273: Password blips, and who's calling the airport?

May 4, 2022
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

It's called River, which I think is a terrible name for a TV show.

Carole Theriault

Because?

Graham Cluley

Well, it's not about a river, and it's rubbish search engine optimization because it's just such a common word.

Carole Theriault

Poor Stephen King with a book called It, you know?

Graham Cluley

Right!

Carole Theriault

He's suffering. No one's heard of him.

Graham Cluley

If you search for It in a search engine, does Stephen King's It come top?

Carole Theriault

That's a fun game.

Unknown

That could have been called Creepy Clown Hiding Under the Road or whatever it was he did. I've never watched it because it's too scary. Smashing Security, Episode 273: Password Blips and Who's Calling the Airport? With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 273. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, this week, for a very good reason, we don't have a main guest on the show, do we?

Carole Theriault

No, it was kind of my fault. I had some technical difficulties yesterday of an incredibly mysterious and annoying order. So after 3 tries, we let our guests go and we figured out the problem. So here we are, and we will have our guests next week. So you'll have to just put up with the 2 of us for this week. And blame me, not Graham this time.

Graham Cluley

Well, steady. So, yes. So anyway, so hopefully we'll still be able to have a good old show.

Carole Theriault

Of course we're going to have a good old show. What does that mean? How about we say thank you to this week's sponsors, Kolide and NetFoundry. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I'm going to Uh-oh.

Carole Theriault

Plus, we have a fabulous featured interview with Clint Dovholuk from NetFoundry, who's going to explain the brilliance of zero trust networking. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

be talking telephone numbers. Now, chum, chum.

Carole Theriault

Yes, yes.

Graham Cluley

What's that?

Carole Theriault

We're back at the 1970s. Okay, and as we are celebrating

Graham Cluley

What could that be? What could that be? What could that noise be? Is it some strange kind of duck? Some bream out on the lake? No, it's a telephone, of course, isn't it?

Carole Theriault

World Password Day today, I'm going It's always hard to tell with your impressions, honestly.

Graham Cluley

And what do you do, Carole, with a telephone?

Carole Theriault

You answer. Or you ignore it, if you're me.

Graham Cluley

Well, in your case, yes, you would completely and utterly ignore it. But the normal sociable person picks up the telephone and says, "Hello, how can I help you?" Now, I want to talk today about telephone attacks and telephone denial of service.

Carole Theriault

to be testing Graham.

Graham Cluley

I'm going to take you back in time to one of my earliest blog entries. I remember when I was writing on the Sophos blog, on my very own little blog over there in 2008.

Carole Theriault

I was there sitting about 4 feet from you.

Graham Cluley

So. Well, do you remember this? In 2008, Houston Zoo called in the FBI because their phone switchboard was being swamped. They couldn't do anything.

Carole Theriault

Funnily enough, I do not remember that particular instance from 2008.

Graham Cluley

It was impossible for relatives of the various animals in the zoo to get in touch by telephone.

Carole Theriault

What, relatives of the animals at the zoo? So what, lions couldn't get in touch with lions in the zoo? They couldn't phone in because the switchboard was completely jammed up. Now, you're probably wondering, why was the switchboard jammed up in April 2008 at the Houston Zoo? Because the text messages were going through as kind of phone—

Graham Cluley

Ah, well, a very sensible assumption, but no, no, the text messages weren't being sent to the zoo. The text messages were being sent to the general public.

Carole Theriault

To call the zoo.

Graham Cluley

Well, yes. Yes. But not to call the zoo to ask about opening hours or how to adopt a penguin. But instead, what they were doing was responding to messages they'd received saying, hey, someone's talking down on you. Look for them. And the message would appear to come from the number belonging to the zoo. And so people would think, who is this? And they would ring up to try and work out who it was. There was another one which says, "Hey, why is someone calling me and looking for you and asking where you're at and where you live? Here's the number. Tell them to stop calling me." And so people responded to these text messages, by calling the number it appeared to come from.

Carole Theriault

Would you respond? Would you respond to one of those? Even back in 2008, even if you squint your eyes and go back to 2008, I think I'd ignore it if I didn't recognise the number.

Graham Cluley

You ignore it now, you ignore it then, Carole.

Carole Theriault

That's true.

Graham Cluley

That's true.

Carole Theriault

That's true.

Graham Cluley

Yeah. But the normal, as I say, polite person might say, "Oh, well, someone's clearly made a mistake.

Unknown Guest

Yeah.

Graham Cluley

Okay. Now, you might think that is an odd kind of attack. I'll call them back, or I'll get in touch and tell them that they've sent it to the wrong place." This is the normal Houston accent, is it? Yes. Okay.

Carole Theriault

Yeah.

Graham Cluley

What is strange is that was happening in Houston. At the same time, the switchboard of Dublin Zoo similarly reached thermal death point after 5,000 people got a text message, at least 5,000 people, telling them to ring a number urgently, which belonged to the zoo.

Carole Theriault

I have a theory.

Graham Cluley

Oh, okay.

Carole Theriault

You ready?

Graham Cluley

Yeah, go ahead.

Carole Theriault

Is it animal rights activists that did this in order to protest against animals in captivity?

Graham Cluley

It didn't really get the message across though, to fight animals being held in zoos, did it? I mean, it's a nuisance.

Carole Theriault

Well, it annoyed the zoos a lot.

Graham Cluley

I suppose. I suppose it would've annoyed people who were planning to go to the zoo. It's an interesting theory.

Carole Theriault

Okay.

Graham Cluley

So in Dublin, people were receiving this text message and it said, "Ring this number urgently and ask for a particular person." And the people they were being asked to contact, they all had fake names, which were animal-related, like Rory Lion.

Carole Theriault

Oh my God.

Graham Cluley

Anaconda. Mr. Sea Lion, or G-Raph.

Carole Theriault

Okay, I have another theory.

Graham Cluley

Okay.

Carole Theriault

Okay. The reason you're talking about this now is because the same guys that were behind this are now doing something. And at the time they were like 13.

Graham Cluley

Well.

Carole Theriault

And thought this was hilarious.

Graham Cluley

It's a lovely theory.

Carole Theriault

Okay, I'm just throwing them out there.

Graham Cluley

Just throwing them out there. Well, I can understand why you're trying to work out why am I talking about this now in 2022, or where the year is.

Carole Theriault

Either you're lazy because you were just reviewing your illustrious career of blogging and decided to pull up on the first one, or—

Graham Cluley

Or—

Carole Theriault

Oh my God.

Graham Cluley

Oh, yes. Or— yes, of course. Sorry, that was my cue, wasn't it, to say there is another explanation because there is a brand new telephone denial of service taking place.

Carole Theriault

Okay.

Graham Cluley

Not against a zoo. But it is in Dublin. So who knows? What's happened is this: Dublin Airport has a noise complaints hotline. So if you're upset with the noise which is coming in, you can ring Dublin Airport, right?

Carole Theriault

Right. I'm sure all airports have that.

Graham Cluley

Okay. Now, what's interesting is last year in 2021, Dublin Airport received 13,569 complaints on its noise hotline.

Carole Theriault

I have no idea if that's good or bad. I have no idea.

Graham Cluley

Well, in two years, it'd risen from 1,500 a year to 13,569. So that's quite big.

Carole Theriault

That's quite a ramp up.

Graham Cluley

It's quite a ramp. It's why would that number be so much bigger? And the reason why that number is so much bigger is that more than 12,000 of those telephone complaints last year came from the same person.

Carole Theriault

Person or bot?

Graham Cluley

One single person.

Carole Theriault

An individual.

Graham Cluley

An individual living in Ongar in northwest Dublin.

Carole Theriault

Who dialed the number.

Graham Cluley

Has called. He's probably got it on speed dial, Carole. Has called the Dublin Airport noise complaints line 12,273 times in 2021.

Carole Theriault

Okay, so he—

Graham Cluley

He is behind 9 out of every 10 of all aircraft noise complaints at Dublin. This one person. He, on average, is ringing that hotline 34 times per day.

Carole Theriault

You know, okay. I'm going to defend this guy, right?

Graham Cluley

Okay, okay. Come on.

Carole Theriault

Let's hear it.

Graham Cluley

Ready? Okay.

Carole Theriault

Obviously, the noise is driving him mad. How far— Have you done any recon on how far he is from the airport?

Graham Cluley

I'm not sure. We don't know his precise address. His identity has not been revealed by the Irish Independent.

Carole Theriault

Sure, sure. But is he close enough for the noise to actually bug him in terms of the town? If you do a map recon—

Graham Cluley

I think we can assume he's rather bugged by the noise. Yes, the fact that he's making 34 complaints every day.

Carole Theriault

Well, no, he could be a disgruntled ex-employee who maybe lives 50 miles away and is just going redial, redial, redial, redial.

Graham Cluley

I think you may have misunderstood something. Last year, he rang 12,273 times. Every single day, including Sundays, including bank holidays, including Christmas Day.

Carole Theriault

And this is during one whole year?

Graham Cluley

That's— yes, that's just in one year. The previous year, he rang 6,227 times. That was in 2020, so he's really ramped up his activity.

Carole Theriault

Okay, I'm working out his daily call rate here. So he would ring 32 times a day, 33.

Graham Cluley

34, 34. Yeah, round about that.

Carole Theriault

That's doable.

Graham Cluley

Well—

Carole Theriault

And when he rings, does he hang up or does he log— he says something?

Graham Cluley

Well, no, these are lodged complaints. Don't forget, when you make a complaint, there's someone who processes that complaint at the other end. The phone is ringing. Remember, and this is during waking hours, one assumes, right? I mean, this guy must sleep at some point. Let's assume he sleeps. He sleeps for, or at least tries to sleep, for maybe 6 or 7 hours a day.

Carole Theriault

Yeah, I've just worked it out. Yeah. So if each call took him 5 minutes to do, that's fair, right? 5 minutes, you know, to log his complaint.

Graham Cluley

To have a complaint, you'd have to leave your name and address and contact details, wouldn't you?

Carole Theriault

Right.

Graham Cluley

You know, say what your complaint is.

Carole Theriault

Right. And then you divide it, right, for a day. He is working, he's working almost 7 hours a day on this.

Graham Cluley

It's an occupation. You know, what's his phone bill like? How many people are Dublin Airport? There must be. If you go for a job interview at Dublin Airport in the noise complaints department—

Carole Theriault

You have a job for life!

Graham Cluley

As part of the induction.

Carole Theriault

Until this guy goes, until he passes or moves on to someone else. You're sorted, I think.

Graham Cluley

They're going to say, oh, by the way, by the way, they say, you're probably going to learn about Steve pretty soon. There he is. You've got a special hotline, Commissioner Gordon with the Batphone. Of the complaint coming through. And of course, the more calls that are coming in, that's going to prevent other people calling in with complaints, possibly.

Carole Theriault

Well, maybe that's also useful as well.

Graham Cluley

Right?

Carole Theriault

Maybe there's not much the complaints people can do about the noise of the planes. Right? Maybe it turns out—

Graham Cluley

Well, maybe Steve, or whatever his name is, maybe he— could move. Do you think he deliberately moved there because he was complaining and he realised he was under the flight path and he thought, "Right, I've got my retirement sorted out. I know what I'm going to be doing. I'm not going to be sucking on Werther's Originals or doing crosswords."

Carole Theriault

We don't know

Graham Cluley

We don't know. I'm just assuming. I'm just assuming it's someone with a lot of time on his hands.

Carole Theriault

Yeah, that's— Yeah. Okay. Okay. Well, maybe he has a very boring job where, you know, maybe he is a complaints department where no one's complaining. So he's making use of his time. how old this guy is.

Graham Cluley

Oh, you think he's calling from the office?

Carole Theriault

Maybe.

Graham Cluley

So he probably isn't calling on Christmas Day and Saturdays and Sundays and bank holidays.

Carole Theriault

Yeah.

Graham Cluley

That's an even greater effort, isn't it? Yeah, it turns out I think my math was way wrong. I think it works out to about 3 hours a day. It was difficult doing the math whilst listening to you. Yeah, well, all I'm saying is denial of service attacks don't just have to be via the internet.

Carole Theriault

And hey, if you're out there bored with a lot of time on your hands—

Graham Cluley

He hasn't got time to listen to us.

Carole Theriault

No, not him. I'm saying everybody else. This is what they could do for fun. He's obviously loving it.

Graham Cluley

Oh, I see. Oh, I thought you meant listen to us instead. Oh, I see.

Carole Theriault

Well, mine's a little more security related.

Graham Cluley

How dare you?

Carole Theriault

Topic today is passwords because today marks the 9th anniversary of World Password Day.

Graham Cluley

So you're saying people should just start—

Carole Theriault

So according to Verizon, more than 60% of breaches involve the thievery of credentials.

Graham Cluley

No, I think it'd be more than that. I think it'd be more.

Carole Theriault

Yes. Well, they are really good at research, so it's good that you think more, but— and credentials do remain the most highly sought-after data type, right? In other words, the miscreant gets their hands on a username and password, and that gets them inside somewhere. Now, 6 out of 10 is not insignificant, right? It's not to be poo-pooed. And the reason is that we humans at large continue to be pretty digitally hackable. In April, Lapsus$ attackers entered the network through a single Microsoft employee account. And soon after the breach, the thieves apparently boasted of the crime via their Telegram channel.

Graham Cluley

Did you hear about— what? Did you hear about that? They apparently, they started downloading Microsoft source code.

Unknown Guest

Yes!

Graham Cluley

But they fell asleep. They got bored.

Carole Theriault

Yeah, the hackers claimed they had 90% of the source code for Bing and approximately 45% of the code for Bing Maps and Cortana. And then what, fell asleep? Or there were these Brazilian hackers who called themselves NaughtySecGroup who recently hacked the network of TransUnion South Africa. The group claims to have gained access to TransUnion's network through an employee's weak password. The ransom, $15 million. And on its website, TransUnion acknowledged the ransomware attack and stated that 3 million South African consumers and 600,000 businesses were affected. So yeah, a single weak password and it can be a serious game changer in a bad way.

Graham Cluley

Yep. Are you gonna put me on the spot?

Carole Theriault

Yeah, we're gonna see if you know what you're talking about. Hands off keyboard.

Graham Cluley

Hands off— that's Hock, H-O-C-K.

Carole Theriault

Question number 1.

Graham Cluley

Yeah.

Carole Theriault

What do 8 of the top 10 most common passwords have in common? So we have top 10 most common passwords out in the world. What do 8 of the 10 have in common?

Graham Cluley

Is it that they're all lowercase? No.

Carole Theriault

I bet they are all numbers. 8 of the 10 involve numbers. In fact, sequential numbers, all starting with 1, right? And they're of varying lengths, except for number 7, which is 111111. Very excellent password there.

Graham Cluley

I think you'll find they are all lowercase as well.

Carole Theriault

Are numbers lowercase?

Graham Cluley

Well, I would say yes.

Carole Theriault

Oh really, would you?

Graham Cluley

Yes. Okay, maybe a point to me.

Carole Theriault

Question number 2: What percentage of people, Graham, say they rely on their memory to remember passwords?

Graham Cluley

Oh, goodness me. I would think a lot. I would say 95%.

Carole Theriault

I'm going to repeat the question for you. What percentage of people say they rely on their memory to remember passwords? Because I agree with you on that one, but the number is a little bit lower.

Graham Cluley

How many, how many people say they do? 5%.

Carole Theriault

53.

Graham Cluley

Okay, okay.

Carole Theriault

Question number 3: What percentage of people who have already been scammed still have not changed their passwords? What percentage of people?

Graham Cluley

80%.

Carole Theriault

They say 57%, which is still humongous. These are people that have already been scammed.

Graham Cluley

Yeah, yeah. It's astonishing, isn't it?

Carole Theriault

Exactly. And okay, number 4. We're almost there. You're doing fantastically.

Graham Cluley

Well, yeah.

Carole Theriault

Yeah, 0 out of 3 so far. So, question number 4. A single password is used to access what number of accounts on average?

Graham Cluley

All of them. All of them.

Carole Theriault

Yeah, that's a hard one. That's a hard one.

Graham Cluley

Well, what person, what, a single password?

Carole Theriault

Yeah, so someone has a password and they reuse it how many times for how many accounts on average?

Graham Cluley

20?

Carole Theriault

No, 5. Oh, 5.

Graham Cluley

I'm sorry, I was rubbish at this, wasn't I?

Carole Theriault

No, we're not even done yet. Don't worry, you may be able to save yourself. Okay, and finally, the National Cyber Security Centre, the NCSC, Smashing Security, okay, they did a study that revealed the top 20 most commonly attacked password categories, okay? Can you name any of them? Maybe one in the top 3. So these are categories, I can give you an example of some at the bottom of the list to give you a hand here.

Graham Cluley

Okay, yeah, just give me some of the bottom of the list, yeah.

Carole Theriault

Okay, so from the bottom of the list, you might see religions, hobbies, weather, drinks.

Graham Cluley

All right, so let's say names or years.

Carole Theriault

Yes, number 2. Years is not listed. Let me just look for numbers. Nope. Interesting. Love. Interesting. Emotions is number 4. And pet names. So if you want to add those together, emotions and names.

Graham Cluley

Oh, squelchy poops.

Carole Theriault

Yeah.

Graham Cluley

Love, baby, and angel are the top 3 most used around the world in terms of— Is the number 1 anything to do with passwords or the name of the actual company you're logging into?

Carole Theriault

Number 1 is pet names. Sounds way more fun than listening to us. So, all those little dog names and cat names, and also the words dog and cat.

Graham Cluley

Carole, what's your

Carole Theriault

You might have Henry the dog or Max the cat.

Graham Cluley

See, I do it the other way round. I call my cat Password.

Carole Theriault

But seriously, okay, so the advice. What is the advice? What do you say to people who need to get safer at password management? What do you do?

Graham Cluley

story for us this week? Oh, you should get a password manager.

Carole Theriault

Check.

Graham Cluley

You should get that to generate random, unique passwords for you. You shouldn't reuse your passwords.

Carole Theriault

Check.

Graham Cluley

Don't be a doofus.

Carole Theriault

Use multifactor authentication.

Graham Cluley

Oh, yes, yes. Turn on two-factor authentication. Don't use really short passwords.

Carole Theriault

Mm.

Graham Cluley

But yeah, you use a password manager. Let that take all the pain away from you.

Carole Theriault

Okay, well, I have something I want to run past you. Okay. And you can call me a Muppet or a genius. Yes.

Graham Cluley

All right. Well, I think, yeah.

Carole Theriault

Nice. So there's an interesting campaign being run by the NCSC at the moment called 3 Random Words.

Graham Cluley

Yeah.

Carole Theriault

Have you seen this?

Graham Cluley

So the idea is rather than your password being awful, awful, gloop, awful, awful, gloop, random, exclamation mark, 3Zy. Which you can't remember. You look around and you think, okay, I'll choose 3 random words— well, Donald Trump sort of said camera, woman. Do you remember that? When he said, I'm really good, I can—

Carole Theriault

I can come up

Graham Cluley

I can come up with 3. I can come up with words. And he just spoke, he just said exactly what was in front of him. But yes, you could come up with 3 words, you know, sort of stamp, sausage dog, banana or something.

Carole Theriault

So, as you are Mr. Computer Security Guru, why don't we play a little game? And— But to your point, I think that's the problem with it because people say what's in front of them. with 3 words. Okay, and listeners can play at home as well. Listeners can play at home as well. So it's going to be always curtain, desk, lamp, computer, shelf.

Graham Cluley

And worse than that, it doesn't scale because what you eventually find is actually because every password should be unique, you need hundreds or in my case,

Carole Theriault

Okay, you ready?

Graham Cluley

I've got over 1,000 passwords for different sites and things.

Carole Theriault

Yeah, you're unusual.

Graham Cluley

Right, but you know, I think it's all right to use that sort of technique if it's a password which you have to remember. Maybe it might be the password for your computer, as long as they're truly random. But generally, I would rather get the password manager to generate those 3 random words, or just a whole sequence of random characters, and it can remember it.

Carole Theriault

Yes. We agree with that. But let's say a listener is not into password managers. Are you ready for my idea?

Graham Cluley

Oh, okay, go ahead. Yeah?

Carole Theriault

So it's based on these 3 random words, which I don't like for this, you know, because people are just going to choose what's in front of them and everyone has the same stuff in front of them. But what if you used that website called What3Words? So you could go there and put in a random place, somewhere, just use Google Maps to just get a random place and then put that place in. Choose a random place on the map, get those three words, and use those three words. Smart or dumb?

Graham Cluley

Yeah, is there a danger that they will choose their home or somewhere like that?

Carole Theriault

Not if they're listening right now to this show.

Graham Cluley

Yeah, yeah, I know. I've also got a bit of a problem with What3Words.

Carole Theriault

Because?

Graham Cluley

They've been in quite a tangle. Maybe we can put some links in the show notes to the site of a security researcher called Cybergibbons. And it's also been reported, I think, in The Reg as well. Because they're just a bit nasty. What3Words is not quite as cool as it should be.

Carole Theriault

It was your pick of the week once, I just wanna say.

Graham Cluley

Well, you know what? Well, since then, since then, I'm gonna unpick them.

Carole Theriault

You're unpicking them?

Graham Cluley

I'm revoking a pick of the week. You heard it here first.

Carole Theriault

Smashing Security flash news, everyone.

Carole Theriault

The network is dead, long live the network. This is the tagline from our sponsor this week, NetFoundry. Protecting applications is getting more complicated. We all care about security, but man, it's hard. You see, all networks, according to NetFoundry, are insecure, period. And the Zero Trust security model is the way to go. It was created with the idea of never trust, always verify. But historically, this has been seriously hard to implement. NetFoundry have created OpenZiti to provide an open source, free, and easy way for you to embed zero trust networking into anything. Embed SDKs inside your app, tunnelers to run on all major operating systems, or deploy an edge router for any cloud. And the best bit, no networking engineering skills required. This is something you guys definitely want to check out. Visit smashingsecurity.com/netfoundry. That's N-E-T-F-O-U-N-D-R-Y. And thanks to NetFoundry for sponsoring the show.

Graham Cluley

And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.

Carole Theriault

Week. Pick of the Week. Better not be.

Graham Cluley

Well, my pick of the week this week is not security related. My pick of the week this week is on the television. I've been watching television recently. Fancy that. Carole, have you ever seen the movie Truly, Madly, Deeply with Alan Rickman and Juliet Stevenson?

Carole Theriault

Yes, but what was that in the '90s?

Graham Cluley

Yeah, 1992, 1991. Alan Rickman gets a bit of a bad cold, dies, breaks the heart of his partner, Juliet Stevenson. But she misses him so much, he comes back as a ghost.

Carole Theriault

Yes. With Demi Moore.

Graham Cluley

But good.

Carole Theriault

And Patrick Swayze. Oh, come on.

Graham Cluley

No, no, sorry. Oh, for goodness' sake. Truly Madly Deeply is a wonderful movie. Ghost is just an aberration.

Carole Theriault

Okay.

Graham Cluley

Anyway, it was the inspiration for the TV programme I want to recommend this week. A programme called River. And they've basically stolen the central idea of Truly Madly Deeply, which is the idea of someone coming back and visiting the person who's still alive and having conversations with them. It is a police procedural drama, and it stars that Swedish chap, Stellan Skarsgård. And Nicola Walker. If you know Nicola Walker, she's lovely.

Carole Theriault

I'm trying to look it up. I think I've seen this, but—

Graham Cluley

Well, it was on a few years ago. It was on BBC One, then it was on Netflix, and I've been watching it on BritBox. And the policeman, the main policeman, he's suffering from guilt over a recent loss.

Carole Theriault

Okay.

Graham Cluley

And he's investigating a case, and dead people keep coming back to him and talking to him. And is he going crazy? Is he not going crazy? It appears that he's been having these visions for quite some time, but they're sort of helping him a little bit.

Carole Theriault

Are you staying awake during these shows?

Graham Cluley

I have been staying awake during— I haven't finished the whole series. I'm about halfway through, but I am definitely enjoying it. And I think it's pretty good. I like it. But I've got one problem with it. Which is its name. It's called River, which I think is a terrible name for a TV show.

Carole Theriault

Because?

Graham Cluley

Well, it's not about a river. And it's rubbish search engine optimisation because it's just such a common word. I think it should be called, I don't know, Haunted Cop or something like that.

Carole Theriault

Poor Stephen King with a book called It, you know?

Graham Cluley

Right.

Carole Theriault

He's suffering. No one's heard of him.

Graham Cluley

If you search for 'It' in a search engine, does Stephen King's 'It' come top? I don't know.

Carole Theriault

That's a fun game.

Graham Cluley

That could have been called 'Creepy Clown Hiding Under the Road' or whatever it was he did. I've never watched 'It' because it's too scary for me. But anyway, it's— But you know how a lot of police shows are named after the central characters? You have Bergerac, you have Shoestring, you have Columbo, you have Inspector Frost. You have Morse. I just think, "Oh, guys, come on. Chill out, man. Come up with a more imaginative name." Why is his name John River? Other than that—

Carole Theriault

I love when your pick of the weeks are just you ranting about ridiculously unimportant things.

Graham Cluley

Other than that, it's an interesting show. And I've been watching it on BritBox. Maybe it's available elsewhere. I think other people might enjoy it as well.

Carole Theriault

Yeah, walk, don't run.

Graham Cluley

I haven't given away some major plot twists. I've been very good on the spoilers. River is my Pick of the Week.

Carole Theriault

Okay.

Graham Cluley

Crow, what's your Pick of the Week?

Carole Theriault

Okay, I have to ask you a question. Are you a shoes-on or shoes-off household?

Graham Cluley

Ooh, well, it depends where I— Oh, my house.

Carole Theriault

Yeah, your house.

Graham Cluley

I mean, I'm pretty free and easy about it, right?

Carole Theriault

So you're 90% shoes on?

Graham Cluley

Well, I take my shoes off.

Carole Theriault

Oh, you take your shoes off?

Graham Cluley

Yeah, most of the time.

Unknown Guest

Yeah.

Graham Cluley

But I've got wooden floors. I would feel differently about it maybe if I had carpet everywhere, right? You know, because I just think, you know, I don't want you squashing in sheep shit all over my carpet.

Carole Theriault

And what about when you go to other people's houses?

Graham Cluley

Other people's houses. I'm trying to remember what I do when I go to your house, because I know you're gonna pull me up on this.

Carole Theriault

No, I'm not gonna make you.

Graham Cluley

No, you might, you might, Carole. You might pull me up on it. I think I would normally take my shoes off.

Carole Theriault

Often after I bark a sentence, "Oi, Muppet, shoes off." Yes.

Graham Cluley

Right?

Carole Theriault

That's normally what seems to happen.

Graham Cluley

Yes, exactly.

Carole Theriault

Well, my pick of the week this week is an article in The Guardian about this very topic. And it turns out that you shoes inside people are, to quote the journalist Tanya Barra, scientifically gross.

Graham Cluley

I think you just say gross.

Carole Theriault

One-third of the matter building up inside your home comes from outside, much of it being tracked in on the soles of shoes.

Graham Cluley

Right.

Carole Theriault

And these shoes, they found a high prevalence of microbiological pathogens, including grass fertilizers, asphalt, road residue, all this stuff that's very not good for us. So you see, you're killing me by coming in with your sheep shit ridden shoes.

Graham Cluley

But you know what?

Carole Theriault

You live on a farm, for God's sake.

Graham Cluley

Yes. Yeah, but listen, listen, listen. Don't you feel that you need to be exposed to some of the outside world? Every kid needs a little bit of dirt in them.

Carole Theriault

Not pathogens!

Graham Cluley

Well, how else are we going to become more resilient?

Carole Theriault

Okay, so you're taking on the scientists. Okay, okay, great.

Graham Cluley

We've been locked down for two years and now we're being felled by all kinds of regular little sniffles. I'm not talking about COVID and things, but other things. Because our resistance has probably gone down a bit, right? 'Cause we haven't been exposed. We all need to get out there and get our nostrils down in the field and into our bodies to make us a bit tougher, perhaps.

Carole Theriault

Listeners, do not listen to Graham. Read the article, make your own mind up, and stop wearing shoes indoors. It's gross. But that's just my opinion, and it's Tara's opinion in The Guardian.

Graham Cluley

Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.

Carole Theriault

So that is my pick of the week. And Graham, from now on, shoes at the door.

Graham Cluley

Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. All right, maybe I'll do that as well.

Carole Theriault

Alrighty, guess what time it is? Time to listen to my chat with Clint Dovholuk from NetFoundry.

Graham Cluley

You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Oh, yes. And thanks to Kolide for supporting the show.

Carole Theriault

Today we have as our special guest Clint Dovholuk. Did I say it correctly?

Unknown Guest

Yeah, you nailed it.

Graham Cluley

Awesome.

Carole Theriault

So Clint is a zero trust advocate at NetFoundry, and this is a company, I don't know if I can say this, but I'm gonna say focused on revolutionizing our relationship with networking. Is that fair?

Unknown Guest

I would totally agree with that. Yeah.

Carole Theriault

Clint's here to talk to us about pasta as well, it turns out, but that'll all become clear in a few minutes. So Clint, tell us about NetFoundry, what you do there, and what we're gonna talk about today.

Unknown Guest

Yeah, so you are right. NetFoundry is absolutely trying to revolutionize the way in which networks are even conceptualized. So this is a company that's founded around zero trust principles. I say zero trust is a giant buzzword. Everybody's zero trust. You can't throw a rock into the internet waters and not hit some company who proclaims to be zero trust. So what is zero trust at its core? I think we should talk about that in a little bit, but basically this company is about zero trust. It's about not trusting your network. That's a better way of saying zero trust. And really what we're trying to do is take that same core principle of Zero Trust and bring it into applications themselves. So let's not stop with Zero Trust at your network. Let's bring those Zero Trust principles all the way into your applications.

Graham Cluley

It's the movie Ghost. Wow.

Carole Theriault

Okay. So, and Zero Trust, how do we explain that? Yeah.

Unknown Guest

So way back there was a fellow that coined the term Zero Trust. And really what he was going at is Networks are not secure. Networks were not designed to be secure. They were designed to share data and to be accessible. The whole idea of not trusting your network is kind of crazy, right? You know, we started out in the dark ages with hubs and switches, and everybody was able to see all of the packets that were traveling. And then all of a sudden, that was, oh, that's neat, but maybe I only want my packets to go to a certain destination. So switches became popular. And then people were, well, people can sniff whatever traffic is out there. Maybe I'll use secure protocols. And so we just kept layering on more, and then micro-segmentation came out, and we just kept layering more and more security into this thing called the network. And then firewalls, right? All this stuff was basically bolted onto the network. As opposed to building security in from the start, we had to be reactionary and we had to bolt that security on afterward. And so that's what we've been doing.

Carole Theriault

Kind of imagine, you know, a kind of soldier wearing loads of armor, and it must make you heavy and sluggish as having to go through all those different bolted-on security components.

Unknown Guest

Yeah, if you take a look at some of the presentations I've given, I use a slide where I show you this thing called the Beast, which is the limo the president of the United States drives around in. And if you look at that limo, it looks like a limo, right? Because all of the security is built into it. It's not bolted on. And then to contrast that, if you've seen the movie Mad Max, it's a car with armor plating and spikes and all kinds of defenses that are clearly visible and clearly are afterthoughts, right? They were bolted on afterwards. So yeah, here in the Foundry, we'll use the terms build it in, don't bolt it on. And that means take that zero trust, put it right in your application, and then, you know, you don't even know it's there.

Carole Theriault

God, it must be difficult for companies to get their heads around that because they're thinking, well, my whole environment is basically bolted together. So how do I make the jump? How do I start?

Unknown Guest

Yeah, what a great question. I would say the very first hurdle people jump over is, I've already built all that security, isn't that good enough?

Graham Cluley

Right?

Unknown Guest

And my answer to that is, well, you know, have you heard of something called Log4Shell? Have you heard of the Lapsus variants that are going around? Landing somewhere and expanding your network reach by finding other vulnerable machines on that network. Happens every single day. And even in companies that are gigantic who have lots of red team, blue team activities. So realistically, that amount of trust that you put on just your network has for a long time served us well, but it's probably time to start thinking about making it even more secure. You know, you think about IoT devices, all those things are getting compromised left and right, right? They're constantly vulnerable. They don't get patched. How are you going to fix those sorts of devices?

Carole Theriault

Yeah, and they're plugged in everywhere as well, right?

Unknown Guest

And they're plugged in everywhere. And who carves off a VLAN for themselves on their home network? I mean, some people might, right? But my mother won't, you know, because it's not something that she would know how to do. So if those IoT devices could have that whole concept of zero trust built into them, then those devices only know how to communicate to the services that they are supposed to communicate to. And when that starts happening, when you have firewalls on all your devices everywhere and you have no open ports, then we'll start having an even better security posture. The whole idea is to make this so difficult for an attacker that they'll move along and go someplace else.

Carole Theriault

I know I often talk about how people assume that the default settings in whatever device or anything they're plugging into the network are not necessarily the best ones for security, right? They're there for connectivity. So it comes back to your original point of why computers were even created in the first place is to share information. So how are you doing this? I know that you're a huge advocate of open source approach as well. So how does that fit in with NetFoundry?

Unknown Guest

So NetFoundry takes the open core model, which means we put all of our software into the open source world, free open source software. It's the full version. You don't have to worry about having some sort of neutered version where you don't get any of the neat features. Oh, "they're only available on the enterprise"? All totally free and open source. In fact, if you could go to GitHub right now, drop a little star on github.com/openziti/ziti and put a star on that main repository. It's right there when you pop up. That'll help us get the word out that there is this free open source software out there that creates an entire overlay network and also allows you to take an SDK, because this project also deploys SDKs into your favorite language. And you could, if you were a developer like me, you can start coding a secure zero-trust application right today. And there's lots of demos, there's lots of samples you can find out there. So NetFoundry takes that open core approach. And then of course, not everybody wants to have the hassle of standing up a server in the cloud, right?

Carole Theriault

Right.

Unknown Guest

I'm one of these developers who I do not like it when the quick start makes me sign into Amazon. I don't even want to do that, right?

Unknown Guest

No. So some people don't want to do that, and that's where NetFoundry comes in. We'll host a network for you, right?

Unknown Guest

We have a different UI. So the free Ziti stuff comes with a UI, but the NaaS stuff from NetFoundry also has a UI and it does a little bit extra stuff. It adds some secret sauce, like you get really nice charts and data, really rich reports that you can get from the enterprise grade that requires things like a data lake. And requires more enterprise-type features. That's focusing on the businesses out there.

Carole Theriault

But what about the non-businesses? So is this good for just enterprises, or do smaller companies, can they take advantage of this as well?

Unknown Guest

Yeah, yeah, absolutely. In fact, I write all the quick starts so far.

Carole Theriault

I used to do that.

Unknown Guest

I know, I know how hard and wonderful that can be and how much feedback.

Graham Cluley

Yes.

Unknown Guest

So if you go out to openziti.github.io, that's the doc landing page, you can choose from four quick starts, one of which is just... So if you like Docker, Docker Compose, you can go that route. And then there's the host-it-yourself option, which lets you either host it on a machine in your local network, you know, let me run this entirely on my local developer machine or home network or whatever, right? Or host it on a machine in the cloud. The maker space, I think OpenZiti is particularly well suited for, because I want to run it on one machine and don't get in my way. We have some Docker-based installs. VPS, a virtual private server, is something that lots of makers end up needing for various reasons.

Unknown Guest

And you know, you'll hear there's, and there are lots of good options in this space too. I'm not, you know, OpenZiti is not the only one, but you could absolutely go and stand up all of this for free right now. If you go to YouTube and you search for OpenZiti, you could find me doing it. I stand these things up all day long and to get an entire overlay network, which, you know, it sounds difficult, but it really isn't. It comes down to one thing called a controller, one thing called an edge router. And you can do that in 5 minutes tops.

Graham Cluley

Wow.

Carole Theriault

I have to ask you, silly question. Why the pasta reference?

Unknown Guest

Oh, so yeah, so if you go— another plug— so OpenZiti is on Twitter, and OpenZiti has a mascot. Because if you are an open source project and you don't have a mascot, are you really an open source project? You have to have a mascot. So we have this mascot, and he is a piece of pasta, and he looks like a piece of ziti. So yeah, his name is Ziggy. So you can go out to Twitter and follow @OpenZiggy, and Open Ziggy is, he actually tweets about CVEs and zero days and makes various security type of tweets. He is a piece of ziti because zero trust, if you take the Z and the T, it's a Z and T, and now it's ziti. And so yeah, we make lots of jokes about baking ziti and OpenZiti is what you want to look for. Do not search for ziti. You'll be hungry.

Carole Theriault

What are some of the big pain points that someone right now is listening to this and they're looking around their network and they're going, yeah, no, I could totally do this? I could totally just go and do this.

Unknown Guest

So one of the best, one of the absolute sweet spots for OpenZiti and NetFoundry is multi-cloud. So let's say that you are a SaaS vendor. And you have customers who are running in their own data centers. They want to have control of their data, but you want to be able to monitor whatever they're doing, or you need to deploy something into their environment. With an open source zero trust overlay network like OpenZiti, you can simply give those people an appliance that they can install into their domain or data center. And then you will have secure zero trust access into their data center, and then they can authorize whatever services they want to authorize you to have access to. So that reach from one cloud to another cloud, multi-cloud, there's a whole new term called supercloud, right? And it makes it just so easy, it's not even funny, because when you're on a zero trust overlay network like OpenZiti, the internet is your LAN, basically. So you just have to authorize a service or an identity. It's all around zero trust, which is strong identities as a core pillar of zero trust. Those strong identities are cryptographically signed documents or X.509 certificates, and those are used to identify who you are, or what device you're on more accurately, or what application you're using even more accurately. And you can authorize that identity to do various things. So we make these applications, and I'm a developer and I've talked a lot about adding code to your app, but it's also not just for code. Zero trust is a journey. And what that means is people are not going to be able to go from trusting their network to zero trust application embedded solutions, because that's going from 0 to 60 in 0 seconds.

Carole Theriault

Right. You can't do it in the blink of an eye. It takes a bit of time to get there.

Unknown Guest

Yeah. And a lot of times what you'll do is you'll install this little thing.

Carole Theriault

Oh, wow.

Unknown Guest

Oh, yeah, it's really neat. An example I like to use is like, you know, http.ziti. Ziti is not a valid top-level domain, which means it doesn't exist.

Carole Theriault

Wow, Clint, this has been a huge wealth of information. Is there anything that you'd like to add?

Unknown Guest

Yeah, yeah. So I'd really love it if people would go to that open source project.

Carole Theriault

Perfect. And Clint Dovholuk, Zero Trust Advocate at NetFoundry. And thank you so much for talking to us.

Unknown Guest

Yeah, it's been nice to be here.

Carole Theriault

It's been nice to have you. And listeners, of course, Clint shared loads of resources during his chat with us, but you can also go to smashingsecurity.com/netfoundry and you'll see everything you need there.

Graham Cluley

Hmm. Very interesting, Carole. Well, good stuff. And massive thank you to our episode sponsors, NetFoundry and Kolide, and to our wonderful Patreon community. It's thanks to all of them that this show is free.

Graham Cluley

Until next time, cheerio. Bye-bye.

Carole Theriault

Bye. I miss having a guest, Graham.

Graham Cluley

Yeah, I know, but you know, we're in a hurry. I've got to go to a dentist. That's going to be scary, both for the dentist and myself.

Carole Theriault

Yeah. She's getting you ready.

EPISODE DESCRIPTION:

We find out why calls to Dublin airport's noise complaints line have soared, and Carole quizzes Graham to celebrate World Password Day.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.

And don't miss our special featured interview with Clint Dovholuk of NetFoundry.

Visit https://www.smashingsecurity.com/273 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Clint Dovholuk.
