Episode 14
How Can Memes Improve Security?
Show Notes
Memes are goofy. They’re easily recognizable. And they’re often used to make a point. So it’s no wonder that people on both sides of the InfoSec community are not only familiar with memes, but often use them in their endless games of cat and mouse. Consequently, memes are often a sign of a breach of security. Because there’s little as satisfying as leaving a meme as proof of your security prowess.
This episode, we hear from a couple of Red Hatters who rose to an unusual security challenge. And while intentions were good, the memes could have easily been something much more nefarious.
Transcript
00:01 - Johan Philippine
Brent, Angela. Have you ever been pranked on a work computer?
00:06 - Angela Andrews
Never.
00:07 - Johan Philippine
Never. Wow!
00:08 - Angela Andrews
No.
00:08 - Brent Simoneaux
One time. Well, I'm ashamed to admit this, multiple times, I have left my laptop open.
00:17 - Johan Philippine
Oh, Brent.
00:18 - Brent Simoneaux
In the office.
00:19 - Johan Philippine
Oh no.
00:19 - Brent Simoneaux
And this, of course led to, I'll call them pranks.
00:25 - Johan Philippine
Go on.
00:27 - Brent Simoneaux
Well, they were mostly, I'll say kind reminders to lock my computer when I walk away from it.
00:37 - Angela Andrews
Kind reminders.
00:38 - Brent Simoneaux
Yeah. Kind reminders that mostly took the form of emails to myself, from myself.
00:46 - Johan Philippine
At a previous company I worked at, we would do something very similar where if someone left their computer open and unlocked, someone would post as them in Slack saying like, "Hey, donuts are on me tomorrow." Right? So there's that extra little incentive for them to be a bit more careful.
01:02 - Angela Andrews
That'll learn ya.
01:03 - Johan Philippine
Mm-hmm (affirmative). It's harmless fun, right? But it has its role. And that is to encourage people to have better security practices. Now there's a story I want to share with the two of you that happened here at Red Hat, and it's called Caturday.
01:19 - Brent Simoneaux
Caturday.
01:22 - Angela Andrews
Do tell.
01:22 - Johan Philippine
This story involves pranks and security, but it also involves memes.
01:29 - Angela Andrews
You have my full attention.
01:30 - Johan Philippine
This is a great story, but it also led me to wonder how can memes improve security?
01:36 - Angela Andrews
Good question.
01:41 - Brent Simoneaux
This is Compiler, an original podcast from Red Hat.
01:45 - Angela Andrews
We're your hosts.
01:46 - Brent Simoneaux
I'm Brent Simoneaux.
01:47 - Angela Andrews
And I'm Angela Andrews.
01:49 - Brent Simoneaux
We're here to break down questions from the tech industry; big, small, and sometimes strange.
01:55 - Angela Andrews
Each episode, we go out in search of answers from Red Hatters and to people they're connected to.
02:01 - Brent Simoneaux
Today's question: How can memes improve security?
02:05 - Angela Andrews
Producer Johan Philippine is here to help us out.
02:13 - Johan Philippine
Now, before we dig into the actual story of Caturday, it's really important that we understand the difference between blue teams and red teams. Angela, do you know what a blue security team is?
02:27 - Angela Andrews
Yes, I do. So the blue team are the security folks inside of an organization who do the defensive security measures. They're putting the things in place to secure the infrastructure. That's the blue team.
02:42 - Brent Simoneaux
You've got a defense team. And so I assume there's an offense team.
02:49 - Johan Philippine
That's right.
02:49 - Brent Simoneaux
Okay.
02:50 - Johan Philippine
So it's red versus blue. That's the classic, you know, clash of the colors. The red teams, they do kind of the opposite of the blue team, right? They're there to consistently and constantly test the defenses that the blue team have put in place. And when they find something, they usually let the blue team know so that the blue team can then fix whatever it is that needs to be fixed in order to make sure that other people who are looking to find ways into the system can't use that same vector for attack.
03:23 - Brent Simoneaux
And to clarify, the red team works for the same company as the blue team.
03:30 - Angela Andrews
Not always.
03:31 - Brent Simoneaux
Not always.
03:32 - Johan Philippine
Not always. Yeah.
03:32 - Brent Simoneaux
Okay.
03:33 - Angela Andrews
Not always. Sometimes red teams are external to your company. Yeah. Now, they're hired by your company.
03:40 - Brent Simoneaux
Yeah.
03:41 - Angela Andrews
But they've been given permission to try to scan and compromise your system and find out what your weaknesses are. It just so happens that this company has both red and blue teams.
03:56 - Brent Simoneaux
And this is for the purpose of learning?
03:58 - Angela Andrews
Yes. Seeing where your systems may be vulnerable and how to find and remediate those vulnerabilities.
04:08 - Johan Philippine
No system is truly un-hackable, right? So if someone's in your system that shouldn't be there, you've got to be prepared and able to identify them. Now, luckily we've identified the two culprits for Caturday and it turns out they're part of the blue team. They are Alison Naylor:
04:25 - Alison Naylor
I manage the North America incident response and operations team within the information, risk and security team here at Red Hat.
04:32 - Johan Philippine
And Richard Monk.
04:33 - Richard Monk
My job is Senior Information Security Analyst. My title is Consulting Information Security Analyst. But if you look in Rover, it says Consulting Detective, and I'm happy for that.
04:47 - Johan Philippine
Now you may be wondering what memes have to do with red teams and blue teams.
04:53 - Angela Andrews
This is what I was waiting for. You're speaking my love language now. I love memes.
05:00 - Johan Philippine
Memes are so much fun.
05:02 - Brent Simoneaux
What's your favorite meme?
05:03 - Angela Andrews
My favorite meme that… this meme is in the hall of fame of memes. So when I was at my old job, we were on call and we rotated. So every time when my on-call came, I would post this photo of Beyonce, crying with her mascara running and she has a phone next to her ear and she looks a hot mess. And I would be like, "yeah, I'm on call this week." And I would post it on social media and I would send it to my boss. And then of course, when on call was over, I posted Mary Tyler Moore throwing her hat up in the sky and saying on call's over. Yeah, that's my hall of fame of favorite memes. Those two.
05:42 - Johan Philippine
Brilliant.
05:43 - Brent Simoneaux
I love that.
05:44 - Johan Philippine
Brent, do you have a favorite meme?
05:46 - Brent Simoneaux
I… I don't internet.
05:49 - Angela Andrews
I don't internet!
05:56 - Johan Philippine
Well, the reason we're talking about memes today is because it turns out that these InfoSec teams, red team and blue team, and really the whole InfoSec community: they really love their memes.
06:09 - Richard Monk
I make jokes that the InfoSec team are ancient Egyptians and that we speak in pictures and worship cats.
06:17 - Johan Philippine
So Alison and Richard, they're part of the blue team, right? They're part of building up the defenses and they're monitoring the network, making sure that the systems are protected. They don't do any red team stuff… usually. But for this one project, Caturday, they switched sides. Here's how it started.
06:38 - Richard Monk
I want to say that it was about 2010. It may have been a little bit later than that. When the very first TVs were put up in the office, our manager at the time said, "Hey, it'd be pretty cool if we got Business Cat up there."
06:55 - Brent Simoneaux
I ask this as someone who doesn't internet: what is Business Cat? Or who is Business Cat?
07:04 - Richard Monk
Business Cat is a very adorable black cat with a little collar and a little yellow striped tie on. And he's adorable. And he's kind of the mascot for a lot of things.
07:15 - Johan Philippine
Pretty good mascot for a business prank, right? You put them up there and you know that something's not going right. Yeah.
07:23 - Angela Andrews
You know.
07:24 - Johan Philippine
Brent, would you mind kind of walking us through what these monitors are and what they display, usually?
07:33 - Brent Simoneaux
So when I first started working at Red Hat, there were no monitors in my office. And then suddenly, they started appearing and they're in places like the kitchen and in the hallway. And they usually just display the weather, different announcements, the menu in the cafeteria, things like that. But they are all over the place now.
07:59 - Johan Philippine
So imagine there are these TVs put up all over the place, and you've got this challenge given by your boss to put Business Cat up on these TVs. I know that I would put at least a little bit of effort to try and get that done.
08:14 - Angela Andrews
Oh yeah.
08:15 - Johan Philippine
Yeah.
08:15 - Angela Andrews
The reach!
08:19 - Brent Simoneaux
Who wouldn't do that?
08:21 - Angela Andrews
Right?
08:22 - Johan Philippine
The challenge was issued in about 2010 or so, and there was a prize involved, but no one was able to claim it until 2019. Now I'll put a little bit more context onto this and say that over the course of those several years, it was something that they would maybe try and catch the monitors as they were being restarted to get as much information as they could. And they'd poke around a little bit, but weren't devoting all that much time into actually getting it done.
08:48 - Brent Simoneaux
You're saying this wasn't their full-time job.
08:50 - Johan Philippine
Exactly. Right?
08:51 - Angela Andrews
Oh, okay.
08:56 - Johan Philippine
The first breakthrough came in 2019.
08:59 - Alison Naylor
During my normal security analyst type of work, I was investigating an event. And in the process of doing that, I saw some host names that looked a little different to me. I didn't immediately know what they were. We have taps on the network where we're able to observe some parts of the traffic. And I saw what looked like unencrypted, plain text FTP traffic. And as part of that metadata, I saw what looked like a username and a password. A really, really easy password that no one should be using. And I was like, "no, that can't be," but I thought I would try it anyway.
09:36 - Brent Simoneaux
Was the password 1, 2, 3, 4?
09:39 - Angela Andrews
Password?
09:40 - Johan Philippine
It turns out that someone hadn't changed the default password for what turned out to be kind of this mothership server in charge of this whole network of Red Hat Tower TVs, monitors, displays.
09:59 - Brent Simoneaux
Oh no.
10:00 - Johan Philippine
And so at that point, she remembered the challenge, the Business Cat challenge, and she thought, oh, I might be able to actually finish this challenge. Finally.
10:10 - Alison Naylor
Even though I was logged into this mothership, I couldn't actually interact with the contents too much, but I wanted to learn more about the other signs, how they were named, how they were on the network in our building, in Red Hat Tower. I've started to browse our internal Wiki. And I found some host names. They seemed to follow a pattern and I found quite a nice list, once I knew the pattern to look for. And I found one that seemed to be different from the rest. And it looked like it was in the main lobby for the building. And I'd looked for default passwords and I found one and I thought I would try it. It can't be this easy, right? But it worked. Unfortunately the sign was pretty new and I don't think it had been fully set up. So the default admin credentials absolutely worked for me.
10:56 - Johan Philippine
She got super excited, she went over to her teammate, Richard. She told him what she'd found. She said, okay, let's go downstairs. Let's take a look at this. And let's get Business Cat up there.
11:05 - Alison Naylor
We're sitting in reception, probably acting very sketchy. We told our front desk person what we were doing so she wouldn't worry. We found a part of the interface that would allow you just to display any arbitrary image. You could just give it a URL and it would display whatever you pointed it at. So very quickly I went and made a little Business Cat meme myself. And I made it say, "You should probably change your password right meow."
11:32 - Angela Andrews
Aw! Right meow.
11:33 - Brent Simoneaux
Right meow.
11:35 - Johan Philippine
They displayed it in the lobby in all of its glory. Richard took this wonderful full picture of, it's got Business Cat in the background. And it's got Alison in the foreground kind of looking over her shoulder with this huge grin on her face. Like very satisfied with herself.
11:48 - Angela Andrews
What?! Like another famous meme that I'm thinking about.
11:52 - Johan Philippine
Disaster girl?
11:54 - Angela Andrews
Yes, yes.
11:57 - Brent Simoneaux
Internet!
11:59 - Johan Philippine
So they took the picture and then they take it down because they're well aware that they're in this lobby of a prominent tech company with a huge, huge screen that has some…
12:13 - Brent Simoneaux
Doesn't look so good.
12:13 - Johan Philippine
Yeah. It doesn't look good for a tech company to have a meme in their lobby about changing passwords. So they take it down and they go up to their boss and they say, "all right, we did it. Here's the proof. Now give us our prize."
12:32 - Brent Simoneaux
What was the prize?
12:33 - Johan Philippine
Well, apparently there was no prize at that point.
12:35 - Angela Andrews
What?
12:36 - Johan Philippine
Their manager said, "oh no, this isn't good enough. That wasn't the challenge. The challenge wasn't to get Business Cat on one screen that was new, that wasn't fully set up yet. The challenge was to get Business Cat on all the monitors and displays and TVs throughout the Red Hat Tower."
12:52 - Brent Simoneaux
Oh.
12:53 - Angela Andrews
Oh. The plot thickens.
12:56 - Johan Philippine
And at that point, Alison and Richard, a little annoyed say, "all right then, challenge accepted." And that's when they put on their work gloves. And I'm imagining this whole big montage of like an '80s movie, their fingers go on the keyboard, they're typing away, there's code flying around. And really that's when the real work began, right? And what follows is, well, it gets pretty technically hairy. I'll let Alison give us the details.
13:27 - Alison Naylor
We started to just look for everything that was accessible there, every part of it. And so we found some scripts that we thought we could maybe take advantage of. And so we were able to get an authenticated command injection vulnerability.
13:40 - Angela Andrews
Tell us what that is.
13:41 - Johan Philippine
The way I understand it is this allowed them to trick the system into giving them more permissions than they should have had. That allowed them to run commands as if they were administrators.
13:53 - Angela Andrews
Okay.
13:55 - Alison Naylor
We figured that needed to be a CVE. And we're going to have to tell them, we got to tell a vendor. But not right now, because we're definitely going to get Business Cat on the screens. So we started to find some other things. We were able to get a shell on this mothership and we started to examine the file system. We saw things like the temp directory. We could put programs there and run them. So we were able to do that. We were able to get ourselves an interactive shell, not just a reverse shell. And we really started to examine what we could find on that disk.
14:27 - Angela Andrews
Once you have shell access, and administrative shell access at that, that's the money shot.
14:33 - Johan Philippine
Yep. They could put programs on there and they could run them and they were able to get themselves an interactive shell. And it's just, at that point, that's when they were really able to do some mischief.
14:47 - Alison Naylor
We found that there was a user in the sudoers file that could read everything. We found that there were some other users that could run some other utilities on the system, including htpasswd, which can write out files in plain text, as long as there's a colon present somewhere in the line. Conveniently that also works for sudoers files. So we were able to explore that, to write a line into the sudoers so that we could make ourselves root. And now it's kind of game over from here, right? We have all the permissions we want.
15:13 - Brent Simoneaux
All right. I am a little lost here. What is sudoers?
15:20 - Angela Andrews
Sudoers is a file in the etc directory on a Linux system. And that file allows you to set permissions for other users. You can set people's permissions. So imagine having access to be able to edit sudoers? Game over. You got the keys to the kingdom.
15:41 - Johan Philippine
So they have the keys to the kingdom, but it doesn't do them very much good unless they know how the system works.
15:49 - Richard Monk
And we figured out that at one point in the scripts, there was a location where the files were downloaded and then they were moved into the cache. And so that was the point that we could insert something. So in the script we inserted a single line that called our own script.
16:08 - Brent Simoneaux
Let's get our whiteboard out.
16:09 - Johan Philippine
Let's get the whiteboard out.
16:10 - Brent Simoneaux
Let's get the whiteboard out.
16:11 - Angela Andrews
Got it.
16:11 - Johan Philippine
Love, love the whiteboard. Let's draw a big old cloud on the top of the whiteboard.
16:18 - Angela Andrews
Got it.
16:19 - Johan Philippine
Okay. We've got some lines going up to the cloud.
16:25 - Brent Simoneaux
Yep.
16:26 - Johan Philippine
Okay. And along those lines, we're sending files, we're sending images. We're sending, you know, menus, weather reports…
16:35 - Brent Simoneaux
These are the slides that I see, basically.
16:37 - Johan Philippine
These are the slides that you see every day.
16:39 - Brent Simoneaux
In the office. Every day.
16:40 - Johan Philippine
They go up to the cloud server, that cloud server then sends the files down to a location and they're moved into a cache, locally. So that you don't have to keep loading them every time from the cloud, right? It helps you minimize the amount of internet traffic and the bandwidth that goes from the cloud to your local server.
16:59 - Angela Andrews
Okay.
17:00 - Johan Philippine
And then from that local cache, monitors and displays would pull the images that they would need and display them.
17:08 - Brent Simoneaux
And these are monitors in offices, around the world, from China to San Francisco, to Sao Paulo, to...
17:20 - Johan Philippine
Wherever we have offices around the world that have this system and these displays in the offices, they're pulling from this cloud server.
17:32 - Richard Monk
Every time a new slide was downloaded, they were all just images. It would take a picture of Business Cat, like a translucent picture of Business Cat and overlay it on the bottom right of every single one, every single slide.
17:45 - Brent Simoneaux
This is pretty subtle.
17:47 - Johan Philippine
It's pretty subtle. Yeah. It's very clever.
17:52 - Brent Simoneaux
Yeah.
17:53 - Richard Monk
The other thing was, there's a term we have called a C&C, command and control server. And so we wanted to manage this thing. We wanted to see what it was doing because we're not going to be on the machine forever. And so I used a service to send every time one got updated, it would send both Alison and myself, a notification on our phones. It would say, "Hey, I saw a new slide" and it would give us a picture of the slide. So we could watch it in real time as it was updating these slides.
18:23 - Johan Philippine
Then they would know that Business Cat was on his way to a screen near you.
18:28 - Angela Andrews
Wow.
18:31 - Johan Philippine
And so they did that. They left some comments in the code to say like, Hey, this is InfoSec. We're playing around. If you see this, let us know so we can talk about what's going on here. Within about 24 hours, Business Cat started making his way around the world. So obviously he started appearing in the Red Hat Tower in Raleigh, North Carolina. But Alison and Richard also started getting messages about Business Cats showing up in Brno, in the Czech Republic.
18:59 - Brent Simoneaux
Wow.
19:00 - Johan Philippine
And in Brisbane, Australia.
19:03 - Angela Andrews
Worldwide Cat!
19:04 - Johan Philippine
Mm-hmm (affirmative). So after years of stalling, the challenge had finally been completed.
19:13 - Angela Andrews
That's awesome.
19:16 - Brent Simoneaux
Wait what happened?
19:17 - Johan Philippine
They were hoping that people would start noticing and contact them right away. That's not really what happened. So people did start noticing it because it was all over the place. They’d talk about it and they'd be like, "is that Business Cat on the monitors? What's he doing up there? What's going on?" And they'd be sitting there in the cafeteria, just kind of hiding their faces and giggling into their coffees, playing innocent. It took about a week before someone…
19:47 - Brent Simoneaux
A week?
19:47 - Johan Philippine
... actually contacted InfoSec to be like, "Hey, do you know what's going on here? Why is Business Cat showing up on these slides? We don't think that that's normal."
19:56 - Brent Simoneaux
We don't think this is normal.
20:00 - Johan Philippine
At that point they say, "yeah, that was us. We had our little fun, but we've got some things we need to talk about."
20:05 - Angela Andrews
Wow. Okay. So they got Business Cat on all of the monitors, all over the world. That is such a feat…
20:14 - Johan Philippine
Yeah.
20:15 - Angela Andrews
...in and of itself. And what was their prize?
20:18 - Johan Philippine
They went to their boss who had issued the challenge and explicitly told them that they had to get it. It couldn't be just one monitor. It had to be done all over the world. So they were like, "Okay, well this is what you asked for. Here it is." And their manager said, "Okay, good jorb," which is another meme. And then they ended up getting a, I believe it was a gift card of some sort as a reward for their efforts. But...
20:46 - Angela Andrews
Job well done.
20:47 - Johan Philippine
... obviously this story and the street cred is much more valuable.
20:52 - Angela Andrews
I love this story.
20:56 - Brent Simoneaux
So today's question was: how can memes improve security?
21:01 - Johan Philippine
That's right.
21:02 - Brent Simoneaux
Johan, what did you learn from this story?
21:05 - Johan Philippine
Well, I learned that you can get some Cats up on some screens at Red Hat and the whole system becomes a little bit more secure. Let me trace out the logic for that a little bit more for you.
21:17 - Brent Simoneaux
Okay.
21:17 - Angela Andrews
Yeah. I'm sure people want to know what's the causality here, but yeah.
21:22 - Johan Philippine
Yeah. Alison and Richard took extensive notes about what they were doing and the ways in which they actually got into the system.
21:31 - Angela Andrews
Okay. They documented their procedure.
21:34 - Alison Naylor
I actually wrote a report with all the problems laid out.
21:36 - Johan Philippine
Alison and Richard shared their findings with the rest of the blue team at Red Hat so that they could patch these vulnerabilities. For those that weren't Red Hat's responsibility, they disclosed the rest of the findings to the vendor.
21:51 - Alison Naylor
We did responsibly disclose our findings to the vendor because we wanted to help them fix those issues and to prevent some bad actors from finding the same holes that we did. And kudos to them for listening and taking us seriously. On the Red Hat side, the problems were those basic ones, right? Like plain text, unencrypted password on the wire that we were able to intercept, using a very weak and easily guessed password. Some passwords hadn't been set at all in the newer equipment. So they still had the defaults that admin default set up.
22:20 - Angela Andrews
Always change the default password.
22:23 - Johan Philippine
Yep. Yep.
22:24 - Angela Andrews
Okay.
22:25 - Johan Philippine
That's one of the easiest ways for people to get in, is they just try the default administrative passwords and if you haven't changed them, then they just have access to the system. One corollary to that is to make sure that you're not transmitting those passwords even if they are changed in a way that people can read them.
22:44 - Angela Andrews
Encryption.
22:45 - Johan Philippine
Encryption.
22:47 - Angela Andrews
So using FTP is never good. Never good. If you're going to use FTP, then you use SFTP where passwords and things aren't going over in clear text.
22:59 - Johan Philippine
And the S in SFTP stands for?
23:01 - Angela Andrews
Stands for secure. There you go.
23:03 - Johan Philippine
There it is. That's lesson number one, is just be very careful with your password.
23:09 - Angela Andrews
Yeah. Password hygiene. Okay.
23:11 - Johan Philippine
Exactly. Step number two, is to make use of the principle of least privilege. I could describe what that is. Angela, would you mind giving us what that means to you?
23:25 - Angela Andrews
Sure. So, the principle of least privilege means, whatever user you are, you only have the privileges that you need to do your job. Everyone doesn't have to be root. You only get access to exactly what you need access to. So the principle of least privilege is, my account only gives me access to do the things that I only need to do, to do my job. Nothing more.
23:55 - Johan Philippine
Yep.
23:55 - Angela Andrews
Nothing more. So least privilege.
23:58 - Johan Philippine
Not everyone needs to have root access, which is basically the permission to change everything on a machine. Now the third lesson is more of a human thing and that's not to bypass security features for convenience.
24:18 - Brent Simoneaux
Wait, what do you mean by that?
24:19 - Johan Philippine
So, say for example there's a security feature that's put in place that's meant to protect a system, but it takes some effort to get around it or to get through it, right? It's just another layer of something that you have to do. A lot of the times people will find that to be an inconvenience and they'll find a way to get around that or to ignore it, right? And at that point, you're leaving the door open for someone to actually go in and do what that security was supposed to protect against.
24:55 - Brent Simoneaux
This is like, when I leave my front door unlocked, when I walk my dogs.
25:00 - Angela Andrews
Yes, that’s… yes.
25:01 - Brent Simoneaux
Pretty much because it's really annoying, slight inconvenience, but I find it annoying.
25:08 - Johan Philippine
The one example that Alison put in her report is that.
25:12 - Alison Naylor
Through various parts of the system, they also used curl dash K, which is insecure mode, ignoring SSL. So we could have man-in-the-middled there as well.
25:22 - Johan Philippine
Those are the lessons, really high level lessons as to what not to do. But you might be wondering why is that important, right? Especially for a system of monitors and TVs in a Red Hat office.
25:36 - Angela Andrews
This is just the beginning.
25:38 - Johan Philippine
It's just the beginning. And even if you have access to just that system, there's still a lot of things you can do with it. And even though a Business Cat on screens is harmless, you can put things in front of people that aren't so harmless, like instructions to go to a certain website to fill out information, to update something for a made up…
26:01 - Brent Simoneaux
Oh.
26:02 - Angela Andrews
Yeah.
26:03 - Johan Philippine
... work update, right? Say, Hey, everyone, you're supposed to go and update your profile and update all your personal information, and it turns out to be a malicious website. Then they start collecting all of this personal data about people from inside the company.
26:20 - Brent Simoneaux
I could also see, like a QR code or…
26:23 - Johan Philippine
Mm-hmm (affirmative).
26:24 - Angela Andrews
Yeah.
26:25 - Johan Philippine
Exactly.
26:25 - Angela Andrews
I'm thinking of a myriad of ways or things that you can put up on that screen that could be so detrimental to Red Hatters all over the world. Business Cat was very innocent, very cute, but it just shows the depths at which you could infiltrate and social engineer folks to do all kinds of things that they wouldn't bat an eye. It's up on the monitors in our office, of course it's legit, right?
26:57 - Johan Philippine
Mm-hmm (affirmative).
26:57 - Brent Simoneaux
It's not like a USB stick you found on the sidewalk.
27:00 - Angela Andrews
Exactly. It's not just one person picking it up and sticking it in their computer.
27:07 - Johan Philippine
Now I would like to reiterate at this point that it took multiple years of people kind of poking at the system before they found a way in. There's no such thing as a perfect unhackable system.
27:19 - Angela Andrews
That's true.
27:20 - Brent Simoneaux
Yeah.
27:20 - Johan Philippine
But this one seemed to be fairly secure up until it wasn't. Right up until they found that one little inch that they broke into and then kind of shimmied their way into the whole system.
27:33 - Angela Andrews
But look at what they learned in the process, the report that Alison wrote, detailing the methods that she used to break in and get Business Cat on there, the things that she saw and learned along the way.
27:47 - Johan Philippine
Yeah.
27:48 - Brent Simoneaux
Yeah. They definitely learned a lot, but Johan, I'm curious about our original question. How can memes improve security? So I'm kind of curious how you're thinking about that.
28:00 - Johan Philippine
Are you not entertained? We've been talking about all these vulnerabilities that the blue team discovered, right? And I'm going to argue that it's thanks to the memes that these got found at all. I'm not sure that this challenge would've been completed, if it hadn't been for that meme element. If Alison and Richard had just been given a challenge to break into the system, it wouldn't have been as fun, right? There's that little element of mischief, that element of humor that I really think gave them the motivation to see it through. So I'm sitting here with my mug of tea, alone at my table, and I'm proclaiming that memes can be a fantastic way to find security vulnerabilities. Change my mind.
28:45 - Angela Andrews
And that does it for this episode of Compiler.
28:53 - Brent Simoneaux
Today's episode was produced by Johan Philippine and Caroline Creaghead. Victoria Lawton is always monitoring our work for shenanigans.
29:04 - Angela Andrews
I love her for it. Our audio engineer is Elisabeth Hart. Special thanks to Shawn Cole. Our theme song was composed by Mary Ancheta.
29:14 - Brent Simoneaux
Big thank you to our guests, Alison Naylor and Richard Monk for sharing the story of Business Cat’s big day at Red Hat.
29:22 - Angela Andrews
Our audio team includes Leigh Day, Laura Barnes, Claire Alison, Nick Burns, Aaron Williamson, Karen King, Boo Boo Howse, Rachel Ertel, Mike Compton, Ocean Matthews, and Laura Walters.
29:37 - Brent Simoneaux
If you liked today's episode, please follow the show, rate the show, leave a review, share it with anyone you know. It really does help us out.
29:49 - Angela Andrews
It sure does. Thank you so much for listening. We'll see you next time.
29:52 - Brent Simoneaux
All right. Bye everybody.
Featured guests
Alison Naylor
Richard Monk