Security go mainstream?

John Flowers: Well, that’s a really interesting question (laughing). I guess… I’ve been kind of blinded by my position in life, which is to say, you know, we… we were the first company back at nCircle, we were the first company to come up with this idea of network security scanning combined with intrusion detection. I mean, we may have even coined the phrase “intrusion prevention”, right (laughing)? That’s this whole crazy sort of world that I lived in for years and years and years. And so to me it’s kind of funny, because I sort of always thought it was going mainstream. I always felt like patterns are things that you find when you’re looking for them, and so when I’d flip on the TV and I’m in the Network Security space I say, “Oh, well, look, there’s a CSNBC or a CNBC article about how girls can be hackers, too”. Never mind how offensive that show was, but (laughing)…

Amrit Williams: (Laughing.)

John Flowers: You know, you see the sort of things that you’re looking for, you know. There’s a Buddhist ideology or a Buddhist idea that is, you know, we see as we are, right? So whatever we’re focused on, we sort of see those patterns.

So I kind of always thought, “Oh, wow, it’s going mainstream.” But I have to say, Rolling Stone is a step in a direction that I didn’t expect, and it tells me that Network Security — and this is an unfortunate thing, and it’s one of the reasons I think the good guys are losing — being a hacker somehow, even though it is illegal and it’s a crime against the government and it’s all of these different things, somehow it got sexy over the last four years. And I can’t… I mean, being a hacker was always interesting and dangerous and all of these different things; but being a bad guy is somehow sexy now. And I don’t know if people are watching too much of “24” or what they’re doing, but Rolling Stone kind of proved that, right, with this idea of “Oh, it’s kind of sexy to… you know, ‘Sex, Drugs, and Hackers,’” you know.

And I think that’s a bummer, because I think that means more people are going to be driven toward the glamorous side of it than already are, and less people are gonna be driven toward the side of — the prevention side.

Amrit Williams: Yeah, I mean, I got the same feeling, too. I was disappointed that the article had been written in such a way that it made it sound sexy and cool and, you know, it was outlaw in a way that you would see young teenage boys looking up to, as opposed to outlaw like, you know, the criminals that end up in San Quentin (laughing).

So it’s unfortunate; but at the same time it’s nice that it’s getting more attention from traditional media, and hopefully that attention will equate to actual problem-solving and not just more ridiculous hacking.

Any last thoughts that you’d like to give to the audience before we end the podcast here?

John Flowers: Well, I think one of the things that — and this touches on what we just talked about. One of the things that I would encourage people to take a deep breath and think about is the idea that because vulnerability discovery and disclosure has gone underground, and the idea that the kinds of things that — you know, when we were doing nCircle, the kind of things that were out in the open: on BUGTRAQ and on the focus-ids list and on SecurityFocus and on all these other places, the kind of things where you could freaking read the source code, right?

Those aren’t there anymore. You know, I fear that a lot of the guys who are doing the really innovative black-hat work are being paid by various nefarious organizations, and they’re being paid well. And, you know, it’s this kind of idea that, you know, when you outlaw guns, only outlaws have guns, right? This idea that we’re sort of outlawing the idea of disclosure, then the only people who are sharing them are these underground organizations, essentially amounting to the bad guys because, you know, if you do disclose something there’s a really serious potential that you could get into trouble for it.

What that means is we have to find different ways of finding vulnerabilities and exposures than relying on the community to disclose them to us. And if I were to say that there was one driving force behind why a tool or technology like Kane Box is the future, I think that would be it. We just… we don’t know what we don’t know, and we have to teach the systems what looks like normal traffic, what doesn’t look like normal traffic and teach them how to alert on it and how to give us meaningful data from that. We sure… we sure aren’t able to play the counting game the way that we used to by sending exploits out in the wild.

Amrit Williams: You know, it’s funny, too, because I just did a podcast with Marc Maiffret from eEye a couple of weeks ago, and he made the same observation about sort of the vulnerability research and disclosure not only going underground; but a lot of the folks that had been involved in exposing that information, a lot of the information that we used when we were nCircle, they just don’t exist. It’s not that they don’t exist; clearly, they’re still alive. But they just don’t do that type of work in the same way, and it’s been at the detriment of the folks that are trying to do good with Information Security that have been impacted, and that’s unfortunate. It’s unfortunate because that — this is a self-created condition.

So hopefully, you know, either the system will correct itself so that the information that was being used can be returned to use, or the technologies that are created in its absence will help folks better understand the environment that they’re in. We shall see.

Well, John, you’ve just been a fantastic guest; I can’t wait to get ya back on, I can’t wait to see ya live ‘cause it’s been, I don’t know, six-plus years since I think we sat in front of each other.

John Flowers: (Laughing.)

Amrit Williams: And I know you’ve definitely… you definitely have some great stories, so I can’t wait to dig into a lot more of ‘em.

Those folks who wanna learn a little bit more about Kane Box and the work that John’s doing, they can find that at www.kane-box.com; again, that’s www.kane-box.com. John also maintains a personal blog at www.lifezero.org, which has information on Kane Box and some of the other stuff he’s involved in. You can follow him on Twitter at kanendosai. You should check out his thought-leadership article on SANS; you can just Google SANS Thought Leadership to pick that out.

John, I’m just really happy you were on; I just had a great time, and I look forward to talking to you again soon. Thanks a lot, man.

John Flowers: My pleasure, absolutely. Loved being on, and love talking to you anytime.

Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening!
