[00:00:01] [Music]

[00:00:15] So, right, everyone, welcome to MCH2022, the Abacus stage. I'm very happy to introduce Brenno de Winter, talking about OpenKAT: security through cat's eyes. Take it away, Brenno.

[00:00:29] [Applause]

[00:00:34] Thank you very much. Yeah, you are going to see a lot of cat pictures in this presentation, so be alert and be aware. If you hate cats, bad luck for you.

I'm Brenno de Winter. I'm the Harbour Master at the Ministry of Health, Welfare and Sport, and I'm the chief security, privacy and operations for the corona tech; we talked about it yesterday. Just a quick reminder: this is my kid, Brani. "Brani Benani" is how I cuddle her, and that was the name of a project. So we started the website, then people said, like, that's kind of stupid. This is Hiro, Brani and Kaiko. In a government system it looks like this. Then somebody said, like, stop using cat names; then the minister said you can use cat names. So this is what we are going to talk about today.

[00:01:29] And with the corona tech there are a few [Music] projects that we have to do: contact tracing, the contact tracing app, the EU DCC, the QR codes I talked about. We built an EHR for hospitals in six weeks' time. We have exception routes. We do fraud protection, red teaming, and we are also supporting the other nations in our kingdom, Aruba and Sint Maarten. So that's a lot to deal with.

And then what do we need to do? Of course the continuous monitoring, and you have all the occasional issues: the shortage of people, the high stress level, especially the political environment that you're in. And then all the tasks you have to do, starting with pen testing, code reviews, ending with your risk assessments and your weekly DDoS starting at 7:00 PM on a Saturday. It's those standard things you have to deal with all the time, and with a small group of people doing that, that is kind of a hard thing.

[00:02:43] Now, I've been in security for over 30 years and... over 40, nearly 40. And one of the things I've learned from the thousands of incidents I saw is: whenever shit hits the fan, a configuration management database is totally different from reality. On the left-hand side you see Amsterdam in 1538, and that is generally the map they give you when you end up at an incident. This is Amsterdam in reality. So, yeah, and for my colleague Cleo, sorry, but this is the harsh reality. So this needs to change, and this is an issue for us as well. And then what we're doing to prevent incidents is basically finding the famous needle in a haystack. And as I've shown you, we've got all sorts of projects going on and different nations to support, so basically I'm searching in more haystacks than would fit on a PowerPoint slide.

[00:03:55] So far so good. Then came this day when we had this corona testing facility that was hacked by the Dutch news outlet RTL Nieuws. And basically what they found was a Google Firebase that was in development mode, and yeah, then you can go through all the data. And parliament said to the minister: you have to investigate all these parties. Yeah, but that's not our job. Yes, you have to. So we started continuous monitoring, and that was for up to 70 companies at the same time. There isn't a single security company that will say, like, oh sure, we'll help you with this one, because it's highly politically sensitive, it's all open. So there we were. So we did a lot of manual scanning in a weekend, found hundreds of vulnerabilities at these facilities. And then the next question came: okay, now we've sent the information over, how do we know for sure that it was all fixed? And then you start scanning again, and then this company will go like, no no no, there was nothing wrong, it's a false positive, or it wasn't really a problem.

[00:05:18] And then we found other stuff as well. For instance, one of these facilities basically said, like, okay, we've got secure mail for healthcare applications, we let them be part of our system. And then somebody by accident discovered that they had turned that off, because you have to buy a subscription of a couple of euros per month, and that apparently was too expensive. How do you monitor that altogether? So there were a lot of issues, and it's not even that simple, because there's one other issue as well: it's not only about security, it's also about what makes us as a team, but also the minister, vulnerable. And that might also be security issues that aren't there. So we stopped talking about security and we started to talk about everything that makes you vulnerable. That really doesn't scale down the problem.

[00:06:16] So we decided to go for a tool, and since we're talking about vulnerabilities, the Dutch word is "kwetsbaarheden", and we want to analyze them, and it's a tool, so we call it the Kwetsbaarheden Analyse Tool, and lo and behold, that's the Dutch word "kat" (cat). For the ones that were in my lecture yesterday: this is our team logo, that is perfectly fine for the tool as well.

[00:06:47] So we learned a couple of lessons, and one of the things that we should do is prove that if we found something, that this is really true. And if something changes, I want to be alerted. And I don't know what can change, but if anything changes, I want to be alerted. And then we found that there were basically no tools that really understood the Dutch context properly, let alone the medical context. So, long story short, we needed something that would be able to scan, would be able to do other stuff, but also doesn't violate the Dutch laws. Or, as one could say, I was looking for an "eierleggende wolmelkzeug" (an egg-laying wool-milk-sow). So how do I realize this? Help!

[00:07:44] So I phoned my friend Jan Klopper and said, like, Jan, help! And Jan is a hacker. Oh.

[00:07:53] [Applause]

[00:07:56] I have... I know I have aged a bit, yes, it's true. So yeah, we had a problem, and Brenno decided on calling me. I don't know why, but you know, these things happen.

Well, I picked you because you were allergic to cats.

This is true, yes. But you didn't know that back then.

Yeah, and the first thing you said was: stop throwing data away.

Yep.

[00:08:19] So what we see in the generally available security tools is that you start scanning, and the end product is always the vulnerability that you find; the end product is always this report saying you have to fix this, you have to fix that. But to get there you're probably going to do a lot of queries, collect a lot of information, and all of these tools next to each other do that again and again. Every time they do a DNS query, do a connection to the server, collect some information, parse it in their own way, make their own answers, put the answer in the report, and you get only the answer from the report. And we decided to do it a bit differently and say, okay, each one of these little steps should be a little program by itself, the Unix philosophy. And every time we do one of these little loops, we're going to collect the information, both raw, so we can actually prove that we did it, and we're going to collect whatever comes out of it in the database.

[00:09:22] How do we prove it?

Good question. So we decided on running all the tools in containers. Very fancy, but it's not an end in itself, it's actually something that helps us. And we run the container, for example nmap, a very simple tool. We run it, we collect the information that goes into the container (the IP address), we collect the version, the hash of the image, and we collect whatever comes out of it. And that gives a pretty good, pretty complete answer of what the tool did. And then we allow someone else, an external party, to sign that package hash, sign it, timestamp it, so we make sure we can prove what we did.

So basically the external timestamp service makes sure it's forensically sound.

Correct. And then we do that for every step along the way, while collecting information to build this graph.

[00:10:15] Yeah, and this graph we built in a cross-time database (XTDB), so that we can see the status of an object at all moments in time. So I can compare an object on January 1st around midnight to the status of the object right now. Yeah, so we have the graph, and the graph that we have today might be slightly different from the graph we had yesterday, and that allows us to obviously see the differences. But since we have this database of information, we have all the little nodes of information, we can use that graph to then, and only then, start looking for patterns, start looking for objects, start looking for things that we don't like in our graph, in our reality, within our set of business rules.

So if you put everything in objects, you put needles with needles and hay with hay.

Yep. So if you say I'm looking for a needle, then basically you can say, hey, here's your bunch of needles.

Yes. Okay.

[00:11:18] The question is, how do we get the data? And we get data with Boefjes. You're going to learn a little bit of Dutch as well: "boefje" is the Dutch word for rascal. And basically it's a plugin.

Yeah, so we have a bunch of different plugins, and Boefjes is the first one, and it's the one that goes out and gets data. It goes on the internet, or it goes and looks at the various tools or APIs, or maybe in internal or external databases, and it only has a question. It goes and fetches the raw data, it doesn't really matter which format it is in, and it collects it to be stored in our forensic database. They are just facts. So in a regular tool, for example if you run nmap, a lot of tools will immediately say, oh, you've got port 22 open, don't do that. I don't care about port 22, you know, it's fine, do whatever you want. I get that a pentester probably has a reason not to do port 22 on the internet, but that's a business rule, and the business rule comes later.

[00:12:27] Because we made a distinction between facts and conclusions. I've got this guy walking around along the canal, and he's basically always doing a finding and then saying, like, okay, you have to decide if it's important for you or not. So he says, like, okay Brenno, I'm looking at your house, I see smoke coming out of the roof, and flames. If this is important to you, the logical step would be to dial 112 and ask for the fire brigade.

Optionally, optionally, optionally. You know, I don't know what you're...

By the way, I call him my chief conspiracy officer. We have a whole bunch of plugins already, we need a lot more, so I'll do the shout-out now: come to the OpenKAT tent and join the scene.

[00:13:23] But then I've got data, and data is still something that is unstructured.

Yep. So by now we've run all these Boefjes and we collected all this raw information, probably just command-line outputs or JSON blobs from somewhere, and in that data is a lot of extra information. We need to process that to actually make sense of it, make needles. And what we do is we have a separate set of plugins, normalizers, or Whiskers as we call them, and we couple each Whisker either to a Boefje or to a MIME type and say, oh, let's see, we have text/html forensic proof, what can we do with that? We have nmap output, what could we do with that? And we scan that data from the store, check it, and if we find something that we understand, then we add it to the database. But today I understand only so much, and then all these people are going to help, and then I understand, I know more.

Yes, I know, that's very interesting.

[00:14:25] So imagine having this vault of data that you collected over many, many years, over systems that you have in production, and you had done this as you would, because Brenno asked you to. And it's a good morning, you wake up and you notice there's something wrong with your website: CPUs are spiking every time a browser visits, and you find a bit of JavaScript code in there and it's bitcoin mining, so it's essentially destroying the planet. You find that bit of bitcoin code, the cryptominer, and you notice that you obviously missed it because you didn't know it was there. What you can do from that point on is collect that information, you write a normalizer that looks for this specific bit of JavaScript, add it to KAT, to OpenKAT, and it will probably find another few of these injected bits of HTML or JavaScript in your various sites, because we had already downloaded all the HTML, we had already collected the proof. So you can immediately start fixing these things. But you also have all the historic information in your forensic store, so now the normalizer can start working backwards over all that collected data and pinpoint the moment in time, because we have a cross-time database, where we saw that bit of JavaScript for the first time. And this obviously helps with pinpointing when you were attacked, and by having that specific moment you can probably also dumb it down and look at other log files to see how the hell they came in, because seeing a bit of JavaScript in your website is one thing; knowing how they got in is probably very expensive research.

Yeah, a bit of expensive research, yeah. And then we store all the data in Bytes. Is that one of my cats?

Definitely not, it's Simon's.

[00:16:33] But we store it forensically in our data store, and then basically we go for the business rules.

Yeah, so business rules. Very enterprising name, I know. Business rules are more or less like complex CSS queries. You have a set of data, you have a tree of information, and what a business rule actually does, we have one on screen here, is it says: okay, every time an IP address is added to the graph, I'd like to be run. So it's more or less a state machine, and it does collect some other additional IP information, so IP port and websites that might be related to this IP address. And then we do some Python magic, run over some [inaudible] and websites, we collect some ports, and if we have all the ports of this computer, then we can do this bit of logic saying, okay, if port 80 is open or port 443 is open or not, then there's probably something wrong. If so, we'll add a finding, yield the finding to the database, and what this does is it creates a new object in the graph. So if A exists, B must also exist. But A or B or C, you know, this might be more complex queries; we try to keep them simple.

And that opens up, for instance, one possibility is that you say, like, okay, yesterday you had five ports open, today it's 12, maybe your firewall configuration is no longer good.

Yep, but there's more.

[00:18:05] If I see that you're running a bit of software, for example WordPress, I can do a query over all software instances. I can see that you're running WordPress; if this is WordPress, then there must also exist these other 1568 dependencies. It's deduction, it's very simple, it's a simple business rule, and the business rule feeds on external information, and it handles every bit of WordPress in your site, or whatever you want.

Yeah, right. There is this nice example of this corona test street: they were using WordPress, and a new Common Vulnerabilities and Exposures entry came out, and that basically gave a CVSS score of 9.8, which is kind of serious. So after we downloaded it, I phoned the director of that testing street, and within 10 minutes of getting the alert the website was fixed. I can't prove that we prevented the hack, but likely we did.

Yeah, so the business rule was triggered again when we renewed the list of CVEs, and the second that happened we added all the extra facts to the database.

[00:19:21] Yeah, there's only one thing... you know, the Boefjes get the data, Bytes feeds them to the Whiskers, the Octopoes... Octopoes is what we call the system that basically does all the handling of the data, and then ultimately it ends up with Bits. And Bits is basically... I'm sorry... we run the Bits, and then basically you can do your reporting etc. We've obviously got the interface for that.

One of the interesting things...

Yeah, I'm not happy.

Oh yeah. One of the interesting things about these Bits is that, like I said, they add data and objects back into the graph. They don't have to be findings, but they could be. And once you alter the graph, you can then have another set of Bits looking at that data again and say, oh wait a minute, if you have that little technical issue, then you're not compliant with, for example, internet.nl. And if you're not compliant with internet.nl, we've added a finding for this saying, oh, you're not compliant with this, then we can add another business rule saying, oh, if you're not compliant with internet.nl, you're not compliant with NTA 7516, which is safe email for healthcare.

Yeah.

So you can build these really big compliance questions and strip them down into smaller technical questions, simple queries.

[00:20:46] Yeah, there's only one thing that I'm totally not happy about, and that is, so far I have to do everything myself: start it, click it.

So we've got a scheduler.

Mula, another cat of one of the developers.

Mula is our scheduler, and we're now kind of in the volume of search engines. So we have lots of objects, and every object that we add to the graph either triggers a Bit or business rule, but they can also be input for another set of Boefjes. If we find a hostname, it doesn't matter where we collected it from, then we can probably do a bunch of things, like DNS queries, we can try and see if there are any subdomains, we can look for certificates via transparency records. So deciding on which Boefjes to run and in what order is something that the scheduler does, also deciding on when to rescan. Some things don't need to be rescanned every day, some do.

So if we're rescanning, then I can also see that if somebody fixed something, it is fixed, correct?

Yeah. So if we see something broken today, we collect proof of that, and by the time we rescan, either manually or through the scheduler, we also collect evidence on when you
fixed it 597 00:22:13,760 --> 00:22:16,080 which is obviously very very useful 598 00:22:16,080 --> 00:22:18,000 yeah but now we need to use the real 599 00:22:18,000 --> 00:22:21,039 life practices and we need yeah need 600 00:22:21,039 --> 00:22:23,919 some help for that 601 00:22:23,919 --> 00:22:25,760 because i don't know how to do that so i 602 00:22:25,760 --> 00:22:29,440 would like to invite oscar kuro 603 00:22:33,600 --> 00:22:36,320 if he still dares 604 00:22:36,320 --> 00:22:39,120 well actually the joke the actual joke 605 00:22:39,120 --> 00:22:41,470 is 606 00:22:41,470 --> 00:22:44,400 [Applause] 607 00:22:44,400 --> 00:22:45,840 the actual joke is that this is a 608 00:22:45,840 --> 00:22:48,480 government-approved picture in an actual 609 00:22:48,480 --> 00:22:49,280 uh 610 00:22:49,280 --> 00:22:51,039 interview that i gave 611 00:22:51,039 --> 00:22:52,480 but let's face it 612 00:22:52,480 --> 00:22:54,559 with respect to what my day job is 613 00:22:54,559 --> 00:22:56,640 because my night job is yeah well having 614 00:22:56,640 --> 00:22:59,520 fun and doing stuff but uh on the day 615 00:22:59,520 --> 00:23:01,600 job site my responsibilities for an 616 00:23:01,600 --> 00:23:03,200 entire ministry 617 00:23:03,200 --> 00:23:05,919 consists out of uh depending on how you 618 00:23:05,919 --> 00:23:08,799 count either 11 or 25 or even more 619 00:23:08,799 --> 00:23:10,480 organizations 620 00:23:10,480 --> 00:23:13,679 so i know what kind of things are 621 00:23:13,679 --> 00:23:16,480 coming to me with respect to uh how to 622 00:23:16,480 --> 00:23:18,320 prove that you're compliant how to prove 623 00:23:18,320 --> 00:23:19,840 that you have your security in control 624 00:23:19,840 --> 00:23:21,760 that you prove that your privacy 625 00:23:21,760 --> 00:23:23,760 controls are if you can test them with 626 00:23:23,760 --> 00:23:27,679 technical means that they are okay 627 00:23:27,760 --> 00:23:30,159 yeah but before we do that now 
that we 628 00:23:30,159 --> 00:23:31,840 are the three of us 629 00:23:31,840 --> 00:23:34,799 um we need to get the op cut out 630 00:23:34,799 --> 00:23:38,320 yeah and that needs to be published 631 00:23:38,320 --> 00:23:39,120 so 632 00:23:39,120 --> 00:23:40,559 when did we do that 633 00:23:40,559 --> 00:23:44,000 uh we did it we did that on july 1st um 634 00:23:44,000 --> 00:23:47,039 at 2200 hours and in the next morning we 635 00:23:47,039 --> 00:23:49,200 got a call from davide 636 00:23:49,200 --> 00:23:53,120 the nice guys who were before us and 637 00:23:53,120 --> 00:23:54,559 good going 638 00:23:54,559 --> 00:23:57,919 and we had the information disclosure so 639 00:23:57,919 --> 00:24:00,640 i dare to say open source seems to work 640 00:24:00,640 --> 00:24:03,520 yeah so thanks to the work of them that 641 00:24:03,520 --> 00:24:05,679 they actually looked at the code so 642 00:24:05,679 --> 00:24:07,919 quickly so fast and found something that 643 00:24:07,919 --> 00:24:09,120 we've missed 644 00:24:09,120 --> 00:24:11,200 it's that's the thing that i think it's 645 00:24:11,200 --> 00:24:12,799 it's what open source should be well not 646 00:24:12,799 --> 00:24:14,159 just us 647 00:24:14,159 --> 00:24:16,320 i think it speaks to you know why we do 648 00:24:16,320 --> 00:24:17,360 open cut 649 00:24:17,360 --> 00:24:19,760 yeah many people have been looking at 650 00:24:19,760 --> 00:24:21,440 you know at open cut 651 00:24:21,440 --> 00:24:23,840 including some companies yeah 652 00:24:23,840 --> 00:24:25,840 and we all missed it 653 00:24:25,840 --> 00:24:27,360 and i think this is also one of the 654 00:24:27,360 --> 00:24:29,600 examples again because we've seen all 655 00:24:29,600 --> 00:24:31,600 kinds of other improvements that we've 656 00:24:31,600 --> 00:24:32,880 had in the talk that we've had with 657 00:24:32,880 --> 00:24:35,440 breno and and ron 658 00:24:35,440 --> 00:24:36,880 in other days 659 00:24:36,880 --> 00:24:38,720 
that open source can work if you 660 00:24:38,720 --> 00:24:40,720 actually put your mind to it and do the 661 00:24:40,720 --> 00:24:43,200 right steps and then this can work again 662 00:24:43,200 --> 00:24:46,159 so it's really appreciative okay but 663 00:24:46,159 --> 00:24:47,919 your mission is really to make cat 664 00:24:47,919 --> 00:24:49,919 holistic mch 665 00:24:49,919 --> 00:24:50,460 um 666 00:24:50,460 --> 00:24:53,539 [Music] 667 00:24:54,000 --> 00:24:56,320 make cat holistic i'll slide you know 668 00:24:56,320 --> 00:24:57,679 i'll let it slide that this one is not 669 00:24:57,679 --> 00:25:00,250 with decay 670 00:25:00,250 --> 00:25:02,080 [Applause] 671 00:25:02,080 --> 00:25:04,400 so one of the goals is that we can scan 672 00:25:04,400 --> 00:25:06,799 all the resources that we can actually 673 00:25:06,799 --> 00:25:08,960 get from the infrastructure and if we 674 00:25:08,960 --> 00:25:11,760 can't then use the agent services 675 00:25:11,760 --> 00:25:14,320 which is going to be a lot because the 676 00:25:14,320 --> 00:25:16,480 amount of organic organizations that you 677 00:25:16,480 --> 00:25:18,480 have to deal with with the pandemic 678 00:25:18,480 --> 00:25:20,159 that's fine that's a lot but the 679 00:25:20,159 --> 00:25:23,440 ministry itself has at least 680 00:25:23,440 --> 00:25:25,679 it's a bit bigger and i've got more 681 00:25:25,679 --> 00:25:27,919 suppliers even to deal with and each of 682 00:25:27,919 --> 00:25:29,600 them need to be compliant and the 683 00:25:29,600 --> 00:25:30,720 compliance 684 00:25:30,720 --> 00:25:33,200 rules and regulations will improve 685 00:25:33,200 --> 00:25:35,840 because of all the yeah this thing only 686 00:25:35,840 --> 00:25:38,159 works if the objects are being filled so 687 00:25:38,159 --> 00:25:41,520 if you've got sufficient assets 688 00:25:41,520 --> 00:25:44,960 to add discover assets well if 689 00:25:44,960 --> 00:25:46,400 this is one of the things that i had to 
690 00:25:46,400 --> 00:25:48,240 do myself in the weekends because that's 691 00:25:48,240 --> 00:25:50,880 the night job is try to scan 692 00:25:50,880 --> 00:25:52,720 the infrastructure itself and then 693 00:25:52,720 --> 00:25:56,159 discover oh my gosh we have more apis we 694 00:25:56,159 --> 00:25:58,080 have more things to do more things to 695 00:25:58,080 --> 00:25:59,840 control and everything is getting more 696 00:25:59,840 --> 00:26:00,880 and more 697 00:26:00,880 --> 00:26:03,039 so we need to have scale 698 00:26:03,039 --> 00:26:04,880 in what we do 699 00:26:04,880 --> 00:26:07,200 and this is why i think this is a cool 700 00:26:07,200 --> 00:26:08,480 thing that we have 701 00:26:08,480 --> 00:26:10,720 now is that we have the opportunity for 702 00:26:10,720 --> 00:26:11,840 scaling 703 00:26:11,840 --> 00:26:13,760 yeah and the cool thing is if you really 704 00:26:13,760 --> 00:26:15,760 understand this um 705 00:26:15,760 --> 00:26:18,240 think of log4j 706 00:26:18,240 --> 00:26:20,400 what did most organizations do they 707 00:26:20,400 --> 00:26:22,320 started scanning the moment the house is 708 00:26:22,320 --> 00:26:24,400 on fire 709 00:26:24,400 --> 00:26:26,080 collecting you know collecting where 710 00:26:26,080 --> 00:26:27,679 log4j was 711 00:26:27,679 --> 00:26:29,120 even included 712 00:26:29,120 --> 00:26:30,880 um we didn't know i didn't know what it 713 00:26:30,880 --> 00:26:33,679 was i mean i know java but that's about 714 00:26:33,679 --> 00:26:35,600 it 715 00:26:35,600 --> 00:26:39,039 but we already knew where it was yeah so 716 00:26:39,039 --> 00:26:41,360 one of the yeah fridays if i'm not 717 00:26:41,360 --> 00:26:44,559 mistaken i looked at the code kudos to 718 00:26:44,559 --> 00:26:46,559 the northwave guys because i thought 719 00:26:46,559 --> 00:26:48,000 that was the most readable python 720 00:26:48,000 --> 00:26:50,960 implementation of scanning log4j then 721 00:26:50,960 --> 00:26:54,080 
extending that and then well telling to 722 00:26:54,080 --> 00:26:57,039 the guys hey look i've scanned 723 00:26:57,039 --> 00:26:58,960 the entire ministry at least from what i 724 00:26:58,960 --> 00:27:00,159 could get 725 00:27:00,159 --> 00:27:01,520 please help me 726 00:27:01,520 --> 00:27:04,080 i need to make it into the service 727 00:27:04,080 --> 00:27:05,279 yeah 728 00:27:05,279 --> 00:27:08,960 and sharing is caring sharing is caring 729 00:27:08,960 --> 00:27:09,919 so 730 00:27:09,919 --> 00:27:12,000 so and yeah what 731 00:27:12,000 --> 00:27:14,880 we also do is we also have to be open to 732 00:27:14,880 --> 00:27:16,320 parliament and state look this is what 733 00:27:16,320 --> 00:27:17,200 we do 734 00:27:17,200 --> 00:27:18,559 and one of the important thing is that 735 00:27:18,559 --> 00:27:20,960 we don't just keep it to ourselves and 736 00:27:20,960 --> 00:27:22,880 but also make it available for all the 737 00:27:22,880 --> 00:27:24,720 other ministries who have the same 738 00:27:24,720 --> 00:27:26,880 challenges well not just ministries i 739 00:27:26,880 --> 00:27:28,559 mean 740 00:27:28,559 --> 00:27:30,880 and then we can go big 741 00:27:30,880 --> 00:27:31,600 bigger 742 00:27:31,600 --> 00:27:34,000 and why why limit ourselves to that yeah 743 00:27:34,000 --> 00:27:36,720 there's all the friends that see cert 744 00:27:36,720 --> 00:27:37,520 who 745 00:27:37,520 --> 00:27:39,919 are going to scan hospitals with it 746 00:27:39,919 --> 00:27:41,840 so that's kind of cool 747 00:27:41,840 --> 00:27:44,480 there are so many opportunities 748 00:27:44,480 --> 00:27:45,360 yeah 749 00:27:45,360 --> 00:27:47,520 well this is basically the overview if 750 00:27:47,520 --> 00:27:49,279 you want to know more there is time for 751 00:27:49,279 --> 00:27:52,080 questions we did deliberately um left 752 00:27:52,080 --> 00:27:54,960 some time for questions if we can think 753 00:27:54,960 --> 00:27:56,720 we can understand if it's 
hard for you 754 00:27:56,720 --> 00:27:58,480 to think about questions so we thought 755 00:27:58,480 --> 00:28:00,840 of a couple of questions 756 00:28:00,840 --> 00:28:04,880 um for you i still have questions so you 757 00:28:04,880 --> 00:28:06,799 should have questions as well 758 00:28:06,799 --> 00:28:09,360 exactly and if you don't dare to ask 759 00:28:09,360 --> 00:28:12,240 questions now come to the open cut tent 760 00:28:12,240 --> 00:28:15,520 and ask um questions then 761 00:28:15,520 --> 00:28:18,399 any questions 762 00:28:23,840 --> 00:28:24,640 hi 763 00:28:24,640 --> 00:28:26,559 i was wondering if there's uh 764 00:28:26,559 --> 00:28:28,960 there are plans for an api 765 00:28:28,960 --> 00:28:31,279 yeah um so 766 00:28:31,279 --> 00:28:32,799 the question was if we have any plans 767 00:28:32,799 --> 00:28:35,360 for apis and i'm guessing you you mean 768 00:28:35,360 --> 00:28:37,600 to extract data from cat and use it 769 00:28:37,600 --> 00:28:39,279 somewhere else right 770 00:28:39,279 --> 00:28:41,679 yeah also to configure it 771 00:28:41,679 --> 00:28:45,600 um yeah sure sure so uh cat is open cut 772 00:28:45,600 --> 00:28:48,320 is built out of various containers um as 773 00:28:48,320 --> 00:28:49,919 you saw you know we have bytes the 774 00:28:49,919 --> 00:28:51,600 forensic store you can use and interact 775 00:28:51,600 --> 00:28:53,360 that with that 776 00:28:53,360 --> 00:28:54,240 if you 777 00:28:54,240 --> 00:28:56,159 skip the buffiest part and inject data 778 00:28:56,159 --> 00:28:58,159 right into bytes the normals will pick 779 00:28:58,159 --> 00:28:59,279 them up 780 00:28:59,279 --> 00:29:01,200 you can also query bytes as well and you 781 00:29:01,200 --> 00:29:03,279 know get data out of it 782 00:29:03,279 --> 00:29:06,000 octopus same story you could add objects 783 00:29:06,000 --> 00:29:07,360 there you can 784 00:29:07,360 --> 00:29:11,600 query octopus for objects at any time 785 00:29:11,600 --> 
00:29:13,679 yeah just as with granny bernani what we 786 00:29:13,679 --> 00:29:14,799 did is 787 00:29:14,799 --> 00:29:16,480 make a big problem 788 00:29:16,480 --> 00:29:18,159 and that's actually what i learned from 789 00:29:18,159 --> 00:29:19,600 mendel moba 790 00:29:19,600 --> 00:29:22,240 if you have a big puzzle make it a bunch 791 00:29:22,240 --> 00:29:24,480 of small puzzles so what we did is 792 00:29:24,480 --> 00:29:25,919 that's why we have all these little 793 00:29:25,919 --> 00:29:27,440 projects 794 00:29:27,440 --> 00:29:30,799 so that you make it a little bit smaller 795 00:29:30,799 --> 00:29:33,120 yep 796 00:29:33,440 --> 00:29:35,600 hello congratulations on building and 797 00:29:35,600 --> 00:29:37,600 releasing such an excellent tool i have 798 00:29:37,600 --> 00:29:40,000 a question regarding the forensics 799 00:29:40,000 --> 00:29:43,120 collection and the keeping data 800 00:29:43,120 --> 00:29:46,320 why discard it do you keep pcaps of all 801 00:29:46,320 --> 00:29:48,640 your scans and if not why not 802 00:29:48,640 --> 00:29:50,799 very good very good question thank you 803 00:29:50,799 --> 00:29:52,880 yes it's on the roadmap and yes we have 804 00:29:52,880 --> 00:29:54,720 promised this and no we don't do it yet 805 00:29:54,720 --> 00:29:55,600 so 806 00:29:55,600 --> 00:29:57,120 since we're running all the containers 807 00:29:57,120 --> 00:29:59,440 with the buffets in there um it's a very 808 00:29:59,440 --> 00:30:01,120 logical question and a very logical 809 00:30:01,120 --> 00:30:03,039 thing to also collect all the network 810 00:30:03,039 --> 00:30:04,960 traffic that is being generated because 811 00:30:04,960 --> 00:30:05,760 you know 812 00:30:05,760 --> 00:30:08,559 nmap might just output something but it 813 00:30:08,559 --> 00:30:10,159 you know might have seen something else 814 00:30:10,159 --> 00:30:12,960 it might have been collecting data 815 00:30:12,960 --> 00:30:15,200 and once we have that data 
we could 816 00:30:15,200 --> 00:30:17,600 easily make normalizers to scan through 817 00:30:17,600 --> 00:30:19,440 that data as well scan through the pcap 818 00:30:19,440 --> 00:30:21,360 files and you know 819 00:30:21,360 --> 00:30:24,000 pick them apart and and collect even 820 00:30:24,000 --> 00:30:25,840 more data points from there because we 821 00:30:25,840 --> 00:30:28,080 might not know what we're looking for 822 00:30:28,080 --> 00:30:29,919 you know until we discover this in the 823 00:30:29,919 --> 00:30:31,919 future and also have the proof on what 824 00:30:31,919 --> 00:30:33,919 kind of data we've actually sent out 825 00:30:33,919 --> 00:30:36,559 over the network per scan or in this 826 00:30:36,559 --> 00:30:39,679 case repair per container yeah so one of 827 00:30:39,679 --> 00:30:41,600 the reasons we do this uh there's 828 00:30:41,600 --> 00:30:44,159 actually two main reasons why we why we 829 00:30:44,159 --> 00:30:46,000 do this we 830 00:30:46,000 --> 00:30:47,600 want to make sure that 831 00:30:47,600 --> 00:30:49,120 if we scan 832 00:30:49,120 --> 00:30:51,279 that we have a proof of that we actually 833 00:30:51,279 --> 00:30:52,240 scanned 834 00:30:52,240 --> 00:30:53,760 this is something that's missing from 835 00:30:53,760 --> 00:30:55,600 lots and lots of uh 836 00:30:55,600 --> 00:30:57,440 pen testing reports did you actually 837 00:30:57,440 --> 00:30:59,039 scan this i don't know 838 00:30:59,039 --> 00:31:01,760 so if for example you do n mapping on on 839 00:31:01,760 --> 00:31:03,600 an ip address and if it doesn't return 840 00:31:03,600 --> 00:31:06,000 any ip addresses or ports does it show 841 00:31:06,000 --> 00:31:08,080 up in your pen test 842 00:31:08,080 --> 00:31:09,440 i'm guessing not 843 00:31:09,440 --> 00:31:11,120 um how do you prove that you've actually 844 00:31:11,120 --> 00:31:12,320 scanned it 845 00:31:12,320 --> 00:31:14,480 by showing that you know you have the 846 00:31:14,480 --> 
00:31:15,679 input you have the output you probably 847 00:31:15,679 --> 00:31:18,240 have the pcap file somewhere then you 848 00:31:18,240 --> 00:31:20,000 have actual proof 849 00:31:20,000 --> 00:31:22,159 that you've done your work and that you 850 00:31:22,159 --> 00:31:23,679 didn't find anything 851 00:31:23,679 --> 00:31:26,399 but if for someone like a reason nmap is 852 00:31:26,399 --> 00:31:29,360 broken in that version and it 853 00:31:29,360 --> 00:31:31,200 skips port 22 854 00:31:31,200 --> 00:31:32,559 um 855 00:31:32,559 --> 00:31:34,480 i want to make sure that i have proof of 856 00:31:34,480 --> 00:31:36,559 you know running that specific version 857 00:31:36,559 --> 00:31:38,000 and doing my job 858 00:31:38,000 --> 00:31:39,919 i have run yeah there is a very good 859 00:31:39,919 --> 00:31:42,960 reason for that there was this one case 860 00:31:42,960 --> 00:31:44,799 where i was involved in this incident 861 00:31:44,799 --> 00:31:46,559 with the city 862 00:31:46,559 --> 00:31:48,159 with a city in the east of the 863 00:31:48,159 --> 00:31:49,760 netherlands and they got fully 864 00:31:49,760 --> 00:31:52,159 ransomware and then there i 865 00:31:52,159 --> 00:31:55,279 stumbled across this 866 00:31:55,279 --> 00:31:58,000 pen test and it didn't say that rdp was 867 00:31:58,000 --> 00:31:58,880 open 868 00:31:58,880 --> 00:32:01,039 but the funny thing was when you went to 869 00:32:01,039 --> 00:32:03,120 showdown i could see that all the days 870 00:32:03,120 --> 00:32:05,039 of the pen test 871 00:32:05,039 --> 00:32:07,840 except one or two this port actually was 872 00:32:07,840 --> 00:32:09,919 open so how can that be 873 00:32:09,919 --> 00:32:11,679 and this is why you want to have that 874 00:32:11,679 --> 00:32:14,080 proof 875 00:32:14,080 --> 00:32:16,240 excellent answer thank you um also if 876 00:32:16,240 --> 00:32:18,240 you're negotiating secure connections 877 00:32:18,240 --> 00:32:20,559 like tls keep a copy of 
all the keys 878 00:32:20,559 --> 00:32:23,519 that you've negotiated we do yes thank 879 00:32:23,519 --> 00:32:26,320 you thank you 880 00:32:27,279 --> 00:32:28,480 yeah so 881 00:32:28,480 --> 00:32:31,279 my question was about your cmdb you said 882 00:32:31,279 --> 00:32:34,399 it was not complete enough is open cut 883 00:32:34,399 --> 00:32:36,720 more complete than you seem to be 884 00:32:36,720 --> 00:32:38,559 there or is it more than it is 885 00:32:38,559 --> 00:32:39,840 no it but 886 00:32:39,840 --> 00:32:42,080 no i would not say that at this moment 887 00:32:42,080 --> 00:32:44,799 definitely not but um this is why we are 888 00:32:44,799 --> 00:32:47,360 focusing on the asset management 889 00:32:47,360 --> 00:32:50,080 um because this is what you really want 890 00:32:50,080 --> 00:32:52,080 and of course we'll draw all your 891 00:32:52,080 --> 00:32:53,919 inferences from that 892 00:32:53,919 --> 00:32:57,440 modern cmdbs have extra modules to scan 893 00:32:57,440 --> 00:33:00,080 the network and have from actual 894 00:33:00,080 --> 00:33:02,480 collections of whatever agents or 895 00:33:02,480 --> 00:33:05,519 whatever data input you can then state 896 00:33:05,519 --> 00:33:07,679 oh look the cmdb is not completing these 897 00:33:07,679 --> 00:33:10,159 kinds of elements but today yeah and 898 00:33:10,159 --> 00:33:11,840 today we got actually an offer of 899 00:33:11,840 --> 00:33:13,919 somebody who um 900 00:33:13,919 --> 00:33:16,880 who is looking in making in a buffer 901 00:33:16,880 --> 00:33:20,559 that connects to ac cmdb so yeah this is 902 00:33:20,559 --> 00:33:22,720 what we want to trigger as well 903 00:33:22,720 --> 00:33:24,640 yeah there's two two rounds there 904 00:33:24,640 --> 00:33:26,960 actually so you can use 905 00:33:26,960 --> 00:33:29,440 you know you can use your existing cmdb 906 00:33:29,440 --> 00:33:30,159 or 907 00:33:30,159 --> 00:33:32,880 admin panel or whatever to feed into 908 00:33:32,880 --> 
00:33:34,720 open cut saying hey i have these assets 909 00:33:34,720 --> 00:33:36,399 please scan them 910 00:33:36,399 --> 00:33:37,840 you could go the other way as well and 911 00:33:37,840 --> 00:33:39,120 say 912 00:33:39,120 --> 00:33:41,360 let's scan everything that we can find 913 00:33:41,360 --> 00:33:43,600 and then have a business rule saying 914 00:33:43,600 --> 00:33:45,919 if there's something in the open cap in 915 00:33:45,919 --> 00:33:48,080 octopus in the database which is not 916 00:33:48,080 --> 00:33:50,640 present in my cmdb 917 00:33:50,640 --> 00:33:52,559 there's a finding right something's 918 00:33:52,559 --> 00:33:54,480 missing in your cmdb so 919 00:33:54,480 --> 00:33:56,720 you can use both ways you know whatever 920 00:33:56,720 --> 00:33:59,679 you want to do with it 921 00:34:03,039 --> 00:34:06,080 um you said you scanned log files and is 922 00:34:06,080 --> 00:34:08,159 that from outwards inwards the reason 923 00:34:08,159 --> 00:34:10,480 for the question is like um if you have 924 00:34:10,480 --> 00:34:13,679 normal users using the system you log ip 925 00:34:13,679 --> 00:34:17,040 addresses and then maybe the gdpr comes 926 00:34:17,040 --> 00:34:18,159 into play 927 00:34:18,159 --> 00:34:20,960 if you say you have them hashed uh uh 928 00:34:20,960 --> 00:34:23,199 subscribed that this is uh wasn't 929 00:34:23,199 --> 00:34:26,799 changed how do you handle that 930 00:34:27,679 --> 00:34:29,199 we're just looking at her we're not just 931 00:34:29,199 --> 00:34:31,679 you know figuring out the answer um 932 00:34:31,679 --> 00:34:35,119 [Laughter] 933 00:34:35,119 --> 00:34:36,879 so a bunch of questions in there 934 00:34:36,879 --> 00:34:38,879 actually so yes we are currently 935 00:34:38,879 --> 00:34:40,800 scanning from the outside in 936 00:34:40,800 --> 00:34:41,760 and 937 00:34:41,760 --> 00:34:42,960 that means that we're not collecting 938 00:34:42,960 --> 00:34:46,159 information on clients for example 
939 00:34:46,159 --> 00:34:47,040 but 940 00:34:47,040 --> 00:34:49,839 we are working on um having more run 941 00:34:49,839 --> 00:34:52,320 times so internal run times like uh in 942 00:34:52,320 --> 00:34:54,639 your network in your vlans possibly even 943 00:34:54,639 --> 00:34:55,679 agents 944 00:34:55,679 --> 00:34:57,839 um that are on your 945 00:34:57,839 --> 00:35:00,640 and collect raw files like forensic 946 00:35:00,640 --> 00:35:02,000 information and then we can normalize 947 00:35:02,000 --> 00:35:03,520 that and build the graph 948 00:35:03,520 --> 00:35:05,760 once you start doing that obviously you 949 00:35:05,760 --> 00:35:07,520 might you know 950 00:35:07,520 --> 00:35:09,040 get personal information in there and 951 00:35:09,040 --> 00:35:10,240 then you obviously have to deal with 952 00:35:10,240 --> 00:35:11,440 that 953 00:35:11,440 --> 00:35:13,040 the way 954 00:35:13,040 --> 00:35:14,880 you do that is 955 00:35:14,880 --> 00:35:16,400 defined in the model 956 00:35:16,400 --> 00:35:18,960 um and you can we don't have it yet but 957 00:35:18,960 --> 00:35:20,480 we can probably add something like 958 00:35:20,480 --> 00:35:23,040 encrypted models saying this has a you 959 00:35:23,040 --> 00:35:25,920 know a key rollover after so many months 960 00:35:25,920 --> 00:35:28,160 and it you know gets destroyed 961 00:35:28,160 --> 00:35:30,880 through that means um 962 00:35:30,880 --> 00:35:32,880 at the moment we don't use any 963 00:35:32,880 --> 00:35:34,400 we don't have any objects that actually 964 00:35:34,400 --> 00:35:35,440 collect 965 00:35:35,440 --> 00:35:37,040 private information 966 00:35:37,040 --> 00:35:38,720 because we as the ministry don't want to 967 00:35:38,720 --> 00:35:40,800 do that 968 00:35:40,800 --> 00:35:42,560 nothing's stopping you though from 969 00:35:42,560 --> 00:35:44,560 creating these models and adding these 970 00:35:44,560 --> 00:35:46,800 boofies yourself and also of course we 971 00:35:46,800 
--> 00:35:48,640 already have the name spacing that makes 972 00:35:48,640 --> 00:35:50,640 it possible to do internal scanning as 973 00:35:50,640 --> 00:35:52,880 well and we've already got the project 974 00:35:52,880 --> 00:35:54,960 name for that and that is kitten 975 00:35:54,960 --> 00:35:59,040 cat on a pie small cat kitten 976 00:35:59,040 --> 00:35:59,830 okay thank you 977 00:35:59,830 --> 00:36:03,020 [Music] 978 00:36:03,599 --> 00:36:05,760 hello and congratulations on this 979 00:36:05,760 --> 00:36:07,119 beautiful product 980 00:36:07,119 --> 00:36:08,320 and 981 00:36:08,320 --> 00:36:10,079 my question is really since this does 982 00:36:10,079 --> 00:36:13,040 look like a bunch of awesomeness 983 00:36:13,040 --> 00:36:15,040 this is bound to take off 984 00:36:15,040 --> 00:36:17,200 it means that more people want an open 985 00:36:17,200 --> 00:36:18,240 cat 986 00:36:18,240 --> 00:36:20,160 and one day a different ministry or 987 00:36:20,160 --> 00:36:21,839 hospital is going to come along and says 988 00:36:21,839 --> 00:36:24,160 we would like to get an open cat 989 00:36:24,160 --> 00:36:25,200 instance 990 00:36:25,200 --> 00:36:27,280 but we would like to get help with that 991 00:36:27,280 --> 00:36:29,680 is there a company that can do that for 992 00:36:29,680 --> 00:36:32,480 me and the question is have you 993 00:36:32,480 --> 00:36:33,760 given any 994 00:36:33,760 --> 00:36:35,839 thought about a 995 00:36:35,839 --> 00:36:38,880 hybrid commercial ecosystem 996 00:36:38,880 --> 00:36:40,960 around this because it is the question 997 00:36:40,960 --> 00:36:43,520 is going to come um 998 00:36:43,520 --> 00:36:45,520 yeah john 999 00:36:45,520 --> 00:36:49,680 ian and i had a lot of thursday evenings 1000 00:36:49,680 --> 00:36:51,520 so one of the bullet points missing on 1001 00:36:51,520 --> 00:36:54,079 my slide is cereal entrepreneur um 1002 00:36:54,079 --> 00:36:55,599 because it's so cheesy 1003 00:36:55,599 --> 
00:36:57,119 um

1004
00:36:57,119 --> 00:37:00,079
my mic is cancelling sometimes but yeah

1005
00:37:00,079 --> 00:37:02,960
have been thinking about this um

1006
00:37:02,960 --> 00:37:05,680
but obviously we just want to do this

1007
00:37:05,680 --> 00:37:08,720
within the industry first um someone

1008
00:37:08,720 --> 00:37:10,960
else is bound to you know take the

1009
00:37:10,960 --> 00:37:14,240
source and you know take it build some

1010
00:37:14,240 --> 00:37:16,240
some cloud platform out of this we don't

1011
00:37:16,240 --> 00:37:18,000
know we do have the name for it though

1012
00:37:18,000 --> 00:37:19,599
it's gas

1013
00:37:19,599 --> 00:37:23,440
get there's a surface yeah

1014
00:37:23,440 --> 00:37:24,640
so you know

1015
00:37:24,640 --> 00:37:26,720
we

1016
00:37:27,280 --> 00:37:28,800
we have in fact done half the work

1017
00:37:28,800 --> 00:37:31,920
already but uh breno how much

1018
00:37:31,920 --> 00:37:34,240
introductions and stories do you tell

1019
00:37:34,240 --> 00:37:36,480
how much presentations do you

1020
00:37:36,480 --> 00:37:37,680
give about

1021
00:37:37,680 --> 00:37:41,119
cat to how many people we have

1022
00:37:41,119 --> 00:37:43,280
don't like dozens and dozens of

1023
00:37:43,280 --> 00:37:45,920
presentations which time frame i think

1024
00:37:45,920 --> 00:37:48,960
dozens per i think we've done about 150

1025
00:37:48,960 --> 00:37:51,760
demonstrations uh in the last so so that

1026
00:37:51,760 --> 00:37:54,800
means you are lighting a fire

1027
00:37:54,800 --> 00:37:57,920
of enthusiasm oh yeah

1028
00:37:57,920 --> 00:37:59,839
and i speak from from experience i would

1029
00:37:59,839 --> 00:38:01,599
very much urge you to

1030
00:38:01,599 --> 00:38:04,160
get the thinking done barely but it's

1031
00:38:04,160 --> 00:38:06,320
open so hey here's your commercial

1032
00:38:06,320 --> 00:38:09,040
option but i must say look open yeah but

1033
00:38:09,040 --> 00:38:11,119
it's not open look it's on github

1034
00:38:11,119 --> 00:38:13,280
download clone do what you want no no

1035
00:38:13,280 --> 00:38:14,560
it's it's

1036
00:38:14,560 --> 00:38:16,880
the thing that i like about this is that

1037
00:38:16,880 --> 00:38:19,200
it's being told there's a story being

1038
00:38:19,200 --> 00:38:21,119
told there's a story behind it why a

1039
00:38:21,119 --> 00:38:22,320
philosophy

1040
00:38:22,320 --> 00:38:24,960
and this is also being told at each of

1041
00:38:24,960 --> 00:38:26,640
the presentations

1042
00:38:26,640 --> 00:38:28,800
not just to look how cool this quote

1043
00:38:28,800 --> 00:38:31,359
this tool is no why did we do it and how

1044
00:38:31,359 --> 00:38:32,880
do we do it and this is also one of the

1045
00:38:32,880 --> 00:38:35,440
first well let's face it tries from a

1046
00:38:35,440 --> 00:38:38,079
ministry perspective to

1047
00:38:38,079 --> 00:38:40,079
share something that we've built for

1048
00:38:40,079 --> 00:38:42,880
ourselves to a wider community way

1049
00:38:42,880 --> 00:38:45,119
beyond the scope of what we do this is

1050
00:38:45,119 --> 00:38:46,640
not quite the place to hash this out but

1051
00:38:46,640 --> 00:38:48,800
let me

1052
00:38:48,800 --> 00:38:50,160
i want to tell you i'm super

1053
00:38:50,160 --> 00:38:52,640
enthusiastic and i'm more worthy that it

1054
00:38:52,640 --> 00:38:54,400
will be

1055
00:38:54,400 --> 00:38:57,680
that it will get too hot and

1056
00:38:57,680 --> 00:39:00,960
so i have a i have a theory about this

1057
00:39:00,960 --> 00:39:01,920
um

1058
00:39:01,920 --> 00:39:03,599
if you're in

1059
00:39:03,599 --> 00:39:05,359
in this kind of space and you're

1060
00:39:05,359 --> 00:39:08,560
innovating um what happens is as soon as

1061
00:39:08,560 --> 00:39:10,320
a commercial company

1062
00:39:10,320 --> 00:39:12,839
stumbles on something that makes

1063
00:39:12,839 --> 00:39:15,760
money the sales drones come in that

1064
00:39:15,760 --> 00:39:18,240
could become terrible but let us yeah

1065
00:39:18,240 --> 00:39:20,079
well i'm i'm available for further

1066
00:39:20,079 --> 00:39:22,240
discussions because i i did it once and

1067
00:39:22,240 --> 00:39:23,760
it nearly failed

1068
00:39:23,760 --> 00:39:25,359
but i've got the feeling that we are

1069
00:39:25,359 --> 00:39:28,160
going to have some grappa at the entire

1070
00:39:28,160 --> 00:39:29,920
i'm looking forward to it

1071
00:39:29,920 --> 00:39:30,640
but

1072
00:39:30,640 --> 00:39:31,440
yeah

1073
00:39:31,440 --> 00:39:32,960
thank you

1074
00:39:32,960 --> 00:39:35,599
this is my cue

1075
00:39:35,599 --> 00:39:37,040
urgency

1076
00:39:37,040 --> 00:39:39,599
there is a grappa emergency going on on

1077
00:39:39,599 --> 00:39:42,320
mch there is no more grappa at the

1078
00:39:42,320 --> 00:39:44,720
italian embassy what

1079
00:39:44,720 --> 00:39:47,839
so tonight at 10 we will be having fun

1080
00:39:47,839 --> 00:39:50,000
at the opencat village

1081
00:39:50,000 --> 00:39:51,520
because we need to

1082
00:39:51,520 --> 00:39:53,119
and because

1083
00:39:53,119 --> 00:39:54,960
jan was so kind

1084
00:39:54,960 --> 00:40:00,000
to present the original design of her

1085
00:40:00,000 --> 00:40:02,480
so this is the original original this is

1086
00:40:02,480 --> 00:40:04,640
the only one do you know why my sister

1087
00:40:04,640 --> 00:40:06,240
is the designer of this

1088
00:40:06,240 --> 00:40:07,680
she made this

1089
00:40:07,680 --> 00:40:09,040
um

1090
00:40:09,040 --> 00:40:11,440
and we'd like to opt it off for you know

1091
00:40:11,440 --> 00:40:12,800
the good cause

1092
00:40:12,800 --> 00:40:15,440
um it's the only one in existence

1093
00:40:15,440 --> 00:40:17,599
so and niels

1094
00:40:17,599 --> 00:40:20,720
is doing kick-ass stuff going back and

1095
00:40:20,720 --> 00:40:22,960
forth delivering ambulances to the

1096
00:40:22,960 --> 00:40:26,000
ukraine delivering all sorts of um

1097
00:40:26,000 --> 00:40:28,319
there that they really really need can i

1098
00:40:28,319 --> 00:40:30,000
start bidding now

1099
00:40:30,000 --> 00:40:33,760
i have already made a 250 euro bid

1100
00:40:33,760 --> 00:40:37,839
so 250 from this gentleman here yeah who

1101
00:40:37,839 --> 00:40:40,480
is offering more i'm offering 300 open

1102
00:40:40,480 --> 00:40:43,359
cats we can do that later

1103
00:40:43,359 --> 00:40:46,160
but tonight at 10 open cat village

1104
00:40:46,160 --> 00:40:48,000
guys come over we'll have a blast

1105
00:40:48,000 --> 00:40:50,620
together

1106
00:40:50,620 --> 00:40:53,599
[Applause]

1107
00:40:53,599 --> 00:40:54,560
and

1108
00:40:54,560 --> 00:40:57,119
stealing your mic to auction it off

1109
00:40:57,119 --> 00:40:59,040
i i have a very

1110
00:40:59,040 --> 00:41:00,560
serious question

1111
00:41:00,560 --> 00:41:03,760
and that is uh what is free cat and how

1112
00:41:03,760 --> 00:41:04,839
does it

1113
00:41:04,839 --> 00:41:08,800
work free cat is stupid because it's the

1114
00:41:08,800 --> 00:41:11,440
cop website made by anian

1115
00:41:11,440 --> 00:41:13,520
and um

1116
00:41:13,520 --> 00:41:16,319
i don't like it the funny thing is

1117
00:41:16,319 --> 00:41:18,560
anion presented free cat to us after we

1118
00:41:18,560 --> 00:41:20,560
you know launched the open cat website

1119
00:41:20,560 --> 00:41:22,960
and i couldn't resist and put free cat

1120
00:41:22,960 --> 00:41:26,079
uh nl in open cat the software

1121
00:41:26,079 --> 00:41:27,590
um

1122
00:41:27,590 --> 00:41:29,440
[Music]

1123
00:41:29,440 --> 00:41:31,839
and then asked anayan what are these

1124
00:41:31,839 --> 00:41:33,520
and he's like oh is that said online

1125
00:41:33,520 --> 00:41:35,839

1126
00:41:37,760 --> 00:41:39,040
yeah exactly

1127
00:41:39,040 --> 00:41:42,560
older than the the poster

1128
00:41:42,720 --> 00:41:45,359
so in that case is the relation between

1129
00:41:45,359 --> 00:41:47,599
free cat and open cat comparable to the

1130
00:41:47,599 --> 00:41:51,040
relation between free bsd and open bsd

1131
00:41:51,040 --> 00:41:51,490
no

1132
00:41:51,490 --> 00:41:53,680
[Laughter]

1133
00:41:53,680 --> 00:41:55,599
at this moment

1134
00:41:55,599 --> 00:41:58,560
it's politically charged

1135
00:41:58,560 --> 00:42:00,839
i think it's complicated that'll be the

1136
00:42:00,839 --> 00:42:03,280
status okay i have one statement and one

1137
00:42:03,280 --> 00:42:05,119
silly question the first statement is i

1138
00:42:05,119 --> 00:42:07,200
have some experience in open source

1139
00:42:07,200 --> 00:42:08,880
stuff and government

1140
00:42:08,880 --> 00:42:10,760
uh please listen to baird

1141
00:42:10,760 --> 00:42:12,160
[Laughter]

1142
00:42:12,160 --> 00:42:14,400
please we we will

1143
00:42:14,400 --> 00:42:15,359
uh

1144
00:42:15,359 --> 00:42:17,920
so why the comic sans i'll give you the

1145
00:42:17,920 --> 00:42:18,680
question

1146
00:42:18,680 --> 00:42:21,119
[Music]

1147
00:42:21,119 --> 00:42:23,040
why was one slide because it's really

1148
00:42:23,040 --> 00:42:25,119
honest i actually find the content of

1149
00:42:25,119 --> 00:42:26,640
the comic slide

1150
00:42:26,640 --> 00:42:28,160
kind of interesting

1151
00:42:28,160 --> 00:42:31,839
yeah the the comic sans was basically

1152
00:42:31,839 --> 00:42:34,880
made um because i wanted to annoy anyone

1153
00:42:34,880 --> 00:42:36,400
because i can

1154
00:42:36,400 --> 00:42:38,400
and there we have him hey

1155
00:42:38,400 --> 00:42:40,720
it's so good to see you yes i still have

1156
00:42:40,720 --> 00:42:42,800
one more question that is why was

1157
00:42:42,800 --> 00:42:44,800
free cat released five minutes before

1158
00:42:44,800 --> 00:42:46,050
open cat

1159
00:42:46,050 --> 00:42:48,480
[Laughter]

1160
00:42:48,480 --> 00:42:50,820
i'm guessing foresight

1161
00:42:50,820 --> 00:42:55,280
[Applause]

1162
00:42:55,280 --> 00:42:58,520
it's complicated

1163
00:42:59,599 --> 00:43:01,920
thank you

1164
00:43:03,200 --> 00:43:05,520
i guess there are no more questions

1165
00:43:05,520 --> 00:43:07,359
i've got a question actually so if we

1166
00:43:07,359 --> 00:43:10,240
want to implement um cat ourselves is

1167
00:43:10,240 --> 00:43:12,800
there a kitkat to help us do that

1168
00:43:12,800 --> 00:43:13,290
the name

1169
00:43:13,290 --> 00:43:15,440
[Laughter]

1170
00:43:15,440 --> 00:43:17,040
i don't know if you get those over here

1171
00:43:17,040 --> 00:43:18,690
hopefully

1172
00:43:18,690 --> 00:43:20,960
[Applause]

1173
00:43:20,960 --> 00:43:22,000
i try

1174
00:43:22,000 --> 00:43:23,839
yeah

1175
00:43:23,839 --> 00:43:25,119
that's been really interesting thank you

1176
00:43:25,119 --> 00:43:26,480
very much

1177
00:43:26,480 --> 00:43:30,079
thank you so much eddie asked comments

1178
00:43:30,079 --> 00:43:32,160
and the auction just to repeat i i just

1179
00:43:32,160 --> 00:43:34,079
wanted i ever expected really somebody

1180
00:43:34,079 --> 00:43:36,960
to ask the question is mch 2020

1181
00:43:36,960 --> 00:43:40,960
too in control but nobody did tell us

1182
00:43:42,160 --> 00:43:44,079
no we don't think so because those are

1183
00:43:44,079 --> 00:43:46,560
all the findings but there we go

1184
00:43:46,560 --> 00:43:49,359
i think that's the false positives

1185
00:43:49,359 --> 00:43:51,200
unlikely

1186
00:43:51,200 --> 00:43:52,720
thank you very much indeed for a very

1187
00:43:52,720 --> 00:43:54,820
interesting talk thank you

1188
00:43:54,820 --> 00:43:58,050
[Applause]