5, 4, 3, 2, 15. Wrong direction, 20 after 25. 10, 9, 8, 0. 5, 4, 3. Import. Episode 45.

It's 22nd April 2017, streaming directly from Singapore. It's Rebuild Live. This time on Rebuild Live, we'll be chatting about computer security with Eugene. Yay, Eugene Tio!

Welcome to Episode 45 of Rebuild Live. I'm your host, Sayani, and on the soundboard is Chinmay. That's right, and our guest today is Eugene Tio. Hello! And he's right here with us in person. This is for the first time ever. Yes. It's possible. Yes, we finally managed to get...

You know how we talked about, when we rebooted Rebuild Live, we had a new studio, in quotes? Yes. And one of the things we tried to do with the studio was to allow guests to come in live. Because you've always had this question like, oh, how do I join you? Do I come over to your place? We were like, no, no, we have the internet now. We could do this whole thing for the internet. But we did have the ability to have a third person. And Eugene was like, I'll come over. Because Eugene happens to be our neighbor. Yes, he happens to live very close by. So like, okay, come on down. So it's fun because then we have been chatting a lot about stuff before. So I think you're already in the groove. Great.

So Eugene has been our friend actually for quite a few years. We got to know him as a security geek, a Linux geek, with a very special history, okay, anyway. But I will let Eugene Tio introduce himself. Eugene?

Hi, my name is Eugene Tio, and I'm a director of security at a US based company dealing with HR related security. And this is the first time I'm doing a podcast, and I'm very happy to be invited. Thank you for inviting me. And I hope to share what I know with you guys. And if you have any questions later, feel free to ask.

Great. So Eugene, you have been dabbling with security for about... Maybe close to 15 years. 15 years, okay, let's learn. I'm only just getting started. But as an engineer, I'm realizing that security is so, so important. And this was a great chance. So, but Chinmay,
before we move on, you have a welcome gift.

Yes, so there's a tradition in our, we've been live, that we welcome every guest with a so-called malformed query. Oh, why? So it's a riddle. So for you, Eugene, your riddle is: why do security conscious people live in dark and closed houses? Does Eugene do that? I don't do that. Okay. You know why? Because bugs come in through open windows. Okay. No, I don't use Windows, so I... Yeah, so that's why you don't have any windows, right? I don't move bugs.

Okay, so what operating system do you use? I used to use Linux all the time. I started using Mac, Fedora, Debian. Okay. I like Debian.

I remember one of the talks that Eugene gave once about how he was... He was scolded by Linus Torvalds. Oh, yeah. That's a privilege. Because you work so close to that. I mean, I'm guessing you've spent a lot of time with Linux.

Yes, yes, I mean, Linux is my first love. And ever since when I was in Poly, you know, I refuse to use Windows. Not because I, I mean, maybe, yeah, I hate Windows. I don't like to use Windows even today. But not because of the operating system, but because of the philosophy, and because of the things that they do. But at that time, I don't feel like, you know, why I should spend money buying proprietary software. So I started to use Linux and I play with it. And I also tried different flavors of Unix. And it just became a nice hobby to have. And it gives me a challenge.

That's a great way, especially for students, you know. Because students are always, like, cash strapped. And that's a great way to start off with Unix.

Great, so live audience, if you're listening to us... There are quite a few listening to us from the stats. So please listen to us while having your breakfast or your tea. And drop your... Yeah, very late, like 11 o'clock already, you want breakfast and tea. We just had coffee with Eugene. Yes, we did. Bring your drinks, favorite drinks along. And post your security questions for Eugene on Gitter Chat. So that's Gitter.in-slash-webuild-sg-slash-live. So
post your questions and we will pick it up. And during the audience polling question, Eugene will answer them.

Great, so let's start off with the computer security topic of the day. So why is security important today?

Well, you know, computer security is always important. It's just a matter of whether people knowing that it's important. I guess, you know, there's many ways of looking at computer security. Some people look at it like insurance. People think that insurance is only important when something terrible happens. And if nothing happens, why are you paying premiums? And likewise, when people look at security, they look at it the same way. If nothing happens, why should we invest in technologies to protect ourselves?

I think that back in 2013, when there was an enormous operations attack on some of the prominent Singapore websites, I was involved in providing expert opinions to AGC and some members of the Singapore Police Force. And we went through the evidence and all that. But the main point is that it really made people wake up that computer security is important, that we shouldn't ignore. And we started to see that government has been spending money building the rights and our agencies, hiring people, emphasizing that security is important. And people started to get applicants who tell me that, oh, I'm very interested in security, I want to switch my careers. That's a nice change.

But security has always been important. When I started learning Linux, security wasn't my focus. But at some point, a couple of years later, I felt that maybe I should learn another skill. And I chose computer security. But there's a story behind it, I can share with you if you want. But it's something important because if you don't protect your infrastructure, if you don't protect your software, bad things can happen to you. And you do not want that to happen.

And especially these days, we do so many things on our computers. Networked computers, everything, banking, insurance. So many things that are very
sensitive. And slowly it's being connected to the physical infrastructure, along with finance, medical systems, utilities across cities. So we will have security vulnerabilities. Or this kind of mindset is needed even more.

So let's say somebody comes to you to look at a brand new system and to secure it. How would you get started? I always get confused about how to get started. What's the approach you would take?

When people work on a new system, security is always an afterthought. Yeah, absolutely. Ideally, when you start working on a system, you should get security involved right at the very beginning. Right from day one. The design stage. Try to understand, go through a checklist. If you're going to have a login page, do you have SSL, and all that kind of stuff. And usually what I would recommend is to do threat modeling. Understanding your system from a point of view of an attacker. What are the points of entry? Where are your crown jewels? Where are your high-value assets? How can an attacker gain access to your system from a different means?
Try to understand your system from a different perspective. And try to see how you as a defender protect yourself at the design stage. Don't wait until you ship the product to your customers or to your users. So complaining... And people start complaining and it starts to deal with all the security issues that people may find. That would be too late. You'll be patching and fixing the problem, and not really addressing the root cause of the problem. But people should realize that no matter whether you're a small company or whether you're working on an open source project, security has to be the number one, or maybe number two, the priority in your development. And start approaching problems from that perspective.

One of the things I always struggle with is that as a developer... I mean, a lot of the audience are not security professionals. They're mostly developers or hackers, makers, engineers. I think the perspective that you need, or the mindset you need to consider, like what you're talking about, threat models... You said look at it from an attacker's perspective, see how you can get it. I think it's super hard for an engineer to think from that perspective. We only think of features. Engineers, features or bugs.

I mean, in my previous roles I do work with many different developers and engineers. Like when I was at Red Hat, I get to work with people with long hair and long beard. I get to work with people like Linus or Andrew Morton from the Linux kernel community. The perspective from a developer is so different from a security guy. Let me give you an example. Let's say you have a smartphone, and you see a notification popping up on your phone. A software engineer will probably... A developer will probably say, how can I show the notification on your phone after receiving a certain event? And what happens when you close the notification? So I just close it, so I perform another action and all that. And what should I display on the notification? A QA engineer will say things like, how do I make sure that what
the developer did is indeed what they have written? Make sure that the notification appears at the right time, close instead of just ignoring your input, and all that. But from a security point of view, a security guy or lady will think something like, how can I run a long text in the notification so that I can crash the phone? How can I make sure that the notification don't appear when you want it to appear? And how can I make use of this notification so that I can break into the software and gain access? So it's a very different mindset.

It is. Like, what you said I think is very interesting. Normally, let's say you're making a notification widget. As an engineer you would test: if I type in words, it works. If I type in letters, it works. If I type in a long sentence, it works. Okay, good, can really... Nobody's going to try to type a thousand characters and see where it crashes. I will even look at Unicode. Yeah. People won't try to follow them.

The recent news, the Chrome on the browser. So now we can go to Apple.com, but it's not actually Apple.com. This is definitely somebody who thought of it as saying, if I put Unicode inside the URL bar, it would look nice and people would be happy with it. And then somebody found a way to hack around it. It's so hard for engineers to think that way. What would you suggest?
Do you suggest that you hire professionals? Do you suggest engineers maybe take courses? Like, how would an engineer work better, make that mindset off, or at least be aware of it?

I think everyone starts from somewhere. Even a security guy has to learn some new things and start from the very basics, and be as good as they are today. Developers can do the same. As compared to the 90s or even the early 2000s, we have so much books, so many security books now, that you can just go to Amazon.com to pick up a few and spend some time learning. And you'll be as good as a security guy. But I think learning is just one thing. You really need to change the mindset. You really need to think about the corner cases. You need to think about, if you do this... When a software developer will look at a door, there's a point of entry. But a security guy will look at a window as a point of entry. So you've got to change the mindset, change the way you think. And try to read as much as possible. Look at what other people are doing. Not to say that you want to be a bad person, but try to learn what the bad people are doing, and try to see how you can defend it from the defender's point of view.

You can only defend if you know the attacker mindset. Precisely. Yeah. Great.

Eugene, why don't we talk about some tools and resources that you use daily, or you like? Let's get into the nitty gritty details.

I'm sure. It really depends on what you mean by security. Security is like a beer. But do you like to brew a beer, or do you like to buy beer? Do you like to drink beer, or do you just like to spend money so that people can drink beer? Just like security. For us, at least for my team, we do a lot of monitoring. We do a lot of detection and response. And we also work on incident response. So some of the tools that we use includes like Elasticsearch, Kibana. We do a lot of data analysis. Interesting. We try to learn Python. Right now we are trying to learn machine learning to see how we can apply that in the screening monitoring. Because there's
lots of different activities going on in the company infrastructure. You want to see how we can reduce the number of noise, so you focus on the more important things. And there's a lot of things that we can do.

I remember we talked about this with Rahul when we talked about infrastructure, our previous episode guest. And he talked about how he had gigabytes of logs coming in from all the different bits of infrastructure in his office. And we were asking him, how can he manage that? How does he manage that? I didn't realize, but stuff like machine learning could be very interesting in this stuff. But to pop out interesting events, saying that this kind of a pattern is probably something wrong.

There's a lot of opportunities to apply machine learning in security. Things like clustering, understanding how we can separate different kinds of logs. How can we look through the different alerts that we have, and maybe use random forest to reduce false positive and give us probability that this could be an incident, this maybe this is not valid. The kind of things so that we can spend more time on the things that we want to look at, and less time on this kind of noise.

Fascinating. Is this already used in the industry? Is this something that's commonplace? Are you guys like trying to come up with new ideas and new techniques of doing things?
Well, there are many security startups that are emphasized on using machine learning to solve big problems. For my company, we are all security people. We are not machine learning engineers. And we are trying to see how we can customize our monitoring platform to do all this. I think right now we are still in an emerging stage where people are trying to figure out what we can do with machine learning, as compared to other industries where it's more mature.

Let me give you an example. Amazon.com: if you buy a book, or if you browse a book, they will give you recommendations. And you will find that some of the books they recommend is something that you may like. But for security, that's a very different problem. If a machine learning algorithm gives you a list of things and then ignore the rest, because based on the algorithm the probability of that something happening is low, and if it turns out to be false, it turns out to be a real incident, that we are in big trouble. And there's something that we still need people to go through them just to make sure. Because the stakes are a lot higher, and the problems that we do are a lot more serious compared to just book recommendations. Also a lot of things that we have...

Also, I think once people realise that you are using a certain system, they will try to game that. They will try to go around it and see, how can I hide my tracks even if you're using this thing? So there's always going to be this cat and mouse thing that your machine learning has to keep on top of.

So if you look at the academic research, there's this thing called the adversarial machine learning, where you have machine algorithms doing some of the things, but the inputs, the data, the logs and all that, is still controllable by the attacker. And how can an attacker influence your machine learning algorithms to give a result that the attacker can give?

Wow. It was a very interesting space. I never thought of that. Even machine learning... It was like, you know that they're using this machine
learning, and you want to tweak it to give you the wrong... wow. This is... It was very interesting. I never thought of security in machine learning in this aspect. Yeah, exactly.

This is one of the things I wanted to ask Eugene before, when you're talking about it. Because he was saying he's getting really into machine learning now. I was curious what it is. And now I understand. This is really fascinating stuff. So you want to use machine learning to look for patterns?

Yeah, look for patterns. Give me a high probability of things, events or alerts. They are being triggered, and so that, you know, rather than going through everything, which could mean a lot of time been spent on tickets, how can we reduce that? So there is only located just a subset of those alerts. Okay. Because, you know, with bigger and bigger systems, we are like just flooded by alerts and notification. And that's where machine learning can come in place. And there's a lot of things that we can automate. Right. That's really cool.

So, quick question. We were talking about tools and resources. Like, let's say, you know, I'm doing this kind of stuff, I want to get started with, you know, maybe not machine learning, maybe basic data, data science kind of stuff. Are there any packages, libraries, tools that you'd recommend?

I mean, I guess everyone who starts learning security will have played with Metasploit. Yeah. Yeah. I mean, most of the candidates I spoke to, they learned pen testing, penetration testing. I think the movies, the TV, gave people the impression that, you know, security is all about penetration testing, hacking, you know, trying to run tools towards a target, the software, in order to find out whether they have a security issue. And I will say that, you know, Metasploit, a tool similar to that, will be a good way to get started. At least you've been exposed to some of the fun stuff, and it keeps you, gets you motivated and learns some more stuff. And I also want to encourage people, you know, that if you're interested in security, just focus on one area.
Try to explore as many areas as possible before you specialize.

What do you mean by areas?

Let's say, you know, like you could focus... You could focus on vulnerability analysis. You could focus on mobile reverse engineering. These are the areas of security that I... Okay. There are security operations, where we look at network logs and all that. So there are many things that we can do with security. But try to have exposure in many areas as possible. Especially as a beginner. As a beginner, yes.

What about books or movies?

Movies? Stay away. I don't know. Movies are, like, not the right perception. Movies, no. Okay. There's one movie... There's one TV drama. Was that Elliot in there? What's this? Amazon? It was super famous. Apparently that was one of the most accurate portrayals ever of, like, security. I watched a few episodes. I think it's okay. It's a TV show. It's a TV show. I just couldn't remember. Okay. Sure. We will... Elliot kid. House of Elliot. Mr. Robot. Mr. Robot. Okay, Mr. Robot. We are Googling at the same time. Okay, Mr. Robot.

Incidentally, right, I have two members in my team whose name Elliot. Elliot is like a new man. What an apt name for a security team. Yeah. So you can see that shows like these can have an impact on people. Or that they like it to the point where they would use their names. Yeah.

You know, books. There are so many books around. I would suggest that, try to look at a website like Amazon. Look at the reviews. Look at the number of stars. Try to get a book that is recent. Don't try to get a book that is like five years old, two years old.

Really? Like, aren't there some fundamentals in security that just lives on? Like physics or maths, you know, there are certain fundamentals. No? Okay.

So, you know, like people, people usually complain... Yeah, things move so quickly. Yeah. Security... well, things move even faster, because you have to, like, one up the attacker. Yeah. You can see that could be one of the reasons. But I think that, you know, like when you learn security, you don't just want to learn a theory. You know, you want to
do some hands-on. And books get obsoleted very quickly. True. Especially technology books. Yeah. You know, sometimes when they publish a book, they talk about the issue, they write POC, a proof of concept, to show you why this is a problem. But by the time you read the book, the issue has been resolved, and you cannot, you cannot try. You know, maybe you have to go through lots of steps to get that issue, you know, to be, to be available for you to try out. But the thing is that, you know, if you get the book that is more recent, you know, the opportunity to learn is a lot greater. Okay. Great.

So live audience, if you're listening in, and there are quite a few of you in the chat as well, do post your questions in the chat, which is... Yeah, we already have a couple of questions. A bunch of stuff happening in the chat. Yeah. So join in the chat. Get your tea or coffee and just write your opinions and your expressions about security on Gitter.im Slash Rebuild SG Slash Live.

Great. Let's talk a little bit about, like, what an engineer, developer should take note of when building systems. Yeah. Well, if you have any specific angles that you can share. Maybe, are there some... What should a new engineer, a developer should take note of when building new systems?

Sorry, I wasn't paying attention. You were distracted by the chat. The chat is...

What are some things that an engineer, a developer should take note of? I mean, you talked about a little bit earlier, but would you have specific things for them to learn, or look at, or checklists to follow, or guidelines to look at, if they want to...?

Yeah, sure. Like, if you're doing web development, that's OWASP Top 10. OWASP. Yep. A lot better than many people out there. Yeah. And if you are more interested in more of a traditional enterprise software, we should be, could look at products like Coverity or similar products, where you could do static analysis to understand what are some of the problems that are in the code and try to resolve them. Or you could look at developing fuzzers. Try to find problems,
you know, dynamically.

What are the things they can do? One thing I learned as an engineer is that, especially when working on IoT things, is that I must have a means to patch the software. Like, especially for IoT, you know, your physical, like, little lamps or bulbs, they're like just deployed physically, like in a very, very...

Routers are a big issue. Yeah, routers too. In fact, TP-Link...

I think engineers should take note, like, you know, by default the user should not be able to do something that is not secure. Or by default, you know, immediately when the patches, all the vulnerability is found, the patches kind of developed, you should be able to remotely patch all your devices or software. It's easy to say that then though. Yeah, absolutely.

I was reading another article recently about some super cheap Android phones where they have this... So... and, and, and they just go to a random website, not over SSL, just plain, you know, like normal HTTP, and then download this firmware bundle, and then they flash it into themselves. Very fishy. Yeah. Very fishy. Perfect. This is the thing. It's a lot of times you're like, oh, you know, I'm going to implement a firmware update feature. And you do it. And then you never think that, hey, maybe somebody can just redirect my HTTP traffic, and that's the way to verify that, you know, the update is really from you.

Yeah. I think there's a lot of problems with IoT. And not to just make everybody depressed, but there's a lot of things that we need to do. You know, IoT, you know, there's lots of different vendors, and not all vendors are committed to provide the updates and patches for a long time.

Also, I feel that because traditionally IoT devices as of today are being made by vendors who did appliances, they are not really aware of networking. They're not aware of security. They probably build mechanical systems or microcontrollers that were just, like, kind of isolated into that device. So they have no awareness of security at all.

Yeah. So there's so much things that we can do, you know. And there's
so much things that we can learn. And a lot of companies are understanding this is a problem. And if they were to address security issues one by one, or by device, or by the way... So, like, people have to come up with new innovative ways to solve this problem. Maybe we look at a network layer. We try to put all these devices in a network and try to protect users from that way. Do filtering and all that. Also, they have a core architecture, so that if anybody wants to work on IoT device, to use the APIs and all that. But there's also a lot of face when you use IoT. They cannot transmit a lot of data.

Oh yeah. Low bandwidth, low power devices. Your cheap devices. So you... They can't be very powerful processors. And you want them to last on a battery for like 10, 20 years.

And then typical advice will be, don't reinvent the wheel. Don't... Use an open source project that is mature and people have done it before. But sometimes will not apply, especially in mature... People are still trying to figure out how to have that efficient energy and low bandwidth protocol and yet secure. So yeah, I agree with you.

So you're going to have job security for a long time. Including you, Eugene. If you work... So this is your tip to the audience. If you want to make sure that you have a job, you know, work in IoT and security.

No, I mean, like, if you think about it, the whole software industry is broken. Yeah. You know, like, which other industry, except, you know, bars and broken software, is that don't work in production, you know, that you can sell? You know, right? Yeah. Unfortunately, software industry is kind of widespread in many industries. Transportation. Airplane run software. Medical device. Medical device run software. It's like everywhere.

No, it's interesting, because what you said is very true. Like, if you go to a market, if you buy and say, you know, I get full refund for this. But if you get a bug in your Windows code, you can't go back to Microsoft and say, I want to return this, you know, Windows, you know, license key to you. I don't like this
anymore. I don't want that. Like, that whole thing is not there anymore. Also, like, for more critical stuff, like, you know, medical equipment and stuff, you can sue people if they sell you stuff that's not... Transportation as well. And if they sell you stuff... None of that stuff in the fair world as well. So when you think about...

Alright, Eugene, one last question on this topic before we move forward. What are you excited about security? We had a lot of, like, scary stories and stuff. Are you excited about something?

I think it's because of the scary stuff that it makes me continue to be very interested in this field. Interesting. And I think for my career, I have made a lot of... I mean, even though I went from a very rich person to a more like very specialized person focusing on Linux kernel, and then I, I went on to lead teams and build teams and all that, I think there's so much things to do. You know, I think what really keeps me interested is that, you know, computers are not going away. Internet is not going away. Yep. And my kids are going to use internet when they grow up, and they're going to use software. And we need to make sure that, you know, we continue to educate people, educate, you know, developers, make sure that we do the right things to protect, you know, the privilege that we have today.

You know, if you talk about me, when I was younger, I don't get to use a computer until I was 15. And to use a computer, to be able to hook up on to the internet before more damn and hear the dial tone, it was like, wow, magic. You know that feeling? That feeling, you know, you can never forget that feeling. And we need to really do our part, you know, to make sure that we do, make sure that the internet is safe. And, and people, you know, be able to do, improve their lives a lot, you know, with a safe environment that they can perform transactions. They'll do their banking transactions and all of that. I think it's very important. And, you know, we should keep it that way, to keep the privilege to, you know, people in the future.

Right. Are
there some algorithms or technology that you're looking forward to learning?

I don't know. There's so much things to learn. Sorry. I built an open source curriculum of modules to learn. You know, I mean, I'm pretty interested in data science these days. You know, I've been reading books like R for Data Science, and learning R, and trying to take a module on linear algebra, and trying to relearn my calculus. Because some bad experience in the past, thanks to some teachers, I really hate the topic. But I know I need to relearn. And yes...

What online course?

I go, like, for the math modules, I'm taking those from MIT. Right. And then some machine learning from Stanford. Everyone knows about M2. Exactly. These are all open and available to anyone.

So don't stop learning, even if you have, you have as much experience as Eugene. Exactly. You know, if you look at maybe 10 years ago, people have to pay to learn. You know, now people are giving you stuff to learn. Great. Great.

So that's it for the main segment of this episode, which is computer security. But Chinmay, we are going on to the next segment, which is I.O. Polling.

That's right. The second segment in our show is called I.O. Polling. And this is where... Eugene is already, like, flexing, getting ready to fight it all. No, it's about audience questions. And the audience has already been asking some questions. So, which is: how do you balance business cost with security? Is something that, you know, now you're saying you're a leading team, something you probably face all the time, is like justifying that, you know, I'm going to have to spend all this money to make something secure, and it might not be very obvious. So how do you rebalance that?
Yeah, I mean, from a technical guy, you want to solve everything. But, you know, when you look at businesses, it should really work with different departments, like sales and business, you know, development. Because ultimately you want to understand, right, in the company, which product or services generates the most revenue. And the top priority will be that. Which software or services collects lots of PII, you know, personally identifiable data and all that. That should be the main...

Use of formula: security equal one over convenience. Whenever you do something, you know, if you want security, you have to sacrifice convenience. If you want convenience, you have to sacrifice some security. And of course, there are other variables. It's not as straightforward as that formula. You go to, to a risk assessment. You go to understand the business. You look at the financial reports, and make sure you protect the right things. You cannot have all your resources, because usually everything... You got to spend what you have right now to focus on what's the most important thing. Once you've done, do it well, you start to focus on other things that are less important. That way you'll be able to make sure you have a team to solve problems. You're not solving all the problems. You solve the most important problems. They're focused, and you get things done. The main, the worst thing that will happen is you have a small team focusing on all the problems and you end up nothing done.

Yeah. Like a jack of all the trades kind of thing. Yeah.

Would you have some recommendation, suggestions for management people? Um, management people, like, because engineers have to work with them, security people have to work with them. Do we have any tips for managers? Yeah, exactly, for managers. Like, we had tips for engineers, but how about managers?
I think the best... My opinion, my personal opinion, hopefully I don't offend anybody, but my opinion is that the best manager actually people who have done this before. Like, they have been ex-security or engineers. Yes. I've seen managers who mess everything up because they have no idea, right, what their guys are doing. And they have no idea how difficult it is, or what the technical challenges they are facing. Right. A technical person who is a manager understands what they're going through. They do the best to make sure that they support them and remove any impediments they may face. Yeah, absolutely. Remove obstacles.

And I think the usual tips are... Like, people will tell me, Eugene, what you're telling me are all common sense. But really, they're all common sense. Right. Make sure that you provide what they need. You invest in them. You can do your part by making your work environment fun. We have monthly lunch and learn. We have a sharing session, share links. We have, you know, machines that we can have fun with. We set up, no, test labs and all that. And we want to work on pet projects. You know, if you can spend an hour, which I don't think is too much to ask, right, working on something interesting or learn something new, why not? And the more important thing is to not have a top down approach, but to share, open collaboration. You know, if you hire people, you want to empower them, not to control them. And I think that's very important. Right. And the only way to find out is you going through what they went through. Right. So they know what they want. And that way you have a happy thing. Yeah.

And I think what Harish Pillay in the chat also pointed out: leaders must be humble and get a clue. So even if you... Totally. Thank you, Harish, for that comment.

Great. Any other question? So I think this is something you do with the recent news, but Justlyn asks... No, sorry, before that. Yeah. Michael asks: maybe as threat actors potentially facing Singapore in the next five years. This will be interesting. Threat actors facing Singapore in
the next five years. Very specific question. What are the specific threat actors you are worried about, I guess? What kind, maybe. I mean, if you look at Singapore, yes, all the threats that we have seen are all quite, not very cool, you know. They are not very, like, super difficult to, you know, launch. That will not publicly shared, right. I think the question I will... I mean, I will rephrase the question. Maybe it's wrong, but what is more important is to have a government that is more open to sharing. And it has to work two ways. Not just the private organization sharing information to the governments, but the governments have to come forward to share these learning experiences to everybody so that everyone knows. Of course, people will say that, oh, you know, you need to have intelligence, and, you know, if you share too much, people will... other foreign, you know, governments will know, other adversaries will know that we share too much, right. This is like the open source argument, right? Like the open algorithms are... But I think there's a... I mean, I think there's a way to strike a balance. If there's an attack happening, we don't need to know who did it. We probably want to know how it was done so that everyone knows how to protect themselves, or organization could learn from some of the lessons that they've been through to protect ourselves. And I think that's very important and something needs to be done. Nice. That was a very good answer.

Okay. So next question from Justin. Two more questions at least. This is something to do with the recent news about the Bose. Could you give a brief background of what happened?
Seems like you have a Bose. No, I don't have a wireless headset. Actually I do, but I don't have a Bose one. Okay. Okay. To be honest, I have not read that news, so if one of you have... I just quickly glanced through it. I believe the issue was the people were claiming that Bose was listening into their... because they had some backlink stuff that was happening. I'm, like, reading off headlines: Bose wireless headphones spy on listeners, lawsuit. Leak. It's like another news where WikiLeaks leaks some information about TV listening to... Yeah. So I mean, like, just... I mean, okay, see, that's... if you... sometimes in life you don't have all these things. Just leave. Just don't say your password. Don't say that, your password. Don't share private information. If you have to do it, do it with encrypted channels, Signal and all that. Just live your life normally. Live your life as if anything you say or do will be leaked anyway. The walls are starting to have ears. The walls have always had ears. Of things. Because people know it anyway. Okay. Cool.

Alright. So the next question is from Wei Man. It's a long one. So it says: I think the public tends to have a vague idea of how computer security works and often puts themselves at risks through clicking on phishing links and such. What do you think are the most important things that public, like a lay person, needs to know about computer security? And struggle with non-technical employees. Yes. So three things, right. The stuff you receive from, by e-mail, the links that you visit, and the website that you visit, right. User... users... users... user education is very important. You know, you can have the best security technology out there, you can spend all your money making sure that you have the best, and if you do not know that when they receive an e-mail... let's say your best and best security technology could block the e-mail or block the attachment. People shouldn't click on the link if they find it suspicious. Let me give you a story. There was someone who received an e-mail, and she received an e-mail
and that attachment, and that attachment was the same, so nothing very suspicious. So she felt that, or maybe just double click on it and see what happened. And then she shared the same e-mail to her colleague. And what happened was that that attachment was a ransomware, a malicious program that tries to encrypt your files and ask you for a ransom. Not very good, right? So she clicked on it, her colleague clicked on it, and their files are all encrypted. What made it worse was that to a shared server. So shared servers got... the files are all encrypted. But if they are aware that they shouldn't click on links that they are not... they find suspicious or find funny or not interesting, they should report it to the security team.

I think one of the problems I find when I'm trying to explain this to people is you and I have a very tuned sense of what is suspicious, but a lot of people don't get it. They are like, somebody send me a free textbook, okay, I want, I want. They don't get it. It's so hard to train people about these things. Another day I got an email from my parents saying that, I got an email from Apple saying that a thousand dollars have been charged on your Apple iTunes account, blah blah. Check the email address. It's not from Apple.com. Of course it's fake. We have a written agreement with our parents, like, if anybody send you a web, SMS, email, please forward it to us before clicking anything. Anything. So I guess a lot of companies will try to simulate, you know, they pretend to be the bad guy, send the best stuff to them. But nowadays, even better, they pretend to be the good guy. Like, oh, we found your computer was hacked by a bad guy, let me fix it for you. Yeah. Yeah.

Alright. Let's go to the chat room. Yeah. But Eugene will be here, I think. Yeah, Eugene is already looking at the chat, so don't worry. We will get on with the show. Yeah, we'll get on the show and then we can answer questions as we go along, afterward as well. So the next segment is what we call the rapid fire round. And in the rapid fire round I get to
ask a bunch of rapid questions to Eugene, and you have to answer equally rapidly. Don't worry about being politically correct. B.I. Yes. Hi fans.

What is your favourite website for getting your news or fix, like all this, in this world of computer security? What do you get? Twitter. So you follow some Twitter accounts. I follow a lot of Twitter accounts. So, you know, if you want to know who to follow, you can follow Eugene and then you can see who he follows.

What's your current favourite video game or board game? Are you a video game...? Well, I'm not a... play game. Okay. Alright. Real life board games. I mean, my favourite one would be Road Fighter, Nintendo. Okay, old school.

Is there a new geek toy or gadget you're looking forward to buy? I'm looking to buy the USB, what do you call it, the MIFARE, MIFARE card writer. Oh okay, cool, yeah. That stuff is quite fun. Getting into doors and accessing... including my cards. Combine few cards in one. Nice.

Is there a new book you want to pick up? I just want to learn more R for data science. Do you have a favourite sci-fi movie or a book? I don't really read much, but I hope to read more. Okay.

What about, what's your current favourite meetup group in Singapore? PyData. PyData. You're involved, you're one of the organisers. So I started a group, I was involved until late last year, and I took a break. Okay. Good to know.

What's your favourite programming language? Uh-oh. Uh-oh. Uh-oh. Uh-oh. Say it. Uh-oh. Okay. It used to be C, but uh-oh is really fun. Okay. Cool. And last one. This one is even more uh-oh. What's your favourite distribution of Linux? Uh-oh. Say it. Uh-oh. They're good. They're good?
Alright, cool. Alright, thank you very much for answering our rapid-fire. That's all we have.

Next round, which is called Picks. And the way we do Picks is basically, it's a, you know, everybody gets to choose two or three interesting fun things that you want our audience to try out. And we'll go around the table. We'll let you, give you some time to think about it, Eugene. Till then we can... Sayani. Yeah. I wanted to share about online course. I think Eugene mentioned a lot about it. And this is specifically Udemy.com slash Collection slash Skills Future Credit. Go and attend this course and you can claim them under some government scheme. And this, I think, I believe, what Eugene mentioned, like, you know, the government has to work with the public and the people of the country together. And I think there are some security... actually there are some security related courses here. Let me just quickly Google and get them out for you. So go quickly to Udemy.com slash Courses slash Skills Future. So: the Complete Cyber Security Course: Hackers Exposed; Complete Cyber Security Course: Endpoint Protection. There's really a lot. Web hacking and security, Linux security and hardening. So get started, people, if you're curious about security and you have access to computer. And the money too. Yes. So you can go to Skillsfuture.sg slash Credit, or one of the URLs. We'll put all the links in the social and you can claim it. So go and have some good online courses for free. All right. Is that all? Yup, that's all for me.

I have two picks. The first is a podcast. As you know, I'm a podcast fanboy, I listen to podcasts all the time. The guy who runs it, I think he's an old school kernel developer. He basically goes through all the new patches that were sent out on the mailing list and just goes through all of them and then talks about what all of them are. It's awesome. It's super fun. Oh, Jon Masters. Okay. You know him?
No, I'm not him. Joe. Okay, of course. The way he talks about things, he sounds like he knows, he's been there, he's been doing stuff for a while. But yeah, Jon Masters. Super, like, techie. Like, he talks about, you know, so-and-so put a new patch for Intel 5.0 paging, you know, so-and-so put a new patch for this, and then goes deep into the patches and what they're doing and all the to-and-fro that was in the mailing list. It's almost like audio way to follow the Linux kernel mailing list. He's a very smart guy and he's a very protective guy with a system. Yeah. That's a lot of contribution that you're thinking. Nice. Definitely. So that's super fun.

And the other framework I want to pick today is something called PortAudio, which is a very nice cross-platform audio framework. So if you want to do anything with audio, as you know, I also like audio stuff, so if you want to make anything that plays audio, records audio, whatever, PortAudio is a great framework to use. It's very simple. I've picked it before as well. When I'm using it again, and it's super cool, super useful, very easy to use.

Alright. I have one link to share. Yes. Alright. Let me paste the link. Basically this page has all the different... Covert.io. Yes. All the security papers that you want to read about machine learning and security, deep learning and all that stuff. Blogs and projects and even data that you could use for your machine learning. And I'll be going through these papers, and if you're interested, you know, we could discuss. And, you know, speaking of papers, yeah, we have a meetup called Papers We Love in Singapore and around the world, where engineers, or rather the non-researchers, share such papers. So thanks for the link. I'll definitely share it with the Papers We Love. Yeah. Covert.io. So the subtitle of this website is Security, Big Data and Machine Learning, and that's something Eugene has been talking about a lot, what he's been doing. And let's have a look at something which is Covert.io. Great.

So let's go on to the very couple, few last
segments, starting with Event Loop. Interesting events to attend near your place. So there is GopherCon Singapore that's gonna happen in a month. And if you go to 2017.gophercon.sg, the conference is happening from 25th... at Golang? Not yet. Not yet. He's busy with R. All right. So go and attend, buy tickets for GopherCon.

The next one is Maker Faire Singapore. Maker Faire Singapore is happening. Let me see what is happening. It's happening at July actually, 20 to 21st July. Maker Faire is a great place to find IoT things to hack. That is true. That is actually true because these maker projects are mostly hobbies that people just like to try and play with. But it's also a great place to tell people about security. You know, like Eugene said, from day one you have to think about it. So day one is where makers get involved in building a project. So Maker Faire and GopherCon.

Is there a PyData conference, something that you guys are organizing, or is there, you know... so how does the PyData meetup work, is it a monthly thing now? Yeah, it's a monthly thing and we basically find speakers to present stuff. It's a very difficult meetup but it's a very casual and no sales speech. Only technical stuff. Awesome. That's how most developer meetups should be.

Speaking of meetups, are there security meetups in Singapore that Singapore public can go and attend? Yeah. In fact there is one that is quite active. It's called Now Singapore. Oh yes, Emil, one of our friends, also is part of it. Yeah. And in fact I was there like yesterday or two days ago. They had a meetup which is pretty cool. Okay, cool. Go and attend Now Singapore meetups. And just for the record, there's also... Harish is saying in chat. I remember seeing this in WeBuild.sg as well. There's DevSecOps meetups. Oh yes. Ah yes. DevSecOps. So for any of these meetups, by the way, in Singapore you can go to webuild.sg, subscribe to the calendar and you can attend. Plug. Yes. Yes. Which brings us to the last segment, Electric Plug.
All right. Plug, plug, plug. This is a plugging time. So Eugene, you get to plug yourself and where people can find you. Yeah. I have a Twitter account. Yes. Twitter.com slash Eugene tail. And I have a home page which I need to update. Tell us the website. Yeah, tamasig.org. Tamasig.org. Tamasig has a very special meaning in Singapore. I hope I don't get into trouble. No, this has been running for ages. Anyway, tamasig.net is also... Not that it's owned by Harish. So now we have two friends owning tamasig domain name. Yes, there you go. Harish in the chat is saying. I need to drag Harish into it. Well, that's a fact. Harish owns it. He says it. So tamasig.org website. It has a secure HTTPS. So look at it. I got to push up my ranking, you know, Google. Yeah, Google doesn't like HTTPS, not HTTPS websites. Yeah, I think they have a signal to increase the rank. I don't know if you have all the HTTPS. Right. So for Google search, your website will be higher. All right. Great. So website or Twitter, and as Eugene mentioned, go and follow his followings on Twitter so that you know who are the security people and get things. Leave a comment on my blog so that I don't feel lonely.

Great. So thank you, Eugene. That's it for this week's episode. It was really, really good. And having you, our first guest live in person. Yeah, I'm surprised that the system held up. I was expecting like, you know, massive crashes and stuff like not working, but it's been very smooth. And thank you for inviting me. And this is my first podcast. And I'm enjoying myself. Oh, thanks. That's the whole point of doing it. Great. So thank you, Eugene. And that's it for this episode. 45 of We've Been Live. We will get together again online on another Saturday morning with another cool guest. Until then, return zero.