
Episode 14

How Can Memes Improve Security?

Compiler

Show Notes

Memes are goofy. They’re easily recognizable. And they’re often used to make a point. So it’s no wonder that people on both sides of the InfoSec community are not only familiar with memes, but often use them in their endless games of cat and mouse. Consequently, memes are often a sign of a breach of security. Because there’s little as satisfying as leaving a meme as proof of your security prowess.

This episode, we hear from a couple of Red Hatters who rose to an unusual security challenge. And while intentions were good, the memes could have easily been something much more nefarious.

Transcript

00:01 - Johan Philippine 

Brent, Angela. Have you ever been pranked on a work computer?

00:06 - Angela Andrews 

Never.

00:07 - Johan Philippine 

Never. Wow!

00:08 - Angela Andrews 

No.

00:08 - Brent Simoneaux 

One time. Well, I'm ashamed to admit this, multiple times, I have left my laptop open.

00:17 - Johan Philippine 

Oh, Brent.

00:18 - Brent Simoneaux 

In the office.

00:19 - Johan Philippine 

Oh no.

00:19 - Brent Simoneaux 

And this, of course led to, I'll call them pranks.

00:25 - Johan Philippine 

Go on.

00:27 - Brent Simoneaux 

Well, they were mostly, I'll say kind reminders to lock my computer when I walk away from it.

00:37 - Angela Andrews 

Kind reminders.

00:38 - Brent Simoneaux 

Yeah. Kind reminders that mostly took the form of emails to myself, from myself.

00:46 - Johan Philippine 

At a previous company I worked at, we would do something very similar where if someone left their computer open and unlocked, someone would post as them in Slack saying like, "Hey, donuts are on me tomorrow." Right? So there's that extra little incentive for them to be a bit more careful.

01:02 - Angela Andrews 

That'll learn ya.

01:03 - Johan Philippine 

Mm-hmm (affirmative). It's harmless fun, right? But it has its role. And that is to encourage people to have better security practices. Now there's a story I want to share with the two of you that happened here at Red Hat, and it's called Caturday.

01:19 - Brent Simoneaux 

Caturday.

01:22 - Angela Andrews 

Do tell.

01:22 - Johan Philippine 

This story involves pranks and security, but it also involves memes.

01:29 - Angela Andrews 

You have my full attention.

01:30 - Johan Philippine 

This is a great story, but it also led me to wonder how can memes improve security?

01:36 - Angela Andrews 

Good question.

01:41 - Brent Simoneaux 

This is Compiler, an original podcast from Red Hat.

01:45 - Angela Andrews 

We're your hosts.

01:46 - Brent Simoneaux 

I'm Brent Simoneaux.

01:47 - Angela Andrews 

And I'm Angela Andrews.

01:49 - Brent Simoneaux 

We're here to break down questions from the tech industry; big, small, and sometimes strange.

01:55 - Angela Andrews 

Each episode, we go out in search of answers from Red Hatters and the people they're connected to.

02:01 - Brent Simoneaux 

Today's question: How can memes improve security?

02:05 - Angela Andrews 

Producer Johan Philippine is here to help us out.

02:13 - Johan Philippine 

Now, before we dig into the actual story of Caturday, it's really important that we understand the difference between blue teams and red teams. Angela, do you know what a blue security team is?

02:27 - Angela Andrews 

Yes, I do. So the blue team are the security folks inside of an organization who do the defensive security measures. They're putting the things in place to secure the infrastructure. That's the blue team.

02:42 - Brent Simoneaux 

You've got a defense team. And so I assume there's an offense team.

02:49 - Johan Philippine 

That's right.

02:49 - Brent Simoneaux 

Okay.

02:50 - Johan Philippine 

So it's red versus blue. That's the classic, you know, clash of the colors. The red teams, they do kind of the opposite of the blue team, right? They're there to consistently and constantly test the defenses that the blue team have put in place. And when they find something, they usually let the blue team know so that the blue team can then fix whatever it is that needs to be fixed in order to make sure that other people who are looking to find ways into the system can't use that same vector for attack.

03:23 - Brent Simoneaux 

And to clarify, the red team works for the same company as the blue team.

03:30 - Angela Andrews 

Not always.

03:31 - Brent Simoneaux 

Not always.

03:32 - Johan Philippine

Not always. Yeah.

03:32 - Brent Simoneaux 

Okay.

03:33 - Angela Andrews 

Not always. Sometimes red teams are external to your company. Yeah. Now, they're hired by your company.

03:40 - Brent Simoneaux 

Yeah.

03:41 - Angela Andrews 

But they've been given permission to try to scan and compromise your system and find out what your weaknesses are. It just so happens that this company has both red and blue teams.

03:56 - Brent Simoneaux 

And this is for the purpose of learning?

03:58 - Angela Andrews 

Yes. Seeing where your systems may be vulnerable and how to find and remediate those vulnerabilities.

04:08 - Johan Philippine 

No system is truly un-hackable, right? So if someone's in your system that shouldn't be there, you've got to be prepared and able to identify them. Now, luckily we've identified the two culprits for Caturday and it turns out they're part of the blue team. They are Alison Naylor:

04:25 - Alison Naylor 

I manage the North America incident response and operations team within the information, risk and security team here at Red Hat.

04:32 - Johan Philippine 

And Richard Monk.

04:33 - Richard Monk 

My job is Senior Information Security Analyst. My title is Consulting Information Security Analyst. But if you look in Rover, it says Consulting Detective, and I'm happy for that.

04:47 - Johan Philippine 

Now you may be wondering what memes have to do with red teams and blue teams.

04:53 - Angela Andrews 

This is what I was waiting for. You're speaking my love language now. I love memes.

05:00 - Johan Philippine 

Memes are so much fun.

05:02 - Brent Simoneaux 

What's your favorite meme?

05:03 - Angela Andrews 

My favorite meme that… this meme is in the hall of fame of memes. So when I was at my old job, we were on call and we rotated. So every time when my on-call came, I would post this photo of Beyonce, crying with her mascara running and she has a phone next to her ear and she looks a hot mess. And I would be like, "yeah, I'm on call this week." And I would post it on social media and I would send it to my boss. And then of course, when on call was over, I posted Mary Tyler Moore throwing her hat up in the sky and saying on call's over. Yeah, that's my hall of fame of favorite memes. Those two.

05:42 - Johan Philippine

Brilliant.

05:43 - Brent Simoneaux 

I love that.

05:44 - Johan Philippine 

Brent, do you have a favorite meme?

05:46 - Brent Simoneaux 

I… I don't internet.

05:49 - Angela Andrews 

I don't internet!

05:56 - Johan Philippine 

Well, the reason we're talking about memes today is because it turns out that these InfoSec teams, red team and blue team, and really the whole InfoSec community: they really love their memes.

06:09 - Richard Monk 

I make jokes that the InfoSec team are ancient Egyptians and that we speak in pictures and worship cats.

06:17 - Johan Philippine 

So Alison and Richard, they're part of the blue team, right? They're part of building up the defenses and they're monitoring the network, making sure that the systems are protected. They don't do any red team stuff… usually. But for this one project, Caturday, they switched sides. Here's how it started.

06:38 - Richard Monk 

I want to say that it was about 2010. It may have been a little bit later than that. When the very first TVs were put up in the office, our manager at the time said, "Hey, it'd be pretty cool if we got Business Cat up there."

06:55 - Brent Simoneaux 

I ask this as someone who doesn't internet: what is Business Cat? Or who is Business Cat?

07:04 - Richard Monk 

Business Cat is a very adorable black cat with a little collar and a little yellow striped tie on. And he's adorable. And he's kind of the mascot for a lot of things.

07:15 - Johan Philippine 

Pretty good mascot for a business prank, right? You put them up there and you know that something's not going right. Yeah.

07:23 - Angela Andrews 

You know.

07:24 - Johan Philippine 

Brent, would you mind kind of walking us through what these monitors are and what they display, usually?

07:33 - Brent Simoneaux 

So when I first started working at Red Hat, there were no monitors in my office. And then suddenly, they started appearing and they're in places like the kitchen and in the hallway. And they usually just display the weather, different announcements, the menu in the cafeteria, things like that. But they are all over the place now.

07:59 - Johan Philippine 

So imagine there are these TVs put up all over the place, and you've got this challenge given by your boss to put Business Cat up on these TVs. I know that I would put at least a little bit of effort to try and get that done.

08:14 - Angela Andrews 

Oh yeah.

08:15 - Johan Philippine 

Yeah.

08:15 - Angela Andrews 

The reach!

08:19 - Brent Simoneaux 

Who wouldn't do that?

08:21 - Angela Andrews 

Right?

08:22 - Johan Philippine 

The challenge was issued in about 2010 or so, and there was a prize involved, but no one was able to claim it until 2019. Now I'll put a little bit more context onto this and say that over the course of those several years, it was something that they would maybe try and catch the monitors as they were being restarted to get as much information as they could. And they'd poke around a little bit, but weren't devoting all that much time into actually getting it done.

08:48 - Brent Simoneaux 

You're saying this wasn't their full-time job.

08:50 - Johan Philippine 

Exactly. Right?

08:51 - Angela Andrews 

Oh, okay.

08:56 - Johan Philippine 

The first breakthrough came in 2019.

08:59 - Alison Naylor 

During my normal security analyst type of work, I was investigating an event. And in the process of doing that, I saw some host names that looked a little different to me. I didn't immediately know what they were. We have taps on the network where we're able to observe some parts of the traffic. And I saw what looked like unencrypted, plain text FTP traffic. And as part of that metadata, I saw what looked like a username and a password. A really, really easy password that no one should be using. And I was like, "no, that can't be," but I thought I would try it anyway.

09:36 - Brent Simoneaux 

Was the password 1, 2, 3, 4?

09:39 - Angela Andrews 

Password?

09:40 - Johan Philippine 

It turns out that someone hadn't changed the default password for what turned out to be kind of this mothership server in charge of this whole network of Red Hat Tower TVs, monitors, displays.

09:59 - Brent Simoneaux 

Oh no.

10:00 - Johan Philippine 

And so at that point, she remembered the challenge, the Business Cat challenge, and she thought, oh, I might be able to actually finish this challenge. Finally.

10:10 - Alison Naylor 

Even though I was logged into this mothership, I couldn't actually interact with the contents too much, but I wanted to learn more about the other signs, how they were named, how they were on the network in our building, in Red Hat Tower. I've started to browse our internal Wiki. And I found some host names. They seemed to follow a pattern and I found quite a nice list, once I knew the pattern to look for. And I found one that seemed to be different from the rest. And it looked like it was in the main lobby for the building. And I'd looked for default passwords and I found one and I thought I would try it. It can't be this easy, right? But it worked. Unfortunately the sign was pretty new and I don't think it had been fully set up. So the default admin credentials absolutely worked for me.

10:56 - Johan Philippine 

She got super excited, she went over to her teammate, Richard. She told him what she'd found. She said, okay, let's go downstairs. Let's take a look at this. And let's get Business Cat up there.

11:05 - Alison Naylor 

We're sitting in reception, probably acting very sketchy. We told our front desk person what we were doing so she wouldn't worry. We found a part of the interface that would allow you just to display any arbitrary image. You could just give it a URL and it would display whatever you pointed it at. So very quickly I went and made a little Business Cat meme myself. And I made it say, "You should probably change your password right meow."

11:32 - Angela Andrews 

Aw! Right meow.

11:33 - Brent Simoneaux

Right meow. 

11:35 - Johan Philippine 

They displayed it in the lobby in all of its glory. Richard took this wonderful full picture of, it's got Business Cat in the background. And it's got Alison in the foreground kind of looking over her shoulder with this huge grin on her face. Like very satisfied with herself.

11:48 - Angela Andrews 

What?! Like another famous meme that I'm thinking about.

11:52 - Johan Philippine 

Disaster girl?

11:54 - Angela Andrews 

Yes, yes.

11:57 - Brent Simoneaux 

Internet! 

11:59 - Johan Philippine 

So they took the picture and then they take it down because they're well aware that they're in this lobby of a prominent tech company with a huge, huge screen that has some…

12:13 - Brent Simoneaux 

Doesn't look so good.

12:13 - Johan Philippine 

Yeah. It doesn't look good for a tech company to have a meme in their lobby about changing passwords. So they take it down and they go up to their boss and they say, "all right, we did it. Here's the proof. Now give us our prize."

12:32 - Brent Simoneaux 

What was the prize?

12:33 - Johan Philippine 

Well, apparently there was no prize at that point.

12:35 - Angela Andrews 

What?

12:36 - Johan Philippine 

Their manager said, "oh no, this isn't good enough. That wasn't the challenge. The challenge wasn't to get Business Cat on one screen that was new, that wasn't fully set up yet. The challenge was to get Business Cat on all the monitors and displays and TVs throughout the Red Hat Tower."

12:52 - Brent Simoneaux 

Oh.

12:53 - Angela Andrews 

Oh. The plot thickens.

12:56 - Johan Philippine 

And at that point, Alison and Richard, a little annoyed say, "all right then, challenge accepted." And that's when they put on their work gloves. And I'm imagining this whole big montage of like an '80s movie, their fingers go on the keyboard, they're typing away, there's code flying around. And really that's when the real work began, right? And what follows is, well, it gets pretty technically hairy. I'll let Alison give us the details.

13:27 - Alison Naylor 

We started to just look for everything that was accessible there, every part of it. And so we found some scripts that we thought we could maybe take advantage of. And so we were able to get an authenticated command injection vulnerability.

13:40 - Angela Andrews 

Tell us what that is.

13:41 - Johan Philippine 

The way I understand it is this allowed them to trick the system into giving them more permissions than they should have had. That allowed them to run commands as if they were administrators.

13:53 - Angela Andrews 

Okay.

13:55 - Alison Naylor 

We figured that needed to be a CVE. And we're going to have to tell them, we got to tell a vendor. But not right now, because we're definitely going to get Business Cat on the screens. So we started to find some other things. We were able to get a shell on this mothership and we started to examine the file system. We saw things like the temp directory. We could put programs there and run them. So we were able to do that. We were able to get ourselves an interactive shell, not just a reverse shell. And we really started to examine what we could find on that disk.

14:27 - Angela Andrews 

Once you have shell access, and administrative shell access at that, that's the money shot.

14:33 - Johan Philippine 

Yep. They could put programs on there and they could run them and they were able to get themselves an interactive shell. And it's just, at that point, that's when they were really able to do some mischief.

14:47 - Alison Naylor 

We found that there was a user in the sudoers file that could read everything. We found that there were some other users that could run some other utilities on the system, including htpasswd, which can write out files and plain text, as long as there's a colon present somewhere in the line. Conveniently that also works for sudoers files. So we were able to explore that, to write a line into the sudoers so that we could make ourselves root. And now it's kind of game over from here, right? We have all the permissions we want.

15:13 - Brent Simoneaux 

All right. I am a little lost here. What is sudoers?

15:20 - Angela Andrews 

Sudoers is a file in the etc directory on a Linux system. And that file, allows you to set permissions for other users. You can set people's permissions. So imagine having access to be able to edit sudoers? Game over. You got the keys to the kingdom.

15:41 - Johan Philippine 

So they have the keys to the kingdom, but it doesn't do them very much good unless they know how the system works.

15:49 - Richard Monk 

And we figured out that at one point in the scripts, there was a location where the files were downloaded and then they were moved into the cache. And so that was the point that we could insert something. So in the script we inserted a single line that called our own script.

16:08 - Brent Simoneaux 

Let's get our whiteboard out.

16:09 - Johan Philippine 

Let's get the whiteboard out.

16:10 - Brent Simoneaux 

Let's get the whiteboard out.

16:11 - Angela Andrews 

Got it.

16:11 - Johan Philippine 

Love, love the whiteboard. Let's draw a big old cloud on the top of the whiteboard.

16:18 - Angela Andrews 

Got it.

16:19 - Johan Philippine 

Okay. We've got some lines going up to the cloud.

16:25 - Brent Simoneaux 

Yep.

16:26 - Johan Philippine 

Okay. And along those lines, we're sending files, we're sending images. We're sending, you know, menus, weather reports…

16:35 - Brent Simoneaux 

These are the slides that I see, basically.

16:37 - Johan Philippine 

These are the slides that you see every day.

16:39 - Brent Simoneaux 

In the office. Every day.

16:40 - Johan Philippine 

They go up to the cloud server, that cloud server then sends the files down to a location and moved into a cache, locally. So that you don't have to keep loading them every time from the cloud, right? It helps you minimize the amount of internet traffic and the bandwidth that goes from the cloud to your local server.

16:59 - Angela Andrews 

Okay.

17:00 - Johan Philippine 

And then from that local cache, monitors and displays would pull the images that they would need and display them.

17:08 - Brent Simoneaux 

And these are monitors in offices, around the world, from China to San Francisco, to Sao Paulo, to…

17:20 - Johan Philippine 

Wherever we have offices around the world that have this system and these displays in the offices, they're pulling from this cloud server.

17:32 - Richard Monk 

Every time a new slide was downloaded, they were all just images. It would take a picture of Business Cat, like a translucent picture of Business Cat and overlay it on the bottom right of every single one, every single slide.

17:45 - Brent Simoneaux 

This is pretty subtle.

17:47 - Johan Philippine 

It's pretty subtle. Yeah. It's very clever.

17:52 - Brent Simoneaux 

Yeah.

17:53 - Richard Monk 

The other thing was, there's a term we have called a C&C, command and control, server. And so we wanted to manage this thing. We wanted to see what it was doing because we're not going to be on the machine forever. And so I used a service to send every time one got updated, it would send both Alison and myself, a notification on our phones. It would say, "Hey, I saw a new slide" and it would give us a picture of the slide. So we could watch it in real time as it was updating these slides.

18:23 - Johan Philippine 

Then they would know that Business Cat was on his way to a screen near you.

18:28 - Angela Andrews 

Wow.

18:31 - Johan Philippine 

And so they did that. They left some comments in the code to say like, Hey, this is InfoSec. We're playing around. If you see this, let us know so we can talk about what's going on here. Within about 24 hours, Business Cat started making his way around the world. So obviously he started appearing in the Red Hat Tower in Raleigh, North Carolina. But Alison and Richard also started getting messages about Business Cats showing up in Brno, in the Czech Republic.

18:59 - Brent Simoneaux 

Wow.

19:00 - Johan Philippine 

And in Brisbane, Australia.

19:03 - Angela Andrews 

Worldwide Cat!

19:04 - Johan Philippine 

Mm-hmm (affirmative). So after years of stalling, the challenge had finally been completed.

19:13 - Angela Andrews 

That's awesome.

19:16 - Brent Simoneaux 

Wait what happened?

19:17 - Johan Philippine 

They were hoping that people would start noticing and contact them right away. That's not really what happened. So people did start noticing it because it was all over the place. They’d talk about it and they'd be like, "is that Business Cat on the monitors? What's he doing up there? What's going on?" And they'd be sitting there in the cafeteria, just kind of hiding their faces and giggling into their coffees, playing innocent. It took about a week before someone…

19:47 - Brent Simoneaux 

A week?

19:47 - Johan Philippine 

... actually contacted InfoSec to be like, "Hey, do you know what's going on here? Why is Business Cat showing up on these slides? We don't think that that's normal."

19:56 - Brent Simoneaux 

We don't think this is normal.

20:00 - Johan Philippine 

At that point they say, "yeah, that was us. We had our little fun, but we've got some things we need to talk about."

20:05 - Angela Andrews 

Wow. Okay. So they got Business Cat on all of the monitors, all over the world. That is such a feat…

20:14 - Johan Philippine 

Yeah.

20:15 - Angela Andrews 

...in and of itself. And what was their prize?

20:18 - Johan Philippine 

They went to their boss who had issued the challenge and explicitly told them that they had to get it. It couldn't be just one monitor. It had to be done all over the world. So they were like, "Okay, well this is what you asked for. Here it is." And their manager said, "Okay, good jorb," which is another meme. And then they ended up getting a, I believe it was a gift card of some sort as a reward for their efforts. But...

20:46 - Angela Andrews 

Job well done.

20:47 - Johan Philippine 

... obviously this story and the street cred is much more valuable.

20:52 - Angela Andrews 

I love this story.

20:56 - Brent Simoneaux 

So today's question was: how can memes improve security?

21:01 - Johan Philippine 

That's right.

21:02 - Brent Simoneaux 

Johan, what did you learn from this story?

21:05 - Johan Philippine 

Well, I learned that you can get some Cats up on some screens at Red Hat and the whole system becomes a little bit more secure. Let me trace out the logic for that a little bit more for you.

21:17 - Brent Simoneaux 

Okay.

21:17 - Angela Andrews 

Yeah. I'm sure people want to know what's the causality here, but yeah.

21:22 - Johan Philippine 

Yeah. Alison and Richard took extensive notes about what they were doing and the ways in which they actually got into the system.

21:31 - Angela Andrews 

Okay. They documented their procedure.

21:34 - Alison Naylor 

I actually wrote a report with all the problems laid out.

21:36 - Johan Philippine 

Alison and Richard shared their findings with the rest of the blue team at Red Hat so that they could patch these vulnerabilities. For those that weren't Red Hat's responsibility, they disclosed the rest of the findings to the vendor.

21:51 - Alison Naylor 

We did responsibly disclose our findings to the vendor because we wanted to help them fix those issues and to prevent some bad actors from finding the same holes that we did. And kudos to them for listening and taking us seriously. On the Red Hat side, the problems were those basic ones, right? Like plain text, unencrypted password on the wire that we were able to intercept, using a very weak and easily guessed password. Some passwords hadn't been set at all in the newer equipment. So they still had the defaults that admin default set up.

22:20 - Angela Andrews 

Always change the default password.

22:23 - Johan Philippine 

Yep. Yep.

22:24 - Angela Andrews 

Okay.

22:25 - Johan Philippine 

That's one of the easiest ways for people to get in, is they just try the default administrative passwords and if you haven't changed them, then they just have access to the system. One corollary to that is to make sure that you're not transmitting those passwords even if they are changed in a way that people can read them.

22:44 - Angela Andrews 

Encryption.

22:45 - Johan Philippine 

Encryption.

22:47 - Angela Andrews 

So using FTP is never good. Never good. If you're going to use FTP, then you use SFTP where passwords and things aren't going over in clear text.

22:59 - Johan Philippine 

And the S in SFTP stands for?

23:01 - Angela Andrews 

Stands for secure. There you go.

23:03 - Johan Philippine 

There it is. That's lesson number one, is just be very careful with your password.

23:09 - Angela Andrews 

Yeah. Password hygiene. Okay.

23:11 - Johan Philippine 

Exactly. Step number two, is to make use of the principle of least privilege. I could describe what that is. Angela, would you mind giving us what that means to you?

23:25 - Angela Andrews 

Sure. So, the principle of least privilege means, whatever user you are, you only have the privileges that you need to do your job. Everyone doesn't have to be root. You only get access to exactly what you need access to. So the principle of least privilege is, my account only gives me access to do the things that I only need to do, to do my job. Nothing more.

23:55 - Johan Philippine 

Yep.

23:55 - Angela Andrews 

Nothing more. So least privilege.

23:58 - Johan Philippine 

Not everyone needs to have root access, which is basically the permission to change everything on a machine. Now the third lesson is more of a human thing and that's not to bypass security features for convenience.

24:18 - Brent Simoneaux 

Wait, what do you mean by that?

24:19 - Johan Philippine 

So, say for example there's a security feature that's put in place that's meant to protect a system, but it takes some effort to get around it or to get through it, right? It's just another layer of something that you have to do. A lot of the times people will find that to be an inconvenience and they'll find a way to get around that or to ignore it, right? And at that point, you're leaving the door open for someone to actually go in and do what that security was supposed to protect against.

24:55 - Brent Simoneaux 

This is like, when I leave my front door unlocked, when I walk my dogs.

25:00 - Angela Andrews 

Yes, that’s… yes.

25:01 - Brent Simoneaux 

Pretty much because it's really annoying, slight inconvenience, but I find it annoying.

25:08 - Johan Philippine 

The one example that Alison put in her report is that.

25:12 - Alison Naylor

Through various parts of the system, they also used curl dash K, which is insecure mode, ignoring SSL. So we could have man-in-the-middled there as well.

25:22 - Johan Philippine 

Those are the lessons, really high level lessons as to what not to do. But you might be wondering why is that important, right? Especially for a system of monitors and TVs in a Red Hat office.

25:36 - Angela Andrews 

This is just the beginning.

25:38 - Johan Philippine 

It's just the beginning. And even if you have access to just that system, there's still a lot of things you can do with it. And even though a Business Cat on screens is harmless, you can put things in front of people that aren't so harmless, like instructions to go to a certain website to fill out information, to update something for a made up…

26:01 - Brent Simoneaux 

Oh.

26:02 - Angela Andrews 

Yeah.

26:03 - Johan Philippine 

... work update, right? Say, Hey, everyone, you're supposed to go and update your profile and update all your personal information, and it turns out to be a malicious website. Then they start collecting all of this personal data about people from inside the company.

26:20 - Brent Simoneaux 

I could also see, like a QR code or…

26:23 - Johan Philippine 

Mm-hmm (affirmative).

26:24 - Angela Andrews 

Yeah.

26:25 - Johan Philippine 

Exactly.

26:25 - Angela Andrews 

I'm thinking of a myriad of ways or things that you can put up on that screen that could be so detrimental to Red Hatters all over the world. Business Cat was very innocent, very cute, but it just shows the depths at which you could infiltrate and social engineer folks to do all kinds of things that they wouldn't bat an eye. It's up on the monitors in our office, of course it's legit, right?

26:57 - Johan Philippine 

Mm-hmm (affirmative).

26:57 - Brent Simoneaux 

It's not like a USB stick you found on the sidewalk.

27:00 - Angela Andrews 

Exactly. It's not just one person picking it up and sticking it in their computer.

27:07 - Johan Philippine 

Now I would like to reiterate at this point that it took multiple years of people kind of poking at the system before they found a way in. There's no such thing as a perfect unhackable system.

27:19 - Angela Andrews 

That's true.

27:20 - Brent Simoneaux 

Yeah.

27:20 - Johan Philippine 

But this one seemed to be fairly secure up until it wasn't. Right up until they found that one little inch that they broke into and then kind of shimmied their way into the whole system.

27:33 - Angela Andrews 

But look at what they learned in the process, the report that Alison wrote, detailing the methods that she used to break in and get Business Cat on there, the things that she saw and learned along the way.

27:47 - Johan Philippine 

Yeah.

27:48 - Brent Simoneaux 

Yeah. They definitely learned a lot, but Johan, I'm curious about our original question. How can memes improve security? So I'm kind of curious how you're thinking about that.

28:00 - Johan Philippine 

Are you not entertained? We've been talking about all these vulnerabilities that the blue team discovered, right? And I'm going to argue that it's thanks to the memes that these got found at all. I'm not sure that this challenge would've been completed, if it hadn't been for that meme element. If Alison and Richard had just been given a challenge to break into the system, it wouldn't have been as fun, right? There's that little element of mischief, that element of humor that I really think gave them the motivation to see it through. So I'm sitting here with my mug of tea, alone at my table, and I'm proclaiming that memes can be a fantastic way to find security vulnerabilities. Change my mind.

28:45 - Angela Andrews 

And that does it for this episode of Compiler.

28:53 - Brent Simoneaux 

Today's episode was produced by Johan Philippine and Caroline Creaghead. Victoria Lawton is always monitoring our work for shenanigans.

29:04 - Angela Andrews 

I love her for it. Our audio engineer is Elisabeth Hart. Special thanks to Shawn Cole. Our theme song was composed by Mary Ancheta.

29:14 - Brent Simoneaux 

Big thank you to our guests, Alison Naylor and Richard Monk for sharing the story of Business Cat’s big day at Red Hat.

29:22 - Angela Andrews 

Our audio team includes Leigh Day, Laura Barnes, Claire Alison, Nick Burns, Aaron Williamson, Karen King, Boo Boo Howse, Rachel Ertel, Mike Compton, Ocean Matthews, and Laura Walters.

29:37 - Brent Simoneaux 

If you liked today's episode, please follow the show, rate the show, leave a review, share it with anyone you know. It really does help us out.

29:49 - Angela Andrews 

It sure does. Thank you so much for listening. We'll see you next time.

29:52 - Brent Simoneaux 

All right. Bye everybody.

 


Featured guests

Alison Naylor

Richard Monk

We were so excited about our episode on licenses—so we have a special project that we want to share. Our Compiler theme song is now under a Creative Commons license. Add your own special touch to our theme. Remixes have the chance to be featured on a future episode.